Seven months after the revelation that a Chinese hacking group stole a Microsoft signing key and used it to access emails belonging to senior U.S. officials, the Cybersecurity and Infrastructure Security Agency unveiled new secure configuration baselines for Google Workspace intended to prevent another breach of that kind.
In a blog post published Tuesday, CISA noted that “recent threat activity from groups such as Storm-0558” — the group believed to be responsible for the Microsoft breach — “demonstrated the importance of hardening email and identity infrastructure, enabling key security capabilities such as logging, and enhancing the security of underlying cloud environments.”
The cyber agency’s Secure Cloud Business Applications (SCuBA) guidelines for Google Workspace — for which CISA is also seeking public comment — come on the heels of its October 2022 standards for Microsoft 365. The implementation of those standards earlier this year across “a dozen federal agencies” informed CISA’s Google-specific guidance.
“Using our ScubaGear assessment tool, agency practitioners implemented advanced protections and configured cloud environments to better safeguard sensitive information and secure government services against sophisticated threat actors,” Michael Duffy, CISA’s associate director for capacity building, wrote in the blog post.
“Though the Microsoft-specific baselines were developed collaboratively with the Federal Chief Information Officers Council to provide necessary security enhancements for most federal cloud business applications,” Duffy added, “we quickly identified that more was needed.”
The acknowledgement from CISA that security protections for federal cloud systems needed strengthening following the Microsoft breach comes three months after the tech giant released findings from its internal investigation into the incident.
Microsoft revealed in September that a signing key was exposed during an April 2021 consumer-signing system crash and included in the ensuing “crash dump.” A Chinese hacker later breached the account of a Microsoft engineer who had access to the debugging file that contained the signing key. From there, the hacking group was able to gain access to the email accounts of Commerce Secretary Gina Raimondo and the U.S. ambassador to China, among others.
During an October cybersecurity governance panel at ACT-IAC’s Imagine Nation ELC conference in Hershey, Pa., Duffy said CISA’s investment in SCuBA baselines is an “outgrowth” of strategic initiatives tied to the “post-SolarWinds compromise.”
In providing “heightened security baselines to organizations,” CISA is essentially saying that “yeah, your people should be online, but probably not the devices on the edge that should be connecting to highly privileged accounts across your enterprise,” Duffy said.
In addition to seeking public comment from all interested parties on the Google Workspace baselines, CISA asked federal agencies to “help validate and enhance the automated implementation of these” SCuBA project standards and the ScubaGoggles assessment tool.
The public comment period, CISA said, will “help ensure our products enable necessary security improvements to keep pace with evolving technologies while considering the challenging cyber threat environment.”