Pages

Wednesday, November 21, 2018

FAANG: Cyber Command and the DOD Cyber Crime Center


Hidden Cameras in Streetlights Bruce Schneier Previously reported, but some interpretation.

Surgical robot BOTCHES surgery, kills man on operating table while doctors sipped lattes NaturalNews 

One must write as if the whole world was reading as emails are like postcards anyone along the way can read it and your work emails are read by almost, Orwellian  almost, any Human Remains executive in order to protect the agency ;-)  How China diverts, then spies on Australia's internet traffic
The Sydney Morning Herald 


Who knew – not me – Faang companies??  OK, so here is the article via The Guardian: US stock markets continue to fall, erasing 2018 gains – “Technology stocks slid again and fears of a trade war with China worried investors. Much of the fall has been driven by troubles at the so-called Faang companies (Facebook, Apple, Amazon, Netflix and Google) whose phenomenal growth had driven stock markets to record highs…”

Kelly Nestor - Presenter and Teacher Giving Netflix, Stan, Foxtel etc a Run for Its Money with Off the Cuff Twitter: 



TIME TO GO: The Washington Post’s Margaret Sullivan calls on Mark Zuckerberg to resign as Facebook’s board chair. “Facebook is a rudderless ship sailing toward the apocalypse — and we’re all along for the ride,” Sullivan writes. “This is the same company — with the same leadership — that denied the now-established truth that misinformation deeply infected the 2016 presidential campaign.”


11 Zuck and 2 Sheryl Sandberg sort-of apologies over the years.










The Hill

November 16, 2018

President Trump on Friday signed into law a bill that cements the Department of Homeland Security’s (DHS) role as the main agency overseeing civilian cybersecurity, with a focus on securing federal networks and protecting critical infrastructure from cyber threats. The cybersecurity branch known as the Cybersecurity and Infrastructure Security Agency (CISA) will now be elevated to the same stature as other units within DHS, such as Secret Service or the Federal Emergency Management Agency (FEMA). The bill Trump signed Friday, which unanimously passed the House earlier this week, also rebrands DHS’ main cybersecurity unit, known as National Protection and Programs Directorate (NPPD), as the Cybersecurity and Infrastructure Protection Agency. Top DHS officials have been pushing for the bill to pass, arguing it would better communicate their mission to the private sector and help DHS recruit top cyber talent. The bill passed the House on Tuesday, after stalling in the Senate earlier this year.



Fifth Domain

November 15, 2018

In the past six months, the Department of Homeland Security has stood up a new cyber risk center. The Trump administration has announced it will undertake more offensive cyber operations. And the Pentagon has promised to deter foreign hackers in cyberspace. But significantly expanding the government’s cyber efforts will require additional dollars from Capitol Hill appropriators. And following this month’s midterm elections, Congressional aides are skeptical the near-term budget outlook will drastically change after Democrats take control of the House and Republicans lead the Senate. Instead, they expect another continuing resolution in the coming years. Such an agreement would limit new funds for a growing number of cyber initiatives. In hearings this week, some of the federal government’s cyber leaders said they need additional dollars in the next year. Offering a window of hope, both Democratic and Republican aides told Fifth Domain that cybersecurity is one of the few issues that has bipartisan support on Capitol Hill.



Nextgov


The Homeland Security Department’s long-sought plan to have a cyber division with the word “cybersecurity” in its name was nearly fulfilled Tuesday evening when the House passed a bill approving the re-naming. The Senate passed the bill in October, so now it only awaits President Donald Trump’s signature. The House passed a Senate version of the bill by unanimous consent. The bill would take the clunkily-titled National Protection and Programs Directorate, or NPPD, and dub it the Cybersecurity and Information Security Agency, or CISA. Homeland Security is the lead cyber agency for the civilian government, but the department’s cyber officials have struggled under a name that doesn’t give a clear indication of what they do.



AP

November 14, 2018

A congressional advisory panel says the purchase of internet-linked devices manufactured in China leaves the United States vulnerable to security breaches that could put critical infrastructure at risk. In its annual report on Wednesday, the U.S.-China Economic and Security Review Commission warns of dangers to the U.S. government and private sector from a reliance on global supply chains linked to China, which is the world's largest manufacturer of information technology equipment. China's push to dominate in the high-tech industry by 2025 already is a sore point with Washington and a contributing factor in trade tensions that have seen the world's two largest economies slap billions of dollars in punitive tariffs on each other's products this year. The U.S. also has had long-running concerns about state-backed cyber theft of corporate secrets, something that China agreed to stop in 2015. But the bipartisan commission highlights the potential security risks to the United States by China's pre-eminence in the so-called internet of things, or IoT, which refers to the proliferation of physical devices that have sensors that collect and share data and connect to the internet.



FCW

November 13, 2018

Congress passed landmark cybersecurity legislation in late 2015, but the Pentagon hasn't done much to put the law in play, according to a watchdog report. The Cybersecurity Information Sharing Act required Defense Department component agencies to come up with plans and procedures for sharing threat indicators with civilian and non-governmental entities. A Nov. 8 report by the Department of Defense Office of Inspector General focused on CISA implementation by the National Security Agency, the Defense Information Systems Agency, Cyber Command and the DOD Cyber Crime Center, known as DC3. The report concluded that the uneven and inconsistent implementation of CISA requirements was due to the lack of a DOD-wide policy from the CIO.



ADMINISTRATION



Nextgov

November 16, 2018

The Homeland Security Department hopes to complete before the end of this year a list of the nation’s most vital functions that must be protected against cyberattacks, the department’s top cyber official said Friday. Once those “critical functions” are identified, Homeland Security will work with federal research facilities and other organizations to map out which of those functions are most vital and how they rely on each other, said Chris Krebs, director of Homeland Security’s newly authorized Cybersecurity and Infrastructure Security Agency. The broad goal for that mapping process is to identify which sectors rely most heavily on a critical function and what the chain reaction would be if a function was compromised by a cyberattack, said Bob Kolasky, a Homeland Security official who’s leading the identification and mapping process. Kolasky cited the Global Positioning System as an example.



The Hill

November 15, 2018

A presidential committee has voted to move forward with its cybersecurity “moonshot,” a daunting task aimed at making the U.S. a global leader on cyber over the next decade. Members of the President’s National Security Telecommunications Advisory Committee (NSTAC) sent their 56-page report to the White House on Wednesday, calling for the Trump administration to establish a council and executive director to make cybersecurity a priority for the federal government, U.S. businesses and American citizens. The report also issued a dire warning on the future of attacks, saying that over the next 10 years the U.S. will see “more severe and physically destructive cyber attacks than have been experienced to date,” and that cyber threats need to be viewed as “an existential threat to the American people’s fundamental way of life.” But how to prepare for tomorrow’s threat today is the challenge, according to Peter Altabef, chairman of the moonshot subcommittee and CEO of security firm Unisys. “It's that balance of, you have to take a long view to really sustainably fix it, but you actually already have to get started because we're living in a very urgent situation,” Altabef told The Hill.



Nextgov


The government’s lead contracting agency plans to formalize how and when contractors are required to disclose data breaches and to mandate better government visibility into how serious those breaches are. The proposed rule will mandate that the General Services Administration and the agency that’s being served by the contract have access to breached contractor systems, according to a regulatory roadmap set to be published in Friday’s Federal Register. Contractors will also be required to preserve images of the affected systems for the government to review, the roadmap states. The proposed rule is scheduled to be published in February with a comment period that closes in April.



Fifth Domain

November 14, 2018

Despite long-held beliefs by cybersecurity leaders that military operations in the physical world and in cyberspace are strategically no different, one of the Department of Defense’s top cyber officials is challenging that conventional wisdom. “What if the way we’ve structured Cyber Command and our thinking about this space, what if it’s wrong?” Lt. Gen. Vincent Stewart, deputy commander of U.S. Cyber Command, said during a keynote presentation at the CyCon U.S. conference in Washington Nov. 14. Cyberspace, in many regards, is strategically confounding. For example, what does sovereignty look like in cyberspace that knows no geographic bounds? How does one hold a target at risk in cyberspace without telegraphing what vulnerabilities in an adversary’s system has been exploited? Is there such thing as deterrence in cyberspace below the threshold of armed conflict? These are all still questions that many academics and even the government are still wrestling with. Stewart contended that cyber is different than the physical world. If during a ground maneuver, a commander encounters a river, Stewart said the river cannot be moved. However, in cyberspace, with a couple of keystrokes, the terrain can be changed and even moved.



Nextgov

November 13, 2018

More than three years after suffering the most devastating cyber breach to date against civilian government networks, the Office of Personnel Management still hasn’t implemented about one-third of the recommendations from the government’s in-house auditor, a Tuesday report found. Un-implemented recommendations include regularly updating software to the latest version, encrypting passwords and ensuring administrators aren’t sharing account logins, according to the Government Accountability Office report. In some cases, OPM still hasn’t reset passwords that were used before the breach, the report found. The OPM breach compromised sensitive security clearance information about more than 20 million current and former federal employees and their families plus a smaller amount of fingerprint data. Overall, OPM has implemented 51 of the Accountability Office’s 80 recommendations, or about 64 percent. Some of those implemented recommendations include strengthening firewalls, enforcing password policies and updating contingency plans for the especially vital system, the report states.



The Hill

November 13, 2018

A top cyber official at the Defense Department on Tuesday urged companies to refrain from “hacking back” when they are the victim of a cyberattack, saying it could negatively affect the already unclear rules of engagement in cyberspace. B. Edwin Wilson, the deputy assistant secretary of defense for cyber policy, said at a Foundation for Defense of Democracies event that “industry, private citizens should have the ability to defend themselves.” But he cautioned that there is a “unique nature in cyberspace in regards to offensive activity,” such as a company using cyber methods to retaliate against hackers who target their networks. Wilson said that while there are some established norms for behavior in cyberspace, like the United Nations cyber agreements whose signatories include the United States, industries carrying out offensive attacks could be a “destabilizing influence.” The concept of “hacking back” has gained steam in recent months. Sen. Sheldon Whitehouse (D-R.I.) said during a congressional hearing earlier this year that Congress should allow companies to retaliate against cyberattacks.



INDUSTRY



CyberScoop

November 16, 2018

Blackberry, the Canadian technology company that once was a giant in the mobile phone market, announced Friday that it is buying American cybersecurity company Cylance in a $1.4 billion cash deal. Although Cylance is expected to operate as a separate unit within its new parent company, Blackberry said it hopes Cylance’s artificial-intelligence-driven endpoint protection capabilities will mesh well with the security portfolio that it is trying to build. Blackberry has largely pivoted from making and selling smartphones to managing connected devices for enterprises. The acquisition — which had been the subject of rumors for at least a week — comes after Blackberry announced its new “Spark” platform in September, offering various internet-of-things (IoT) cybersecurity solutions. “The area we want to focus on growing is ‘enterprise of things’ which is the enterprise market of the IoT world,” Blackberry CEO John Chen said in a press call.



Gov Info Security

November 16, 2018

An attack on Altus Baytown Hospital involving a strain of Dharma ransomware has resulted in the Texas hospital reporting to federal regulators a data breach impacting 40,000 individuals. The attack is among the latest incidents involving ransomware posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the HHS Office for Civil Rights' website lists major health data breaches impacting 500 or more individuals. The Altus ransomware attack was reported on Nov. 2 by Oprex Surgery L.P. - which does business as Altus Baytown Hospital - as a hacking incident involving a desktop computer and network server, according to the HHS website.



TechCrunch

November 15, 2018

A security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more. The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn’t protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages. For Sébastien Kaul, a Berlin-based security researcher, it didn’t take long to find. Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to to one of Voxox’s own subdomains. Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.



CNET

November 14, 2018

Apple's Safari team, following Chrome's lead, has begun warning people when they're visiting websites that aren't protected by HTTPS encryption. The feature for now is only in Safari Technology Preview 70, a version of the web browser Apple uses to test technology it typically brings to the ordinary version of Safari. Apple released the update Wednesday. Apple is trying hard to improve privacy right now, an effort that could dispel apathy about the issue and help Apple stand out from tech rivals. It's also meant Apple has butted heads with law enforcement officials and politicians who want to preserve something like the ability to tap phone lines. But when it comes to pushing website operators to secure connections, it's been players like Google, Mozilla and Cloudflare that took the initiative. In July, Chrome began warning you if you visited a site that wasn't secure, part of a longer-term plan to get us to consider secure connections to be the norm on the web. Mozilla helped launch the Let's Encrypt project that means website operators now can get the necessary encryption certificates for free.



Wired

November 13, 2018

For two hours Monday, internet traffic that was supposed to route through Google's Cloud Platform instead found itself in quite unexpected places, including Russia and China. But while the haphazard routing invoked claims of traffic hijacking—a real threat, given that nation states could use the technique to spy on web users or censor services—the incident turned out to be a simple mistake with outsized impacts. Google noted that almost all traffic to its services is encrypted, and wasn't exposed during the incident no matter what. As traffic pinballed across ISPs, though, some observers, including the monitoring firm ThousandEyes, saw signs of malicious BGP hijacking—a technique that manipulates the web's Border Gateway Protocol, which helps ISPs automatically collaborate to route traffic seamlessly across the web.



CyberScoop

November 13, 2018

One of the biggest annual cybersecurity trade shows, the RSA Conference (RSAC), says it will no longer allow all-male panels on its keynote stages and is taking several other steps to improve diversity and inclusion at its events. Tuesday’s announcement comes as surveys and studies continue to show that women are vastly underrepresented not only in cybersecurity jobs but also the technology industry in general — a fact only amplified by the prevalence of “manels” at big conferences such as RSA, which holds events in the U.S. and globally throughout the year. The initiatives also include programs intended to improve the environment for conference attendees and reduce bias and exclusion throughout the industry in general for “all genders, orientations, physical abilities, religions, ethnicities and experiences, in every aspect of our events around the globe,” said Sandra Toms, vice president and curator of RSAC.



Infosecurity Magazine

November 13, 2018

Cyber-attacks are the number one business risk in the regions of Europe, North America and East Asia and the Pacific, according to a major new study from the World Economic Forum (WEF). Its Regional Risks for Doing Business report highlights the opinions of 12,000 executives from across the globe. While “unemployment or underemployment” and “failure of national governance” take first and second place respectively, cyber threats have moved from eighth in last year’s report to fifth this year. It tended to be viewed as a greater risk in more advanced economies: 19 countries from Europe and North America plus India, Indonesia, Japan, Singapore and the United Arab Emirates ranked it as number one. In Europe, the UK and Germany both placed cyber-attacks as the number one risk. Bromium’s EMEA CTO, Fraser Kyne, argued that businesses are still suffering despite spending an estimated $118bn on cybersecurity globally.



Ars Technica

November 12, 2018

A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means. Last week's report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers' control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.



CNBC

November 12, 2018

Moody's will soon start using its credit-rating expertise to evaluate organizations on their risk to a major impact from a cyberattack. That move might be a game-changer for many institutional and individual investors, who often struggle to quantify the potential impact of a significant cybersecurity incident into a meaningful rating. Ratings agencies including Moody's have been warning for years that cyber issues, including lax controls or a meaningful breach, could lead to a downgrade. But this is a first real step toward codifying those predictions. "For us, it's not something we view as a totally new idea," said Derek Vadala, who was named Oct. 17 to a new role heading Moody's Investors Services Cyber Risk Group. "We've been in the risk management business for a very long time. This is to enhance our thinking about credit as cyber becomes more and more important."



INTERNATIONAL



AP

November 16, 2018

U.S. cybersecurity experts say hackers impersonating a State Department official have targeted U.S. government agencies, businesses and think tanks in an attack that bears similarity to past campaigns linked to Russia. The “spear phishing” attempts began on Wednesday, sending e-mail messages purported to come from a department public affairs official. Cybersecurity companies CrowdStrike and FireEye both said they were still working to attribute the attack. But it was consistent with past hacking campaigns by Cozy Bear, or APT29, a Russian group believed to be associated with Russian intelligence and linked to hacking ahead of the 2016 U.S. presidential election.



The Guardian

November 16, 2018

Health service insiders fear the NHS will be hit by another cyber-attack similar to the WannaCry ransomware outbreak that caused widespread disruption to hospitals and GP surgeries last year. Poor leadership, budgetary constraints, deficient IT systems and a lack of qualified staff mean another attack on the health service is inevitable, according to experts at a Guardian event supported by DXC. Guardian technology reporter Alex Hern spoke about the impact of the 2017 WannaCry cyber-attack, and clinicians, cybersecurity specialists, policy advisers and politicians discussed how to best protect NHS IT systems. Meg Hillier, MP for Hackney South and Shoreditch, and chair of the public accounts committee, which earlier this year described WannaCry as a wake-up call for the NHS, said that as well as a shortage of IT skills in the NHS workforce, there was an issue around leadership. . “A chief executive has a lot of pressures put on them,” she pointed out. “It’s a challenge: what are you going to pay for? You don’t see any particular benefit for patients if you invest in a good IT system – it’s not a big enough issue and not an instant win in a world of winter pressures.” Hillier added that many NHS staff do not trust their IT systems.



The Washington Post

November 14, 2018

Japan is in the midst of revising its cybersecurity laws ahead of the 2020 Tokyo Olympic Games. However, a cabinet minister who is supposed to be shaping these laws made a surprising admission this week: He doesn’t use a computer. Yoshitaka Sakurada, a minister from Prime Minister Shinzo Abe’s Liberal Democratic Party, was asked about his computer use during a meeting of a parliamentary committee. “I’ve been doing business independently since I was 25 years old, so I have been giving instructions to employees and secretaries,” the 68-year-old Sakurada told the committee, according to Kyodo News. “I never touch my computer myself.” When asked by independent lawmaker Masato Imai how a man who does not use computers could help implement online security measures, Sakurada said that the cybersecurity initiative is a government-wide project and that he had confidence in it.



NBC

November 14, 2018

The former U.N. diplomat accused of helping steal and distribute Republican fundraiser Elliot Broidy's emails is entitled to diplomatic immunity, the U.S. government tells NBC News. It's the latest blow to Broidy's legal campaign against Qatar and the individuals he says hacked him on its behalf. Several other defendants in lawsuits filed by Broidy including Qatar itself have already convinced the court to dismiss them from the case, which criss-crosses the murky worlds of cybercrime, the Persian Gulf diplomatic crisis and pay-to-play politics in Trump era.  Broidy, the Republican National Committee's former deputy finance chair, is suing Jamal Benomar, a British citizen born in Morocco. Broidy accuses Benomar of being a "key player" in a Qatari scheme to hack Broidy's emails and distribute them to U.S. journalists. The stolen emails exposed how Broidy tried to parlay his access to President Donald Trump into lucrative contracts for his private security company with Saudi Arabia and the United Arab Emirates, Qatar's chief rivals. Qatar denies involvement in the hacking.



The Washington Post

November 13, 2018

The Russian government is arguing that a federal court should dismiss a lawsuit brought by the Democratic National Committee alleging that Moscow’s military spies, the Trump campaign and the WikiLeaks organization conspired to disrupt the 2016 campaign and tilt the election to Donald Trump. In a letter and statement this month to the State Department and a judge in the Southern District of New York, Russia’s Ministry of Justice argued that the United States’ Foreign Sovereign Immunities Act protects the Russian government from such lawsuits. In particular, the lawsuit’s naming of the GRU military spy agency as a defendant takes the litigation out of bounds on the basis that “any alleged ‘military attack’ is a quintessential sovereign act,” said a Nov. 6 statement by the ministry’s Department for International Law and Cooperation. The Russian government also warned that if the suit is allowed to proceed, it exposes American spy services such as the National Security Agency — an arm of the Defense Department — to “a tidal wave of civil litigation” in foreign courts.



CyberScoop

November 13, 2018

The U.S. financial and energy sectors are no strangers to foreign government hackers, from Iranian denial-of-service attacks on American banks to Russian reconnaissance of industrial control systems. Less-familiar territory, however, is how companies would work with the U.S. government to respond to a cross-sector cyberattack during a geopolitical crisis. About 20 private-sector executives and former government officials gathered last month in Washington, D.C., to take a stab at that question. A tabletop exercise hosted by the Foundation for Defense of Democracies (FDD), a think tank, hashed out what companies and federal agencies might ask of each other in the 72 hours after a disruptive series of computer intrusions. The fictional scenario involved a confrontation between the United States and China in the Taiwan Strait, which was followed by a cascading cyberattack on multiple U.S. critical infrastructure sectors. The former defense and law enforcement officials in the room discussed with their private-sector counterparts — executives from the banking, electricity, and retail sectors — how a U.S. government and industry response to the cyberattack might play out.



Reuters

November 12, 2018

France and U.S. technology giants including Microsoft on Monday urged world governments and companies to sign up to a new initiative to regulate the internet and fight threats such as cyber attacks, online censorship and hate speech. With the launch of a declaration entitled the ‘Paris call for trust and security in cyberspace’, French President Emmanuel Macron is hoping to revive efforts to regulate cyberspace after the last round of United Nations negotiations failed in 2017. In the document, which is supported by many European countries but, crucially, not China or Russia, the signatories urge governments to beef up protections against cyber meddling in elections and prevent the theft of trade secrets. The Paris call was initially pushed for by tech companies but was redrafted by French officials to include work done by U.N. experts in recent years.



Reuters

November 12, 2018

Australia's chief cyber security chief said on Tuesday an investigation into the hacking of defense contractor Austal Ltd could take years, rejecting a local media report that his agency had concluded the attack originated from Iran. Austal said earlier this month hackers had breached its defenses to gain access to ship designs and that some staff email addresses and mobile phone numbers were accessed. The attack triggered an investigation by the Australian Cyber Security Centre (ACSC), the country's top cyber security unit. The Australian Broadcasting Corporation reported on Tuesday that the ACSC had determined criminals in Iran were behind the attack, but the ACSC rejected the news report. "Some might have their suspicions but we can't come to the conclusion that it came from any one country," Alastair MacGibbon, head of the ACSC, told Reuters.



TECHNOLOGY



The New York Times

November 14, 2018

In a technology lab full of graduate students huddled over laptops, Prof. Marios Savvides flipped through photos on a computer screen searching for one full of people whose faces were barely recognizable to the human eye. “How about a riot?” Professor Savvides asked. He had just come upon an image of police officers wearing helmets and gas masks and rioters covering their mouths and noses with bandannas — all trying to shield themselves from the tear-gas- and smoke-filled air. Professor Savvides was delighted. It was a perfect example of where, with the facial recognition skills of artificial intelligence, “we can now recognize a face from very few pixels,” he said. The episode was unfolding at the Biometrics Center, part of the CyLab Security and Privacy Institute at Carnegie Mellon University. CyLab, which includes the center, was founded in 2003 to expand the boundaries of technology and protect people when that technology — or the people using it — poses a threat.



Ars Technica

November 13, 2018

Back at the start of the year, a set of attacks that leveraged the speculative execution capabilities of modern high-performance processors was revealed. The attacks were named Meltdown and Spectre. Since then, numerous variants of these attacks have been devised. In tandem, a range of mitigation techniques has been created to enable at-risk software, operating systems, and hypervisor platforms to protect against these attacks. A research team—including many of the original researchers behind Meltdown, Spectre, and the related Foreshadow and BranchScope attacks—has published a new paper disclosing yet more attacks in the Spectre and Meltdown families. The result? Seven new possible attacks. Some are mitigated by known mitigation techniques, but others are not. That means further work is required to safeguard vulnerable systems.