Encryption

Unprecedented - Cyber Attackers Release Secret Key To Save Irish Health System (bbc.com) 52

Lanodonal shares a report from the BBC: Hackers responsible for causing widespread disruption to the Irish health system have unexpectedly gifted it with the tool to help it recover. The Conti ransomware group was reportedly asking the Irish health service for $20 million to restore services after the "catastrophic hack." But now the criminals have handed over the software tool for free. The Irish government says it is testing the tool and insists it did not, and would not, be paying the hackers. Taoiseach (Irish prime minister) Micheál Martin said on Friday evening that getting the software tool was good, but that enormous work is still required to rebuild the system overall.

Conti is still threatening to publish or sell data it has stolen unless a ransom is paid. On its darknet website, it told the Health Service Executive (HSE), which runs Ireland's healthcare system, that "we are providing the decryption tool for your network for free." "But you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation." It was unclear why the hackers gave the tool -- known as a decryption key -- for free, said Health Minister Stephen Donnelly.
In an alert made public Thursday by the American Hospital Association, the FBI said the Conti group has also hit at least 16 U.S. medical and first response networks in the past year.
Crime

Leaked Emails Show Crime App Citizen Is Testing On-Demand Security Force (vice.com) 90

An anonymous reader quotes a report from Motherboard: Crime and neighborhood watch app Citizen has ambitions to deploy private security workers to the scene of disturbances at the request of app users, according to leaked internal Citizen documents and Citizen sources. The plans mark a dramatic expansion of Citizen's purview. It is currently an app where users report "incidents" in their neighborhoods and, based on those reports and police scanner transcriptions, the app sends "real-time safety alerts" to users about crime and other incidents happening near where a user is located. It is essentially a mapping app that allows users to both report and learn about crime (or what users of the app perceive to be crime) in their neighborhood. The introduction of in-person, private security forces drastically alters the service, and potential impact, that Citizen may offer in the future, and provides more context as to why a Citizen-branded vehicle has been spotted driving around Los Angeles. The news comes after Citizen offered a $30,000 bounty against a person it falsely accused of starting a wildfire.

In short, the product, described as "security response" in internal emails, would have Citizen send a car with private security forces to an app user, according to the former employee. A private security company working with Citizen would provide the response staff, the former employee added. A second Citizen source confirmed this description of the service. Citizen has been actively testing the program, with what the company describes as quick response times and instant communication between Citizen and security partners, according to the emails.

Currently, Citizen offers a subscription product called "Protect," which costs $19.99 per month. Protect sends a user's location to a Citizen employee when it's turned on, can stream video to a "Protect agent" when activated using a safeword, and is pitched to users as a "digital bodyguard." Protect also advertises "Instant emergency response to your exact location," and says "Live monitoring means you never have to walk alone." It is not clear if the private security response would be tied to Protect or another service.
A Citizen spokesperson told Motherboard that "LAPS offers a personal rapid response service that we are testing internally with employees as a small test. For example, if someone would like an escort to walk them home late at night, they can request this service. We have spoken with various partners in designing this pilot project." They declined to answer other questions from Motherboard.
Government

FBI Says Conti Ransomware Gang Has Hit 16 US Health and Emergency Networks (reuters.com) 27

The Federal Bureau of Investigation said that the same group of online extortionists blamed for striking the Irish health system last week have also hit at least 16 U.S. medical and first response networks in the past year. From a report: In an alert made public Thursday by the American Hospital Association, the FBI said the cybercriminals using the malicious software dubbed 'Conti' have targeted law enforcement, emergency medical services, dispatch centers, and municipalities. The alert did not name the victims or go into detail about the nature or severity of the breaches, saying only that they were among more than 400 organizations worldwide targeted by "Conti actors."
IOS

Apple Wants Users To Trust iOS, But It Doesn't Trust iOS Users (theverge.com) 95

Apple's software engineering head Craig Federighi had a tricky task in the Epic v. Apple trial: explaining why the Mac's security wasn't good enough for the iPhone. From a report: Mac computers have an official Apple App Store, but they also allow downloading software from the internet or a third-party store. Apple has never opened up iOS this way, but it's long touted the privacy and security of both platforms. Then Epic Games sued Apple to force its hand, saying that if an open model is good enough for macOS, Apple's claims about iOS ring hollow. On the stand yesterday, Federighi tried to resolve this problem by portraying iPhones and Macs as dramatically different devices -- and in the process, threw macOS under the bus.

The second difference is data sensitivity. "iPhones are very attractive targets. They are very personal devices that are with you all the time. They have some of your most personal information -- of course your contacts, your photos, but also other things," he said. Mobile devices put a camera, microphone, and GPS tracker in your pocket. "All of these things make access or control of these devices potentially incredibly valuable to an attacker." That may undersell private interactions with Macs; Epic's counsel Yonatan Even noted that many telemedicine calls and other virtual interactions happen on desktop. Still, it's fair to say phones have become many people's all-purpose digital lockboxes. The third difference is more conceptual. Federighi basically says iOS users need to be more protected because the Mac is a specialist tool for people who know how to navigate the complexities of a powerful system, while the iPhone and iPad are -- literally -- for babies.

Microsoft

Microsoft Releases SimuLand, a Lab Environment To Simulate Attacker Tradecraft (therecord.media) 10

Microsoft has open-sourced today a tool that can be used to build lab environments where security teams can simulate attacks and verify the detection effectiveness of Microsoft security products. The Record reports: Named SimuLand, the tool was specifically built to help security/IT teams that use Microsoft products such as Microsoft 365 Defender, Azure Defender, and Azure Sentinel. Currently, SimuLand comes with only one lab environment, specialized in detecting Golden SAML attacks. However, Microsoft said it's working on adding new ones. Community contributions are also welcome, which is the reason the project has been open-sourced on GitHub, with Microsoft hoping to get a helping hand from the tens of thousands of security teams that run its software.

"If you would like to share a new end-to-end attacker path, let us know by opening an issue in our GitHub repository, and we would be happy to collaborate and provide some resources to make it happen," Microsoft said today in a blog post. But Microsoft doesn't want only lab environments specialized in executing well-known techniques or adversary tradecraft. The OS maker is also encouraging the community to contribute improved detection rules for the attacks they're sharing, so everyone can benefit from the shared knowledge.

Security

CNA Financial Paid $40 Million in Ransom After March Cyberattack (bloomberg.com) 11

CNA Financial, among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, Bloomberg News reported Thursday. From a report: The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren't authorized to discuss the matter publicly. In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker's identity with the FBI and the Treasury Department's Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.
Security

Microsoft Warns of Malware Campaign Spreading a RAT Masquerading as Ransomware (therecord.media) 32

The Microsoft security team has published details about a malware campaign that is currently spreading a remote access trojan named STRRAT that steals data from infected systems while masquerading as a ransomware attack. From a report: According to the Microsoft Security Intelligence team, the campaign is currently leveraging a mass-spam distribution vector to bombard users with emails containing malicious PDF file attachments. "Attackers used compromised email accounts to launch the email campaign," Microsoft said in a series of tweets last night. "The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware." First spotted in June 2020, STRRAT is a remote access trojan (RAT) coded in Java that can act as a backdoor on infected hosts. According to a technical analysis by German security firm G DATA, the RAT has a broad spectrum of features that vary from the ability to steal credentials to the ability to tamper with local files.
Desktops (Apple)

Craig Federighi Says the Mac Has An 'Unacceptable' Malware Problem (9to5mac.com) 99

Craig Federighi is currently testifying during the Apple vs. Epic lawsuit. While facing questioning from Apple's lawyers, Federighi made some interesting comments about security, particularly noting that the Mac currently has a level of malware that Apple "does not find acceptable." 9to5Mac reports: One of Federighi's goals is to paint the iPhone ecosystem, including the App Store and lack of side-loading support, as a secure and trusted environment for users. To do this, it appears that part of Federighi's strategy is to throw the Mac under the bus. Judge Yvonne Gonzalez Rogers, who is presiding over the Epic vs. Apple case, asked Federighi about why the Mac can have multiple app stores, but not the iPhone. "It is regularly exploited on the Mac," Federighi explained. "iOS has established a dramatically higher bar for customer protection. The Mac is not meeting that bar today." "Today, we have a level of malware on the Mac that we don't find acceptable," Federighi added.

The Apple executive also pointed to Android as another example of a platform with multiple app stores that suffers from security problems. "It's well understood in the security community that Android has a malware problem," he explained. "iOS has succeeded so far in staying ahead of the malware problem." Federighi added that Apple is essentially playing "an endless game of whack-a-mole" with malware on the Mac and has to block "many instances" of infections that can affect "hundreds of thousands of people" every week. Since last May, Federighi testified, there have been 130 types of Mac malware, and one of them infected 300,000 systems. When asked whether side-loading would affect security on iOS, Federighi said things would change "dramatically. No human policy review could be enforced because if software could be signed by people and downloaded directly, you could put an unsafe app up and no one would check that policy," he said.

Businesses

Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom (wsj.com) 159

The operator of the Colonial Pipeline learned it was in trouble at daybreak on May 7, when an employee found a ransom note from hackers on a control-room computer. By that night, the company's chief executive came to a difficult conclusion: He had to pay. From a report: Joseph Blount, CEO of Colonial Pipeline, told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back. Mr. Blount acknowledged publicly for the first time that the company had paid the ransom, saying it was an option he felt he had to exercise, given the stakes involved in a shutdown of such critical energy infrastructure. The Colonial Pipeline provides roughly 45% of the fuel for the East Coast, according to the company. "I know that's a highly controversial decision," Mr. Blount said in his first public remarks since the crippling hack. "I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this. But it was the right thing to do for the country," he added.

[...] Mr. Blount said Colonial paid the ransom in consultation with experts who had previously dealt with the criminal organization behind the attacks. He and others involved declined to detail who assisted in those negotiations. Colonial said it has cyber insurance, but declined to provide details on ransomware-related coverage. In return for the payment, made in the form of bitcoin, about 75 in all, according to a person familiar with the matter, the company received a decryption tool to unlock the systems hackers penetrated. While it proved to be of some use, it was ultimately not enough to immediately restore the pipeline's systems, the person said.

Google

Chrome Now Uses Duplex To Fix Your Stolen Passwords (theverge.com) 14

The same technology that powers Google Duplex to call businesses and make appointments for you is being used to help you automatically change your password to a website that's been compromised in a security breach. TechCrunch reports: This new feature will start to roll out slowly to Chrome users on Android in the U.S. soon (with other countries following later), assuming they use Chrome's password-syncing feature. It's worth noting that this won't work for every site just yet. As a Google spokesperson told us, "the feature will initially work on a small number of apps and websites, including Twitter, but will expand to additional sites in the future."
Security

Eufycam Wi-Fi Security Cameras Streamed Video Feeds From Other People's Homes (theregister.com) 7

A software bug that's now been fixed allowed some Eufycam owners to stream video from strangers' homes instead of their own. The Register reports: These 1080p Wi-Fi-connected devices are made by Anker, and are designed to be used indoors and outdoors. They can record to microSD cards and/or the cloud, and are viewable via a mobile app. On Monday, some users found themselves staring at feeds from other people's homes -- even those in other countries -- and feared they were being watched, too. The privacy breakdown sparked an eruption of complaints on Reddit and Anker's support forum.

A spokesperson for Anker told us just a small number of customers were affected: "Due to a software bug during our latest server upgrade at 4:50 AM EST today, a limited number (0.001 per cent) of our users were able to access video feeds from other users' cameras. Our engineering team recognized this issue at around 5:30 AM EST, and quickly got it fixed by 6:30AM EST." We're told customers in the US, New Zealand, Australia, Cuba, Mexico, Brazil, and Argentina were affected though not GDPR-armed Europe. "We realize that as a security company we didn't do good enough," the spokesperson added. "We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again."
Eufy recommends users unplug and then reconnect their devices, log out of the Eufy security app, and log in again to fix the issue.
Bitcoin

Hackers Behind Colonial Pipeline Attack Reportedly Received $90 Million In Bitcoin Before Shutting Down (cnbc.com) 59

An anonymous reader quotes a report from CNBC: DarkSide, the hacker group behind the recent Colonial Pipeline ransomware attack, received a total of $90 million in bitcoin ransom payments before shutting down last week, according to new research. Colonial Pipeline was hit with a devastating cyberattack earlier this month that forced the company to shut down approximately 5,500 miles of pipeline in the United States, crippling gas delivery systems in Southeastern states. The FBI blamed the attack on DarkSide, a cybercriminal gang believed to be based in Eastern Europe, and Colonial reportedly paid a $5 million ransom to the group.

On Friday, London-based blockchain analytics firm Elliptic said it had identified the bitcoin wallet used by DarkSide to collect ransom payments from its victims. The same day, security researchers Intel 471 said DarkSide had closed down after losing access to its servers and as its cryptocurrency wallets were emptied. DarkSide also blamed "pressure from the U.S.," according to a note obtained by Intel 471. In a blog post Tuesday, Elliptic said DarkSide and its affiliates bagged at least $90 million in bitcoin ransom payments over the past nine months from 47 victims. The average payment from organizations was likely $1.9 million, Elliptic said.
"To our knowledge, this analysis includes all payments made to DarkSide, however further transactions may yet be uncovered, and the figures here should be considered a lower bound," said Tom Robinson, Elliptic's co-founder and chief scientist.

According to Elliptic, $15.5 million of the $90 million total haul went to DarkSide's developer while $74.7 million went to its affiliates. The majority of the funds are being sent to crypto exchanges, where they can be converted into fiat money, Elliptic added.
Security

Try This One Weird Trick Russian Hackers Hate (krebsonsecurity.com) 78

Brian Krebs: In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed -- such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick. The Twitter thread came up in a discussion on the ransomware attack against Colonial Pipeline, which earlier this month shut down 5,500 miles of fuel pipe for nearly a week, causing fuel station supply shortages throughout the country and driving up prices. The FBI said the attack was the work of DarkSide, a new-ish ransomware-as-a-service offering that says it targets only large corporations.

DarkSide and other Russian-language affiliate moneymaking programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia. This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities. In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country's borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies. [...] Here's the thing: Digital extortion gangs like DarkSide take great care to make their entire platforms geopolitical, because their malware is engineered to work only in certain parts of the world.

China

Censorship, Surveillance and Profits: A Hard Bargain for Apple in China (nytimes.com) 79

Apple has compromised on data security to placate Chinese authorities, the New York Times reported Monday, citing internal company documents and interviews with current and former Apple employees and security experts. An excerpt from the story: At the data center in Guiyang, which Apple hoped would be completed by next month, and another in the Inner Mongolia region, Apple has largely ceded control to the Chinese government. Chinese state employees physically manage the computers. Apple abandoned the encryption technology it used elsewhere after China would not allow it. And the digital keys that unlock information on those computers are stored in the data centers they're meant to secure.

[...] In China, Apple has ceded legal ownership of its customers' data to Guizhou-Cloud Big Data, or GCBD, a company owned by the government of Guizhou Province, whose capital is Guiyang. Apple recently required its Chinese customers to accept new iCloud terms and conditions that list GCBD as the service provider and Apple as "an additional party." Apple told customers the change was to "improve iCloud services in China mainland and comply with Chinese regulations."

The terms and conditions included a new provision that does not appear in other countries: "Apple and GCBD will have access to all data that you store on this service" and can share that data "between each other under applicable law." Under the new setup, Chinese authorities ask GCBD -- not Apple -- for Apple customers' data, Apple said. Apple believes that gives it a legal shield from American law, according to a person who helped create the arrangement. GCBD declined to answer questions about its Apple partnership.
Matthew Green, who teaches cryptography at Johns Hopkins, commented on Times' story: "Apple asked a lot of people to back them against the FBI in 2015. They used every tool in the legal arsenal to prevent the US from gaining access to their phones. Do they think anyone is going to give them the benefit of the doubt now?"
Security

US Considers Law Requiring Companies to Report All Cyberattacks (politico.com) 101

The Colonial Pipeline cyberattack has spurred new efforts in the U.S. Congress "to require critical companies to tell the government when they've been hacked." Politico reports: Even leading Republicans are expressing support for regulations after this week's chaos — a sharp change from past high-profile efforts that failed due to GOP opposition. The swift reaction from lawmakers reflects the disruptive impact of the ransomware attack on Colonial...

The vast majority of private companies don't have to report cyberattacks to any government entity — not even those, like Colonial, whose disruptions can wreak havoc on U.S. economic and national security. And often, they choose to keep quiet. That information gap leaves the rest of the country in the dark about how frequently such attacks occur and how they're perpetrated. It also leaves federal authorities without crucial information that could help protect other companies from similar attacks. Without reporting from companies, "the United States government is completely blind to what is happening," Brandon Wales, the acting director of DHS' Cybersecurity and Infrastructure Security Agency, told reporters on Thursday. "That just weakens our overall cyber posture across our entire country."

Wales said the solution was for Congress to require companies to report cyber incidents. Lawmakers of both parties told POLITICO they are crafting legislation to mandate cyberattack reporting by critical infrastructure operators such as Colonial, along with major IT service providers and any other companies that do business with the government. The planned legislation predates the pipeline attack — lawmakers began drafting it soon after learning about last year's massive SolarWinds espionage campaign, in which suspected Russian hackers infiltrated nine federal agencies and roughly 100 companies. But the Colonial strike has added urgency to the effort. The group expects to introduce the legislation within weeks, a Senate aide said. "You couldn't have a better reason" for such a mandate than seeing the economic impact of Colonial and SolarWinds, said Senate Intelligence Chair Mark Warner (D-Va.), one of the leaders of the legislation along with Republican Sen. Marco Rubio of Florida.

Warner said the intent is to provide a "public-private forum where, with appropriate immunity and confidentiality, you can — mid-incident — report, so we can make sure that it doesn't spread worse..." In the case of Colonial, CISA's Wales said the company did not provide the administration with technical information about the breach until Wednesday night — five days after it was reported — and even then the data was not comprehensive... Companies typically choose not to voluntarily share data with the government for legal and reputational reasons. They fear that the notoriously leak-prone government won't protect their information, leading to embarrassing and potentially actionable revelations.

Politico adds that "the incident reporting situation has become untenable, many cybersecurity experts say. Nation-state hackers are using vulnerable companies as springboards into their customers and partners, and criminal groups are attacking hospitals, schools and energy companies in ways that, if reported, could be tracked and prevented elsewhere."
Cellphones

Huawei Could Eavesdrop on 6.5 Million Dutch Cellphone Users Without their Knowledge (theconversation.com) 100

"Chinese technology provider Huawei was recently accused of being able to monitor all calls made using Dutch mobile operator KPN," writes the Conversation. Long-time Slashdot reader schwit1 shares their report: The revelations are from a secret 2010 report made by consultancy firm Capgemini, which KPN commissioned to evaluate the risks of working with Huawei infrastructure. While the full report on the issue has not been made public, journalists reporting on the story have outlined specific concerns that Huawei personnel in the Netherlands and China had access to security-essential parts of KPN's network - including the call data of millions of Dutch citizens - and that a lack of records meant KPN couldn't establish how often this happened... KPN essentially granted Huawei "administrator rights" to its mobile network by outsourcing work to the Chinese firm.

Legislation is only now catching up to prevent similar vulnerabilities in telecoms security...

Lower revenues force operators to carefully manage costs. This means that operators have been keen to outsource parts of their businesses to third parties, especially since the late 2000s. Large numbers of highly skilled engineers are an expensive liability to have on the balance sheet, and can often appear underused when things are running smoothly... outsourcing by mobile operators is widespread. And firms in the UK and across Europe have often turned to Huawei to provide IT services and to help build core networks.

In 2010, Huawei was managing security-critical functions of KPN's core network.

Security

MITRE Security Tests Reveal Built-in Advantage of First-Gen Antivirus Vendors (esecurityplanet.com) 17

Slashdot reader storagedude writes: The MITRE cybersecurity product evaluations use adversarial attack techniques instead of basic malware samples, and as a result are the best tests of enterprise security products — particularly in light of dramatic recent attacks on SolarWinds and Colonial Pipeline.

What's especially interesting is just how well first-generation antivirus vendors like Symantec, McAfee and Trend Micro have fared in the MITRE tests. An eSecurity Planet article analyzes the data and speculates on why the old guard may have a built-in advantage over the hot upstarts:

"They may have been overshadowed in recent years by some of the flashy marketing of the upstarts, but that long history gives the old guard a product depth that's tough to beat," eSecurity Planet wrote. "Just one example: Symantec was prepared for last year's SolarWinds hack because it long ago faced attacks when hackers tried to disable endpoint agents, a primary vector for the Sunburst malware.

"In cybersecurity, experience still counts for something."

Businesses

How Should a Company Handle a Ransomware Attack? (itwire.com) 68

ITWire reports on how Norwegian firm Volue Technology handled a ransomware attack that began on May 5th: The company has set up a Web page with information about the attack and also links to frequent updates about the status of its systems. There was no obfuscation about the attack, none at all. The company said: "The ransomware attack on Volue Technology ('Powel') was caused by Ryuk, a type of malware usually known for targeting large, public-entity Microsoft Windows systems."

What is even more remarkable about this page is that it has provided the telephone number and email address of its chief executive, Trond Straume, and asked for anyone who needs additional information to contact him. Not some underling.

ITWire argues this response "demonstrated to the rest of the world how a ransomware attack should be handled."
United States

How America Will Improve Its Cybersecurity (politico.com) 119

Politico writes: President Joe Biden on Wednesday ordered a sweeping overhaul of the federal government's approach to cybersecurity, from the software that agencies buy to the security measures that they use to block hackers, as his administration continues grappling with vulnerabilities exposed by a massive digital espionage campaign carried out by the Russian government... Biden's order requires agencies to encrypt their data, update plans for securely using cloud hosting services and enabling multi-factor authentication...

It also creates a cyber incident review group, modeled on the National Transportation Safety Board that investigates aviation, railroad and vehicle crashes, to improve the government's response to cyberattacks. And it sets the stage for requiring federal contractors to report data breaches and meet new software security standards.

The directive, which sets deadlines for more than 50 different actions and reports, represents a wide-ranging attempt by the new Biden administration to close glaring cybersecurity gaps that it discovered upon taking office and prevent a repeat of Moscow's SolarWinds espionage operation, which breached nine federal agencies and roughly 100 companies... In addition to requiring agencies to deploy multi-factor authentication, the order requires them to install endpoint detection and response software, which generates warnings when it detects possible hacks. It also calls for agencies to redesign their networks using a philosophy known as zero-trust architecture, which assumes that hackers are inside a network and focuses on preventing them from jumping from one computer to another... Officials say current federal monitoring programs are outdated — they can only spot previously identified malware, and they can't protect increasingly pervasive cloud platforms...

Biden's executive order attempts to prevent another SolarWinds by requiring information technology service providers to meet new security requirements in order to do business with the federal government. These contractors will need to alert the government if they are hacked and share information about the intrusion.

The order "reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security," one senior administration official told reporters. The order notes "persistent and increasingly sophisticated malicious cyber campaigns" that "threaten the public sector, the private sector, and ultimately the American people's security and privacy," calling for "bold changes and significant investments."

But the order also argues that "In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is..." warning that "The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors." To that end, the order also requires guidelines for a "Software Bill of Materials" or "SBOM," a "formal record containing the details and supply chain relationships of various components used in building software... analogous to a list of ingredients on food packaging." [A]n SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
ZDNet reports that "the Linux and open-source community are already well on their way to meeting the demands of this new security order," citing security projects in both its Core Infrastructure Initiative (CII) and from the Open Source Security Foundation (OpenSSF).
