Wassenaar Changes to CCL Implemented by BIS


The Bureau of Industry and Security (BIS) has implemented Wassenaar Arrangement changes to the Commerce Control List (CCL).  These changes were agreed upon in the Wassenaar 2018 Plenary meeting.  The changes to the CCL will place additional controls on the export of certain emerging technologies.  It is therefore important that exporters make themselves aware of these new export controls.

What is the Wassenaar Arrangement?

The Wassenaar Arrangement was formed in July of 1996 to promote regional and international security and stability.  Its forty-two member states have agreed to encourage greater responsibility in the transfer of conventional arms and dual-use goods.  Participating states are required to report their transfers and denials of goods that fall under the List of Dual-Use Goods and Technologies and the Munitions List.  Agreed-upon guidelines, elements, and procedures are enacted at the discretion of each member state's own policies.

What Changes Have Been Made to the CCL?

The BIS published its final rule implementing the Wassenaar Arrangement changes agreed in 2018 on May 23, 2019 (84 FR 23886).  The rule went into effect September 11, 2020.

The resulting changes in the CCL affect five emerging technologies: discrete microwave transistors, continuity of operation software, post-quantum cryptography, underwater transducers designed to operate as hydrophones, and air-launch platforms.  As a result, revisions have been made to twenty-eight Export Control Classification Numbers (ECCNs).  The changes affect the following categories:

  • Category 0 - Nuclear Materials, Facilities, and Equipment [and Miscellaneous Items]
  • Category 1 - Special Materials and Related Equipment, Chemicals, “Microorganisms”, and “Toxins”
  • Category 2 - Materials Processing
  • Category 3 - Electronics
  • Category 5 - Part 1 “Telecommunications” and Part 2 “Information Security”
  • Category 6 - Sensors and Lasers
  • Category 7 - Navigation and Avionics
  • Category 8 - Marine
  • Category 9 - Aerospace and Propulsion

Change Is the Only Constant in Export Law

The Wassenaar changes to the CCL are but one example of recent changes to export law.  The International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) are under constant change to respond to the security requirements of the United States.  As a result, exporters must monitor these changes to remain in compliance.  Failure to meet export regulations can result in fines, debarment (loss of the ability to export), and even imprisonment.

CVG Strategy Export Compliance Consultants

CVG Strategy has been helping businesses develop and maintain export compliance programs.  A viable and effective compliance program is a requirement for parties dealing in the export of goods.  Our staff can establish tailored processes and procedures to keep your organization on track.  We also offer up-to-date, engaging training that will keep your team current on export law regulations.


Video Conferencing Application Vulnerabilities an Issue


Video conferencing application vulnerabilities have been frequently in the news during the Covid-19 pandemic.  During this time the use of these apps has skyrocketed due to remote work and schooling.  This has presented a tempting target for cyber criminals seeking to steal information and disrupt activities.

Zoom Bombing Incidents

AL.COM reported that Saturday night Jewish prayer services in Alabama were zoombombed with anti-Semitic messages, swastikas, and images of Adolf Hitler.  The Selichot services held in Montgomery, Mobile, Auburn, and Dothan were being held on the online video conferencing platform Zoom in lieu of in-person services due to the coronavirus pandemic.

On September 14, 2020, a federal court hearing in Georgia challenging voting machines was interrupted with videos of the 9/11 attacks, swastikas, and porn.  Again, the Zoom app was being used in the session.

A Chicago Public School virtual elementary classroom session was subjected to images of pornography and weapons.  This incident involved the Google Meet video conferencing application. 

Secure Video Conferencing Apps

All video conference tools have potential security issues.  Many, however, have a history of repeated incidents involving disruption and the compromise of sensitive information.

Zoom, for example, was hit with multiple lawsuits for selling user data to Facebook.  Additionally, the company left thousands of personal videos on the open web.  As a result, names, phone numbers, and intimate conversations were left viewable on the Zoom cloud.

There are many video conferencing apps available to the public that are considered safer to use.  These apps use end-to-end encryption, also known as E2EE, to ensure that only the participating users can access messages or media.  A TechieTechTech review rated Signal Private Messenger, Wire Platform, FaceTime, and Linphone favorably.

Video Conferencing Security Best Practices

Video conferencing is becoming more and more of a necessity as the Covid pandemic requires people to work from home and engage in virtual classrooms.  Cyber security is everybody’s responsibility.  Any application or service can be compromised by ineffective practices on the part of the user.

The Cybersecurity and Infrastructure Security Agency (CISA) has released guidance for securing video conferencing.  This guidance includes tips on how to ensure secure connections, control access, manage data access, and ensure that the latest versions of applications are in use.  Specific guidance for remote classrooms can be found in a previous post, “Teleconferencing Guidance for Education”.

CVG Strategy Cybersecurity

Video conferencing application vulnerabilities pose a significant threat to the well-being and security of our families, communities, and organizations.  Our cybersecurity experts are committed to upgrading the cybersecurity awareness and preparedness of businesses and organizations.

We can assist you in developing Information Security Management Systems (ISMS) appropriate to your unique requirements.  We specialize in ISO 27001, NIST 800-171, and CMMC Certification.  A properly structured ISMS can help your organization identify risks, employ effective security measures, and create incident response plans.  


Arab League Boycott Faces Uncertain Future


The Arab League Boycott was dealt a severe blow when the United Arab Emirates (UAE) issued a decree ending its involvement in it.  This announcement now allows trade between the UAE and Israel.  It follows the normalization of relations between Israel and the UAE created by the recent peace accord. 

What is the Arab Boycott?

The Arab Boycott was formally declared by the Arab League in 1945 as an effort to isolate and weaken Israel.  It called for Arab institutions, organizations, merchants, commission agents, and individuals to refuse to deal in, distribute, or consume Israeli products.  As the boycott evolved in its efforts to isolate Israel, it focused on three targets:

  1. Restriction of trade between Israel and Arab states.
  2. Restriction of trade between companies that trade with Israel and Arab states.
  3. Boycotting agencies that trade with other companies that trade with Israel.

United States Anti Boycott Regulations

In 1977 President Jimmy Carter signed into law Anti-Boycott Regulations to prohibit U.S. businesses from participating in the boycotts.  These regulations were incorporated as amendments to the Export Administration Act (EAA).  They were also incorporated into the Ribicoff Amendment to the 1976 Tax Reform Act (TRA).

As a result, the Export Administration Regulations (EAR) administered by the Bureau of Industry and Security (BIS) require reporting of any request to participate in the boycott.  Additionally, the TRA requires reporting of operations in or related to a country participating in the boycott.

Boycott Loses Momentum but Remains a Concern

As various Arab countries have negotiated peace treaties with Israel, the effectiveness of the boycott has decreased.  These nations include Qatar, Oman, Egypt, Jordan, and Morocco.  Many expect that more Arab states will break away from the boycott in the near future.

Moreover, many non-Arab states have not recognized the boycott.  France, Germany, the Netherlands, and Japan have all enacted laws making cooperation with the boycott unlawful.

Effect of Boycott on U.S. Businesses

The boycott remains a concern for exporters in the United States, as requests to comply with it continue to come from businesses in Arab states.  A 1993 study estimated that U.S. firms lost $410 million in exports due to the boycott.  Additionally, for that year another $160 million was spent on costs associated with compliance with the anti-boycott regulations.  Failure to comply with anti-boycott regulations can result in criminal and administrative fines and penalties, including denial of export privileges.

CVG Strategy

CVG Strategy has been assisting businesses to comply with export laws for over a decade.  This includes anti-boycott compliance.  Our experts can help you establish an export compliance program for the EAR and the International Traffic in Arms Regulations (ITAR).  We can also provide the training necessary to keep your export team up to date with ever-changing regulations.

Denial of Service Attacks on the Increase


A denial of service (DoS) attack occurs when a targeted host or network is incapable of responding to legitimate users as a result of being flooded with traffic from the attacker.  Businesses worldwide have reported an increased number of these kinds of attacks.  Because these attacks make an organization’s resources and services inaccessible, they can be costly.

Denial of Service Methods

SYN Flood

A SYN flood is a type of denial of service attack.  It exploits the three-way handshake of TCP, one of the main protocols of the Internet.

After sending a synchronize (SYN) message to a server, the attacker fails to respond to the server's SYN-ACK, or sends the SYN from a spoofed IP address so that the reply goes nowhere.  This causes the server to wait for an acknowledgement (ACK) that never arrives, holding each connection in a half-open state.  When enough of these half-open connections accumulate, the server can no longer accept legitimate ones and network congestion occurs.
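The half-open state described above is visible to a defender as a pile-up of sockets in the SYN-RECV state.  The following is an added example (not from the original post) that parses a constructed snapshot in the format printed by the Linux `ss -tan` command, counts half-open connections per local port, and flags ports whose count exceeds an assumed threshold, along with how many distinct source addresses are involved; a wide spread of sources is the hallmark of spoofed or distributed SYN traffic.

```python
"""Flag a possible SYN flood from a snapshot of TCP socket states.

Added example, not part of the original post.  Input lines follow the
layout of `ss -tan` output on Linux; the sample below is constructed,
and the threshold is an assumed tuning value to be set from a baseline.
"""
from collections import defaultdict

# Constructed sample: one established session, a burst of half-open
# handshakes on port 443 from many different sources, one on port 22.
SAMPLE_SS_OUTPUT = """State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:443         198.51.100.7:51234
SYN-RECV   0      0      10.0.0.5:443         203.0.113.10:40001
SYN-RECV   0      0      10.0.0.5:443         203.0.113.11:40002
SYN-RECV   0      0      10.0.0.5:443         203.0.113.12:40003
SYN-RECV   0      0      10.0.0.5:443         203.0.113.13:40004
SYN-RECV   0      0      10.0.0.5:443         203.0.113.14:40005
SYN-RECV   0      0      10.0.0.5:22          203.0.113.20:40006
LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
"""

HALF_OPEN_THRESHOLD = 5  # assumed; real deployments derive this from normal load


def parse_ss(text):
    """Yield (state, local_port, peer_ip) for each socket line of `ss -tan` text."""
    for line in text.splitlines()[1:]:          # first line is the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        local_port = local.rsplit(":", 1)[1]     # rsplit copes with IPv6 literals
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def half_open_by_port(text):
    """Map local port -> list of peer IPs holding a half-open (SYN-RECV) socket."""
    table = defaultdict(list)
    for state, port, peer_ip in parse_ss(text):
        if state == "SYN-RECV":
            table[port].append(peer_ip)
    return table


def detect_syn_flood(text, threshold=HALF_OPEN_THRESHOLD):
    """Return {port: {"half_open": n, "distinct_sources": m}} for ports at or over threshold."""
    alerts = {}
    for port, peers in half_open_by_port(text).items():
        if len(peers) >= threshold:
            alerts[port] = {"half_open": len(peers),
                            "distinct_sources": len(set(peers))}
    return alerts


if __name__ == "__main__":
    for port, info in detect_syn_flood(SAMPLE_SS_OUTPUT).items():
        print(f"port {port}: {info['half_open']} half-open connections "
              f"from {info['distinct_sources']} sources")
```

On a live Linux host the same functions can be fed the output of `ss -tan`; enabling SYN cookies (`net.ipv4.tcp_syncookies=1`) lets the kernel keep accepting legitimate connections while its backlog is being flooded.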

Distributed Denial of Service (DDoS)

A distributed denial of service (DDoS) attack uses multiple machines operating together to attack one target.  This is often accomplished using a group of hijacked internet-connected devices known as a botnet.  The botnet is commanded to conduct the attack on the target victim.  This type of attack also victimizes the owners of the hijacked devices.

Application Layer Attacks

In an application layer attack the attacker targets specific functions or features on a website and seeks to over-exercise them to deplete the site’s operating resources.  This can lead to disrupted transactions or loss of database access.  This is often accomplished by attackers using pre-built tools.

Actions To Take if Your Organization Is Being Attacked

If you notice unusually slow performance when opening files or accessing the internet, you may be under attack.  It is advisable to contact your system administrator so that they can detect and identify a potential attack.  Once an attack has been identified, firewalls can be configured to mitigate it.  Traffic can also be rerouted through a DoS protection service.

During a DoS attack it is very important to remain vigilant about data security.  Often an attacker will launch a DoS attack on a targeted network as a diversion when their real goal is data theft.

The Importance of Being Prepared

Organizations have been slow to respond to cyber threats.  As a result, billions of dollars a year are being lost.  While no system can be made completely invulnerable, actions can be taken to mitigate loss.  This can be accomplished by creating an Information Security Management System (ISMS).

An ISMS can allow your business to identify vulnerabilities, assess risks, create mitigation processes, and develop response procedures.  ISMSs are powerful because they involve all stakeholders and stress training.

CVG Strategy can help you develop an ISMS that is compliant to ISO 27001 or NIST 800-171.  We also help those who supply defense products and services prepare for CMMC Certification.

IP Theft and National Security Responses


IP theft and national security have been in the news a lot of late.  Most of this news has centered around the activities of the Chinese military.  As a result, commercial and defense technologies are at risk.  Fortunately, the United States has implemented a number of measures aimed at protecting sensitive information.

Cybersecurity and Infrastructure Security Agency (CISA)

In 2018 President Donald Trump signed into law legislation creating the Cybersecurity and Infrastructure Security Agency (CISA).  This action enhanced the mission of the National Protection and Programs Directorate (NPPD), which was founded in 2007.  CISA provides programs and services to help the public and private sectors understand and manage risk associated with cybersecurity.

This activity pertains to the security of intellectual property (IP) and the security of infrastructure assets.  CISA, with the National Risk Management Center (NRMC), works to identify, analyze, and prioritize significant risks to IP and infrastructure.  As part of its activities, CISA regularly releases advisories and articles to inform the public of cyber developments and agency initiatives.

Cybersecurity Maturity Model Certification (CMMC)

The CMMC was created to ensure a cyber-safe, cyber-secure, and cyber-resilient defense industrial base.  Defense industry supply chains are comprised of organizations that vary in size and capabilities.  The CMMC was implemented largely due to the failure of industry to implement systematized approaches to cybersecurity.

CMMC establishes a tiered system of certification that suppliers and contractors must have to conduct business on defense contracts.  This system requires Department of Defense (DoD) contractors to implement the NIST SP 800-171 cybersecurity framework.

National Institute of Science and Technology (NIST)

The National Institute of Science and Technology (NIST) has conducted research and development to protect information systems.  It does this by providing standards, guidance, mechanisms, tools, metrics, and best practices.  Specific areas of involvement include cryptography, security engineering, and risk management.

CVG Strategy

CVG Strategy is concerned about IP theft and national security.  The theft of intellectual property costs businesses billions of dollars a year.  This economic espionage is a security risk for all sectors of our society.  As a result, we are committed to helping organizations implement effective Information Security Management Systems (ISMS).  A properly designed ISMS can allow your organization to assess risk and establish processes to proactively engage in cybersecurity practices.  Contact us today to see how we can help.


Sensors Transforming Manufacturing Towards Industry 4.0


Sensors are transforming manufacturing and moving us toward what is being called Industry 4.0.  Today’s sensors provide cost effective solutions to measurement and monitoring requirements.  

What is Industry 4.0?

Industry 4.0 builds on the computer revolution of Industry 3.0 by connecting intelligent devices by way of the Internet of Things (IoT) and the Internet of Systems (IoS).  This machine-to-machine communication can be harnessed to create a smart factory that is more efficient and productive.  This is because integrated intelligent devices can monitor, analyze, and diagnose production independent of human interaction.

Developments in Sensor Technology

Advances in hybrid electronics and the development of low-cost flexible circuits are innovations that are driving sensor technology forward.  These devices often incorporate micromechanical systems (MEMS) at the semiconductor level to combine functions and provide digital signal transmission.  An example of combined functions would be a sensor that can measure electrical current, temperature, and vibration.

Uses of Sensors on the Manufacturing Floor

Sensors can be incorporated into condition monitoring and predictive maintenance programs to gather information from machinery and systems critical to production.  This data can be used to detect critical stress conditions before failure occurs.  As a result, production downtime can be greatly reduced.

Sensors in Quality Control

Sensors are also transforming manufacturing in quality control.  They provide precise measurement and are of great value where there are tight tolerances.  These sensors can also perform inspection processes in a highly repeatable fashion, resulting in representative data.  Applications for quality control include temperature, coating thickness, torque, dimensional measurement, and location or orientation.

Sensors for Facility Management

Sensors can be implemented in facility management to improve asset management, control energy costs, and detect environmental issues.  This can greatly increase efficiency and help maintain regulatory compliance.

Information Integration and Quality Management

Data gathered from sensors, once analyzed, can provide metrics to increase quality and efficiency.  This can greatly increase the scope and pace of a Quality Management System.  To accomplish this, processes and procedures must be created to effectively analyze and integrate this data.  This can provide a much more dynamic, real-time assessment of quality parameters and allow for rapid corrective actions and optimizations.

CVG Strategy Quality Management Solutions

CVG Strategy quality management experts can tailor solutions to your business requirements.  We have experience in ISO 9001:2015, AS9100D, ISO 27001:2013, AAR M 1003, and ISO 13845:2016.  Our experts can provide guidance and the essential training to help you achieve a more efficiently run business with improved customer satisfaction.

Companies Added to Entity List for Building Military Islands


The Bureau of Industry and Security (BIS) added 24 companies to the Entity List for their involvement in constructing artificial military islands for the Chinese military.  China has been building these islands since 2013.  This announcement was made by the U.S. Department of Commerce on August 26, 2020.

The islands have been condemned by the United States and by nations bordering the South China Sea.  The islands allow for military control of some of the busiest shipping lanes in the world.

International Reaction to China’s Island Building

The World Court ruled that the building of the islands violated the sovereign rights of the Philippines.  This was because the Chinese military islands have interfered with the Philippine fishing and petroleum industries.  This ruling has been supported by Japan, Vietnam, and Australia, who also contest China’s claims to the waters.

Companies Added to Entity List

A number of Chinese companies have been added to the Entity List of late.  Most of these have been high-tech companies.  This has been partially the result of China’s actions with regard to Hong Kong and of cybersecurity concerns about the products of companies like Huawei.  This latest group, however, includes companies involved in construction and dredging.

What is the Entity List?

The BIS uses the Entity List to restrict the export, re-export, and in-country transfer of items subject to the Export Administration Regulations (EAR).  These restrictions can apply to individuals, organizations, or businesses.  Restrictions are applied to entities that are involved in activities contrary to the national security or foreign policy interests of the United States.  As a result, exports to those on the list are significantly limited.

Effect of BIS Ruling on U.S. Businesses

Companies added to the Entity List are subject to export restrictions.  It is the responsibility of all businesses in the United States to comply with all export law.  To fulfill these requirements it is necessary to conduct an export control classification of the items to be exported.

This classification should begin with an examination of the United States Munitions List, which categorizes military articles and services controlled by the International Traffic in Arms Regulations (ITAR).  If the item is not covered under ITAR, it should next be categorized by its Export Control Classification Number (ECCN), which is controlled by the Export Administration Regulations (EAR).

Restrictions may still apply even if an item does not fall under these classifications.  These restrictions can be the result of sanctions.  They can also apply to exports destined to parties on the Entity List.

CVG Strategy Export Compliance Consultants

Complying with ever-changing export laws is complicated.  Not complying with these laws and regulations can result in severe fines, penalties, and even imprisonment.  CVG Strategy can help you develop an export compliance program.  We can also provide the training essential to keeping your entire team current on all parts of these important regulations.

Military Cybersecurity Strategies Applicable for Businesses


Military cybersecurity strategies have developed considerably in the last decade.  General Paul Nakasone, Commander of United States Cyber Command and Director of the National Security Agency, recently shared his perspectives on how to approach cyberspace in Foreign Affairs magazine.

Employing Proactive Cybersecurity Approaches

Cyber Command was established in 2010 to protect military operations networks from cyber attacks.  Since that time the organization has moved away from reactive strategies for providing information security to the Department of Defense.  It has moved beyond securing network perimeters to actively hunting for malware.  As a result, the agency’s protection teams have developed the ability to detect, quarantine, and eject intruders from its networks.

Zero Trust Cyber Strategy

Cyber Command utilizes a zero trust approach to cyber security.  This approach is widely embraced in the cyber security community.  A zero trust architecture secures data by inspecting all network traffic.  It works on the assumption that every connection to the network is hostile until verified.

As General Nakasone stated “We aim to prevent toeholds from turning into beachheads so that a single compromise will not threaten the military’s ability to accomplish its mission.”

Cultivating an Accountability Mindset

An accountability mindset is being promoted among military commanders.  This mindset treats military cybersecurity strategies as an essential requirement and not an afterthought.  Because of this, leadership must now consider cybersecurity as a mission-critical component in any undertaking.  This “command-centric” perspective gives commanders improved comprehension of threats and necessary measures to counter them.

Lessons to be Learned From Military Cybersecurity Strategies

Businesses can learn much from studying military cybersecurity strategies.  The private sector is under increasing threat from actors who seek to compromise data and endanger critical infrastructure.  Many military cyber strategies are beyond the scope of business enterprises.  However, much can be accomplished by maintaining a proactive cyber security stance.

Accountable management of cyber security requirements, vigilant detection and response, and zero trust strategies are all effective measures.

CVG Strategy Cyber Security Consultants

CVG Strategy can help your organization develop and maintain effective Information Security Management Systems (ISMS) that are tailored to your organizational requirements.  Our experts can create ISO 27001 and NIST 800-171 compliant systems that provide security architecture, detective controls, and preventive controls.  We can also help you prepare for Cybersecurity Maturity Model Certification (CMMC).  Contact us today to see how we can help.

Training Requirements for ITAR – Knowledge is Power


Training requirements for ITAR (International Traffic in Arms Regulations) are often overlooked by companies working with defense articles and defense services.  In truth, the day-to-day challenges of developing product, conducting testing, advancing sales opportunities, and meeting deadlines consume most of our time.  The reality, however, is that even well-designed and well-intentioned export compliance programs are only as effective as the weakest team member.  As a result, infractions can occur that endanger the success of our enterprises.

Technical Data

A major vulnerability for any compliance program is the handling of technical data.  This data is available to most of a company’s personnel.  It includes information dealing with the design, manufacture, testing, repair, quality control, or installation of defense articles.

Sharing this data in any manner with a foreign person is considered a deemed export.  If this transfer occurs without a license it is considered a violation under ITAR and Export Administration Regulations (EAR).  Therefore, all personnel should receive regular training to reinforce proper data management.

Training Requirements and Your Compliance Program

Export compliance programs change as businesses evolve.  Often changes are required as a result of program audits or voluntary disclosures.  These changes must, however, be put into practice to be effective.

These process and procedure changes must be communicated on a regular basis to all involved for a business to remain ITAR compliant.  Ineffective implementation of changes meant to address known inadequacies in a program can result in prosecution when violations are found. 

Changes in Export Regulations

There have been many changes in ITAR in 2020.  Changes will quite likely continue to take place in light of developments in international relations.  As often mentioned with regard to export regulations, “Ignorance of the law is not a defense”.  Keeping current with these developments is the responsibility of everybody in an organization, starting with the executives. 

Fines and prison sentences are certainly not to be taken lightly, but neither should the loss of reputation and trust among an organization’s customers and suppliers.

CVG Strategy and Export Compliance Training

Regular training is a requirement for all employees in an export compliance program.  This is a requirement by both the Bureau of Industry and Security (BIS) and the Department of Defense Trade Controls (DDTC). 

Our comprehensive and engaging course provides training that is of value to those with experience in export law because it allows them to keep current on changes in regulations and reinforces best practices for achieving compliance.  It also provides those new to export compliance with an overview of the agencies and laws involved so that they can understand how to navigate these regulations.

CVG Strategy understands the importance of ITAR training requirements.  We provide engaging, informative, and effective training for ITAR, EAR, and Canadian export regulations.  We can also help establish an effective export compliance program that meets your organization’s requirements.  Our experts can also provide audits to monitor your program’s performance and provide metrics for improvement.

Visit our Export Compliance store for badges, signs, and other items to assist in your facility security.  We also provide quick answers to any pressing export compliance questions you might have.

Course Description

This one-day ITAR Training Basics live webinar provides a fundamental overview of the U.S. International Traffic in Arms Regulations (ITAR) and the U.S. Export Administration Regulations (EAR).  It includes instruction and exercises on how to classify articles (product and technical data).  Additionally, it explains the key principles of the regulatory and statutory framework involved in export compliance.

Subjects covered in this training include:

  • ITAR and United States Munitions List (USML)
  • EAR and CCL (Commerce Control List)
  • How to Register with the DDTC
  • ITAR and EAR technical data controls
  • ITAR and EAR licenses
  • Compliance and enforcement
  • Transition of hardware and technical data from the Munitions List (USML) to the Export Administration Regulations (EAR)
  • Regulation of brokering activities
  • Two sections on how to classify articles
  • Use of classifications to organize necessary controls under US law

Arrests for Export Dual Use Violations Announced


The U.S. Department of Justice announced the arrests of Chong Sik Yu and Yunseo Lee for export dual use violations.  These two individuals are executives of America Tecma Inc.  The charges involve exporting electronic components with military applications to Hong Kong and China.  They are also charged with conspiracy to commit wire fraud, bank fraud, and money laundering.

Efforts to Evade U.S. Export Controls

The arrests for export dual use violations occurred August 6, 2020.  Evidence including emails indicates that the defendants conspired with others to ship what they knew to be export-controlled items to Hong Kong and China.  These items included electronic components that are export-controlled under the Commerce Control List (CCL).  Yu and Lee allegedly sought to evade law enforcement by transshipping packages through South Korea and by using a separate company to send shipments to Hong Kong.

U.S. Committed to Strict Enforcement of Export Law

Assistant Attorney General for National Security John C. Demers was quoted as saying “The Department’s fight against illegal technology transfer to China is no more critical than in areas like those involved in this case — controlled items used in missile and nuclear technology.  We will do everything in our power to disrupt illegal exports like these that jeopardize our national security.  Together with the Commerce Department and all of our law enforcement partners, we will continue to protect our national security by preventing dual-use technologies from being sent abroad without the required licenses.” 

Dual Use and Export Administration Regulations

The Export Administration Regulations (EAR) are administered by the Bureau of Industry and Security (BIS).  Items deemed “dual use” (applicable to both military and commercial end use) are classified with an Export Control Classification Number (ECCN).  Because of this, the export of these items is controlled.  As a result, authorization to export these items is based on the export control classification, where the item is going, who the end users are, and what the end use of the item will be.

CVG Strategy Export Control Expertise

CVG Strategy export control experts can help your organization establish effective export compliance programs.  We have assisted businesses with the EAR and the International Traffic in Arms Regulations (ITAR) for over a decade.  We can assist with export control classifications.  Our ITAR training provides interesting and engaging education that will keep your team up to date on the latest regulations.

Check out our export compliance store for signs, badges, and visitor guides to keep your campus secure.

Russian Cyber Espionage Malware


The National Security Agency and the Federal Bureau of Investigation have issued a joint advisory about Russian cyber espionage malware known as Drovorub.  Drovorub is a Linux toolset consisting of an implant paired with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server.  Once deployed on a victim Linux system it gives the operators file download and upload capabilities, execution of arbitrary commands as root, and port forwarding of network traffic to other hosts on the network.  The kernel module hides the implant’s files, processes, and network sockets from the system owner, and the implant persists across reboots.  Drovorub is proprietary malware developed for use by the Russian General Staff Main Intelligence Directorate (GRU).

Recommended Mitigations

To mitigate this Russian cyber espionage malware, the NSA has made the following recommendations:

  • System administrators should continually check for and run the latest version of vendor-supplied software for their computer systems.  At a minimum this means running Linux kernel 3.7 or later, the first release that supports kernel module signature enforcement; the Drovorub rootkit is an unsigned kernel module, so a kernel that refuses unsigned modules cannot load it. 
  • System owners are advised to configure systems to load only kernel modules with a valid digital signature (a kernel built with CONFIG_MODULE_SIG and booted with signature enforcement turned on). 
  • UEFI Secure Boot should be activated in “full” or “thorough” mode so that only signed boot components and kernels are loaded.  On most distributions, booting with Secure Boot enabled also turns on kernel lockdown, which in turn enforces module signing, so Secure Boot and module signature enforcement should be verified together.
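The three recommendations above are a checklist, and a practitioner will want a quick way to confirm a host actually meets them.  The following script is an added example written for this page; it is not code from the NSA/FBI advisory or from CVG Strategy.  It reads the kernel release string, the standard `/sys/module/module/parameters/sig_enforce` parameter (present only when the kernel was built with CONFIG_MODULE_SIG) and the `SecureBoot-*` EFI variable exposed by efivarfs, and reports whether each mitigation is in place.  The parsing logic is separated from the file reads so it can be exercised on constructed inputs; the `audit_host()` function is the part that inspects the live system and assumes stock kernel sysfs/efivars paths.

```python
#!/usr/bin/env python3
"""Added example: audit a Linux host against the three Drovorub mitigations
(kernel >= 3.7, module signature enforcement, UEFI Secure Boot enabled).
Not from the NSA/FBI advisory; assumes standard sysfs and efivarfs paths."""
import platform
import re
from pathlib import Path
from typing import Optional

KERNEL_MIN = (3, 7)  # CONFIG_MODULE_SIG (module signing) first shipped in 3.7
SIG_ENFORCE = Path("/sys/module/module/parameters/sig_enforce")
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_kernel_version(release: str) -> tuple:
    """'5.15.0-76-generic' -> (5, 15, 0); '4.19' -> (4, 19, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def kernel_supports_modsig(release: str) -> bool:
    """True when the running kernel is new enough to enforce module signatures."""
    return parse_kernel_version(release)[:2] >= KERNEL_MIN


def sig_enforce_status(value: Optional[str]) -> str:
    """Interpret the sig_enforce parameter.
    'Y'  -> unsigned modules are refused ('enforced')
    'N'  -> unsigned modules load but taint the kernel ('not-enforced')
    None -> file absent, kernel built without CONFIG_MODULE_SIG ('absent')"""
    if value is None:
        return "absent"
    return "enforced" if value.strip().upper() == "Y" else "not-enforced"


def secure_boot_enabled(efivar_bytes: Optional[bytes]) -> Optional[bool]:
    """efivarfs exposes 4 bytes of attributes followed by the variable data;
    SecureBoot holds a single data byte, 1 = enabled.  None if unavailable."""
    if efivar_bytes is None or len(efivar_bytes) < 5:
        return None
    return efivar_bytes[4] == 1


def audit(release: str, sig_enforce_value: Optional[str],
          efivar_bytes: Optional[bytes]) -> dict:
    """Combine the three checks into one report (pure function, testable)."""
    sb = secure_boot_enabled(efivar_bytes)
    return {
        "kernel_ok": kernel_supports_modsig(release),
        "module_signing": sig_enforce_status(sig_enforce_value),
        "secure_boot": "enabled" if sb else ("disabled" if sb is False else "unavailable"),
    }


def _read_text(path: Path) -> Optional[str]:
    try:
        return path.read_text()
    except (FileNotFoundError, PermissionError):
        return None


def _read_secureboot_var() -> Optional[bytes]:
    """Return raw bytes of the SecureBoot-<GUID> variable, or None on a
    legacy-BIOS host (no efivarfs) or when it cannot be read (needs root)."""
    if not EFIVARS.is_dir():
        return None
    for var in EFIVARS.glob("SecureBoot-*"):
        try:
            return var.read_bytes()
        except OSError:
            return None
    return None


def audit_host() -> dict:
    """Run the audit against the live system (run as root for the efivar read)."""
    return audit(platform.release(), _read_text(SIG_ENFORCE), _read_secureboot_var())


if __name__ == "__main__":
    for check, result in audit_host().items():
        print(f"{check}: {result}")
```

A host that reports `module_signing: absent` has a kernel that cannot enforce signatures at all, which is a stronger warning than `not-enforced`; and `secure_boot: unavailable` on a UEFI machine usually just means the script was not run as root, so rerun it with privileges before concluding the firmware setting is off.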

Nation State Sponsored Cyber Espionage

China has recently been in the spotlight on the subject of state-sponsored cyber attacks, and the attention is well deserved.  China has been responsible for more than 90 percent of cyber espionage cases in the United States, and this activity has increased since the beginning of 2020 as trade tensions between the two countries have ramped up.  China, however, is not the only player in this game.  Russia, North Korea, and Iran are major players as well.

Russia and China have both targeted organizations involved with coronavirus vaccine development in the United States, United Kingdom, and Canada.  This activity is widely believed to be an effort to steal intellectual property and disrupt those organizations’ work.  Of course the medical community is not the only sector at risk.  Commercial, governmental, and defense-related cyber espionage is growing rapidly, with resulting losses estimated in the trillions of dollars annually. 

CVG Strategy

CVG Strategy provides cybersecurity solutions for businesses.  We can assist in establishing an Information Security Management System (ISMS) that meets your organization’s requirements.  Our experts in ISO 27001 and NIST SP 800-171 provide effective consulting services.  We can also help you with CMMC certification.  Contact Us to see how we can help.


Manufacturing Technology and Quality Management


The Only Constant is Change in Manufacturing

Advances in manufacturing technology are affecting quality management strategies.  Companies are reassessing their manufacturing requirements, and many are reshoring to the United States.  According to studies conducted by the McKinsey Global Institute, the United States could boost annual manufacturing output by as much as 20% by 2025.  To accomplish this, manufacturing processes must use technology to create better products with higher efficiency and lower costs.  As a result, quality management systems must evolve to embrace the changes that advanced technologies will bring.

New Frontiers in Manufacturing Technology

There are many emerging technologies that will affect industry in the coming years.  These technologies will allow for higher-quality production with increased process control.  The accompanying increase in automation will result in a smaller, more capable workforce.  Some of these advancing technologies include:

  • Automated CNC.
  • Analytics and machine learning.
  • Precision robotics for assembly and quality inspection.  The number of industrial robots in the U.S. increased by more than 15% last year.
  • Additive manufacturing technologies such as 3-D printing.
  • AI for real-time monitoring and control of processes and asset maintenance.
  • Internet of Things (IoT) sensors for process control and maintenance monitoring.
  • Advances in human/machine interfaces such as Extended Reality (XR) to present data in a spatially relevant perspective.

New Perspectives for Quality Management

As the manufacturing floor changes, so too must approaches to quality management.  An important step will be to implement quality as an organization-wide function.  This will require a transition from a silo perspective to one that provides collaborative exchanges among all stakeholders.  Quality will also have to be much more action-based to keep pace with increases in data capture and analytics capabilities.  This enhanced feedback will ensure more timely continuous improvement processes.

Responding to Risks

Intelligent change must identify and mitigate risks.  Because all of the technologies mentioned here are vulnerable to cyberattack, effective cybersecurity to prevent industrial espionage and theft of intellectual property should be implemented.  An Information Security Management System (ISMS) is an excellent mechanism for accomplishing this.  It ensures that risks are identified, mitigation processes are created, and incident response procedures are in place.

CVG Strategy

CVG Strategy understands the importance of manufacturing technology and quality management.  We support the development of manufacturing in the U.S.  We offer consulting services for quality management systems that fit your organization’s requirements.  Our consultants provide expertise in ISO 9001:2015 and AS9100.  We also provide services for ISMS cybersecurity solutions including ISO 27001 and NIST SP 800-171.  Contact Us today to see how we can help.

Ransomware a Growing Problem for Businesses


Ransomware is a growing problem for organizations.  The rate of incidents is climbing sharply in governmental agencies and small to medium businesses.  The Cybersecurity and Infrastructure Security Agency (CISA) estimates that a ransomware incident occurs every 14 seconds.  While the average ransom demand is increasing, the real cost to an organization is downtime and loss of reputation.

What is Ransomware

Ransomware is malicious code that denies access to data stored on a computer or system, typically by encrypting it.  Access to the data is withheld until a ransom is paid, usually in cryptocurrency, and there is no guarantee that data will be restored once the ransom demand is met.  Because ransomware is typically spread by phishing emails or by visiting infected sites, it is difficult to mitigate through IT solutions alone.  Effective preventive measures require organizational awareness and regular training of all personnel.

Recent Incidents of Ransomware in the News

  • The Washington Times reported that the George W. Bush Presidential Center was affected by a breach disclosed on August 1, 2020.  The attack was against Blackbaud, a third-party data management service provider, which paid a ransom in exchange for the attackers’ assurance that the copy of donor data they had stolen was destroyed.
  • The city of Lafayette, Colorado was hit on August 5, 2020.  As a result, city emails, phones, and online payment portals were disabled until a $45,000 ransom was paid. 
  • Canon confirmed on August 6, 2020 that its photo and video cloud storage service had been hit by ransomware.  The service was down for over six days.

Precautions and Mitigations

CISA recommends that users keep software and operating systems up to date.  It advises that data backups be performed on a regular basis, and that they be kept offline or otherwise isolated so the ransomware cannot encrypt them too.  It also advises users not to open attachments in unsolicited emails and to practice safe internet browsing habits.  These are excellent recommendations, but they are difficult for an organization to implement effectively without a supporting management system. 

Effective protection of data requires the implementation of an Information Security Management System (ISMS).  Frameworks such as ISO 27001 and NIST SP 800-171 incorporate risk assessment and incident management plans and procedures.  They also include asset management and scheduled training for all personnel. 

CVG Strategy is aware that ransomware is a growing problem and is committed to helping organizations protect themselves and their data.  Our consultants can tailor an ISMS that meets your organization’s requirements.  Contact Us today to see how we can help.

Electronics Supply Chain Challenges for U.S. Companies


Supply Chain Challenges in a Changing Global Market

COVID-19 has introduced additional supply chain challenges, and the electronics industry has been hit especially hard.  As a result, companies will have to:

  • Reconsider product designs. 
  • Develop new procurement strategies.
  • Provide effective risk management for data security.
  • Further guard against counterfeit parts.

Electronic products require a large volume of components, and these components are produced all over the world.  Over the last forty years, manufacturing has been established wherever labor is cheapest.  China has exploited this opportunity to create immense economic growth.  Unfortunately, it has often done so by using forced labor and creating environmental hazards.  It has also conducted cybercrime to steal intellectual property to further its growth. 

In light of China’s actions during this crisis, the U.S., E.U., and United Kingdom are imposing tariffs and bans.  As a result, many product sectors that China has dominated will be in short supply.  Semiconductors and lithium-ion batteries are products of special concern.  Legislation in the United States, such as the CHIPS for America Act, is attempting to strengthen and secure a stable domestic supply chain.

Supply Chain Cyber Crime

The supply chain has always been a vulnerability for information security.  It is often difficult to identify and mitigate risks when multiple organizations are working together.  Because of this, counterfeit products, tampering, theft, and insertion of malicious software and hardware can all result.  Such incidents have historically increased during times of component shortages, when buyers are pushed toward unvetted sources.

As the National Institute of Standards and Technology (NIST) has consistently reported, organizations are at increased risk of compromise through their supply chains.  These attacks are often carried out by nation states such as China, Russia, and North Korea. 

Quality and the Supply Chain

Prompt delivery of quality product is threatened by an inconsistent supply chain.  Risk assessments should take a new design’s manufacturability into consideration, including the availability of its components.  Enhanced product quality testing should be planned for to prevent the release of product containing counterfeit components. 

CVG Strategy Solutions for Electronics Supply Chain Challenges

CVG Strategy offers quality and cybersecurity solutions to businesses of all sizes to help guide you through electronics supply chain challenges.  We provide consulting in ISO 9001 and AS9100D quality management systems.  We also specialize in helping organizations establish effective Information Security Management Systems (ISMS) to protect your vital information.

Export Control Training Recommended by BIS and DDTC


Export Control Training

Export control training is an essential part of an effective export compliance program.  Both the Bureau of Industry and Security (BIS) and the Directorate of  Defense Trade Controls (DDTC) recommend regular training for all employees involved in exports.  For businesses that are involved with International Traffic in Arms Regulations (ITAR) this includes employees that have access to controlled information.

Elements of Effective Export Compliance Programs

The BIS and the DDTC recognize eight elements crucial to an effective export compliance program:

  1. Management commitment and organizational structure
  2. Risk Assessment that identifies risks and builds controls
  3. Processes that ensure that the organization makes correct decisions, tracks and protects exported items, and screens all parties associated with a transaction
  4. Record keeping in accordance with requirements
  5. Training for all involved employees
  6. Periodic audits to assess the integrity of the program
  7. Procedures for reporting and addressing violations
  8. An export compliance manual that defines processes, roles, and responsibilities

Changing Regulatory Landscape

In recent months there have been major changes in export regulations.  Ignorance is not an adequate defense for violating these regulations, so it is important to maintain an up-to-date export compliance knowledge base.  When investigating export compliance incidents, export enforcement agents are instructed to assess an organization’s compliance program.  As a result, when a program is found negligent, civil fines, penalties, and criminal prosecution increase.  Specific items of concern are:

  • Is the corporation’s compliance program well designed?
  • Is the program being applied earnestly and in good faith?  In other words, is the program adequately resourced and empowered to function effectively?
  • Does the corporation’s compliance program work in practice?

CVG Strategy Export Control Training

CVG Strategy provides a one-day live export compliance webinar.  This training covers the regulatory and statutory framework of export law.  It covers the key principles and essentials of ITAR and EAR export compliance.  Subjects covered in this training include:

  • ITAR and USML (U.S. Munitions List).
  • EAR and CCL (Commerce Control List).
  • Registration with the State Department.
  • ITAR and EAR technical data controls.
  • ITAR and EAR licenses.
  • Compliance and enforcement.
  • Transition of hardware and technical data from the USML to the Export Administration Regulations (EAR)
  • Regulation of brokering activities.
  • Using classification of articles to organize the necessary controls for US Law.

Other CVG Strategy Export Services

CVG Strategy, LLC is a premier provider of customized ITAR consulting and ITAR and export compliance programs.  Visit our ITAR store for badges, signs, and visitor log books to help with your facility security requirements.  We also offer answers to your ITAR questions.  Contact Us today to see how we can help your export compliance program.

Remote Workforce Cybersecurity Concerns Grow


Business Executives Have Concern About Remote Workplace Cybersecurity

Remote workforce cybersecurity is a growing concern for businesses adapting to the COVID-19 pandemic.  Although many tools are available to secure vital data, the remote employee still poses the greatest risk.  The challenge, therefore, is to train employees to use effective cybersecurity practices every day.

Effective IT Tools and Policies

A number of tools are available for cybersecurity.  These include virtual private networks (VPNs), encrypted transport protocols, multi-factor authentication (MFA), and providing employees with properly configured equipment.  Policies can also help to mitigate cyber vulnerabilities.  These include prohibiting company data from being stored on employees’ personal devices and establishing rules for the use of meeting software.  All of these, however, are only as effective as the daily habits of the employees accessing the data.

Information Security Management Systems

An Information Security Management System (ISMS) is a comprehensive approach to keeping corporate information secure.  It involves people, processes, and IT systems to coordinate business security efforts.  ISO 27001 (ISO/IEC 27001) is a standard for developing an ISMS that ensures comprehensive integration of internationally recognized best practices.  Because it employs risk management and continual evaluation for improvement, it is a dynamic tool capable of adapting to a cyberthreat environment that is growing in scale and complexity.  As with any management system, continual training is critical for effective implementation.

Improving Remote Workforce Cybersecurity Practices

Although cyber-criminals are using increasingly sophisticated tools, phishing remains a leading form of attack.  Employees should be trained to think before they click on suspicious emails and links.  Other basic practices include proper password hygiene: passwords should be strong and unique to each account.  Follow this link for the National Institute of Standards and Technology’s guidance on Choosing and Protecting Passwords.

People can be brilliant and still fail to practice common sense regularly.  Instilling good practices requires continual education.  While it is easy to point the finger elsewhere, you may well ask yourself how well you practice cybersecurity basics.  To find out, take the Federal Trade Commission Cybersecurity Basics Quiz.

CVG Strategy

CVG Strategy cybersecurity experts are committed to keeping business information secure.  This is more critical than ever as remote work increases exposure to these threats.  We can help your business implement ISMS solutions that fit your unique requirements and provide the training required to make them work.  Contact Us today to see how we can help.
