More stories


    Google: This zero-click iPhone attack was incredible and terrifying

    Google has explained how surveillance company NSO Group developed an exploit that let users of its software break into an iPhone and install spyware without the target ever clicking a link. Last month, the US Department of Commerce added NSO Group to its “entity list”, largely banning it from US markets, citing evidence that it supplied spyware to foreign governments that used it to target government officials, journalists, business people, activists, academics and embassy workers. In late November, Apple sued NSO, seeking a permanent injunction banning the company from using any Apple software, services or devices.

    Now Google’s Project Zero (GPZ) has analyzed a relatively new NSO ‘zero-click’ exploit for iOS 14.7.1 and earlier, and deemed it “one of the most technically sophisticated exploits we’ve ever seen”. GPZ’s Ian Beer and Samuel Groß described the exploit as both “incredible” and “terrifying”. It builds a “weird” emulated computer inside an image-decoding component of iOS that has no scripting capability of its own, and uses that machine to run JavaScript-like logic that writes to arbitrary memory locations, ultimately compromising the iPhone remotely. Security researchers at Canada-based Citizen Lab reported the bug to Apple as part of their joint research with Amnesty International into NSO’s Pegasus mobile spyware, which is installed once an exploit chain has jailbroken the iPhone. Apple patched the memory corruption bug, tracked as CVE-2021-30860, in the CoreGraphics component in iOS 14.8 this September.

    Citizen Lab also shared a sample of NSO’s iMessage-based zero-click exploit with GPZ for analysis. The attack targets the code iMessage uses to handle GIF images. Beer and Groß said it showed that “the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states”. The initial entry point for Pegasus on iPhone is iMessage, which means a victim can be targeted using only their phone number or AppleID username, the report notes, and even careful users who know not to click links can be compromised.

    The weakness comes via extra handling Apple added for GIF images. To make ordinary GIFs loop endlessly, iMessage uses a “fake gif” trick in iOS’s ImageIO library: the attachment is re-parsed by ImageIO, which sniffs the real file format rather than trusting the extension, so the trick exposes more than 20 additional image codecs to an attacker and greatly enlarges the attack surface. “NSO uses the “fake gif” trick to target a vulnerability in the CoreGraphics PDF parser,” Beer and Groß explain. PDF has historically been a popular exploitation target because its readers are complex and ubiquitous, and JavaScript support in PDF made exploitation easier still. As the GPZ researchers note: “The CoreGraphics PDF parser doesn’t seem to interpret javascript, but NSO managed to find something equally powerful inside the CoreGraphics PDF parser…” That something is Apple’s implementation of JBIG2, a standard for compressing and decompressing scanned black-and-white images; it was used in old Xerox scanners to turn paper documents into PDF files of only a few kilobytes. Among several crafty tricks NSO developed was an emulated computer architecture built on the JBIG2 portion of Apple’s CoreGraphics PDF parser.
    That emulated environment let them write to arbitrary memory addresses using a scripting language not unlike JavaScript, even though JBIG2 has no scripting capabilities. “JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory,” explain Beer and Groß. “So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.”

    “The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying.”
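    To make the “logic gates out of a decompressor” idea concrete, here is an added example written for this page (it is not Project Zero’s analysis code and not NSO’s exploit). It keeps only JBIG2’s region-composition primitive, the ability to combine a decoded region onto the page bitmap with AND, OR, XOR or XNOR, and builds a 64-bit ripple-carry adder out of a stream of such commands, synthesising a copy operation from XOR-with-self followed by OR. Everything else is left out, in particular the memory-corruption bug that let the real exploit point the page buffer at arbitrary heap memory; the cell offsets and the layout of the toy machine are assumptions.

```python
"""Toy model of JBIG2 region composition used as a logic-gate computer.

Constructed example for this page, not code from Project Zero or from the
NSO exploit. JBIG2 composes each decoded region onto the page bitmap with
one of the operators AND, OR, XOR or XNOR; this model keeps that primitive
and nothing else. Cell addresses are bit offsets into one flat page buffer
(the real exploit needed a memory-corruption bug to make the page buffer
alias other heap memory; that step is deliberately not modelled here).
"""
from typing import List, Tuple

AND, OR, XOR, XNOR = "AND", "OR", "XOR", "XNOR"
Command = Tuple[str, int, int, int]      # (operator, src_offset, dst_offset, length)


def _gate(op: str, d: int, s: int) -> int:
    if op == AND:
        return d & s
    if op == OR:
        return d | s
    if op == XOR:
        return d ^ s
    if op == XNOR:
        return 1 - (d ^ s)
    raise ValueError(op)


class Page:
    """A JBIG2 page bitmap flattened to one bit per cell."""

    def __init__(self, nbits: int) -> None:
        self.bits = [0] * nbits

    def compose(self, op: str, src: int, dst: int, length: int) -> None:
        """dst[i] = dst[i] OP src[i]: one region composed onto the page."""
        src_bits = self.bits[src:src + length]          # snapshot so src == dst is well defined
        for i, s in enumerate(src_bits):
            self.bits[dst + i] = _gate(op, self.bits[dst + i], s)

    def run(self, program: List[Command]) -> None:
        for op, src, dst, length in program:
            self.compose(op, src, dst, length)

    def load(self, offset: int, value: int, width: int) -> None:
        for i in range(width):                            # little-endian: LSB at offset
            self.bits[offset + i] = (value >> i) & 1

    def read(self, offset: int, width: int) -> int:
        return sum(self.bits[offset + i] << i for i in range(width))


def copy_cmds(src: int, dst: int, length: int) -> List[Command]:
    """There is no MOV: XOR a region with itself to clear it, then OR the source in."""
    return [(XOR, dst, dst, length), (OR, src, dst, length)]


def adder_program(a: int, b: int, out: int, scratch: int, width: int) -> List[Command]:
    """Ripple-carry adder expressed purely as composition commands.

    a, b, out: offsets of width-bit little-endian operands; scratch: 3 spare cells.
    Per bit: t1 = a^b; s = t1^c; t2 = a&b; t1 = t1&c; c = t2|t1.
    """
    t1, t2, c = scratch, scratch + 1, scratch + 2
    prog: List[Command] = [(XOR, c, c, 1)]               # carry-in = 0
    for i in range(width):
        ai, bi, si = a + i, b + i, out + i
        prog += copy_cmds(ai, t1, 1) + [(XOR, bi, t1, 1)]   # t1 = a ^ b
        prog += copy_cmds(t1, si, 1) + [(XOR, c, si, 1)]    # s  = t1 ^ c
        prog += copy_cmds(ai, t2, 1) + [(AND, bi, t2, 1)]   # t2 = a & b
        prog += [(AND, c, t1, 1)]                           # t1 = (a ^ b) & c
        prog += copy_cmds(t2, c, 1) + [(OR, t1, c, 1)]      # c  = t2 | t1
    return prog


# Fixed layout of the toy machine (assumed): two 64-bit operands, a 64-bit result, scratch.
WIDTH = 64
A_OFF, B_OFF, OUT_OFF, SCRATCH_OFF = 0, 64, 128, 192
ADD64 = adder_program(A_OFF, B_OFF, OUT_OFF, SCRATCH_OFF, WIDTH)


def add64(x: int, y: int) -> int:
    """Add two 64-bit integers by 'decoding' the ADD64 command stream onto a fresh page."""
    page = Page(SCRATCH_OFF + 3)
    page.load(A_OFF, x, WIDTH)
    page.load(B_OFF, y, WIDTH)
    page.run(ADD64)
    return page.read(OUT_OFF, WIDTH)                    # wraps mod 2**64 like a real adder


if __name__ == "__main__":
    print(len(ADD64), "commands;", hex(add64(0xFFFF_FFFF_FFFF_FFFF, 1)), add64(123456789, 987654321))
```

    Each bit of the adder costs 13 composition commands here (833 for 64 bits), which gives a feel for why the real circuit, with registers and a comparator on top, ran to more than 70,000 segment commands. Composition is also naturally bit-parallel: one command with length 64 XORs two whole words, so the bit-serial form above is a choice made for clarity, not a limit of the primitive.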


    Suspected Iranian hackers target airline with new backdoor

    A suspected, state-sponsored Iranian threat group has attacked an airline with a never-before-seen backdoor. 

    On Wednesday, researchers from IBM Security X-Force said an Asian airline was the target of the attack, which likely began in October 2019 and continued into 2021. The advanced persistent threat (APT) group ITG17, also known as MuddyWater, used a free Slack workspace to host malicious content and to obfuscate communications with its command-and-control (C2) servers. “It is unclear if the adversary was able to successfully exfiltrate data from the victim environment, though files found on the threat actor’s C2 server suggest the possibility that they may have accessed reservation data,” IBM says.

    The Slack messaging Application Programming Interface (API) was abused by a new backdoor, named “Aclip”, that uses the API both to send data and to receive commands, with system data, screenshots and files posted to an attacker-controlled Slack channel. Three separate channels were used to exfiltrate information quietly. Once installed and executed, the backdoor collected basic system data, including hostnames, usernames and IP addresses, encrypted it and sent it to the first channel. The second channel was polled for commands to execute, and the results of those commands, such as uploaded files, were sent to the third channel.
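    The three-channel pattern described above (post host details, poll for tasks, upload results) is visible in egress logs even though the traffic goes to a legitimate SaaS domain. The following is an added example for this page, not IBM X-Force’s detection logic and not Aclip’s code: it hunts for Slack Web API command and control in proxy logs by scoring each host/process pair on an unexpected process, fixed-interval polling and the volume pushed out. The log lines are constructed, their field layout (timestamp, host, process, verb, URL, bytes out) is an assumption about what a proxy or EDR exports, and the process allowlist and thresholds are illustrative starting points; the Slack method names in the URLs are real.

```python
"""Hunting Slack-API command and control in egress proxy logs.

Added example for this page; it is not IBM X-Force's detection logic and
not Aclip's code. The log lines below are constructed, and their layout
(timestamp host process verb url bytes_out) is an assumption about what an
egress proxy or EDR exports. Slack Web API method names in the URLs are
real (files.upload, chat.postMessage, conversations.history); the process
allowlist and thresholds are illustrative starting points to tune locally.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample: one host using a normal Slack client, one with a non-Slack
# process polling a channel on a fixed timer and pushing a large file (the
# three-channel pattern: post system info, poll for tasks, upload results).
SAMPLE_LOG = """\
2021-11-02T09:00:00Z ws-fin-01 slack.exe POST https://slack.com/api/chat.postMessage 412
2021-11-02T09:00:05Z ws-fin-01 slack.exe GET https://slack.com/api/conversations.history 0
2021-11-02T09:03:10Z ws-fin-01 slack.exe GET https://slack.com/api/conversations.history 0
2021-11-02T09:00:00Z ws-ops-07 svchost.exe POST https://slack.com/api/chat.postMessage 1650
2021-11-02T09:01:00Z ws-ops-07 svchost.exe GET https://slack.com/api/conversations.history 0
2021-11-02T09:02:00Z ws-ops-07 svchost.exe GET https://slack.com/api/conversations.history 0
2021-11-02T09:03:00Z ws-ops-07 svchost.exe GET https://slack.com/api/conversations.history 0
2021-11-02T09:04:01Z ws-ops-07 svchost.exe GET https://slack.com/api/conversations.history 0
2021-11-02T09:04:02Z ws-ops-07 svchost.exe POST https://slack.com/api/files.upload 98112
2021-11-02T09:05:00Z ws-ops-07 svchost.exe GET https://slack.com/api/conversations.history 0
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d+)$")
SLACK_API = re.compile(r"^https://slack\.com/api/([A-Za-z.]+)")

# Assumption: processes that legitimately speak to the Slack Web API on workstations.
EXPECTED_SLACK_PROCESSES = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
POLL_METHODS = {"conversations.history", "conversations.replies"}   # "any new tasks for me?"
PUSH_METHODS = {"chat.postMessage", "files.upload"}                  # beacon / exfil channel

Event = Tuple[datetime, str, str, str, int]   # (time, host, process, api_method, bytes_out)


def parse(log: str) -> List[Event]:
    """Keep only requests to the Slack Web API; ignore everything else."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, proc, _verb, url, nbytes = m.groups()
        api = SLACK_API.match(url)
        if api:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            events.append((when, host, proc, api.group(1), int(nbytes)))
    return events


def hunt(log: str, min_polls: int = 4, max_jitter: float = 0.15,
         exfil_bytes: int = 64 * 1024) -> List[Dict[str, object]]:
    """Score each (host, process) pair on three C2 tells and return the flagged ones.

    1. an unexpected process talking to the Slack API;
    2. polling a channel on a near-fixed interval (beacon jitter below max_jitter);
    3. pushing more than exfil_bytes out through messages or file uploads.
    """
    by_actor: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for ev in parse(log):
        by_actor[(ev[1], ev[2])].append(ev)

    findings: List[Dict[str, object]] = []
    for (host, proc), evs in by_actor.items():
        evs.sort()
        reasons: List[str] = []
        if proc not in EXPECTED_SLACK_PROCESSES:
            reasons.append(f"unexpected process {proc} using the Slack API")
        polls = [t for t, _, _, method, _ in evs if method in POLL_METHODS]
        if len(polls) >= min_polls:
            gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
            jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
            if jitter <= max_jitter:
                reasons.append(f"polls every ~{mean(gaps):.0f}s with jitter {jitter:.2f}")
        pushed = sum(n for _, _, _, method, n in evs if method in PUSH_METHODS)
        if pushed >= exfil_bytes:
            reasons.append(f"{pushed} bytes pushed via {sorted(PUSH_METHODS)}")
        if reasons:
            findings.append({"host": host, "process": proc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["host"], f["process"], *f["reasons"], sep="\n  ")
```

    On the constructed sample only ws-ops-07 is flagged, on all three tells; the finance workstation’s two interactive history reads and a small message do not cross any threshold. In a real estate the same three signals are worth keeping separate rather than folding into one score, because a legitimate integration can trip one of them (a build server posting large artefacts, say) but rarely all three.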

    While Aclip is a new backdoor, it is not the only malware known to abuse Slack, which should be of note to enterprise teams now that the tool is a staple of remote and hybrid work. The Golang-based Slack C2bot also uses the Slack API for C2 communications, and the SLUB backdoor uses authorized tokens to talk to its C2 infrastructure. In a statement, Slack said: “We investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service. We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service.”


    Variant of Phorpiex botnet used for cryptocurrency attacks in Ethiopia, Nigeria, India and more

    Check Point Research has discovered new attacks targeting cryptocurrency users in Ethiopia, Nigeria, India and 93 other countries. The cybercriminals behind the attacks are using a variant of the Phorpiex botnet — which Check Point called “Twizt” — to steal cryptocurrency through a process called “crypto clipping.” 

    Because wallet addresses are long, most users copy an address and paste it into the transaction rather than typing it. Twizt watches the clipboard for exactly that moment and silently substitutes the threat actor’s wallet address for the intended one. Check Point researchers said they have seen 969 transactions intercepted, and noted that Twizt “can operate without active command and control servers, enabling it to evade security mechanisms”, because infected computers can relay commands to one another and so widen the botnet. In the last year, they have seen 3.64 Bitcoin, 55.87 Ether and $55,000 in ERC20 tokens stolen by Twizt operators, worth about $500,000 in total. In one instance alone, 26 ETH was taken. Between April 2016 and November 2021, Phorpiex bots hijacked about 3,000 transactions worth nearly 38 Bitcoin and 133 Ether, and the company noted that this is only the portion of the attacks it could observe.

    Phorpiex was originally known as a botnet used for sextortion and cryptojacking but evolved to deliver ransomware. Check Point said Phorpiex has been operating since at least 2016 and was initially an IRC-controlled botnet. “In 2018-2019, Phorpiex switched to modular architecture and the IRC bot was replaced with Tldr — a loader controlled through HTTP that became a key part of the Phorpiex botnet infrastructure. In our 2019 Phorpiex Breakdown research report, we estimated over 1,000,000 computers were infected with Tldr,” Check Point explained. In May, Microsoft’s Defender Threat Intelligence Team published a lengthy blog post warning that Phorpiex “began diversifying its infrastructure in recent years to become more resilient and to deliver more dangerous payloads.”
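    The clipping mechanic described above, and the copy-versus-paste comparison Check Point recommends against it, as an added example written for this page (not Twizt or Phorpiex code). The address patterns are the public formats of a few of the chains the report names (Bitcoin legacy/P2SH and bech32, Ethereum, Dash, Monero); the attacker wallets are made-up placeholders of the right shape, not real addresses, and the locale check is included only because the report describes it.

```python
"""Crypto clipping, modelled end to end: what the clipper does to the clipboard,
and the paste-time comparison that catches it.

Added example for this page, not Twizt/Phorpiex code. The address patterns
are the public formats of a few chains Check Point says the clipper supports
(Bitcoin legacy/P2SH and bech32, Ethereum, Dash, Monero). The attacker
wallets are made-up placeholders of the right shape, not real addresses.
"""
import re
from typing import Dict, Optional, Tuple

# Chain -> regex for its public address format (first character and alphabet
# are what a clipper keys on; lengths are the usual ranges).
ADDRESS_PATTERNS = {
    "BTC-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),   # base58: no 0, O, I, l
    "BTC-bech32": re.compile(r"bc1[ac-hj-np-z02-9]{39,59}"),          # bech32: no 1, b, i, o
    "ETH":        re.compile(r"0x[0-9a-fA-F]{40}"),                   # also used for ERC20 transfers
    "DASH":       re.compile(r"X[1-9A-HJ-NP-Za-km-z]{33}"),
    "XMR":        re.compile(r"4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}"),
}

# Placeholder attacker wallets, one per supported format (constructed, not real).
ATTACKER_WALLETS = {
    "BTC-legacy": "1" + "AttackerBTC" + "x" * 22,
    "BTC-bech32": "bc1q" + "x" * 38,
    "ETH":        "0x" + "dead" * 10,
    "DASH":       "X" + "AttackerDASH" + "x" * 21,
    "XMR":        "4" + "A" + "AttackerXMR" + "x" * 82,
}


def classify(text: str) -> Optional[str]:
    """Return the chain whose address format the whole clipboard string matches, else None."""
    candidate = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return chain
    return None


def clip(clipboard: str, wallets: Dict[str, str] = ATTACKER_WALLETS) -> Tuple[str, Optional[str]]:
    """What the clipper does on every clipboard change: if the content is a wallet address
    of a supported chain, swap in the attacker's address for the *same* chain (a real
    clipper's address carries a valid checksum, so wallet software accepts it).
    Anything that is not an address is left untouched, so the user sees nothing odd."""
    chain = classify(clipboard)
    if chain is None or chain not in wallets:
        return clipboard, None
    return wallets[chain], chain


def paste_guard(copied: str, pasted: str) -> Dict[str, object]:
    """The user-side check Check Point recommends: compare what you meant to send with
    what actually landed in the recipient field. A clipper keeps the chain but changes
    the address, so the mismatch is visible even though both strings look legitimate."""
    copied, pasted = copied.strip(), pasted.strip()
    if copied == pasted:
        return {"ok": True, "chain": classify(pasted),
                "reason": "pasted address matches copied address"}
    return {"ok": False, "chain": classify(pasted),
            "reason": f"address changed between copy and paste "
                      f"({classify(copied)} -> {classify(pasted)})"}


def should_run(default_locale: str) -> bool:
    """Check Point reports the bot exits when the default locale abbreviation is 'UKR';
    a reminder that a sandbox configured that way will show no clipping at all."""
    return default_locale.upper() != "UKR"


if __name__ == "__main__":
    victim = "1" + "VictimBTC" + "y" * 24          # constructed, base58-shaped
    swapped, chain = clip(victim)
    print(chain, swapped)
    print(paste_guard(victim, swapped))
```

    The point of `paste_guard` is that it does not try to decide whether an address is good or bad, which a clipper defeats by supplying a perfectly valid one; it only checks that the address did not change between copy and paste. A small test transaction before a large transfer, as the report advises, catches the same swap from the other end.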

    In August, activity on Phorpiex’s command and control servers dropped sharply, and one of the people behind the botnet posted an ad on the darknet offering the source code for sale. Check Point’s Alexey Bukhteyev told The Record that even with the C2 servers down, a buyer of the source code could set up a new botnet using all of the previously infected systems. It is unclear whether the botnet was actually sold, but Check Point said the C2 servers were back online at another IP address within weeks. When they restarted after the August hiatus, they began distributing Twizt, which enables the botnet “to operate successfully without active command and control servers, since it can operate in peer-to-peer mode.”

    “This means that each of the infected computers can act as a server and send commands to other bots in a chain. As a really large number of computers are connected to the Internet through NAT routers and don’t have an external IP address, the Twizt bot reconfigures home routers that support UPnP and sets up port mapping to receive incoming connections,” Check Point explained. “The new bot uses its own binary protocol over TCP or UDP with two layers of RC4-encryption. It also verifies data integrity using RSA and RC6-256 hash function.”

    Check Point said the new features in Twizt make it believe the botnet “may become even more stable and, therefore, more dangerous.” It has seen attacks continue at a steady rate even while the C2 servers are inactive, and over the last two months there has been an uptick, with incidents in 96 countries. Alexander Chailytko, cybersecurity research and innovation manager at Check Point Software, said the new variant carries two main risks.

    “First, Twizt is able to operate without any communication with C&C; therefore, it is easier to evade security mechanisms, such as firewalls, in order to do damage. Second, Twizt supports more than 30 different cryptocurrency wallets from different blockchains, including major ones such as Bitcoin, Ethereum, Dash, Monero,” Chailytko said. “This makes for a huge attack surface, and basically anyone who is utilizing crypto could be affected. I strongly urge all cryptocurrency users to double-check the wallet addresses they copy and paste, as you could very well be inadvertently sending your crypto into the wrong hands.”

    Check Point urged cryptocurrency owners to always compare the original and pasted addresses to make sure they match, and to send a small test transaction before any large transfer. Its report says the Phorpiex crypto-clipper supports more than 30 wallet formats across different blockchains. The researchers also noted that the operators may be in Ukraine, since the bot does not execute if the user’s default locale abbreviation is “UKR”.

    Although it has served a variety of purposes, Check Point’s report says Phorpiex was never considered a sophisticated botnet. “All of its modules were simple and performed the minimal number of functions. Earlier versions of the Tldr module did not use encryption for the payloads. However, this did not prevent the botnet from successfully achieving its goals. Malware with the functionality of a worm or a virus can continue to spread autonomously for a long time without any further involvement by its creators,” Check Point explained. “We showed that a cryptocurrency clipping technique for a botnet of this scale can generate significant profits (hundreds of thousands US dollars annually) and does not require any kind of management through command and control servers. In the past year, Phorpiex received a significant update that transformed it into a peer-to-peer botnet, allowing it to be managed without having a centralized infrastructure. The command and control servers can now change their IP addresses and issue commands, hiding among the botnet victims.”


    Victims awarded $18 million in GirlsDoPorn online video case, boss on the run

    Hundreds of victims involved in the non-consensual release of explicit videos online have been awarded video rights and millions of dollars in damages. 

    On Wednesday, the US Department of Justice (DoJ) said that all rights to videos and images produced by the pornography operations GirlsDoPorn and GirlsDoToys have been awarded to the women who appear in the footage. GirlsDoPorn (GDP) and GirlsDoToys (GDT) have been the subject of a sex trafficking case brought by US prosecutors. Adult film actor and producer Ruben Andre Garcia admitted to participating in a scheme, running from roughly 2013 to October 2019, that used “force, fraud, and coercion” to make young women “engage in commercial sex acts,” according to the DoJ.

    Women originally responded to adverts for clothed modeling work and were then told they would be paid between $3,000 and $5,000 for one-day, anonymized adult video shoots. Alongside Michael James Pratt, Matthew Isaac Wolfe, Theodore Wilfred Gyi, Valerie Moser and others, Garcia lied to hundreds of women in the US and Canada, promising that the videos would not be published online and that their participation would be concealed. US prosecutors say the defendants knew these representations to be “false”, and that Garcia and the owners of GDP/GDT had formed a conspiracy.

    GDP and GDT generated at least $17 million in revenue from millions of views on a subscription basis. Snippets of the illegally obtained content were also uploaded to other adult websites, including PornHub, to lure additional subscribers to the GDP/GDT platforms. Under the order, US District Judge Janis Sammartino directed Garcia, who will also serve 20 years in prison, to pay $18 million in restitution and hand over the video and image rights. “An important step in this long healing process is for the victims to be able to take back control of their lives,” commented FBI Special Agent in Charge Suzanne Turner. “This ruling helps to facilitate that shift while the FBI aggressively pursues the lone outstanding fugitive in this case — and its ringleader — Michael James Pratt.”

    The FBI is offering a reward of up to $50,000 for information leading to the arrest of Pratt, a 36-year-old producer from New Zealand who is on the run and wanted on allegations of sex trafficking and child pornography. The case is ongoing, and the next hearing, on motions related to Wolfe, is due in March. In October, PornHub’s parent company settled with 50 women who accused the firm of maintaining a partnership with GDP/GDT despite being aware of the allegations against it. The terms of the settlement were not disclosed.


    Digital ID age verification trials for online alcohol purchases in Australia underway

    The Digital Transformation Agency (DTA) has been running digital identity age verification trials for online alcohol purchases with selected providers in Australia since September, according to documents released under a Freedom of Information (FOI) request. The documents, released by the Office of the eSafety Commissioner, indicate there are also plans for similar trials for online gambling, with each private beta scheduled to run for three to six months. A proposed expansion of the trial in 2022 would add more users, other Australian-based online alcohol and online gambling service providers, R18+ online video games with “loot boxes”, and myGovID as an identity provider.

    The FOI request, filed by Greg Tannahill on September 29, sought to understand Mastercard’s proposed involvement in delivering, or influencing the delivery of, age verification services in Australia. It was filed two days after Mastercard announced it was working with the DTA to see how its digital identity service could enable Australians to digitally verify their age and identity. As part of the collaboration, Mastercard said it would work with the DTA to examine a series of private sector-led pilots and the impact its digital verification service could have on retailer and consumer experiences and expectations online. The announcement marked a quiet expansion of the trial of Mastercard’s digital identification service, following completion of phase one with partners Deakin University and Australia Post last year.

    Discussion notes about the trials between the DTA and the eSafety Commissioner record that the DTA was focused on “establishing systems that enhance privacy, security and safety — including by being least invasive to the user (i.e. simply determining that someone is 18+)”. “We prefer systems that are not an unnecessary burden to those wishing to access services which they are entitled to use,” the notes said. The DTA also flagged that it was “interested in a market-based system that offers choice to consumers”.

    When announcing its work with the DTA, Mastercard also said it had applied for accreditation under the Trusted Digital Identity Framework (TDIF), which sets out the operating model for digital identity in Australia. If granted, Mastercard said, accreditation would let consumers create a reusable digital identity from official identity documents such as passports and driving licences, with the identity data protected by encryption and facial biometrics.

    In October, the federal government released an exposure draft of legislation that seeks to extend Australia’s federal digital identity system to state and territory governments and the private sector. Under the Bill, the federal government would formally enshrine two voluntary schemes for entities that want to provide or rely on digital identity services: a federal government-run digital identity system and a new accreditation scheme based on the existing TDIF. The federal government, state and territory governments, Australian companies and foreign companies registered with the Australian Securities and Investments Commission (ASIC) would all be eligible to apply to join the two schemes.


    OAIC determines AFP interfered with privacy of Australians after using Clearview AI

    An investigation by Australia’s Information Commissioner (OAIC) has found that the Australian Federal Police’s (AFP) use of the Clearview AI platform interfered with the privacy of Australian citizens. Clearview AI’s facial recognition tool has been found to breach privacy laws on numerous fronts: it indiscriminately scrapes biometric information from the web and has collected data on at least 3 billion people, many of them Australian.

    From November 2019 to January 2020, 10 members of the AFP’s Australian Centre to Counter Child Exploitation (ACCCE) used the Clearview AI platform to search for certain individuals residing in Australia. ACCCE members used it to search for scraped images of possible persons of interest, an alleged offender, victims, members of the public and members of the AFP, the OAIC said. Although the AFP used the platform only on a trial basis, Information and Privacy Commissioner Angelene Falk determined [PDF] that the federal police failed to undertake a privacy impact assessment of the Clearview AI platform despite it being a high privacy risk project, and so breached the Australian Government Agencies Privacy Code. The OAIC added that the AFP also failed to take reasonable steps to implement practices, procedures and systems to ensure its use of the platform complied with the Australian Privacy Principles.

    The AFP submitted that it did not undertake a privacy impact assessment because its use of the Clearview AI platform was only a “limited trial”. On investigating that decision, however, the OAIC said the AFP failed to provide any evidence that a project manager or trial participant had conducted a threshold assessment to determine whether a privacy impact assessment was required. A threshold assessment is a preliminary check of a project’s potential privacy impacts that determines whether a full privacy impact assessment should be undertaken.

    Worryingly, the OAIC’s investigation also found no indication that the AFP has taken, or would take, steps to prevent similar breaches in future. This is despite the AFP having admitted in April last year that it trialled the Clearview AI platform without an appropriate legislative framework in place. “Without a more coordinated approach to identifying high privacy risk projects and improvements to staff privacy training, there is a risk of similar contraventions of the Privacy Act occurring in the future,” the OAIC wrote in its determination. “This is particularly the case given the increasing accessibility and capabilities of facial recognition service providers and other new and emerging high privacy impact technologies that could support investigations.”

    In light of these breaches, the OAIC has ordered the AFP to engage an independent third-party assessor to review its practices, procedures and systems and to report on the changes the AFP must make to comply with the Australian Government Agencies Privacy Code. The report must be completed within six months, and the AFP must also give the OAIC a timeline for implementing the actions it sets out. The OAIC has further ordered that all AFP personnel who handle personal information complete an updated privacy training program within 12 months.


    Home Affairs releases second Critical Infrastructure Bill with leftover obligations

    At the start of this month, Australia’s Security Legislation Amendment (Critical Infrastructure) Act 2021 became law, giving government “last resort” powers to direct an entity to gather information or undertake an action, or to authorise the Australian Signals Directorate (ASD) to intervene against cyber attacks. The laws also introduced a cyber incident reporting regime for critical infrastructure assets.

    Those laws were originally drafted with a wider scope, with Home Affairs proposing further obligations for organisations within critical infrastructure sectors. Provisions seeking to enshrine those obligations were excluded from the Critical Infrastructure Bill after the Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended that these “less urgent” aspects be legislated in a separate Bill later, giving businesses and government additional time to co-design a regulatory framework with broader consensus among stakeholders. Home Affairs has now released an exposure draft [PDF] of that second Bill. Called the Security Legislation Amendment (Critical Infrastructure Protection) Bill (SLACI Bill), it seeks to introduce risk management programs for critical infrastructure entities and enhanced cybersecurity obligations for the entities most important to the nation.

    The risk management program obligation, if it becomes law, would apply to entities within the 11 sectors classified as critical infrastructure sectors in the first Bill. The enhanced cybersecurity obligations would apply to a smaller subset of entities that hold assets classified as systems of national significance. According to the exposure draft, a risk management program would have to identify hazards to critical infrastructure assets and the likelihood of their occurring, and entities would have to submit an annual report on the program and on whether any hazard had a significant impact on a critical infrastructure asset.

    Under the proposed enhanced cybersecurity obligations, entities with systems of national significance would have to maintain an incident response plan for cyber attacks and share it with the Home Affairs secretary. They would also be required to undertake cybersecurity exercises to build preparedness, conduct vulnerability assessments to identify weaknesses for remediation, and provide system information to build Australia’s situational awareness. On the last point, the Bill would give Home Affairs the power to compel relevant entities to install system information software.

    The government has also used the second Bill to amend “key sector and asset definitions” to clarify which entities are deemed to hold critical infrastructure assets. Among them is “critical domain name system”, which is clarified so that an asset is critical if it administers an Australian Domain Name System. The exposure draft also amends the definition of “critical data storage or processing asset” to make clear which entities will be captured as responsible entities for such assets: under the amended definition, an entity holds critical infrastructure if it provides any data storage or processing services to government. Data storage here means a service provided on a commercial basis that enables end users to store or back up data, and data processing means a service provided on a commercial basis that involves the use of one or more computers, including computerised actions such as retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal of data. Home Affairs will accept feedback on the exposure draft until February 1.


    US Senate passes $768 billion defense bill without cyber incident reporting provisions

    The US Senate passed the National Defense Authorization Act (NDAA) on Wednesday, approving the $768 billion annual defense spending bill packed with cybersecurity provisions. The bill now heads to President Joe Biden’s desk. In an explainer released alongside the text of the bill, the House Armed Services Committee said the cyber provisions would initiate “the widest empowerment and expansion of CISA through legislation since the SolarWinds incident.”

    In addition to significantly more cybersecurity investment, the bill gives greater budget authority to the Commander of US Cyber Command, “modernizes” the relationship between the Department of Defense Chief Information Officer and the National Security Agency’s cybersecurity components, and establishes a program office within Joint Force Headquarters-DODIN to centralize the management of cyber threat information products across the Defense Department. It mandates the first taxonomy of cyber weapons and cyber capabilities, and requires the Defense Secretary to create a software development and acquisition cadre that provides expert advice, assistance and resources for developing and acquiring software. A grant program created by Congress will fund cybersecurity research in coordination with Israel.

    The bill also outlines a National Cyber Exercise program that will require CISA and other government bodies to test the National Cyber Incident Response Plan and, “to the extent practicable, simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident.” An amendment requires CISA to update the incident response plan at least every two years. The DOD must now report on how its Cybersecurity Maturity Model Certification program affects small businesses. Experts also welcomed the addition of an apprenticeship program to expand the available cyber talent, as well as a veteran training program. CISA receives more funding for a program called “CyberSentry” that provides “continuous monitoring of cybersecurity risks to critical infrastructure that own or operate industrial control systems that support national critical functions.”

    Bill Lawrence, CISO at SecurityGate, said CyberSentry was a somewhat controversial provision because it says CISA “may access all network traffic, including the content of communications, as stored within the CyberSentry stack to further analyze the origins of an alert and/or evaluate the state of the network.” “There are valid reasons for CISA to help protect US critical infrastructure just as there are valid reasons for CI owners and operators to not want government sensors on their networks, as well as valid arguments from security providers that the government is giving cyber services away for free (using taxpayer money, of course),” Lawrence said. “DHS does include a great deal of privacy considerations in the CyberSentry write-up. It would be helpful to also read about the tactical and strategic objectives of this program and see if rapid information sharing with all CI asset owners and operators is included, and help determine if this juice is worth the squeeze on the commercial providers. I have my apprehensions.”

    But what garnered the most interest was what the bill lacked: a cyber incident reporting provision that was hotly debated and ultimately scuttled at the last minute. For months, Democratic and Republican senators jockeyed over the language of such a provision in the NDAA. In November, two Democrats, Gary Peters and Mark Warner, worked with two Republicans, Rob Portman and Susan Collins, to introduce an amendment that would have required critical infrastructure owners and operators, as well as civilian federal agencies, to report all cyberattacks and ransomware payments to CISA. But by December, The Washington Post reported that Florida Senator Rick Scott had taken issue with the ransomware reporting provision, calling it too broad and asking that the language be limited to enterprises in the 16 critical infrastructure sectors.

    Sources told CyberScoop’s Tim Starks that debate over the ransomware language ran too long and negotiators in the House and Senate ended up leaving the entire provision out. Lawrence noted that some companies objected to reporting breaches or ransomware attacks within 72 hours of discovery and ransom payments within 24 hours of payout: smaller organizations, he explained, do not have a 24/7 security operations center, which limits their ability to respond to such incidents, let alone brief the US government in the middle of incident response.

    Rep. Bennie Thompson and Rep. Yvette Clarke noted that cyber incident reporting legislation was included in the House version of the NDAA, which passed in September. The two, who respectively chair the Committee on Homeland Security and its Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation, said in a statement that there were intensive efforts to get cyber incident reporting into the bill but “ultimately the clock ran out on getting it in the NDAA.” “There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today – well past the NDAA deadline. This result is beyond disappointing and undermines national security,” Thompson and Clarke said. “We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s desk. Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA. We are profoundly disappointed that the momentum we had coming into the NDAA did not yield success but are fully committed to working across the aisle and with the Senate to find another path forward.”