[ad_1]
The Network: It’s time to step up cyber regulations even more
More than 2½ years since President Biden took office, his administration has moved further than any of his predecessors to impose further cybersecurity rules. But our network of experts say his administration should be doing even more.
Just short of a majority, 49 percent, said cyber regulators aren’t going far enough. Another sizable contingent, 36 percent, say they’re striking the right balance. And a smaller sliver, 15 percent, say regulators have gone too far.
Their answers, as our experts often explained, are complicated by the fact that not all agencies are taking the same approach to the regulations, or having the same success putting their mandatory security measures in place.
This month’s survey is deliberately meant as a follow-up to a survey with our network a little more than two years ago, when we asked: “Should the government require that companies in critical industry sectors, such as agriculture and transportation, meet minimum cybersecurity standards?” Back then, a vast majority answered “yes.”
But a lot has happened since then. The administration began putting regulations in place across a range of critical infrastructure sectors, and it is still very much in the midst of establishing more.
- Take, for example, the Securities and Exchange Commission approving some of the more controversial rules among agencies, on publicly traded companies, just last month.
- This year, the administration released a National Cybersecurity Strategy that explicitly spelled out its approach to regulations.
One respondent who wants to see more from the administration said the fault isn’t with federal regulators, but with a legislative body that hasn’t given them enough tools.
“US cyber regulators are doing the best they can with the tools they have — but those tools are inadequate,” wrote Jeff Greene, senior director of cybersecurity programs at the Aspen Institute think tank who served in Biden’s White House. “We have fifteen years (or more) of experience with the industry-driven voluntary approach to critical industry cybersecurity, and it has failed miserably. It is time for Congress to give agencies the authority they need to establish the cybersecurity baselines that all Americans deserve.”
Another expert suggested that the problem was the “kind” of rules that are predominant, namely those that require critical infrastructure operators to report to the federal government when they suffer a major hack.
“The emphasis on timeframes for reporting is misplaced or at the least imbalanced … more must be done to reduce the security up charges (e.g., necessary logs cost extra), esp to the government, and other efforts to move towards secure by design and default and develop a market focused on digital sustainability, not near term profit for long term pain,” wrote Megan Stifel, chief strategy officer at the Institute for Security and Technology.
David Brumley, CEO and co-founder of ForAllSecure and a professor at Carnegie Mellon University, said something similar: “I can’t think of a cyber policy that encourages proactively improving security. Everything is focused around disclosure and knowing the ingredients, not if the ingredients are spoiled.”
Jake Williams, a member of the faculty at the Institute for Applied Network Security (IANS), took a high-level view.
“I don’t think it’s possible to look at the state of cybersecurity, especially in critical infrastructure, and think that market forces alone are enough of an incentive for organizations to do protect their users,” he wrote. “This is the precise use case for regulation: mandating behavior for the public good. We certainly need to be careful that regulation isn’t overly proscriptive and doesn’t unduly stifle competition in the vendor landscape. But there’s no question more needs to be done on the regulatory front.”
There’s at least some overlap in the arguments of those who say regulators are striking the right balance and those who say they need to go further.
“By and large, I think they are striking the right balance — especially in that many are constrained by existing authorities in just how far they can go,” wrote Jeremy Grant, Venable’s director of its technology business strategy. Grant cited some agencies’ efforts to push industry toward multifactor authentication without the authority to mandate it. “It’s a creative way to help shape market behavior without a formal regulation.”
Amy Hogan-Burney — Microsoft’s general manager and associate general counsel for cybersecurity policy & protection, who leads its digital crimes unit — specifically praised the administration’s overarching strategy.
“The release of the National Cybersecurity Strategy is a positive step in strengthening U.S. cyber defenses,” she wrote. “It strikes the right balance of setting priorities and sharing effective practices, while also recognizing implementation challenges.”
Several experts, however, chose this answer because of the totality of the divergent efforts, some of which they praised and others of which they didn’t.
“It’s an uneven approach to cyber regulations across Critical Infrastructure sectors right now,” said Norma Krayem, vice president and chair of the cybersecurity, privacy and digital innovation practice at Van Scoyoc Associates. “Some sectors have been heavily regulated for cyber for many years like banking/financial services, other sectors actually get to write their own regulations, then there are sectors like water/wastewater with no regulations at all.”
Despite the 15 percent who said regulators have gone too far, the only comments we got truly advocating for this position were from people who chose to make their remarks anonymously.
One of them cited the array of different regulatory ideas that are in the mix.
“There are too many overlapping, duplicative and uncoordinated cybersecurity efforts at the Federal level,” they wrote. Add in regulations proliferating at the state level, this person said, and “there doesn’t appear to be any prioritization of this efforts and it is increasingly pulling private sector resources away from doing actual security work.”
Another took aim at one regulation in particular, the SEC’s recently approved rule, saying it is having “a chilling effect on the cybersecurity community and unintended negative consequences.” Some chief information security officers are contemplating retirement rather than face litigation, while others say the expected standard is too vague, this person wrote.
- Gone too far. Katie Moussouris checked this box, but wrote that the correct answer was not listed as an option. “These are poor choices,” the founder and CEO of Luta Security wrote. “The answer is: no, they are focusing on the wrong things. The US and other governments, lawmakers, and regulators around the world are still lacking enough real world cyber security expertise at scale to understand the big picture to make informed, strategic, actionable regulations.” She also wrote that “[u]ntil regulators understand that cybersecurity is a moving target and [move] to regulate using a maturity model framework that measures risk and outcomes, we’re doomed to chase regulatory compliance instead of effective prevention, defense, detection, and most importantly cyber resilience. We need better regulators and a better system of regulation that does not coddle the largest technology companies, while also leaving room for new technology innovation.”
- Not far enough. John Pescatore, director of emerging security trends at the SANS Institute, the largest cybersecurity training organization: “The US is still lacking national data privacy legislation, the US still allows mobile phone numbers to be easily spoofed, the US still allows ISPs to deliver known malware. All three are solvable problems that other countries have been able to address.”
- Not far enough. Michael Daniel, president and CEO of the Cyber Threat Alliance: “The real answer is ‘It depends.’ As in it depends on which regulator in which industry for which purposes.”
- Right balance. “I think regulators are, largely, taking the correct approach: trying to find a balance between security and the free market,” said Allan Liska, senior security architect at the cybersecurity firm Recorded Future. “Will the government make mistakes? Undoubtedly. But we have to try, because what we are doing now ain’t working.”
Former Cyber Ninjas CEO appears to be unindicted co-conspirator in alleged Coffee County breach
Former Cyber Ninjas chief executive Doug Logan appears to be one of the unindicted co-conspirators listed in a wide-ranging indictment of former president Donald Trump and 18 others in Georgia, our colleague Jon Swaine reports.
Cyber Ninjas, the company behind a shoddy and partisan audit of the 2020 election results in Maricopa County, Ariz., went out of business last year, The Cybersecurity 202 reported at the time. The firm was in free fall after a four-month audit of the state’s election results that was filled with cyber and procedural flaws.
- Jon writes that a person listed in the indictment as “Individual 25” had “downloaded Coffee County elections data on four days in 2021 — Jan. 9, 10, 11 and 13 — from a server maintained by SullivanStrickler, according to the indictment.”
- The report adds: “An account in Doug Logan’s name and registered to his email address was the only one to have downloaded data on all four days on which the indictment says ‘Individual 25’ did so, the access logs show.”
“Individual 25” is also one of two co-conspirators described in the Georgia indictment as having accessed nonpublic areas of the Coffee County elections office on Jan. 18, 2021 with permission from former county elections supervisor Misty Hampton, who was charged in the indictment.
- “Surveillance footage reviewed by The Post shows Logan was one of only two members of the public to visit the office that day, when it was closed for the Martin Luther King Jr. Day holiday,” Jon writes. “It was not clear from the footage what he did inside.”
- Logan and the other alleged apparent unindicted co-conspirators either declined to comment or did not respond to requests for comment. Hampton did not respond to a request for comment.
Raided Kansas newspaper accused of computer crime will have equipment returned
A local prosecutor agreed to withdraw a search warrant and return items taken from a small Kansas newspaper after a controversial police raid this past Friday led to intense criticism and investigation by national outlets, our colleague Paul Farhi reports.
- Local law enforcement seized phones, computers and other materials from the Marion County Record’s office. Police also seized materials from the home of Eric Meyer, the newspaper’s co-owner and publisher. The newspaper said the death of Meyer’s 98-year-old mother, Joan Meyer, a day after the raid, was caused by stress from the search of the home she shared with her son.
- The police officers removed computers and snapped photos of sensitive information, including passwords.
Paul writes: “Attorney Bernard Rhodes told The Washington Post that County Attorney Joel Ensey withdrew the warrant Wednesday and would return computers, cellphones and records taken by Marion police and sheriff’s deputies from the newspaper headquarters and the home” of Meyer.
- Rhodes also urged an investigation into the raid, which has sparked outrage among groups that viewed it as a violation of press freedom.
- “The Record and the public deserve to know why the Marion Police decided to conduct this raid and whether they gave even a moment’s thought to the First Amendment or other legal restrictions before they decided to search a newsroom,” said Caitlin Vogus, a deputy director at the Freedom of the Press Foundation, in a statement.
Marion Police Chief Gideon Cody, who led the search, was being investigated by the paper for over a year after departing from the Kansas City, Mo., police force this year, Paul notes, adding that he threatened to sue the outlet if it published misconduct allegations. The raid was reportedly prompted after a local restaurant owner accused the outlet of illegally obtaining damaging information about a 2008 drunken driving conviction she faced.
White House demands agencies beef up cybersecurity after falling behind on directives
The White House is demanding that several federal agencies shore up their cybersecurity posture, arguing that they have fallen behind on implementing a 2021 cybersecurity executive order, CNN’s Priscilla Alvarez and Sean Lyngaas report.
Several federal departments and agencies “failed to fully comply” by the end of June with key security practices prescribed by the executive order, “leaving the U.S. Government exposed to malicious cyber intrusions and undermining the example the Government must set for adequate cybersecurity practices,” according to remarks from national security adviser Jake Sullivan in a memo to Cabinet secretaries sent this week.
- The executive order came off the heels of high-profile cyber incidents including Russia- and China-linked hacking campaigns — better known as the Colonial Pipeline and SolarWinds incidents.
- The directive from President Biden called for reporting of severe cyber incidents within three days, creating a board to review significant incidents and the removal of contractual hurdles to reporting federal agency breaches, among other things.
The memo “reflects frustration among senior US officials that the government hasn’t gone far enough in protecting itself from a barrage of state-backed and cybercriminal attacks,” Alvarez and Lyngaas write.
Special counsel obtained Trump DMs despite ‘momentous’ bid by Twitter to delay, unsealed filings show (Politico)
A nonprofit fights GOP allegations that it supported a ‘censorship regime’ (Cat Zakrzewski)
Hackers are increasingly hiding within services such as Slack and Trello to deploy malware (CyberScoop)
ChatGPT leans liberal, new research shows (Gerrit De Vynck)
NYC bans TikTok on city-owned devices (The Verge)
Beware the emergence of shadow AI (Tech Policy Press)
Monti ransomware targets legal, government entities with Linux-based variant (The Record)
Cybersecurity researchers become target of criminal hackers (Financial Times)
How a hacking crew overtook a satellite from inside a Las Vegas convention center and won $50,000 (CyberScoop)
- Former attorney general Alberto R. Gonzales speaks with Washington Post Live about the recent Trump indictments at 1 p.m.
- CISA’s Rob Costello and other cybersecurity officials take part in the GovForward Summit on Wednesday.
Thanks for reading. See you next week.
[ad_2]