At a glance.
- Nakasone says cyber is about people.
- The latest on Section 702.
- FBI issues guidelines for requesting cyber incident disclosure delays.
- A rundown of the US-EU Cyber Dialogue.
- The EU's cyber resilience bill.
- The US Senate confirms a National Cyber Director.
Nakasone says cyber is about people.
US Army General Paul Nakasone, director of the US National Security Agency (NSA) and Cyber Command (CYBERCOM), says when it comes to cyber defense, his focus is on personnel. Speaking last week at an event hosted by trade organization the Intelligence and National Security Alliance, the dual-hatted director stated, “A lot of times we think about the incredible technological capabilities and the high-speed computers that are there, but, at the end of the day, what makes us the agency that we are is our talent.”
Earlier in 2023 NSA set a goal of hiring over three thousand new employees by the end of the year, and while Nakasone says they’re on their way to hitting that target, he feels quality is just as important as quantity. As Breaking Defense notes, the general believes hiring the right employees – and retaining them – is key, especially as the workforce changes over time. He explained, “How do we think about a population that is over 50% today millennials and [Generation Z]? Ten years ago, 70% of our workforce was baby boomers. Five years ago, Gen Z and millennials overtook baby boomers. Five years from now, 70% will be Gen Z and millennials. This is the workforce that is coming into our agency, so this is an agency that is looking much differently in how we retain our workforce.” To that end, NSA is concentrating on work-life balance, as well as making it easy for employees to move from the private sector to government work.
As the Department of Defense explains, also important is understanding and leveraging new tech like artificial intelligence, and that’s where the AI Security Center comes in. The newly established entity’s mission is to oversee the development and integration of AI tools with the US’s national security systems and defense industrial base, and the center will serve as a hub for best practices, evaluation methodology, and risk frameworks connected to the secure adoption of new AI capabilities. Nakasone says the AI Security Center has been working with global partners and recently issued a report on AI security infrastructure in conjunction with several organizations including the Cybersecurity and Infrastructure Security Agency and the United Kingdom's Government Communications Headquarters.
As for CYBERCOM, Nakasone says the ever-evolving cyber landscape calls for a new model. “So we have to have…[a] cyber force 2.0…CYBERCOM 2.0. …,” Nakasone stated. “We built our force in 2012 and 2013. We’ve had tremendous experience. But the scope, scale, sophistication of the threat has changed.” Although the Pentagon and Congress have said they’re considering establishing an independent cyber force, Nakasone did not directly address this potential initiative, but he did divulge that he’s working with the Department of Defense on a study examining the potential for a new force generation model for CYBERCOM.
The latest on Section 702.
At the same event, Nakasone also weighed in on the battle over the reauthorization of Section 702, the US intelligence community’s controversial surveillance program that allows government collection of communications of foreigners living overseas. Nakasone described the tool, which is set to expire at the end of the year, as “the most important authority that we utilize day in, day out,” and said its removal could have disastrous consequences.
Opponents of Section 702 have said it threatens the privacy rights of US citizens, whose communications often get swept up in surveillance data. Nakasone, however, disagreed, stating, “As the director of the National Security Agency, I will tell you that our focus is not only national security. It’s also the protection of our civil liberties and privacy. This is an authority with oversight and transparency that allows both of those things.” As C4ISRNet notes, the Biden administration agrees with Nakasone, as well as FBI Director Christopher Wray and Air Force Lt. Gen. Timothy Haugh, CYBERCOM’s current deputy chief and Nakasone’s expected successor as NSA and CYBERCOM director. Haugh recently stated, “When we see things like the origins of fentanyl in China and its path that it takes to the United States? Informed by 702. Counterterrorism actions, the ability to see some of the egregious acts that Russia has done in Ukraine? Informed by 702.”
The Wall Street Journal offers an overview of the debate thus far, which is reaching a fever pitch as the New Year looms. In a last-ditch effort, Congress has included short-term extension of the surveillance tool into a must-pass annual defense authorization bill, which is scheduled for a vote in the next week. However, this would only lengthen 702’s life until April, leaving its long-term survival in question.
Some Republican lawmakers remain opposed to renewal, especially given recent revelations from the Federal Bureau of Investigation (FBI) about past abuses of the tool. The FBI says it’s taking measures to prevent such activities in the future, but some legislators remain unconvinced. During a Senate hearing last week Senator Mike Lee, a Republican from Utah, told FBI Director Chris Wray, “We have absolutely no reason to trust you…It’s never different. You haven’t changed.” Even some Democrats agree that 702’s powers must be reined in to preserve the rights of American citizens and are calling for an extension only with additional privacy protections. Senator Ron Wyden of Oregon stated, “It is possible to confront our country’s adversaries ferociously without throwing our constitutional rights in the trash can.” As the countdown to 2024 continues, it remains to be seen whether such a compromise can be reached.
FBI issues guidelines for requesting cyber incident disclosure delays.
As a follow-up to the Securities and Exchange Commission’s (SEC) controversial new cyber incident disclosure rules, the Federal Bureau of Investigation last week released guidance on how companies can request a disclosure delay. Approved in June, the SEC’s rules state that companies must report cybersecurity incidents that are “material” in nature within four days of detection unless the US attorney general determines that such a disclosure could be a threat to national security or public safety. The FBI has been placed in charge of collecting such delay requests, and with the rules set to take effect on December 18, the bureau worked with the Department of Justice (DOJ) to develop the guidance document.
As the Record explains, there’s been much discussion about what, exactly, makes a cyber incident “material,” with companies and lawmakers expressing outrage over the difficulty of making this determination. The guidance offers a little help there, explaining that a material incident is one in which “there is substantial likelihood that a reasonable shareholder would consider it important” when making an investment decision. The document goes on to say that in order to be considered for a delay, companies must tell the FBI when the incident occurred and when the organization determined it was material, down to the exact date, time, and time zone. The delay request must also include details about the type of cyberattack, the intrusion vectors, what infrastructure or data were impacted, whether or not attribution has been confirmed, and the effect of the incident on operations.
If approved, the delay request can give a company an extra thirty business days to file. There’s an option to delay for an additional thirty, and in “extraordinary circumstances” an additional sixty days can be granted, not to exceed one hundred twenty days without an exemption order from the SEC. When considering approval, the FBI will make decisions on a case-by-case basis, taking into account the industry of the victim, the nature of the vulnerability exploited, and the type of attacker.
DOJ deputy assistant attorney general Eun Young Choi explains, “If it's something like a zero-day and a nation-state, we're probably more to lean towards potentially having a concern about that disclosure in terms of the national security risk benefit versus a sort of run-of-the-mill phishing attack.” That said, the guidance is not an excuse for companies to dilly-dally when it comes to reporting or determining materiality. Indeed, as the FBI emphasizes, “failure to report the cyber incident immediately upon determination of materiality will cause a delay-referral request to be denied,” and it’s recommended that victims report incidents even before materiality is confirmed in order to seek assistance from the FBI on determining materiality.
George McGregor, VP of Approov Mobile Security, pointed out that there are points of convergence between the SEC regulations and the EU's Cyber Resiliency Act. “With the new SEC reporting guidelines as well as the EU Cyber Resiliency Act 24 hour breach reporting requirement coming into force, companies are having to scramble to be able to quickly report breaches. The process to request a delay by the FBI is welcome, and will take some of the pressure off. Companies are struggling to balance limited investments, and what we don’t want to see is a focus on regulatory reporting to the detriment of spending on upstream cyber defense techniques.”
The issues surrounding disclosure are complex. Troy Batterberry, CEO and Founder of EchoMark, observed that there are occasions in which too much transparency can help the adversary. “The current SEC disclosure rules, while well-intentioned to keep investors informed, fail to comprehend the complexity of dealing with such events as they emerge. Prematurely disclosing information can help assist the very criminal(s) involved and make the situation even worse for the victim and their respective investors. Such situations are not just limited to national security.”
A rundown of the US-EU Cyber Dialogue.
American and European leaders gathered in Brussels last week for the 9th US-EU Cyber Dialogue, and after the event a joint declaration was issued outlining the powers’ transatlantic cybersecurity partnership. The statement reads, “The United States and European Union reaffirmed their continued commitment to an open, free, interoperable, secure, and reliable Internet, respecting human rights and fundamental freedoms. We are committed to advancing international security and stability in cyberspace and enhancing the ability of all states to reap the benefits that modern technologies provide.” Issues discussed during the Cyber Dialogue included global cyberthreats like Russia’s aggression against Ukraine, the rise in cyberattacks targeting supply chains, critical infrastructure, and intellectual property, and the surge of ransomware attacks.
Attendees highlighted the need for cross-regional cooperation with Latin America, the Indo-Pacific, and Africa to strengthen cybersecurity awareness on a global level, and they reaffirmed their commitment to the establishment of the UN Cyber Programme of Action to implement an international framework of responsible state behavior in cyberspace. Last January US Department of Homeland Security Secretary Alejandro Mayorkas and EU Commissioner for Internal Market Thierry Breton issued key priorities for cybersecurity and resilience, and Cyber Dialogue attendees gave updates on these initiatives, which include security standards for digital products, defense of critical infrastructure, emerging technologies, and cooperation between US and EU cybersecurity agencies.
The release adds, “During the Cyber Dialogue, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the European Union Agency for Cybersecurity (ENISA) formalized a Working Arrangement covering themes such as cyber awareness and training, best practice exchange, and knowledge sharing for common situational awareness.” As well, the US-EU Cyber Fellowship pilot program was launched, allowing representatives from the US Department of Homeland Security and agencies to meet with European and EU Member State cybersecurity officials.
The EU's cyber resilience bill.
Anurag Gurtu (he/him), CPO at StrikeReady, suggests that new EU measures could become a de facto global standard:
"The regulation paves the way for what could become a global standard to classify risk, enforce transparency, and financially penalize tech companies for noncompliance. The European Union's deal on the landmark AI bill marks a significant moment in the global conversation about the regulation of artificial intelligence. This ambitious legislation, which seeks to classify AI risks, enforce transparency, and penalize noncompliance, demonstrates the EU's proactive stance in addressing the complexities of AI technologies. The Act's focus on monitoring and oversight, especially for high-risk applications, could set a new global standard for AI regulation. While it aims to balance protection and innovation, the Act will require tech companies operating in the EU to adapt significantly, potentially reshaping global AI development and deployment strategies. This legislation also raises critical discussions about the balance between innovation and ethical considerations in AI. While Europe is taking a lead, it will be interesting to see how other regions, particularly the U.S., respond to this development. Will they follow suit with similar regulations, or will they take a different path? Moreover, the Act's implications on open-source AI models, which are exempt from certain restrictions, could stimulate interesting shifts in the AI industry, potentially favoring open-source approaches. However, there are concerns about the potential impact on innovation and the competitive edge of European AI companies. While the Act aims to ensure safety and ethical standards, it's crucial that it doesn't stifle the innovative potential of AI. This development is a significant step in the global dialogue on AI governance and sets the stage for further international discussions on how best to manage this rapidly evolving technology."
The US Senate confirms a National Cyber Director.
The US Senate on Tuesday confirmed Harry Coker, Jr. as National Cyber Director in the White House Office of the National Cyber Director, where he will serve as the principal advisor to the President on cybersecurity policy and strategy. He will be the second person to hold the office since its creation in 2021. Coker is a retired senior executive at the Central Intelligence Agency and a career Naval officer. He most recently served as Executive Director of the National Security Agency. The first National Cyber Director was Chris Inglis, who held the post from 2021 until February of this year.
Mr. Coker received a courteous welcome from industry. Sabeen Malik, Rapid7's VP of Government Affairs and Public Policy, said, “We applaud the nomination of Harry Coker to serve as the National Cyber Director. This critical role has been vacant for most of the year, and it is more important than ever to have a coordinated cybersecurity policy across all levels of government and across the public and private sector.”
Bruce Byrd, Executive Vice President and General Counsel at Palo Alto Networks, also offered good wishes. “We congratulate Harry Coker on his confirmation as National Cyber Director. In an age of rapidly evolving cyber threats, his confirmation comes at a critical juncture in the fight to secure our digital way of life. Palo Alto Networks looks forward to its continued partnership with the Office of the National Cyber Director and to Director Coker’s leadership.”
Robert DuPree, Manager of Government Affairs at Telos, thinks it important that the empty position be filled. “While there will continue to be disagreements in Washington over the extent to which government should legislate or regulate cybersecurity, the Senate’s December 12 confirmation of Harry Coker as the new National Cyber Director will help fill a leadership void that has existed in the cyber policy arena. Geopolitical tensions continue to increase and there are constantly new technologies expanding the security landscape. Having this top White House post finally filled by a Senate-confirmed director ten months after the position was vacated will help the Administration better work with Congress and the private sector to implement the National Cybersecurity Strategy and other such initiatives.”