At a glance.
- US Energy Department issues RFI on securing the bulk power system's supply chain.
- UN agreement mandates cyber protections for newly manufactured cars.
- Huawei pushes back at official skepticism.
- Computer Fraud and Abuse Act before the US Supreme Court.
US Department of Energy issues an RFI on securing bulk power distribution.
The US Department of Energy yesterday issued an RFI (Request for Information) inviting performers to help it arrive at an understanding of "the energy industry’s current practices to identify and mitigate vulnerabilities in the supply chain for components of the bulk-power system." Citing the authority of the May 1st Executive Order 13920, "Securing the United States Bulk Power System," which declared a national emergency, the Department of Energy is specifically concerned with threats that "foreign adversaries" (specifically and explicitly Russia and China) pose to US infrastructure.
The RFI offers the following background: "The BPS [Bulk Power System] is a target of these adversaries’ asymmetric cyber and physical plans and operations. A successful attack on the BPS would present significant risks to the U.S. economy and public health and safety and would render the U.S. less capable of acting in defense of itself and its allies.... These near-peer foreign adversaries continue to map U.S. critical infrastructure with the long-term goal of being able to cause substantial damage.... [T]hese foreign adversaries are employing innovative combinations of traditional spying, economic espionage, and supply chain and cyber operations to gain access to critical infrastructure. They are also attempting to access our Nation’s key supply chains at multiple points—from concept to design, manufacture, integration, deployment, and maintenance—by, among other things, inserting malware into important information technology networks and communications systems."
The Department asks those responding to the RFI to address the Executive Order's first three "pillars:"
- "Prohibit any acquisition, importation, transfer, or installation of BPS electric equipment by any person or with respect to any property to which a foreign adversary or an associated national thereof has any interest, that poses an undue risk to the BPS, the security or resiliency of U.S. critical infrastructure or the U.S. economy, or U.S. national security;
- "Authorize the Secretary [of Energy] to establish and publish criteria for recognizing particular equipment and vendors in the BPS electric equipment market as 'pre-qualified' for future transactions and to apply these criteria to establish and publish a list of pre-qualified equipment and vendors;
- "Direct the Secretary, in consultation with heads of other agencies, to identify existing BPS electric equipment in which a foreign adversary or associated national thereof has an interest that poses an undue risk to the BPS, the security or resiliency of U.S. critical infrastructure or the U.S. economy, or U.S. national security and develop recommendations to identify, isolate, monitor, or replace this equipment as appropriate."
The framework Energy is using derives from the National Counterintelligence and Security Center's supply chain risk management framework. The Department is soliciting comment as part of its commitment to public participation in its rule-making processes. It's interested not only in appreciations of threats and vulnerabilities in the bulk power system, but also in assessments of its own economic analyses.
CSO reports that industry seems to have received the RFI well. Requests for Information typically precede Requests for Proposals, although RFIs don't always or inevitably lead to a procurement. Responses to this RFI are due by August 7th.
UN agreement mandates cybersecurity measures for connected automobiles.
A United Nations agreement reached last month and signed by fifty-three nations will, the Wall Street Journal reports, oblige "national authorities responsible for approving car models before they go on sale to ensure that vehicles are built with cybersecurity protections. Manufacturers will need to guarantee that their suppliers also implement cybersecurity measures, and will be required to have forensic technology in place to analyze attempted cyberattacks." The agreement effectively applies to cars being sold in Japan, South Korea, and the European Union.
Huawei seeks to regain ground in Brazil and the UK.
With official opinion turning toward skepticism with respect to the Chinese hardware manufacturer, Huawei is working to get officials in Brazil and the UK to open (or reopen) their infrastructure to Shenzhen's products. The company line is affordability: they're competing on cost. SecurityWeek reports that Huawei has urged the British government not to rush into a decision about the company's future participation in the UK's 5G infrastructure. Banning its products would be, ComputerWeekly describes the company as arguing, hugely costly to the British economy, and therefore not a decision HM Government should take lightly.
Gadgets Now reports that the company is following the same line in Brazil, about which Marcelo Motta, Huawei's director of cybersecurity and solutions, said that restricting the company's participation would not only delay the country's 5G deployment, but would render it markedly more expensive. "In places where there have been restrictions on Huawei we have seen prices rise two to five times," Motta said, "often making business unfeasible for operators."
"Violating Terms of Service Isn’t a Crime Under the CFAA."
As the US Supreme Court considers the Computer Fraud and Abuse Act (CFAA), the Electronic Frontier Foundation is urging the Court not to interpret violations of terms of service as criminally actionable. The EFF's principal concern is that the CFAA might be applied in ways that would render legitimate research and various forms of white-hat security work crimes.