At a glance.
- CISA releases 5G security guidelines.
- TikTok files suit against the US Executive Order that brands it a security risk.
- The US cyber doctrine of persistent engagement.
- Oversight of Israel's dual-use cyber exports.
CISA releases 5G security guidelines.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) yesterday released its security guidelines for 5G technology. CISA Director Christopher Krebs summarized the importance of the issue, writing, "From my perspective, 5G is the single biggest critical infrastructure build that the globe has seen in the last 25 years and, coupled with the growth of cloud computing, automation, and future of artificial intelligence, demands focused attention today to secure tomorrow." The guidance lays out four lines of effort and five strategic initiatives. The defined lines of effort include:
- "Facilitate Domestic 5G Rollout."
- "Assess Risks to & Identify Core Security Principles of 5G Infrastructure."
- "Address Risks to United States Economic and National Security During Development and Deployment of 5G Infrastructure Worldwide."
- "Promote Responsible Global Development and Deployment of 5G."
The five strategic initiatives are:
- "Support 5G policy and standards development by emphasizing security and resilience."
- "Expand situational awareness of 5G supply chain risks and promote security measures."
- "Partner with stakeholders to strengthen and secure existing infrastructure to support future 5G deployments."
- "Encourage innovation in the 5G marketplace to foster trusted 5G vendors."
- "Analyze potential 5G use cases and share information on risk management strategies."
The CISA measures are designed to implement the US National Strategy to Secure 5G released in March of this year.
TikTok files suit.
As expected, TikTok has sued the US Government over the Executive Order that found the company a security threat. The Washington Post reports that TikTok says the Government’s ban is “not rooted in bona fide national security concerns.” In its explanation of the suit, the company cites the steps it had already taken to secure user data, and it alleges that the Executive Order constitutes a violation of due process. The steps TikTok says it's already taken would seem meant to imply that the US ban is evidence of the Administration's implacability with respect to a Chinese-owned company.
Persistent engagement as US cyber doctrine.
In a Foreign Affairs essay, General Nakasone, commander of US Cyber Command and director of the National Security Agency, explained his organizations’ increasingly assertive doctrine of persistent engagement in cyberspace. Simply defending perimeters has become insufficient. “We learned that defending our military networks requires executing operations outside our military networks. The threat evolved, and we evolved to meet it.” The new persistent engagement was made possible by Congressional and Presidential action. "In 2018, Congress clarified the statutory authority for military cyber operations to enable Cyber Command to conduct traditional military activities in addition to the mostly preparatory operations to which it had been limited previously. That same year, the White House released a National Cyber Strategy, which aligned economic, diplomatic, intelligence, and military efforts in cyberspace."
General Nakasone cites US cooperation with the government of Montenegro's work to secure that country's own elections last Fall against Russian interference as holding useful lessons for his organizations' work to defend this year's elections in the US.
Traditional collection and distribution of indicators and warnings haven't fallen away (far from it), but they've now been joined by a far more assertive operational repertoire. "This doctrine of persistent engagement reflects the fact that one-off cyber operations are unlikely to defeat adversaries. Instead, U.S. forces must compete with adversaries on a recurring basis, making it far more difficult for them to advance their goals over time. For example, publicly releasing adversary malware obtained during hunt forward missions to the cybersecurity community makes that malware less effective because defenses can be tuned to detect and defeat it. Additionally, cyber effects operations allow Cyber Command to disrupt and degrade the capabilities our adversaries use to conduct attacks."
Thus, no more perimeters, and that goes for the adversary as well as for the US.
Oversight of Israeli dual-use cyber exports.
The recent diplomatic rapprochement between Israel and the United Arab Emirates has raised concerns among Emiratis worried about their own government's surveillance practices that this particular international thaw augurs a spring flood of domestic repression. Qantara reports that concerns have formed around two particular relationships: the sale of NSO Group Pegasus spyware to Emirati authorities, and Emirati cybersecurity firm Dark Matter's hiring of former Israeli cyber experts.
The Times of Israel says that Israel’s Ministry of Defense is distancing itself from Psy-Group, which the US Senate cited in its recent report on foreign attempts to influence the 2016 US election. The report indicated that Psy-Group had worked for Russian operators; Israel’s Ministry of Defense disclaims any involvement.
In principle these connections involve dual-use products and services: Pegasus could be a legitimate lawful intercept tool, Israeli security alumni could be doing legitimate work that involved no repression, and as for whatever Psy-Group may have been up to, at one level of abstraction it's just marketing. But in this case it's allegedly marketing in Russian battledress. Israeli government supervision of cyber exports seems likely to remain a matter of domestic debate for the foreseeable future.