At a glance.
- India bans more Chinese apps.
- CISA issues BOD 20-21 to mandate Federal vulnerability disclosure policies and systems.
- Senate Intelligence Committee will continue to receive in-person election security briefings.
- FBI plans more insistent alerting of election security threats.
India bans more Chinese apps as security threats.
According to Medianama, yesterday India's IT Ministry added 118 more apps to its list of banned Chinese products. The Ministry took the action on the advice of the Indian Cyber Crime Coordination Centre and Home Ministry and under the authority of Section 69A of the Information Technology Act. It says it has broad, cross-party support for the action.
China's embassy in New Delhi took strong exception to the measure: "The relevant practices by the Indian government not only harm the legitimate rights and interests of Chinese investors and service providers, but also harm the interests of Indian consumers and the investment environment. Suppression, self-seclusion and restrictions cannot benefit one country's development. It's the right way to integrate into global cooperation by being open, fair and transparent."
Given the current state of Sino-Indian affairs, which have included small but lethal firefights along the border, the Embassy's appeal to openness, fairness, and transparency is unlikely to find a receptive audience.
CISA directs Federal vulnerability disclosure system.
The US Cybersecurity and Infrastructure Security Agency (CISA) has taken comments into consideration and issued Binding Operational Directive 20-21. The Directive, which supports the Office of Management and Budget's (OMB) M-20-32 (“Improving Vulnerability Identification, Management, and Remediation”), directs all Federal agencies (with the exception of statutorily defined “national security systems” and certain systems operated by the Department of Defense or the Intelligence Community) to establish and publish a vulnerability disclosure policy. CISA will begin scanning agency networks for such policies in March of 2021.
CISA's Assistant Director Bryan Ware offered some background in the offhand, pleasantly faux-slacker diction that's already become a hallmark of his young agency's culture:
"This directive is different from others we’ve issued, which have tended to be more technical – technological – in nature. At its core, BOD 20-01 is about people and how they work together. That might seem like odd fodder for a cybersecurity directive, but it’s not. Cybersecurity is really more about people than it is about computers, and understanding the human element is key to defending today and securing tomorrow.
"A final note to those people who find and report vulnerabilities: we see your work, we want to help, and we appreciate you. To others that would use these new ways to reach agencies, please: this is not a business development opportunity, and pitches to firstname.lastname@example.org aren’t going to be appreciated. Don’t @cisagov on your spicy tweets."
Read and heed. And don't send the agencies your white papers.
Senate will continue to receive in-person briefings on election security.
Politico reports that Senator Marco Rubio, Republican of Florida and interim chair of the Senate Intelligence Committee, has said that his committee will continue to receive in-person briefings from the US Intelligence Community on matters relating to election security. Director of National Intelligence John Ratcliffe has recently discontinued such briefings before the equivalent House Committee, citing a problem with too many leaks. The House will continue to receive regular reports, but these will be written as opposed to oral.
FBI says its warnings about possible election interference will be more alarming this time around.
The FBI had warned the Democratic National Committee (DNC) several times over the course of several months that it was receiving the attentions of Russian intelligence services interested in hacking into its systems, WIRED writes, but the warnings were apparently lost in the noise until a DNC staffer noticed, on April 16th, 2016, that Fancy Bear was well-established in their servers. Evidently because the warnings "never used alarming language," they never went higher than the DNC's IT director, who, WIRED says, "dismissed them after a cursory search of the network for signs of foul play." In any case the FBI says it will be a lot more insistent and alarming with anything it discovers this time around.