At a glance.
- Cyber doctrine for the next administration?
- Information-sharing under the Cybersecurity Maturity Model Certification (CMMC) program.
- US Department of Justice reports finding no evidence of significant election fraud.
A cyber doctrine for a Biden Administration.
TAG Cyber CEO Edward Amoroso published national cybersecurity advice for US President-elect Biden on LinkedIn last week. Amoroso thinks the US should return focus from centralized offense to distributed defense, despite its greater difficulty. Since threat actors typically exploit local vulnerabilities, and CISOs often know what needs to be done but lack the resources, integrated initiatives like Einstein 2 should be phased out in favor of a “mosaic of distinct and diverse” efforts, with CISA funds and personnel reapportioned to frontline institutions, he says.
Amoroso also gripes that the US puts too much stock in friendly alliances and unfriendly pleas at the expense of domestic technical know-how, calling for a national cybersecurity program where youths would receive free college in exchange for five years of service.
In the comments section, the CISO of Eclipzo.io highlighted some benefits of centralization, including greater manpower and streamlined solutions.
CMMC raises information-sharing challenges.
The Information Technology Industry Council (ITI) says higher levels of Cybersecurity Maturity Model Certification (CMMC) appear to require information sharing that might be prohibitively pricey, Nextgov reports. CMMC came into force yesterday, and any comment-driven revisions will be implemented early next year.
Certification levels 4 and 5 include metrics related to APT defenses. CISA advises organizations to exchange TTP findings via Information Sharing and Analysis Centers (ISACs), but ISAC membership can be costly, and companies lack the liability shields to use other routes.
ITI is also worried about the risk posed by third-party auditors, who will work as volunteers to certify roughly 300 thousand organizations. The Council hopes DoD will step in on assessments of higher-security vendors. (A root concern seems to be threats to confidential business information or fairness posed by auditors with potential conflicts of interest or inadequate training.)
DOJ hasn’t found proof of widespread election fraud.
The Delaware Republic reports US Attorney General Barr yesterday informed the Associated Press the Justice Department has not “to date” uncovered “fraud on a scale that could have affected” the election’s outcome, in contrast to earlier cautionary statements about mail-in voting. President Trump’s lawyers responded that “there hasn’t been any semblance of a Department of Justice investigation,” and their legal struggle will continue.