At a glance.
- Current state of US actions with respect to Huawei.
- Ways in which cyber strategy may be different from traditional strategy.
- Continuities and discontinuities between US Presidential Administrations.
- Reaction to the IoT Cybersecurity Improvement Act.
The US prods Huawei with legislative stick and prosecutorial carrot.
The NDAA includes a provision directing the Pentagon to weigh the risks of large deployments of military personnel or equipment to nations using Beijing 5G tech, South China Morning Post reports. National Intelligence Director John Ratcliffe has designated China the leading threat to US interests. The rule could force tough choices from countries like South Korea that rely on both US military support and trade with China, depending on how strictly it’s interpreted. Another provision would create a supply chain supervisory role in the Defense Department.
As for the carrot, the Washington Post claims Huawei CFO Meng Wanzhou’s release may be a budding possibility. Should she assume some responsibility in US court for Huawei’s (alleged) Iran ruse, she might be permitted to depart for Beijing on a deferred prosecution deal. ETTelecom says two key law enforcement officials are scheduled to testify this week.
As we’ve seen, since Meng’s detention in Ottawa, China has arrested two Canadians, moved two more to death row, and imposed economic sanctions on the country. Prime Minister Trudeau commented that the law stands independent of its convenience.
CSIS: cyber strategy is not your grandma’s strategy. (Or it shouldn’t be.)
The Center for Strategic and International Studies (CSIS) argues public cybersecurity discourse is clogged with implausible hypotheticals and irrelevant kinetic relics. Five ideas we should stop emphasizing are stability, transparency, escalation, deterrence, and norms implementation.
Enemies of the West are not concerned by destabilization; in fact, they seek it. We should stop assuming stability as a universal goal, and expect increasing instability. Likewise, cyber capacity transparency has neither enhanced stability nor encouraged reciprocity (and regardless, some obscurity is necessary to preserve strategic advantage). On the other hand, escalation from cyber to kinetic combat hasn’t occurred in twenty-plus years of cyber contest. Thus far states have observed the “use-of-force threshold,” so continued anti-escalation measures are wasted. That said, current methods of cyber deterrence aren’t working, and neither is norm building, which has proved more descriptive than prescriptive.
CSIS concludes that cyberattack numbers are moving the wrong way, and it’s time to retire dated concepts.
Administrative continuity and discontinuity.
ExecutiveBiz reports Fortinet CISO Phil Quade thinks the Biden Administration should restore the National Security Council cybersecurity coordinator role for the safety of critical infrastructure like manufacturing and energy. In contrast to CSIS, Quade maintains that norm building is the future.
Other industry observers hope the Biden Administration emphasizes global coalition building and takes seriously the threat of Beijing and Moscow, investing in AI as a corrective, according to the Washington Examiner. One expert said the Trump Administration is bequeathing a “good working order” cyber enterprise, including a souped-up Cybercom that has probably “conducted more operations in the last two years than…all previous years combined.” The Council on Foreign Relations contends President Trump’s cyber legacy will be weaker on disinformation, internet authoritarianism, data privacy, and cybercrime, and stronger on Beijing, military initiatives, election security, intracontinental data mobility, and regulation of Big Tech.
Quartz adds that amending Section 230 remains a puzzle, and the next Administration could take one of two tracks: exclude particular topics from immunity, or condition immunity on certain criteria.
Industry reacts to the IoT Cybersecurity Improvement Act.
President Trump has signed the IoT Cybersecurity Improvement Act into law, and the industry experts we're hearing from generally give the bill good reviews. Edgard Capdevielle, CEO of Nozomi Networks, calls it "a solid step forward for IoT security." He adds:
“Although it only applies to devices purchased or managed by the government, its purchasing power will provide a powerful incentive for manufacturers to adopt the standards. And while the hard work of developing device standards hasn’t been completed, NIST involvement will help drive global adoption of IoT device security standards that we believe will go a long way toward improving overall industrial and critical infrastructure security.
"The IoT device security bill calls out four important areas for the creation of standards and guidelines to manage cybersecurity risks:
- Secure development
- Identity management
- Configuration management
"It also directs NIST to work with the U.S. Department of Homeland Security, along with “cybersecurity researchers and private-sector industry experts” to publish guidelines for reporting and remediating vulnerabilities. The guidelines will also need to align with “industry best practices” and widely adopted IT standards ISO 29147 (vulnerability disclosure) and 30111 (vulnerability handling).
"You can never guarantee zero risk...that's why enterprise and industrial organizations must put additional security measures and technologies in place to shore up their IoT security.
"That includes using AI-powered solutions that can quickly identify the hundreds or even thousands of IoT devices connected to the network and assess their level of risk or vulnerability to help prioritize fixes and response. By effectively managing vulnerabilities of their IoT devices, security teams are one step closer to protecting against cyber threats and the risk of downtime due to cyberattacks.
"Nozomi’s 2020 OT/IoT Threat Landscape Report found that in the first six months of this year, hackers used IoT botnets and shifting ransomware tactics as their weapons of choice for targeting IoT devices in operational networks. With more than 5.8 million enterprise and automotive IoT devices expected to be connected to the Internet this year according to Gartner, this new law will help make IoT security a top priority.”
Yaniv Nissenboim, Vice President of Vdoo, points out that NIST has been preparing for this law for more than a year:
“NIST has been anticipating the Act for over a year. A new set of NIST guidelines for IoT cybersecurity will soon be published. Given the focus on and demand for cybersecurity standards, we expect that federal agencies will quickly adopt the guidelines and insist on compliant products. We also expect the trend to spread to state governments (most have already introduced or passed IoT cybersecurity legislation) and then immediately onto private adopters and users. Companies that fail to demonstrate compliance might find themselves shut out of lucrative target markets for their IoT devices at some point.
"We expect similar regulations and standards to emerge outside the US as well. Singapore has already launched a national rating system for connected devices' cybersecurity, and other nations will follow. This is an expected reaction of regulators to the increasing threat globally. Given the device-development cycle, the time to get started is now.
"IoT cybersecurity requires a very high level of expertise. The broad range of platforms, technologies, and protocols used in connected devices, as well as unique attack vectors and exploitation methods used by adversaries to compromise them, makes cybersecurity for these products a challenge. We expect to see more and more technologies for automating product security and compliance testing emerging to face this challenge.”