At a glance.
- The Cyberspace Solarium on international norms.
- CMMC audits may be delayed by the pandemic.
- Pentagon warns contractors of an ongoing Chinese cyberespionage campaign.
The Cyberspace Solarium and international norms.
Members of the Cyberspace Solarium staff have an essay on the Council on Foreign Relations blog. Their topic is the work of the Solarium's Task Force Three, which looked at ways of using norms and soft power toward building greater security in cyberspace. They distinguish between "big N" and "little n" norms, and explain how these could be confused. "In one sense, norms are frameworks for behavior articulated in statements, documents, or other declarations made by governments around the world. In other words, norms are what governments say they will do and what they expect others to do. Our task force came to refer to these as 'big N norms.'" This usage, they say, is well-known in the academic literature. "Big N norms" are intentionally formulated and amount to voluntary, non-binding principles to which "stakeholders" (like governments) agree.
But they say they noticed another sense of the word "norms" that kept intruding into the discussion. "In this sense, the term 'norms' refers to informal descriptions of what governments actually do in cyberspace. These norms occur when repetition of behavior, consciously or unconsciously carried out, goes unchallenged long enough to become a habit. Seeing the term 'norms' used in this sense, we began to refer to these tolerated and habitual behaviors as 'little n norms.'"
The distinction is essentially between the normative and the descriptive (or the normal), that is, between how people ought to behave and what their actual habits of behavior are, between the way things ought to be and the way things are. The policy challenge is to get the two to converge so that behavior conforms to what is right, or, as the essay puts it, to convert "big N norms" into "little n norms."
CMMC audits may be delayed by up to a month.
The Department of Defense has been telling contractors that the Cybersecurity Maturity Model Certification (CMMC) program would not be delayed by the pandemic. That may be true insofar as the policy's effective date is concerned, but the CMMC audits themselves will probably be delayed after all. FCW reports that Katie Arrington, CISO at the Office of the Undersecretary of Defense for Acquisition, who had been prominent among those saying the program would take effect as scheduled, said yesterday that the first audits could be delayed for up to a month. FCW goes on to say that "Arrington suggested that auditors would wear masks and employ social distancing practices to complete their duties, and that company representatives present during the audit would 'respect each other's personal space.'"
DCSA warns of renewed Electric Panda cyberespionage campaign.
The CMMC audits may be delayed, but Chinese industrial espionage seems not to be lagging. Politico reports that the US Defense Counterintelligence and Security Agency (DCSA) this week warned contractors in a bulletin that it had detected renewed activity by the Chinese government's Electric Panda group. The memorandum Politico obtained said that "nearly 600 'inbound and outbound connections' from 'highly likely Electric Panda cyber threat actors' targeting 38 cleared contractor facilities, including those specializing in health care technology," had been detected since the beginning of February. Electric Panda has been active since at least 2016, and its interest in healthcare technology seems to represent a shift driven by the current pandemic. A similar shift has been observed in Electric Panda's sister threat group, Pirate Panda, but in that case it is a shift in phishbait, not in targeting.