At a glance.
- Responsibilities of sovereignty.
- Japan plans to increase military cyber capabilities.
- US states and cities would like Federal money for cyber.
- State, local, and Federal cooperation for cybersecurity.
- Incentivizing industry to adopt cyber standards.
- Closing a workforce gap.
Sovereignty implies a reasonable level of control over what goes on within your borders.
ZDNet recaps the Biden Administration’s warning to President Putin that if Moscow can’t (or won’t) get a handle on its cybercrime problem, Washington will.
Japan plans to increase military cyber capability.
Against a backdrop of escalating Russian and Chinese cyber mischief, Tokyo plans to grow its cyber force by more than three hundred specialists over the next two years, Infosecurity Magazine reports. A consolidated unit will oversee the Self Defense Forces’ air, sea, and land branches’ cyber needs. The Defense Ministry is also bolstering cybersecurity training and recruiting private sector experts as consultants.
A June International Institute for Strategic Studies report found Japan’s cyber capacity lacking thanks to Constitutional restrictions on harvesting data. Last year employee information and hypersonic missile designs were apparently pilfered from Mitsubishi Electric, compromising national security. Kyodo News says the Government’s new three-year cybersecurity plan “for the first time” names and shames Beijing and Moscow, and advocates for stronger defense, deterrence, intelligence, communications security, IT standards, Indo-Pacific capacity building, and collaboration—including through joint exercises with the US. China’s response was predictably hostile, labeling the callout “groundless slander” and “completely wrong.” All eyes are on the Tokyo Olympics, which begin in two weeks.
US states and cities want Federal grants for cybersecurity.
Nine local and state Government groups, among them the National Governors Association and National League of Cities, have asked Congress to pass and fund a cybersecurity grant program, according to StateScoop. “The increased sophistication of cyber criminals…and the limited resources of states, territories and localities, create the perfect storm,” the groups argued in a letter to Senate and House leaders.
State, local, and Federal cooperation for cybersecurity.
The US Deputy National Security Advisor for Cyber, Anne Neuberger, met with local government leaders this week to outline ways in which cities, states, and the Federal Government might cooperate in cybersecurity. BleepingComputer reports that she outlined in particular the Federal strategy for fighting ransomware:
Neuberger also outlined the Administration's ransomware strategy, which includes:
- "disruption of ransomware infrastructure and actors by working closely with the private sector;
- "international cooperation to hold countries who harbor ransom actors accountable;
- "expanding cryptocurrency analysis to find and pursue criminal transactions;
- "and the federal government's review to build a cohesive and consistent approach towards ransom payments."
We heard from several sources about this process. Dr. Chenxi Wang, General Partner at Rain Capital, wrote:
"In the real world, individuals and small city governments are not expected to fight organized crimes alone. Why should Cyberspace be any different? Ransomware attacks are an active underground business with an intricate web of criminal activities and operators collaborating across the various value chains. Disrupting this vast web of criminal business requires the close cooperation of government entities spanning state, federal, and across the globe, as well as private industry experts and impacted parties."
Garret Grajek, CEO of YouAttest, thoroughly approved of the White House outreach:
“Good advice from the Deputy National Security Advisor Anne Neuberger. Many local city/state infrastructures are using out-of-date systems that are particularly vulnerable. Enterprises need to assess not only their security tools in place, but also understand the roles and policies of the application and entities. All of our enterprises, including public infrastructure, are being constantly scanned. CISA and the FBI have both recommended that enterprises practice the Principle of Least Privilege (PoLP, NIST AC-6(1)) - ensuring that their entities are NOT over-privileged which can lead directly to significant harms to the organization should credentials be compromised. Regular and triggered permissions for identity access changes and requests are a crucial requirement for both staying compliant and for keeping an organization secure.”
Saryu Nayyar, CEO of Gurucul, would like to see more work on "the essential problem" of identifying and remediating attacks:
"Ransomware continues to be a growing crisis for both governments and enterprises. It has become enough of a problem for the White House to get involved and elevate ransomware to a strategic national security priority. State and local governments are being asked to examine cybersecurity practices to provide responses and contingency plans for attacks that lock out users from essential tasks in exchange for payment.
"While the Administration strategy is clear, it doesn’t solve the essential problem of how to identify and remediate attacks. This requires more concrete actions on addressing cybersecurity weaknesses, coupled with the ability to respond with an action plan. Security analytics enables governments and enterprises to understand when a ransomware attack is occurring, but these organizations need to have a response that can close down such attacks quickly."
Chloé Messdaghi, Cybersecurity Disruption Consultant and Researcher, also pointed out the challenges that remain to be addressed:
"Legacy equipment, inadequate or even undesignated cybersecurity budgets, and challenges finding and up-skilling talent – these are all substantial problems across the public sector as well as commercial and industrial enterprises.
"Whether public or private sector, the thing to remember is that EVERYONE is a target. Teams must prioritize in real time and urgently need vulnerability disclosure policies. These have proven enormously successful in the commercial sector and among Federal agencies, but are not being implemented across state and local levels.
"Outdated equipment, missed patches, inadequate staffing and tight budgets a huge problem across the public sector. Getting employees to update their systems in time is such a challenge, and the slower that cities and towns are to patch and update their systems, the more at risk they put the public they serve.
"It’s especially important not to rely on just one set of security tools – such as scanners. They’re not time reactive, and don’t give any indication of what to prioritize. Security teams need to be able to focus on what to prioritize in real time, and scanners and excel docs just don’t give a real time view of what threats are rising and are most critical. Likewise, phishing and threat training across the city or town is crucial.
"Invest in your team - both inside your security team and among the general employee population."
Purandar Das, Chief Security Evangelist and Co-Founder at Sotero, places the meeting in the context of a larger concern to address cybercrime:
“This should be viewed as a continuation of the administrations focus and efforts to prioritize cybercrime. Earlier steps to increase funding of the governments cyber agencies, involvement at the highest levels of the administration and opening up collaborative doors to the private sector. This is now an acknowledgement of the weakness at the smaller levels of government. It is an acknowledgement that the security practices at the town and city levels are particularly vulnerable. Along with that acknowledgement, the administration should provide both financial and administrative help to upgrade and improve the security practices.”
State law incentivizes industry to implement cyber standards.
StateScoop also has the scoop on the US state of Connecticut’s new Cybersecurity Standards Act, signed into law this week. Following in the footsteps of Ohio and Utah, the Nutmeg State will now provide legal cover for businesses observing a “written cybersecurity program that…conforms to an industry recognized cybersecurity framework” such as the National Institute of Standards and Technology framework. In addition, the legislation broadens the scope of protected “personal information” to encompass IRS-issued credentials and biometric data.
A Federal approach to developing the cybersecurity workforce.
Recent bipartisan efforts in the US Congress have sought to address shorfalls in the Federal cybersecurity workforce. MeriTalk has an account of some of the measures proposed.
Steve Moore, chief security strategist at Exabeam wrote about the effects the widely reported skills gap is having, and offers a positive appraisal of the legislation under consideration to address that gap:
“Seventy-four percent of companies have reported that the cybersecurity skills gap is impacting their ability to secure sensitive information, inevitably leading to data breaches. Over 60% of security analysts are looking to leave their job, according to Exabeam research. Why? The disconnect between analysts and executive staff drives them out the door. Analysts often feel as if there is no job progression or any sort of defined career path. As a result, new security professionals are left wandering aimlessly day after day with no clear purpose.
"Exabeam research has also revealed that less than a quarter of executives (20%) thought that the gap between leadership and entry-level employees was a problem. The misconnection is causing the skills gap to widen and leaving both private and public sector organizations at risk. Recent breaches at the federal level, including the breaches in the Treasury Department and Justice Department as a result of the SolarWinds attack, have pushed government officials in action to fortify cyber defenses.
"The introduction of The Federal Cybersecurity Workforce Expansion Act would help get cybersecurity talent into the door of the workforce for federal organizations, and is a great benefit to transitioning veterans, however it fails to consider the near term needs of security to the private sector. As a result, we’re leaving holes for adversaries to take advantage of across the entire country.”