At a glance.
- US energy regulator offers cyber standards for electrical utilities.
- The US SEC continues to focus on cybersecurity enforcement.
- The White House engages state and local governments.
- Last of the JEDI.
Post-Holiday Bear: US regulator warns electric sector to batten the hatches.
JD Supra reviews the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) Electricity Information Sharing and Analysis Center’s (E-ISAC) whitepaper “SolarWinds and Related Supply Chain Compromise – Lessons for the North American Electricity Industry.” The document spells out recommendations for securing systems, including malware fixes and steps highlighted in CISA’s Emergency Directive 21-01 and Alert AA20-352A. Other “extensive and detailed” suggestions are meant to mitigate the ongoing threat from Holiday Bear’s breach to downwind critical systems.
The SEC’s focus on cybersecurity enforcement.
JD Supra also takes a look at the Securities and Exchange Commission’s (SEC) half-million-dollar settlement with real estate insurance firm First American Financial Corporation for “disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information.” A security error exposing 800 million documents’ worth of personal information was not brought to the attention of the company’s CEO, CIO, or CISO for months, in violation of a rule governing disclosure protocols. Because the case turns on neither a specific incident nor a fraud allegation, JD Supra reads it as a sign that enforcement will target general cyber policies, with a novel emphasis on internal reporting procedures.
The settlement follows 2018 actions against Equifax employees for breach-related insider trading, Yahoo heir Altaba for alleged failure to disclose a major incident in a timely fashion, and Voya Financial Advisors for inadequate mitigation of identity theft risk.
White House urges cities to cooperate with states on cybersecurity.
ZDNet recaps Deputy National Security Advisor for Cyber Anne Neuberger’s meeting this week with the US Conference of Mayors, where she encouraged local officials to connect with state cyber offices regarding their security plans. Cities in US states from Maryland to Florida and Oklahoma, made vulnerable by workforce issues and outdated technology, have recently suffered cyberattacks.
Neuberger also noted the Administration’s efforts to hunt cybercriminals through cryptocurrency exchanges, tackle ransomware operations with the help of international and private sector partners, and develop a “cohesive and consistent approach” to ransomware payment. The White House is also working to defend critical infrastructure through a “Cybersecurity Industrial Control Systems Initiative.”
Starting over on JEDI.
After protests, lawsuits, and much public lobbying and complaint on all sides, the US Department of Defense has decided to cancel its $10 billion JEDI cloud computing contract. ("JEDI" is a forced acronym for "Joint Enterprise Defense Infrastructure.") The Pentagon will now look to other vehicles for its cloud needs. Microsoft blogged that there are no hard feelings about the cancellation, that its commitment to the Defense Department remains "steadfast," and that "the decision to end prolonged litigation charts a new path forward for the DoD in cloud computing."
JEDI will be replaced, TechTarget reports, by JWCC ("Joint Warfighter Cloud Capability"), for which at least Microsoft and Amazon are expected to bid. The Defense Department is also expected to investigate whether other providers might be capable of meeting the contract's demands.
It seems unlikely that JWCC will have only one winner. Emil Sayegh, CEO of Ntirety, thinks the Pentagon has realized that multi-clouds and hybrid clouds are clearly in the forecast:
“The DOD has finally come to realize what some of us have been saying for a long time: the future is multi-cloud and hybrid cloud, as I outlined in my blog when we were first introduced to the JEDI contract. A single-sourced cloud, no matter how reputable the vendor is, makes little sense economically and practically. Infrastructure needs to match up to applications and should not be one-size-fits-all. Furthermore, long-term single-sourced contracts like JEDI fail to take advantage of the feature enhancements of competing clouds. Unfortunately, the government procurement philosophy needed some time to catch up to the reality of the market, as it should never have made sense to get into a long-term contract with a single source. This is a good, albeit hard, lesson for all IT decision makers out there.”
Tripwire's Tim Erlin also sees a kind of inevitability to the multi-cloud environment:
"The entire basis of the US economy is competition, so multi-cloud has always been an inevitability. It’s more the shape and divisions of how multi-cloud develops that’s been in question. As long as you have multiple companies with strong financial positions competing with each other, there will be multiple technology providers for any given use case, including cloud."
Tripwire recently published a survey of security professionals that indicates the perceived security challenges that multi-cloud environments (inevitable as they may be) present.