At a glance.
- Easterly confirmed as US CISA director.
- CISA releases vulnerability assessments.
- Updates on US state and local cybersecurity laws.
US Senate confirms Easterly as CISA director.
The US Senate yesterday unanimously confirmed former White House, NSA, and Morgan Stanley official Jen Easterly as Director of the Cybersecurity and Infrastructure Security Agency (CISA), Politico reports. CyberScoop notes that the confirmation comes half a year after President Biden’s inauguration.
Easterly has expressed interest in instituting compulsory standards and reporting rules for critical infrastructure. She’ll also need to cultivate private sector trust and deliver on a post-SolarWinds promise to bolster the Agency’s intrusion-detection services while enacting new legal authorities and allocating limited resources across CISA’s expansive mission.
Nikesh Arora, Chairman and CEO of Palo Alto Networks, wrote to express approval of the confirmation:
“Jen Easterly is a tremendous leader who has driven the nation’s cyber defense in government and the private sector, and I applaud her confirmation as director of the Cybersecurity and Infrastructure Security Agency. Her unique expertise and experience is exactly what is needed at a momentous time for our nation’s cyber defenses. She understands the critical importance of collaboration to stay ahead of cyber threats. Palo Alto Networks looks forward to continued partnership with CISA to support their mission.”
CISA’s 2020 vulnerability assessments released.
SecurityWeek reviews CISA’s 2020 Risk and Vulnerability Assessments report, which maps its findings to the MITRE ATT&CK framework and uncovered outdated security postures among local, state, Federal, and critical infrastructure partners. The Agency recommends familiar fixes like updating software and auditing network traffic.
Updates on US state and local cyber laws.
TechCrunch says New York City has joined the ranks of Portland, Oregon, and Illinois in implementing a biometrics privacy ordinance that curtails businesses’ use of customers’ data. Government and law enforcement agencies are excluded from the rule, as are employees. Companies must now display conspicuous signage describing how the location collects biometrics, and are prohibited from profiting off the data.
Connecticut’s Act Incentivizing the Adoption of Cybersecurity Standards for Businesses was also signed into law last week, according to PR Newswire, and will take effect in October. As we’ve seen, the legislation mirrors laws in Ohio and Utah, and protects organizations that follow “reasonable” security plans from punitive damages. Frameworks like the Center for Internet Security’s (CIS) Critical Security Controls have been found to stop a substantial percentage of known hacking techniques.
CIS executive Curtis Dukes observed, “Cybersecurity is largely unregulated today; there is no national statutory minimum standard of information security, making it difficult to improve cybersecurity on a wholesale basis.” Bill sponsor Representative Caroline Simmons remarked, “In Connecticut, we took a step to accomplish [improved cybersecurity] voluntarily without regulation by incentivizing organizations to adopt cyber best practices.”