At a glance.
- When it comes to vulnerability disclosure, Missouri aspires to become the Don't Show Me State.
- Colorado National Guard will protect voter data.
- Projected US Federal cybersecurity legislation.
- CISA's EDR RFI.
Officials ask Missouri governor to focus on cybersecurity measures.
Missouri state representative Ashley Aune is urging the state’s governor, Mike Parson, to appoint members to the Missouri Cybersecurity Commission, which was established three months ago but, Security Week reports, still has no members. “In light of the events that have transpired this week, I believe the governor cannot wait any longer to appoint members to this commission so it may do the critical work of identifying and rectifying gaps in Missouri’s cyberinfrastructure,” Aune stated. The event she references is the discovery of a bug in a web application run by the Missouri Department of Elementary and Secondary Education that exposed the social security numbers of around 100,000 teachers and other staff. As we noted last week, the bug was found by a St. Louis Post-Dispatch reporter, whom Parson is now accusing of “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.”
National Guard to protect Colorado voter data.
In the state of Colorado, the National Guard has been called in to support cybersecurity efforts for next month’s state elections. The Durango Herald explains that Governor Jared Polis has signed an executive order stating that the Colorado National Guard Defensive Cyber Operations Element will aid in protecting the state’s online voter registration systems from intrusion by cybercriminals who might seek to steal private voter data. The order states, “The exposure of voters’ personally identifiable information does not threaten the integrity of our state elections, but could undermine public confidence in the system and suppress voter registration.”
The future of US cybersecurity legislation.
The Washington Post offers its predictions regarding upcoming cybersecurity legislation in the US. In light of the recent attacks impacting critical services, like the massive Colonial Pipeline incident, Members of Congress have proposed a number of bills focused on improving the government’s response to cybercrime. Three bipartisan proposals are focused on mandating reporting to the Cybersecurity and Infrastructure Security Agency (CISA) in the event of cyberattacks on critical infrastructure. The Senate is poised to vote on the annual defense authorization bill, which includes dozens of cybersecurity measures already passed by the House. Among them: increasing the term of the CISA director to five years, authorization of $500 million in annual cybersecurity grants to local governments, and the establishment of a State Department program to incentivize security research.
CISA asks industry for advice on cybersecurity readiness.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a request for information (RFI) seeking guidance from industry leaders on the implementation of Endpoint Detection and Response (EDR) tools to fight and react to cybersecurity incidents. Nextgov.com discusses the RFI and what it could mean for CISA’s next steps. For instance, CISA is asking for recommendations concerning how long to maintain logs that could shed light on cybersecurity incidents, just one element of EDR mentioned in a May executive order issued in response to the SolarWinds incident, where logging capabilities of the impacted entities were called into question. The RFI states that CISA is seeking to address “gaps in both coverage of the EDR tools across the agency’s endpoints as well as in functionality for tools that may not be fully configured to leverage functions and features of the product in alignment with CISA’s requirements.”