Cyber defense policies evolve in three of the Five Eyes.

Summary

By the CyberWire staff

At a glance.

Australian critical infrastructure protection policy evolves.
US Commerce Department restricts cyber exports.
Software Supply Chain Risk Management Act passes the US House.
UK established information assurance unit in the MoD.
Qualifications for the Cyber Safety Review Board.

Australia allows government intervention for cyberattacks on critical services.

The Guardian reports that Australia has approved new legislation requiring operators of critical services to report cyberattacks and, in extreme cases, allowing the government to take over their operations. As the ruling explains, its purpose is to permit the government to “provide assistance immediately prior, during or after a significant incident.’ It also broadens the term “critical infrastructure” to include providers of food, energy, communications, financial services, higher education and research, and space technology, which comprised a quarter of all cyberattacks reported to the Australian Cyber Security Centre in the past year. Innovation Aus points out that last week the Australian Information Industry Association backed by an international group of tech associations penned a letter warning the law could set a “troubling global precedent,” as it could force businesses to give the government access to internal systems and grant excessive control over how these businesses operate. Home Affairs Minister Karen Andrews disagreed, stating, “If we don’t act now, we risk our cybersecurity falling further behind.”

Josh Brewton, vCISO at Cyvatar, finds it significant that the government will intervene when the operators' responses are inadequate:

“It’s interesting that the Government are willing to step in when the response is deemed not adequate. Where is the line drawn? How will they define their triggers? How or who will be paying for the response if the ASD take control. Given the frequency of Cyber Attacks today I wonder how the cost of such a response would be dealt with. It could push smaller businesses over the edge. With a healthy bill from the government and the added financial, operational and reputational impacts from the attack itself.”

Saryu Nayyar, CEO of Gurucul, approves of the required transparency, but wonders if the projected degree of intervention will prove helpful:

“The Australian government is set to pass laws requiring “essential industries” to report cyber-attacks immediately, and as a last resort, have the Australian Signals Directorate come in and take control of cyber defenses to respond. Essential industries include food, energy, communications, financial services, and higher education and research.

“Transparency on attacks is important, and formally informing the government is a good way of achieving that, but it’s not clear that having an outside organization come in to take over defense is realistic. The Australian Signals Directorate personnel will be unfamiliar with the organization, the attack, and any existing defenses in place. This will likely result in confusion and an inadequate response. Instead, perhaps the government should direct essential industries to have a cybersecurity risk management program in place and define the minimum standards needed for organizations to protect themselves.”

US rule limits export of hacking tools.

A new rule from the US Commerce Department’s Bureau of Industry and Security (BIS) aimed at preventing the export of hacking software and hardware to China, Russia, and other countries of concern will take effect in ninety days, the Wall Street Journal reports. The ruling covers tools that could be abused to carry out malicious activities like surveillance of undesirables (like NSO’s controversial Pegasus spyware) or network sabotage. Though the ruling was delayed for years due to concerns it could hamper defensive efforts, the Department says it should not slow US researchers collaborating with overseas partners to detect security flaws or react to attacks. “The rationale is these are items that can be misused to abuse human rights...but they also have very legitimate cybersecurity uses,” a senior official told the Washington Post. As CyberScoop explains, transactions deemed above-board will be allowed a special license granted by the BIS. Bleeping Computer adds that the ruling will bring the US into alignment with the forty-two members of the Wassenaar Arrangement, an arms control agreement that sets voluntary export control policies on technologies that can be used for both civilian and military endeavors like penetration testing tools.

US House approves Software Supply Chain Risk Management Act.

The Hill reports that on Wednesday the US House passed the Department of Homeland Security (DHS) Software Supply Chain Risk Management Act, intended to bolster software and information technology supply chains to DHS in order to prevent cyberattacks on critical infrastructure like the recent SolarWinds incident. “The security and integrity of software bought by DHS is integral to homeland security,” explained Representative Ritchie Torres, vice chairman of the House Homeland Security Committee. “My bill will ensure that the Department has access to prevent, detect, and respond to future cyber-attacks.”

New UK unit focuses on information assurance.

The UK Defence and Security Accelerator (DASA) has established a new unit called the Military Systems Information Assurance (MSIA), Computer Weekly explains. An element of the Cyber Defence Enhancement through Life Project, the MSIA will concentrate on identifying, creating, and encouraging technical solutions for information assurance. In conjunction with the creation of the new unit, DASA also launched a competitive effort calling for proposals for new approaches outside of traditional cryptographic techniques.

Qualifications for members of new US cyber safety board.

A May executive order from US President Biden established the Cyber Safety Review Board, which will convene after significant cyberincidents to make recommendations for improving cybersecurity and incident response policies. The researchers at Tenable offer their take on the traits they feel all suitable members should possess:

Forensics and research experience, so that in the event of an attack members can understand exactly what occurred and efficiently communicate the necessary details to the government in terms they’ll understand
Deep technical expertise typical of CTOs, CISOs and other industry leaders who are familiar with how these entities work and can therefore develop technical solutions for preventing future attacks
Cybersecurity and business alignment expertise, so they can better determine how to make cybersecurity and corporate goals align

Selected Reading

CISA Awards $2 Million to Bring Cybersecurity Training to Rural Communities and Diverse Populations (CISA) As part of its mission to recruit diverse cybersecurity talent and build the workforce of the future, the Cybersecurity and Infrastructure Security Agency (CISA) has awarded $2 million to two innovative organizations for development of cyber workforce training programs.

Coalition moves to boost critical infrastructure security (Australian Financial Review) Cyber attacks will be treated more like threats in the physical world, under changes to be considered by Parliament

Aussie cyber spies to control critical infrastructure during ransomware attacks (Cointelegraph) The new bill, if passed, will allow cyberwarfare operatives to take over control of critical infrastructure under attack.

‘Problematic’ critical infrastructure bill passes lower house (InnovationAus) Legislation allowing the government to take control of a company’s network as a “last resort” in the event of a cyberattack has sailed through the lower house despite a group of tech heavyweights labelling it “highly problematic”.

Commerce Department announces new rule aimed at stemming sale of hacking tools to Russia and China (Washington Post) The Commerce Department on Wednesday announced a long-awaited rule that officials hope will help stem the export or resale of hacking tools to China and Russia while still enabling cybersecurity collaboration across borders.

US govt to ban export of hacking tools to authoritarian regimes (BleepingComputer) The Commerce Department's Bureau of Industry and Security (BIS) today announced export controls for software and hardware tools that could be used for malicious hacking activities.

Commerce Department rule to limit sale of offensive cyber tools to China, Russia (CyberScoop) The Commerce Department released a rule Wednesday aimed at stopping offensive cybersecurity tools made in the U.S. from falling into the hands of countries that use such software undermine human rights or national security. The new rule requires U.S. companies to obtain a license from the Commerce Department’s Bureau of Industry and Security before selling hacking tools to the governments and individuals in countries of national security concern, including China and Russia.

Commerce Announces Rule for Selling Hacking Tools to Foreign Governments (Nextgov.com) A new interim rule takes aim at Russia and China.

3 Qualifications Cyber Safety Review Board Members Must Have (Tenable®) Expertise in security forensics, technology development and aligning cybersecurity with business goals are essential to advising federal policymakers following significant cyber incidents.

Senators urge FCC to address surveillance threats to US telecom networks (Reuters) A group of five U.S. senators urged the Federal Communications Commission (FCC) on Wednesday to address surveillance threats posed by foreign firms providing services to U.S. telecommunications providers.

House approves bill to strengthen IT supply chain following SolarWinds hack (TheHill) The House on Wednesday approved legislation to strengthen software and information technology supply chains at the Department of Homeland Security (DHS) and to help protect against attacks similar to last year’s Sol

House passes bills to secure telecommunications infrastructure (TheHill) The House on Wednesday approved multiple bipartisan bills aimed at securing U.S. telecommunications systems against foreign interference, in particular against threats from China.

Cryptocurrency Industry Gets Tailored Guidance on Complying With U.S. Sanctions (Wall Street Journal) Virtual-currency companies now have a set of Treasury Department guidelines on how to ensure they comply with U.S. sanctions, the latest salvo in an effort by the Biden administration to combat ransomware and other nefarious uses of cryptocurrencies.

UK government launches information assurance unit for defence (ComputerWeekly.com) The Military Systems Information Assurance is aimed at developing alternatives to cryptology.