At a glance.
- Australian critical infrastructure protection policy evolves.
- US Commerce Department restricts cyber exports.
- Software Supply Chain Risk Management Act passes the US House.
- UK established information assurance unit in the MoD.
- Qualifications for the Cyber Safety Review Board.
Australia allows government intervention for cyberattacks on critical services.
The Guardian reports that Australia has approved new legislation requiring operators of critical services to report cyberattacks and, in extreme cases, allowing the government to take over their operations. As the ruling explains, its purpose is to permit the government to “provide assistance immediately prior, during or after a significant incident.” It also broadens the term “critical infrastructure” to include providers of food, energy, communications, financial services, higher education and research, and space technology, sectors which together comprised a quarter of all cyberattacks reported to the Australian Cyber Security Centre in the past year. Innovation Aus points out that last week the Australian Information Industry Association, backed by an international group of tech associations, penned a letter warning the law could set a “troubling global precedent,” as it could force businesses to give the government access to internal systems and grant excessive control over how these businesses operate. Home Affairs Minister Karen Andrews disagreed, stating, “If we don’t act now, we risk our cybersecurity falling further behind.”
Josh Brewton, vCISO at Cyvatar, finds it significant that the government will intervene when the operators' responses are inadequate:
“It’s interesting that the Government are willing to step in when the response is deemed not adequate. Where is the line drawn? How will they define their triggers? How, or who, will be paying for the response if the ASD take control? Given the frequency of cyber attacks today, I wonder how the cost of such a response would be dealt with. It could push smaller businesses over the edge, with a healthy bill from the government and the added financial, operational and reputational impacts from the attack itself.”
Saryu Nayyar, CEO of Gurucul, approves of the required transparency, but wonders if the projected degree of intervention will prove helpful:
“The Australian government is set to pass laws requiring “essential industries” to report cyber-attacks immediately, and as a last resort, have the Australian Signals Directorate come in and take control of cyber defenses to respond. Essential industries include food, energy, communications, financial services, and higher education and research.
“Transparency on attacks is important, and formally informing the government is a good way of achieving that, but it’s not clear that having an outside organization come in to take over defense is realistic. The Australian Signals Directorate personnel will be unfamiliar with the organization, the attack, and any existing defenses in place. This will likely result in confusion and an inadequate response. Instead, perhaps the government should direct essential industries to have a cybersecurity risk management program in place and define the minimum standards needed for organizations to protect themselves.”
US rule limits export of hacking tools.
A new rule from the US Commerce Department’s Bureau of Industry and Security (BIS) aimed at preventing the export of hacking software and hardware to China, Russia, and other countries of concern will take effect in ninety days, the Wall Street Journal reports. The ruling covers tools that could be abused to carry out malicious activities like surveillance of dissidents and other targets (as with NSO’s controversial Pegasus spyware) or network sabotage. Though the ruling was delayed for years due to concerns it could hamper defensive efforts, the Department says it should not slow US researchers collaborating with overseas partners to detect security flaws or react to attacks. “The rationale is these are items that can be misused to abuse human rights...but they also have very legitimate cybersecurity uses,” a senior official told the Washington Post. As CyberScoop explains, transactions deemed above-board will be allowed under a special license granted by the BIS. Bleeping Computer adds that the ruling will bring the US into alignment with the forty-two members of the Wassenaar Arrangement, an arms control agreement that sets voluntary export control policies on dual-use technologies, those with both civilian and military applications, such as penetration testing tools.
US House approves Software Supply Chain Risk Management Act.
The Hill reports that on Wednesday the US House passed the Department of Homeland Security (DHS) Software Supply Chain Risk Management Act, intended to bolster the software and information technology supply chains serving DHS in order to prevent cyberattacks on critical infrastructure like the recent SolarWinds incident. “The security and integrity of software bought by DHS is integral to homeland security,” explained Representative Ritchie Torres, vice chairman of the House Homeland Security Committee. “My bill will ensure that the Department has access to prevent, detect, and respond to future cyber-attacks.”
New UK unit focuses on information assurance.
The UK Defence and Security Accelerator (DASA) has established a new unit called the Military Systems Information Assurance (MSIA), Computer Weekly explains. An element of the Cyber Defence Enhancement through Life Project, the MSIA will concentrate on identifying, creating, and encouraging technical solutions for information assurance. In conjunction with the creation of the new unit, DASA also launched a competitive effort calling for proposals for new approaches outside of traditional cryptographic techniques.
Qualifications for members of new US cyber safety board.
A May executive order from US President Biden established the Cyber Safety Review Board, which will convene after significant cyber incidents to make recommendations for improving cybersecurity and incident response policies. The researchers at Tenable offer their take on the traits they feel all suitable members should possess:
- Forensics and research experience, so that in the event of an attack members can understand exactly what occurred and efficiently communicate the necessary details to the government in terms they’ll understand
- Deep technical expertise typical of CTOs, CISOs and other industry leaders who are familiar with how these entities work and can therefore develop technical solutions for preventing future attacks
- Cybersecurity and business alignment expertise, so they can better determine how to make cybersecurity and corporate goals align