At a glance.
- Anglo-American talks reaffirm close cyber cooperation.
- Fed publishes disclosure rule for US banks.
- CISA issues 5G security guidelines.
- CISA's chemical security guidelines include cybersecurity measures.
- State AGs scrutinize Instagram for its effect on minors.
- CISA's advisory panels.
US and UK intelligence agency leaders commit to continued cooperation in cyber operations.
GCHQ and US Cyber Command have reaffirmed the longstanding Anglo-American commitment to cooperative cyber operations. Meetings at Fort Meade, Maryland, headquarters of both NSA and US Cyber Command, included, on the British side, Director GCHQ Sir Jeremy Fleming and General Sir Patrick Sanders, Commander of UK Strategic Command, and, on the US side, General Paul Nakasone, Director of the US National Security Agency and Commander of US Cyber Command.
The leaders issued a joint statement with a short set of talking points:
“As like-minded allies for two centuries, the United Kingdom and the United States share a close and enduring relationship. Our two nations today face strategic threats in an interconnected, digital world that seek to undermine our shared principles, norms, and values.
“We agree that strategic engagement in cyberspace is crucial to defending our way of life, by addressing these evolving threats with a full range of capabilities. To carry this out, we will continue to adapt, innovate, partner, and succeed against evolving threats in cyberspace.
“We will achieve this by planning enduring combined cyberspace operations that enable a collective defence and deterrence and impose consequences on our common adversaries who conduct malicious cyber activity.
“As democratic cyber nations, the UK and US are committed to doing so in a responsible way in line with international law and norms, setting the example for responsible state behaviour in cyberspace.”
The emphasis on deterrence and imposition of consequences on common adversaries is particularly noteworthy.
Danny Lopez, CEO of Glasswall, wrote to approve of the close continuing Anglo-American partnership:
“The UK and US governments have a crucial role to play in the fight against global cybercrime. Not only does enhanced strategic engagement between the two countries provide a clear roadmap for increasing defence capabilities in cyberspace, it also acts as a clear deterrent to those perpetrating attacks on businesses and public sector organisations on both sides of the Atlantic.
“The US has demonstrated its commitment to developing comprehensive legislation to impose costs for malicious cyber activity, introducing several bills recently that aim to improve the security of national infrastructure. There is a clear need for clarity of purpose, focused strategic thinking, and strong partnerships when it comes to showing a united front against cybercriminals. As world-leading cyber powers, a combined effort between both countries will see each benefit from this partnership and will better protect our connected nations.
“As a British cybersecurity company operating in both the UK and the US, we are delighted with this announcement. It is a testament to the strength of the UK/US security and intelligence alliance.
“With a cyberattack occurring every 39 seconds in 2021, the world is experiencing a ransomware explosion, which will likely continue its upward trajectory in 2022. Attackers will increasingly use a more personalised approach and aim to blend into the network to look like an insider, and therefore having consistent strategies across the world’s most powerful nations to prevent attacks of this nature will be vital in stopping future cyber disasters.”
New incident reporting regulation for US banks.
The Board of Governors of the US Federal Reserve System announced that the US federal bank regulatory agencies have approved a final rule regarding cyber incident reporting for banking organizations. The rule would require a banking organization to notify its primary federal regulator of cyber incidents no later than thirty-six hours after discovery. The requirement applies to all incidents that could affect the viability of the bank’s operations, its ability to deliver products and services, or the stability of the financial sector. Banks will be expected to be in compliance by May 1, 2022.
CISA and its partners issue 5G security guidance.
The US Cybersecurity and Infrastructure Security Agency (CISA) has developed new guidelines on 5G cyber threat mitigation issued under the Enduring Security Framework (ESF), a public-private, cross-sector partnership led by CISA and the National Security Agency (NSA). “5G changes communication capabilities and risks,” NSA Cybersecurity Director Rob Joyce told MeriTalk. “This guidance document from ESF brings to light the need to secure Pods as an important aspect of securing 5G cloud environments.” The guidance, which highlights three main threat categories (policy and standards, supply chain, and system architectures), will be presented in a four-part series. Parts one and two were released yesterday.
- Potential Threat Vectors to 5G Infrastructure
- Security Guidance for 5G Cloud Infrastructures Part I: Prevent and Detect Lateral Movement
- Security Guidance for 5G Cloud Infrastructures Part II: Securely Isolate Network Resources
CISA’s ChemLock program secures hazardous chemicals (and includes cybersecurity guidelines).
CISA was busy yesterday, also issuing guidance about its ChemLock program, which offers services and tools to help organizations that handle dangerous chemicals to identify and mitigate potential risks. Such organizations are reliant on computer networks for their operation, and history tells us that cybercriminals are not above exploiting vulnerable systems to weaponize hazardous chemicals. The guidance provided includes establishing an overall security plan, running exercises for testing the efficacy of that plan, and developing a training program for owners, operators, and other personnel.
Examining Instagram’s effect on minors.
The Wall Street Journal reports that a group of US states (including the two largest, New York and California) are investigating Instagram’s impact on minors. A bipartisan coalition of state attorneys general announced that they’re examining the techniques used by parent company Meta to increase engagement of children on the social media platform, and the potential harm this engagement might cause. Nebraska Attorney General Doug Peterson stated, “When social media platforms treat our children as mere commodities to manipulate for longer screen time engagement and data extraction, it becomes imperative for state attorneys general to engage our investigative authority under our consumer protection laws.” The announcement comes on the heels of reports that Instagram’s own internal research shows the platform can cause “negative social comparison” among users (though Instagram claimed that research was misinterpreted). In a statement Thursday, Instagram said, “We continue to build new features to help people who might be dealing with negative social comparisons or body image issues, including our new ‘Take a Break’ feature and ways to nudge them towards other types of content if they’re stuck on one topic.”
CISA to announce members of new security panels.
CISA executive director Brandon Wales told the House Oversight Committee Tuesday that the agency will soon reveal the members of two new advisory and investigative panels, the Record by Recorded Future reports. Wales described the groups as “thought leaders and experts who will provide critical perspective, insight and knowledge in dealing with our most difficult cyber challenges.” The Cybersecurity Advisory Committee is intended to “develop, at the request of the CISA Director, recommendations on matters related to the development, refinement, and implementation of policies, programs, planning, and training pertaining to the cybersecurity mission of the agency.” It will comprise thirty-five members, with at least one member from twelve key industries. The Cyber Safety Review Board, established earlier this year as part of President Joe Biden’s executive order aimed at improving the resilience of federal systems, will investigate major cyber incidents at civilian agencies.