At a glance.
- US announces plans to work with allies against proliferation of surveillance technology.
- NSA and CISA publish part III of their 5G infrastructure guidance.
- The US GAO finds US cybersecurity strategy wanting.
- UK considers IoT legislation.
- US issues railroad cybersecurity regulation.
White House announces plans to restrict proliferation of surveillance tech to authoritarian regimes.
The Wall Street Journal reports that the US yesterday announced its intention to work with friendly governments to restrict the sale of surveillance and intercept technology to authoritarian regimes likely to abuse it. The effort will begin formally at next week's inaugural Summit for Democracy, a virtual event scheduled for December 9th and 10th, and expected to be attended by some one-hundred governments. The non-proliferation program is expected to be achieved through coordination of export controls.
Russia and China have not been invited to the party, and have issued a joint statement criticizing the summit as likely to "stoke up ideological confrontation and a rift in the world," as if there's not enough of that going on as it is.
The US has recently placed certain intercept tool ("spyware") vendors under sanction, notably Israel-based NSO Group, and the Guardian reports that some eighty-six organizations have signed a letter urging the EU to do likewise, and to include users of NSO Group's Pegasus software under sanction as well.
NSO Group would be in increasingly bad odor, should that even be possible at this point, over a report today by Reuters that US State Department phones have, in just the past few months, been infested with Pegasus.
NSA and CISA publish part III of their 5G infrastructure guidance.
Yesterday the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published the third installment of guidance on protecting data in 5G infrastructures. The document represents a contribution to the Enduring Security Framework and addresses the challenges to preserving "the confidentiality, integrity, and availability of data within a 5G core cloud infrastructure."
The General Accounting Office gives the US Congress a poor report on US cybersecurity policy.
A report the US Government Accountability Office (GAO) delivered to Congress yesterday makes the case that US critical infrastructure remains at serious risk from cyberattacks. The report calls out what it sees as a lack of a comprehensive cybersecurity strategy, and concludes, "the federal government needs to move with a greater sense of urgency in response to the serious cybersecurity threats faced by the nation and its critical infrastructure."
The GAO had earlier outlined four major areas it concluded required attention. In the GAO's view, they still do. The report concentrates on two of those areas; its top-level recommendations for each follow:
- "Establishing a comprehensive cybersecurity strategy and performing effective oversight." The Executive Branch "urgently" needs to do this. "We recommended that the National Security Council work with relevant federal entities to update cybersecurity strategy documents to include goals and resource information, among other things. The National Security Council staff neither agreed nor disagreed with our recommendation and has yet to address it."
- "Protecting cyber critical infrastructure." The GAO urges the Federal Government to take a more assertive role here. In particular, "DHS needs to complete CISA transformation activities to better support critical infrastructure owners and operators." Sector risk management agencies also need to up their game in support of infrastructure owners and operators. The GAO offers some sector-by-sector advice for aviation, mass transit and passenger rail, pipeline systems, communications, energy, education, and financial services.
The UK considers IoT security legislation.
Naked Security describes a law under consideration by Parliament, the Product Security and Telecommunications Infrastructure (PSTI) bill. In its account, the proposed measure addresses three IoT security issues:
- "Default passwords. If Parliament gets its way, there won’t be any. You won’t be allowed to have pre-configured passwords in your devices, so that you can’t flood the market with products that every crook already knows how to get into.
- "Vulnerability disclosures. You’ll need a reliable way for security researchers who believe in responsible disclosure to contact you, and (we hope) some visible commitment to closing off security holes that you already know about before the crooks figure them out.
- "Update commitments. You’ll need to tell buyers in advance how long you are going to provide security fixes for the product they’re buying today."
In the US, NIST continues to pursue its plans for consumer IoT cybersecurity labeling.
US Transportation Security Administration issues railroad cybersecurity regulations.
The US Transportation Security Administration (TSA) yesterday, under authority granted by Congress, issued cybersecurity regulations that will apply to most passenger and freight rail operations in the US. The Wall Street Journal says TSA based its rule-making on "credible cyber-threat information." The rules are seen as in some respects an extension of those promulgated earlier for pipeline operations. They mandate that railroads report cyber incidents within twenty-four hours of detection, and that they "designate a cybersecurity coordinator, complete cyber-vulnerability assessments and put plans in place in the event of a serious attack." Comparable rules are coming for airlines and airports.
The twenty-four-hour reporting requirement seems to have aroused the most controversy. Ron Brash, VP of Technical Research at ICS/OT software security firm, aDolus Technology, observes that it's not always easy to distinguish a cyberattack from an accident or other anomaly:
"The problem with reporting incidents within 24 hours is that many organizations lack the skill & resources to comply, but it is also dangerous to assume adherence with or without an added coordinator. Currently, beyond the obvious attacks such as ransomware, the majority of organizations have trouble differentiating between accidental and malicious events. For example, a forklift may clip a utility pole and a fibre optic run is severed - connectivity may degrade or come to a full halt. Legislation such as this may result in overzealous behaviors because coordinators may jump to immediately claiming everything is cyber-related if the clock is fiercely ticking away, or conversely potentially result in the opposite of the intended effect: organizations may avoid reporting and improving infrastructure visibility altogether. I hope neither occurs as that is counterproductive to the spirit of the objective and may discourage proactive action.
"If Biden's XO for SBOMs and supply chain transparency overflow into rail and transportation, organizations will need accelerated security program growth and maturity yesterday. This is both a good thing, and a bad thing because infrastructure resiliency certainly may increase, but bad because the overall amount of foundational catch up may lead to overanalysis paralysis or poor budget allocation. Overly prescriptive approaches may also result in too rigid of a structure, and focus on the wrong elements - e.g., a checkbox ticking exercise vs. actual risk reduction."