At a glance.
- GCHQ chief calls for more British investment in cybersecurity.
- Report: US Senate may soon take up a bill that would make information-sharing mandatory.
- CISA and NIST offer guidance on supply chain security (as supply chain security month wraps up).
GCHQ calls for UK investment in cybersecurity.
ComputerWeekly reports that UK Government Communications Headquarters (GCHQ) Director Jeremy Fleming, in an address last Friday, stressed the importance of investing in cyber technology, standards, the skilled workforce, and defenses. Given the growing threats Moscow and Beijing pose to allied interests, he said, Britain must continually renew its strategic advantage to protect values like liberty and security. Fleming backs Her Majesty’s Government’s “whole-of-society” approach to advancing security priorities, a plan aimed in part at growing the domestic cyber sector.
US Senate expects to take up information sharing.
Senate Intelligence Committee Chairman Mark Warner (Democrat of Virginia) said Congress is putting together a bill that could mandate incident reporting and threat intelligence sharing, according to Breaking Defense. As we’ve seen, the private sector is wary of regulation that could jeopardize companies’ reputations, revenue, and legal protections. Mentioning carrots like privacy, anonymity, legal shields, and incentives, Warner expressed a desire for a compulsory “early warning system” in light of the shortcomings of voluntary reporting.
CISA and NIST offer new guidance on software supply chain attacks.
In collaboration with the US National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA) published a new resource titled “Defending Against Software Supply Chain Attacks.” SecurityWeek says the document covers the risks of supply chain attacks along with prevention and mitigation measures. Recalling recent incidents involving SolarWinds, CCleaner, MeDoc, Windows 7, Kaspersky Lab tools, and Operation ShadowHammer, SecurityWeek notes that supply chain attackers typically reach their targets by abusing code signing, tampering with open-source code, or hijacking software updates.
CISA and NIST recommend that organizations adopt a Cyber Supply Chain Risk Management (C-SCRM) approach to manage risk across the full product lifecycle: research, design, development, manufacturing, acquisition, distribution, delivery, deployment, integration, operations, maintenance, and finally destruction and disposal. The resource also advises software vendors to follow software development life cycle (SDLC) best practices and NIST’s Secure Software Development Framework (SSDF).
Supply Chain Integrity Month wraps up.
NIST and CISA’s resource arrives at the close of National Supply Chain Integrity Month. The collaborative initiative highlighted resilience measures, information and communication technology security, supply chain threats, and supply chain basics.