At a glance.
- Notes on the CISA’s Cybersecurity Advisory Committee’s third meeting.
- GAO recommends federal cyber insurance program.
- Feedback on the SEC’s proposed incident reporting rules.
- US healthcare sector asks the federal government for cyberattack support.
- US Technology Modernization Fund funds projects with security implications.
Notes on the CISA’s Cybersecurity Advisory Committee’s third meeting.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday released a readout from the third meeting of its Cybersecurity Advisory Committee. Each of the six subcommittees presented its recommendations, and topics discussed included cyber hygiene for public and private organizations, the development of an incentive program for security researchers reporting vulnerabilities impacting critical systems, and the impact of mis- dis- and mal-information risks on critical functions.
The Transforming the Cyber Workforce Subcommittee submitted their recommendations for prioritizing strategic workforce development and improving the cyber-talent acquisition process. Their advice is for CISA to develop internal Key Performance Indicators to track progress on the agency’s efforts to close talent gaps and better compete with the private sector for cyber-talent. As well, CISA Director Jen Easterly gave the committee a new topic for discussion: the development of a national alert system for cyber risk. “I couldn’t be more grateful for the Committee’s partnership and look forward to closely studying their recommendations,” Easterly stated. “With their guidance and the great work of the CISA team, we will help CISA fulfill its mission of ensuring the security and resilience of our critical infrastructure.”
GAO recommends federal cyber insurance program.
The US Government Accountability Office (GAO) on Tuesday released a report recommending the Treasury Department’s Federal Insurance Office (FIO) and the CISA consider a federal cyber insurance program. Cyberattacks are increasingly targeting critical infrastructure that impact national security, and GAO has found that private insurers and the government's terrorism risk insurance may not be able to adequately cover the resulting financial losses. “CISA and FIO should jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response,” GAO urged. The report, which Nextgov explains was expected to be published over a year ago, focused on whether the Treasury’s Terrorism Risk Insurance Program should be expanded to cover the cybersecurity incidents. GAO notes that private insurers have been attempting to minimize their potential losses from systemic cyber events by increasing premiums and excluding coverage for losses from cyber warfare and infrastructure outages, leaving a gap in coverage for attacks that could greatly impact critical infrastructure. As well, the Treasury’s Terrorism Risk Insurance Program, established after the September 11 attacks to help the private sector cover qualifying events, supports only a limited set of incidents. GAO explains that some “cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses.”
Feedback on the SEC’s proposed incident reporting rules.
Back in March the US Securities and Exchange Commission (SEC) requested feedback from the private sector on its proposed cybersecurity incident reporting rules. The feedback period ended on May 9, and cyber/data/privacy insights provides an overview of the over one hundred comments received. One area of concern is the four business day deadline for reporting a material cybersecurity incident, which many organizations feel is insufficient time to evaluate the incident and prepare a report, especially given that premature reporting could increase risk.
One suggestion was to permit delayed reporting of incidents that are under investigation by law enforcement or other public authorities, allowing the targeted companies time to maintain the confidentiality measures needed to comply with the needs of the investigation. Other subjects of contention included imprecise definitions of key terms, the board of directors’ cybersecurity expertise disclosure requirement, and the possibility that disclosure requirements could increase exposure to future cyberattacks.
US healthcare sector asks the federal government for cyberattack support.
The pandemic has led to unrelenting surge in cyberattacks on the healthcare sector, disrupting medical services and exposing sensitive patient data. and US hospitals are asking the federal government for help. Lee Milligan, chief information officer at Asante Health System in the state of Oregon, told Politico, “It blows my mind that ultimately, it’s on the individual hospital systems to attempt to — essentially in isolation — figure it out.” And the cost of an attack can be crippling. Last year’s cyberattack on Scripps Health, cost a staggering $112.7 million, and John Gaede, director of information services for Sky Lakes Medical Center, says his organization spent $10 million to mitigate the impact of their recent attack. “Our budgets typically have a margin of maybe 3 percent a year, but we’re supposed to compete with nation-state actors?” Gaede asked. While the Department of Health and Human Services, the Federal Bureau of Investigation, and the Department of Homeland Security have extended help to health systems impacted by cyberattacks, some organizations feel a more structured partnership needs to be established. Eric Goldstein, executive assistant director for cybersecurity at CISA, says that while the government may not be directly defending every health system from a cyberattack, CISA’s Joint Cyber Defense Collaborative, established last year to help telecom companies and cloud providers secure their infrastructure, could indirectly benefit health systems.
US Technology Modernization Fund funds projects with security implications.
The Technology Modernization Fund (TMF), whose mission is to provide funding “for technology-related activities to improve information technology, and to enhance cybersecurity across the Federal Government,” has released funds for a range of projects with significant security implications. The Office of Management and Budget reported on the TMF's recent activities, and SC Magazine has an overview of the grants, the biggest of which went to the General Services Administration (GSA), which will receive $187 million "to build new cybersecurity capabilities into LogIn.gov." We received a number of comments on the TMF allocations from industry experts. Gal Helemski, CTO and co-founder, PlainID, emphasized the sensitivity of Government-held data:
"The government holds the most sensitive data out there, and in today’s world, you cannot put your trust in any static, perimeter-based security system. Every single data access needs to be assessed in real-time with specific context of who is accessing what data, from where and how. This will massively improve the cybersecurity capabilities of these three federal agencies.
"Everyone must realize, the key to defending an organization from future cyberattacks is protecting the data and the applications, by ensuring that even if a bad actor (which can be a federal employee sometimes) has gained access credentials, they don't have automatic access to any or all data. To quote from the memorandum "Authorization, a critical aspect of zero trust architecture, is the process of granting an authenticated entity access to resources. Authentication helps ensure that the user accessing a system is who they claim to be; authorization determines what that user has permission to do.
"Let's face it, zero-trust is the only way to secure a modern, decentralized enterprise, in which data and applications are accessed from anywhere by employees, customers and partners."
Glasswall CEO Danny Lopez likes the GSA's plans to move agencies toward zero trust:
"We applaud the GSA's distribution of funds to upgrade government agencies' outdated perimeter-based defenses and move toward a zero trust approach. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having a free reign across a network once they are inside. Zero-trust starts by taking a proactive rather than a reactionary approach to cybersecurity. You are already too late if you are responding to a threat. Consideration of Content Disarm and Reconstruction, which proactively examines, purifies, and rebuilds files as they enter the organization, is a smart first step. This way, every file is seen as a potential hazard, and dangers are proactively eliminated before they can cause any harm."
Arti Raman, CEO and Founder of Titaniam, set the announcement into the larger context of recent Federal initiatives. “In the last twelve months, there have been a series of guidelines issued by the Federal Government and President that require agencies to dramatically lift their security posture in the face of growing cyber attacks," she said, adding:
"Agencies have been asked to close current vulnerabilities and implement new solutions that enforce Zero Trust and improve data encryption. As agencies have moved to conform, it has become clear that in many cases, they are severely limited by budget and are unable to explore anything beyond the very basic. The funds made available by the General Services Administration will play a critical role in supporting much-needed security initiatives.
"It is my hope that the budget is utilized not just to catch up to the basics but to leapfrog and adopt critical new technologies such as encryption-in-use that comprehensively implement Zero Trust Data Security and have the power to eliminate data-related impacts from cyber attacks.”
Neil Jones, Egnyte's director of cybersecurity evangelism, drew attention of the need to address the threat of targeted cyberattacks:
"With the escalating volume of nation-based and supply-chain-induced cyberattacks, it's clear that the approaches most government agencies use to address targeted cyberattacks on critical U.S. infrastructure just aren't working. So, I’m excited to see that $100 million from the General Services Administration's Technology Modernization fund will be invested to improve user experience, maintain site resilience and enable more effective remote access at three key U.S. Federal agencies.
"Since the global pandemic began, users all across the world have demanded more of federal and local government resources, particularly those that are provided online. To meet such expectations, agencies can no longer rely on decades-old networks and file-sharing systems that can't keep up with expanding user volume. Rather, they must be able to spin new computing capacity quickly, utilize secure networks with modern capabilities and apply critical security patches immediately. This appropriation will boost the country’s cybersecurity efforts and jump-start the government's growing response to cybersecurity threats. And, it will protect U.S. citizens’ health, well-being and food safety, essential outcomes that we can’t quantify.”
Aaron Sandeen, CEO and co-founder of Cyber Security Works, offered some advice to agencies on where they might direct their attention:
“The federal government's investments should help government agencies establish their security posture through proactive penetration testing and ongoing vulnerability management. Enterprises must repair the vulnerabilities that threat groups and attackers exploit in order to prevent catastrophe. To truly safeguard their organization from potential cyberattacks, leaders must enhance their cybersecurity visibility of known and unknowable assets, validate more frequently, and look for early warning capabilities as the world's cybersecurity issues grow.”