At a glance.
- Europol, mass surveillance, and GDPR.
- More on US zero-trust architecture plans.
Europol mass surveillance and GDPR.
SecurityWeek takes a look at Europol’s use of mass surveillance via a report by an international law professor. Europol’s bulk data mining has been determined to be a breach of the General Data Protection Regulation (GDPR), resulting in the European Data Protection Supervisor ordering Europol to delete all stored data not related to a person with a known link to crime. Douwe Korff, an Emeritus Professor at London Metropolitan University, compares Europol’s recent issues with mass surveillance to the Edward Snowden scandal. The GDPR was instituted, at least in part, in response to Snowden’s revelations regarding NSA’s mass surveillance, leading some to view Europol’s behavior as hypocritical. As the Guardian put it, “While Europol lags behind the US in terms of technological capacity, it is on the same path as the NSA.” Korff writes, “This is about the desire of Europol and EU Member States to collect, ‘in a generalized manner’, vast stores of personal data on overwhelmingly innocent people,”
OMB's zero trust memorandum.
As we noted yesterday, the White House’s Office of Management and Budget (OMB) has released a memorandum setting out a zero-trust architecture adoption strategy for federal agencies. As CNN notes, the plan gives agencies until 2024 to implement the required benchmarks, and is an attempt to set cybersecurity policies that revolve around outcomes rather than checklists. "This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses," National Cyber Director Chris Inglis said in a statement.
Bleeping Computer adds that cybersecurity experts have been advocating for a zero-trust model for years, and in February of last year, the National Security Agency (NSA) and Microsoft recommended the approach for large companies and critical infrastructure. In the press release accompanying the memorandum, CISA director Jen Easterly explained “As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity. Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”
The Verge explains that now that the final strategy has been issued, agencies are expected to designate a strategy implementation lead within their organization in the next thirty days, and they have sixty days to submit their implementation plan to the OMB.
We received a number of comments from industry about OMB's memorandum. Tim Erlin, VP of strategy at Tripwire, sees the memorandum as an important advance in Federal cybersecurity:
“The published memorandum represents a substantial step forward for cybersecurity across the US government. Moving the whole of government in a single, forward direction is incredibly difficult, and the efforts of OMB and all of the participating agencies should be applauded.
"Implementing a Zero Trust Architecture is a proven way to reduce cybersecurity risk, but it is by no means an easy solution. The OMB memorandum lays out a set of foundational steps that agencies must take in order to begin this journey to Zero Trust, but it’s just a beginning.
"It’s unfortunate that this memorandum doesn’t provide a clearer role for what NIST identifies as one of the key tenets for Zero Trust: integrity monitoring. Documents from both CISA and NIST include integrity monitoring as a key component of Zero Trust, but the OMB memorandum doesn’t include similar treatment. Integrity monitoring is foundational to a successful Zero Trust Architecture.
"This memorandum includes substantial requirements and discussion around Endpoint Detection and Response (EDR), and in doing so, runs the risk of over-reliance on a specific technology. EDR is already evolving into Managed Detection and Response (MDR) and Extended Detection and Response (XDR). The cybersecurity technology landscape moves quickly, and there’s a real risk that agencies will find themselves required to implement and run a superseded capability.”
Troy Grubbs, Regional Director of Federal at CyberArk, also thinks the emphasis on zero trust is an important advance:
“Fully embracing a Zero Trust approach to cybersecurity is a sea-change for much of the federal government, not only operationally, but also in mindset. As described in the OMB memo, the heart of the shift lies in protecting identity – both in how users and applications access data and complete tasks. In particular, the compromise of privileged identities (identities that have elevated access to sensitive data) is increasingly a target of bad actors and poses one of the greatest cybersecurity risks. Damages can be measured not only by the impact of public service disruptions, but also by the risk of compromising national security and defense readiness and public safety.
"Our geopolitical environment is increasingly uncertain, and the tactics used by adversaries have significantly advanced. A Zero Trust approach, with securing identity at its core, is best suited to protect vital infrastructure and data and allow agencies to securely execute their IT modernization goals.”
Michael Crandell, CEO at Bitwarden, thinks the guidance needs some expansion with respect to the storage of passwords:
"With today’s news that the Office of Management and Budget (OMB) released a Federal strategy to move the U.S. Government toward a “zero trust” approach to cybersecurity, there is a clear missing piece to the strategy, with the OMB offering no advice on how to generate and safely store strong and unique passwords.
"For instance, the strategy mentions that password policies must not require use of special characters or regular rotation. However, their advice to not rotate also comes with a need for people to use strong and unique passwords, an area where they offer no guidance.
"The federal strategy also covers the important matter of multi-factor authentication, which can stop hackers from guessing weak passwords or reusing passwords obtained from a data breach. But what’s missing is how people are advised to avoid weak or re-used passwords. That question is left open and misses an opportunity to show people the value of a password generator, available for free both outside and inside password management products.
"When it comes to cybersecurity, we are all in this together. It helps all of us when the administration reinforces the message that cybersecurity is everybody’s responsibility and gives the public guidance on the tools they need. What would make their guidance complete is simple: use a password manager. There are many available, including several free options, and experts, including NIST – the National Institute of Standards – recommend them. Password managers are a simple, practical solution that will help people avoid weak and re-used passwords, and instead create, save, and use strong and unique passwords to keep themselves safe online."
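As an added illustration (not code from the digest or from any of the vendors quoted above), the contrast between a legacy composition-and-rotation password policy and one aligned with the two points the memo is quoted as making: no special-character requirement and no scheduled rotation, with strength judged instead by length, breach-list screening and uniqueness. The breached-password sample and the 12-character threshold are constructed assumptions, not values from the memo.

```python
import secrets
import string
from datetime import date, timedelta

# Constructed sample of passwords seen in breach dumps (stand-in for a real
# breach corpus); "password123!" satisfies composition rules yet is well known.
KNOWN_BREACHED = {"password", "123456", "password123!", "qwerty123"}

MIN_LENGTH = 12  # assumed threshold; the memo text quoted above gives no number


def legacy_policy(password, last_changed, today):
    """Composition-and-rotation rules of the kind the memo moves away from.
    Returns a list of violations (empty list means the password is accepted)."""
    problems = []
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if today - last_changed > timedelta(days=90):
        problems.append("expired: rotate every 90 days")
    return problems


def memo_policy(password, previously_used=frozenset()):
    """Policy matching the points the digest attributes to the OMB memo: no
    special-character requirement and no scheduled rotation; strength is judged
    by length, absence from known-breached lists and uniqueness across accounts."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in KNOWN_BREACHED:
        problems.append("found in a known-breached password list")
    if password in previously_used:
        problems.append("reused from another account")
    return problems


def generate_password(length=20):
    """Unique, high-entropy password from the CSPRNG-backed secrets module;
    a password manager stores it so the user never has to remember it."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

A long passphrase with no digits or punctuation fails the legacy rules yet passes the memo-aligned policy, while a breached but "compliant" password does the opposite.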
And Craig Mueller, of iBoss, sees an implicit mandate for cloud service providers:
“Cloud Service Providers (CSPs) that cannot make all applications and resources private, including those in the cloud, will fail to reduce cyber risk and deliver on the Zero Trust model as outlined in the NIST Special Publication 800-207 mentioned in the memorandum. Cloud Service Providers will require a containerized cloud architecture to ensure cloud applications become completely isolated and only accessible specifically to trusted users. With a containerized architecture, the federal government can implement the goals of the memorandum and ultimately protect and isolate all resources, regardless of location, while granting access to those resources to trusted users working from anywhere.”