At a glance.
- US’s top cybersecurity advisor to vacate his post.
- CISA’s NCPS receives hefty funding.
- Houston, we have a problem.
- White House approves quantum computing security legislation.
US’s top cybersecurity advisor to vacate his post.
Insiders say US National Cyber Director Chris Inglis will be stepping down from his position, after which he is expected to retire, CyberScoop reports. Having served in the role since July 2021, Inglis advised the White House on such topics as securing the nation’s critical infrastructure, nurturing private-public cyber partnerships, and strengthening the cybersecurity workforce. “He’s done what he came to do — build an office that’s going to stand the test of time,” said one anonymous source close to the matter. When contacted for a response, Inglis neither confirmed nor denied his plans to leave, but told CNN that he had always intended to get the office up and running and then leave it to an able successor.
A former National Security Agency deputy director, Inglis is expected to vacate the role in coming months, though there is no firm date for his departure. The White House is on the cusp of releasing the much-anticipated National Cyber Strategy, which Inglis and his team have spent months creating, and some lawmakers are urging Inglis to stay on until the measure is implemented. “I hope that Chris stays in the job until [the strategy] is complete – and beyond – but at the end of the day, he will make the decision that’s right for him and his family,” said Representative Jim Langevin of Rhode Island. POLITICO reports that Kemba Eneas Walden, who has served as principal deputy national cyber director since May, will serve as acting director after Inglis’s departure.
Katherine Ledesma, Senior Director for Government Affairs at SecurityScorecard, offered an appreciation of Inglis's tenure as the first National Cyber Director:
"In the last eighteen months, we’ve seen the Office of the National Cyber Director (ONCD) focus and further its mission under the leadership of Director Inglis. As the first National Cyber Director, Inglis has charted a path forward for stronger collaboration across government and industry and increasing national cyber resilience.
“ONCD has done incredible work propelling cohesive movement forward across the federal government on cyber risk issues to secure our digital ecosystem, and the engagement with industry as mutual problem-solvers in this space. They have built out a talented team, with office leadership representing breadth and depth of experience in public policy, government service, and industry. The diverse voices are important to the national cybersecurity dialogue and to keep moving the needle on reducing cyber risk.
“We are looking forward to the forthcoming National Cybersecurity Strategy and the continued harmonization of cyber efforts across the federal government, including the important work of the Cybersecurity & Infrastructure Security Agency, the National Security Agency, and the National Security Council, along with the sector risk management agencies.”
CISA’s NCPS receives hefty funding.
In the appropriations bill released by the US House and Senate Appropriations committees on December 20, the Cybersecurity and Infrastructure Security Agency’s (CISA) National Cybersecurity Protection System (NCPS) was granted an extension as well as a $91 million boost in funding. NCPS was originally authorized in 2015 for a seven-year period, but the funding is intended to keep it running through September 2023. As MeriTalk explains, NCPS is “an integrated system-of-systems that delivers a range of capabilities, such as intrusion detection, analytics, information sharing, and intrusion prevention” that helps to secure the IT infrastructure of federal civilian executive branch agencies. It is perhaps best known for a set of capabilities dubbed EINSTEIN that serves as an early warning system by providing nearly real-time identification of potential cyber intrusions. However, it’s worth noting that EINSTEIN’s effectiveness has been challenged by some members of Congress who last year questioned CISA on the system’s limitations after the SolarWinds Orion and Microsoft Exchange security attacks.
Houston, we have a problem.
According to an annual audit from the National Aeronautics and Space Administration (NASA) Office of Inspector General (OIG), the aerospace agency's infosec capabilities and practices are "Not Effective," the Register reports. Conducted by accounting firm RMA Associates, the audit found the agency lacked the tools and data necessary to adequately ascertain the performance of its IT infrastructure, and was also lacking the processes to assess and respond to threats. Among other issues, the agency has failed to complete a cybersecurity workforce assessment since 2016, has not implemented recommended data protection and privacy standards, and has neglected to make multi-factor authentication universal. The recent audit is not the first time NASA’s infosec has been found inadequate; over the years NASA has consistently scored low ratings on infosec assessments, with the agency earning a Level 2 rating in 2019. Experts say the agency’s lack of resources on low-budget missions forces leaders to spend all of their attention on science, leaving infosec by the wayside. As a result of the audit, NASA’s CIO has been given a list of seventeen recommended actions.
White House approves quantum computing security legislation.
Yesterday US President Joe Biden approved the Quantum Computing Cybersecurity Preparedness Act, which focuses on boosting the adoption of quantum-proof tech by federal government agencies. Co-sponsored by Senators Rob Portman of Ohio and Maggie Hassan of New Hampshire, the legislation was passed by the Senate earlier this month, with companion legislation approved in July. As FedScoop explains, the measures were motivated by mounting fears that US rivals like China could use advancements in quantum computing to crack current encryption methods. The legislation will require the Office of Management and Budget to prioritize federal agencies’ transition to post-quantum cryptography. The National Institute of Standards and Technology is expected to issue post-quantum cryptography standards, and the act mandates that the White House create guidelines for federal agencies to assess critical systems against these standards.
Ryan Lasmaili, CEO and co-founder of Vaultree, sees the big challenge quantum computing poses as one to legacy cryptographic methods: “Cryptography schemes based on prime factorization and discrete logarithm problems are likely to be broken by quantum computers if powerful enough ones can be built, as quantum algorithms for breaking such issues already exist. These are algorithms used in the internet's core as RSA and ECDSA. New cryptographic schemes based on problems believed to be hard against quantum computers are the answer to this question. Many quantum researchers have different opinions about quantum computers breaking cryptography, but recent advances in the field make it easier for companies to protect against it.”
Added, 2:00 PM, December 23rd, 2022.
The bill's Senatorial sponsors, Senator Maggie Hassan (Democrat of New Hampshire) and Senator Rob Portman (Republican of Ohio), offered their comment on the measure's passage into law.
“To strengthen our national security, it is essential that we address potential vulnerabilities in our cybersecurity systems, including new threats presented by quantum computing,” said Senator Hassan. “This law will help ensure that our federal government is ready to defend our country against data breaches that could be exploited by quantum computing. I was glad to work with members of both parties to get this law across the finish line, and I will continue working to strengthen our country’s cyber defenses.”
“Quantum computing will provide for huge advances in computing power, but it will also create new cybersecurity challenges,” said Senator Portman. “I’m proud our bipartisan legislation to require the government to inventory its cryptographic systems, determine which are most at risk from quantum computing, and upgrade those systems accordingly is now law of the land.”