At a glance.
- Strengthening American Cybersecurity Act clears US Senate.
- WhatsApp and local government transparency.
- NSA's cybersecurity guidelines for infrastructure.
US Senate passes Strengthening American Cybersecurity Act.
With Russia’s invasion of Ukraine increasing concerns that Russia might respond to Western sanctions with retaliatory cyberattacks, the US Senate unanimously approved the Strengthening American Cybersecurity Act. The package consists of three cybersecurity bills, and Bloomberg Government notes that Majority Leader Chuck Schumer highlighted a cyberincident reporting bill as the “most important” measure. The bill requires operators of critical infrastructure to notify the Department of Homeland Security within seventy-two hours of an attack, and within twenty-four hours of a ransomware payment. The reporting measure was removed from the annual defense policy bill passed a few months ago, but this unanimous vote indicates that the conflict in Ukraine convinced some members of the Senate to fast-track the bill. As the Record by Recorded Media reports, just before the vote Senate Homeland Security Committee Chair Gary Peters said, “I think this is especially important right now as we face increased risk of cyber attacks from Russia — and the cyber criminals that they harbor — in retaliation for our support for Ukraine.” The package also updates the Federal Information Security Modernization Act to codify the responsibilities of top cyber officials like the National Cyber Director, and it authorizes the Federal Risk and Authorization Management Program cloud computing program for five years. The act now goes to the House before being signed into law.
DC Council passes measure to limit government use of WhatsApp.
On Tuesday, the Council of Washington, DC approved an emergency measure regulating the use of WhatsApp and other messaging platforms by government officials. The Washington Post explains that the move is in response to reports that DC Mayor Muriel Bowser’s administration has been conducting government business over the app. The issue is that the use of messaging platforms that have an auto-delete feature conflicts with the Freedom of Information Act and other laws stating that all communications, even electronic ones, must be made available to the public. When introducing the measure, DC Council chairman Phil Mendelson stated, “After learning of the use of encrypted messaging apps, by members of the Executive Branch, it is an urgent matter that we boost transparency in District Government.” Bowser said she supports the measure, but finds it hypocritical that members of the Council would not be covered by the policy. Mendelson responded that the Council does, in fact, have other rules in place to ensure that its electronic communications remain available to the public.
NSA publishes cybersecurity guidelines for infrastructure operators.
The US National Security Agency (NSA) yesterday announced the release of its “Network Infrastructure Security Guidance” Cybersecurity Technical Report, a collection of cybersecurity best practices for infrastructure operators. NSA states, “While compromise occurs and is a risk to all networks, network administrators can greatly reduce the risk of incidents as well as reduce the potential impact in the event of a compromise. This guidance focuses on the design and configurations that protect against common vulnerabilities and weaknesses on existing networks.” Advice includes implementing protections for both perimeter and internal networks and improving access controls to better prevent intrusion. While it’s acknowledged that most networks likely have some measures in place, the intent of the report is to provide guidance on prioritizing future improvements.