At a glance.
- Quantum-resistant encryption.
- Strengthening American Cybersecurity Act and DoJ.
- Healthcare and the Cybersecurity Reporting Act.
US officials work toward quantum-computing resistant encryption.
As advances in the field of quantum computing threaten to render standard encryption techniques obsolete, world leaders are looking for a solution to secure communication flows. With worries of a Y2Q moment looming, VentureBeat reports that the NATO Cyber Security Center yesterday disclosed it has been experimenting with a post-quantum VPN from quantum computing provider Post-Quantum. Reportedly the VPN employs cryptography so complex that it’s able to withstand malicious quantum-level decryption. The move comes on the heels of the US National Institute of Standards and Technology’s announcement that it’s creating a standard for replacing tech reliant on public-key algorithms. And the White House recently released a National Security Memorandum requiring the National Security Agency (NSA) to update the Commercial National Security Algorithm Suite with quantum-resistant cryptography within thirty days. The memorandum also gave national security agencies one hundred eighty days to identify any encryption not in compliance with NSA-approved Quantum Resistant Algorithms and produce a timeline for becoming compliant. Post-Quantum’s CEO Andersen Cheng stated, “People frequently talk about commercial quantum computers when referencing this Y2Q moment, and that’s a long way off — potentially ten to fifteen years away. But from a cybersecurity perspective, we’re not talking about slick commercial machines; a huge, poorly functioning prototype in the basement is all that’s needed to break today’s encryption.”
US cybersecurity package receives pushback from FBI and DOJ.
As we noted last week, the US Senate has unanimously passed the Strengthening American Cybersecurity Act, a package of three bills intended to enhance the nation’s cybersecurity infrastructure, no doubt motivated by concerns that Russia’s invasion of Ukraine could lead to cyberattacks on Ukraine’s western allies. The most prominent measure is the Cyber Incident Reporting Act, which requires critical organizations to report attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within seventy-two hours of detection, and ransomware payments within twenty-four. However, the Federal Bureau of Investigation (FBI) and Department of Justice (DOJ) say the measure is inadequate as it leaves the FBI out of the attack response process. FBI Director Christopher Wray told The Hill that while he supports the bill, it “has some serious flaws.” Kylie Nolan, a spokesperson for the Senate Homeland Security Committee’s Senator Rob Portman, told The Dispatch, “This bill reflects changes from DOJ and FBI as well as many others to obtain the broad support it currently enjoys across government and the private sector. It is shameful that for some a bureaucratic turf war appears to be taking precedence over our nation’s security during this critical time.” Likewise, a spokesperson for bill sponsor Senator Gary Peters, chair of the Senate Homeland Security & Governmental Affairs Committee, said that the DOJ and FBI were consulted before approval and the bill had already been revised to address their concerns. He was alluding to a revision directing CISA to share attack reports with other relevant federal agencies, but the question remains whether this will be enough. The legislation now goes to the House for approval.
Healthcare and the Cyber Incident Reporting Act.
GovInfoSecurity notes that the Senate’s new cyber bill covers all entities for which a cybersecurity incident could impact national security, economic security, or public health and safety. That includes healthcare organizations, but exactly which organizations it pertains to remains a gray area. Privacy attorney Kirk Nahra at WilmerHale stated, “The scope of who will be required to report and what they will be required to report is likely to evolve. A doctor losing a laptop likely won’t trigger under this. A hospital being attacked by ransomware that shuts down the whole hospital record system would.” The measures would also cover contractors working with the Department of Defense, the Veterans Administration, and the State Department. Any entities that create, receive, maintain, or transmit protected health information would still need to adhere to HIPAA breach reporting rules, but not all of them would necessarily fall under the new legislation. Privacy attorney David Holtzman of HITPrivacy says the measure could apply to any healthcare organization that maintains an information system accessible from the internet, as well as any of that organization’s vendors. He explains, “The bill passed by the Senate does not exempt HIPAA-covered entities or their business associates from the obligations to report cybersecurity incidents or make ransomware payments. The legislation does not preempt or modify the existing HIPAA breach reporting requirements established in the HITECH Act.”
Reed Loden, VP of Security at Teleport, sees the law as tending to drive a higher standard of security in both the private sector and (especially through its official authorization of FedRAMP) the public sector:
“In short, the Senate’s passing of new cybersecurity legislation that forces businesses to swiftly report breaches and attacks is a major step to improving our country’s security posture. Instead of making it easier for organizations to cut corners when it comes to reporting breaches, the legislation forces companies to hold themselves to a higher standard by requiring disclosure of these kinds of attacks to CISA. This legislation also officially authorizes FedRAMP, giving the existing program more weight to force federal agencies to comply with its requirements for the third-party products and services they buy. With FedRAMP as a universal standard for products bought by the federal government, more companies will implement security best practices for cloud infrastructure and applications, further increasing the nation’s ability to successfully combat against attempted breaches.
“While this piece of legislation is strong, there is still a large piece missing in how security breaches should be disclosed to the public. Right now, that is still left to an ever-growing patchwork of state laws that burden businesses with unnecessary complexity. Congress should further elevate and simplify disclosure requirements with a federal-wide policy on how and when breaches should be publicly reported.”