At a glance.
- EU proposes controversial crypto law.
- US Chamber of Commerce debates SEC’s new cyberincident reporting measure.
- Notes from the Cybersecurity Advisory Committee meeting.
- Comment on the US State of Emergency for critical infrastructure.
- Comment on the US President's Budget.
EU proposes controversial crypto law.
The EU Parliament yesterday approved proposed measures that would prohibit anonymous cryptocurrency transactions and extend anti-money laundering rules to apply to even the smallest digital currency payments by removing the EUR 1,000 minimum. The move has been met with much debate, and the European People's Party (EPP) says the law effectively bans self-hosted wallets. “With this approach of regulating new technologies, the European Union will fall further behind other, more open-minded jurisdictions,” EPP spokesperson Markus Ferber told CoinDesk. Industry leaders like Coinbase, who would have to consult with the authorities whenever a customer receives cryptocurrency worth over EUR 1,000 from a self-hosted wallet, have also expressed their dissent, and legal experts say the laws are so stringent they could lead to legal challenges in EU courts. The proposal will now go to the EU Council, where it must be approved by both the parliament and national ministers before becoming law.
US Chamber of Commerce debates SEC’s new cyberincident reporting measure.
The US Securities and Exchange Commission’s (SEC) proposed rules requiring that public companies disclose cyberincidents in Form 8-K securities filings were a hot topic at a Chamber of Commerce event this week, Nextgov reports. Christopher Roberti, the Chamber’s senior vice president for cyber, intelligence and supply chain security policy, said he feels the proposal goes against the spirit of the Cybersecurity and Infrastructure Security Agency’s (CISA) reporting rules, which incentivize reporting by ensuring companies are protected from liability. “When we look at the law and the will of Congress versus the SEC proposed rule, it seems to us that Congress has spoken and used things like confidentiality and liability protection as a means to foster a virtuous circle of reporting and action,” Roberti commented. “To us, it would seem like the Securities and Exchange Commission’s proposed rule…could upend that intent of Congress.” Rhode Island Representative Jim Langevin disagreed, stating that breach disclosure is paramount, and that shareholders have a right to know about a company’s cybersecurity posture. “Post breach disclosure cost is a really important part of that risk communication … shareholders really should be able to [distinguish] between companies that take cybersecurity seriously, and those who don't,” Langevin stated.
Notes from the Cybersecurity Advisory Committee meeting.
CISA this week held its second meeting of the Cybersecurity Advisory Committee, a collection of experts from industry, academia, and government selected to provide recommendations on CISA’s program and policy goals. CISA Director Jen Easterly stated, “The Committee has truly hit the ground running in scoping key areas of focus to help support our evolution as the nation’s cyber defense agency.” The six subcommittees reported on their progress in areas including the cyber workforce, cyber hygiene, strategic communications, and mis-, dis-, and mal-information.
Comment on the extended US state of emergency.
Roya Gordon, Security Research Evangelist at Nozomi Networks, the leader in OT and IoT security, shared her comments on the US state of emergency that President Biden extended earlier this week. She sees critical infrastructure as having a global presence and a global exposure:
"US critical infrastructure companies have a global presence, so it makes sense for the government to encourage them to maintain a heightened security posture in the midst of an ongoing physical conflict. US assets abroad could be easily targeted, or even caught in the crossfire (from a cyber perspective), so maintaining a “Shields Up” approach to security is key.
"What I find more interesting is that we are shifting from what traditional military defense is (defending the land) to a cyber defense that involves not only the military but corporations as well. Corporations are realizing that they can’t sit this one out. Although military and government systems are highly targeted, threat actors realize that targeting critical infrastructure (run by private companies) can do even more damage to cripple a nation. I encourage companies to comply with the government and increase their security posture by: segmenting their networks, scanning for unused ports, patching, constantly changing passwords, reviewing identity and access to ensure old employees don’t still have access to company networks, etc. These are just the basics that companies should be doing to strengthen those weak points. Whether they like it or not, they are players in this new cyber frontier."
Comment on the President's Budget, and its implications for cybersecurity.
Mark Manglicmot, VP of Security Services at Arctic Wolf, welcomes the increased resources in the US President's Budget, which we covered earlier this week:
"In the wake of critical infrastructure concerns stemming from the conflict in Russia – paired with the ongoing risk of nation state attacks – it’s clear that the administration is concerned with ensuring the forward progress of collective cybersecurity efforts. There have been consistent motions from the Biden administration for organizations to focus on strengthening their cyber ecosystems – from internal initiatives to the recent memorandum holding federal contractors accountable for their efforts, too.
"To improve their defenses, organizations must, at a minimum, improve their cybersecurity budgets. In fact, 50% of surveyed security teams don’t have the budget to feel adequately equipped to thwart threats. Inadequate budgets impact important avenues for improving security postures, including tools, talent acquisition and retention and robust and consistent awareness training for employees. Spending the funds efficiently enables organizations to shore up gaps in technical controls, remediate known vulnerabilities, and add talent to address 24x7 coverage deficits.
"Additional budget can continue to advance both defensive and offensive cybersecurity operations. It can also expand the resources to continue the recent progress made in bringing both private and public sector leaders together to fight adversarial attacks. With this motion to put more resources behind our nation’s security, both sectors are in a better position to collectively defend against attackers that are most certainly resource backed."