At a glance.
- More on the US’s new cyberincident reporting legislation.
- US State Department offers millions for information on illicit North Korean cyberactivity.
- US House investigating facial recognition software.
More on the US’s new cyberincident reporting legislation.
Mondaq offers a breakdown of the White House’s recently signed Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require critical infrastructure organizations to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within seventy-two hours of discovery, and ransomware payments within twenty-four hours. Highlights include:
- Industries covered by the legislation include chemical; commercial facilities; communications; critical manufacturing; dams; the defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.
- Covered incidents include those that result in a “substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes.”
- CISA's director is required to issue a proposed rule within two years, and must issue a final rule eighteen months after making the proposal, though he or she has the power to issue future regulations to amend that rule. Once the rule is in place, public comment will be accepted for thirty to sixty days.
- CISA will conduct an outreach and education campaign on new cybersecurity initiatives to include the Cyber Incident Reporting Council, Ransomware Vulnerability Warning Pilot Program, and a Joint Ransomware Task Force in collaboration with the Federal Bureau of Investigation (FBI), the National Cyber Director, and the Attorney General.
US State Department offers millions for information on illicit North Korean cyberactivity.
On Friday, the US State Department announced that its Rewards for Justice program will be offering rewards of up to $5 million for intel on money laundering, exportation of luxury goods, cyberoperations, human rights abuses, actions supporting the proliferation of weapons of mass destruction, and other illicit activities carried out by North Korea. The announcement states, “RFJ is seeking information on those who seek to undermine cybersecurity, including financial institutions and cryptocurrency exchanges around the world, for the benefit of the Government of North Korea.” The Record by Recorded Future notes that the announcement comes just a day after the US Federal Bureau of Investigation fingered Lazarus, the North Korean state-backed threat group, for attacking the decentralized finance platform Ronin Network. The FBI stated, “Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK [Democratic People’s Republic of Korea], are responsible for the theft of $620 million in Ethereum reported on March 29th.”
US House investigating facial recognition software.
US lawmakers are launching a probe into the government’s use of facial recognition software, SecurityWeek reports. The Internal Revenue Service was recently pushed to stop using such software following complaints from opponents who worried facial recognition databases were an easy target for cyberattacks and also questioned how such data could be used by other government agencies. Two House committees submitted a letter Thursday to facial recognition tech company ID.me requesting details about the firm’s contracts with ten federal agencies and thirty state governments. House oversight committee chair Carolyn Maloney stated, “I am deeply concerned that the federal government lacks a clear plan, leaving agencies like the IRS to enter contracts worth tens of millions of dollars with questionable terms and oversight mechanisms…Without clear rules of the road, agencies will continue to turn to companies like ID.me, which heightens the risk that essential services will not be equitably provided to Americans, or will be outright denied, and that their biometric data won’t be properly safeguarded.” An ID.me spokesperson responded, “ID.me remains a highly effective solution available for government agencies that provides the most access for under-served Americans. ID.me adheres to the federal guidelines for identity verification and login while providing services to public sector agencies. These standards have proved remarkably effective at preventing fraud.”