At a glance.
- Cyberspace Solarium Commission recommends revamp of US critical infrastructure security plan.
- Ten years after Snowden leaks, where does the US stand on domestic surveillance?
- 311, I have a cyber emergency.
Cyberspace Solarium Commission recommends revamp of US critical infrastructure security plan.
A report released yesterday by the Cyberspace Solarium Commission 2.0 (CSC) says that the US “current systems for designating sectors as critical and for mitigating cross-sector risks are inadequate,” and recommends an overhaul to address these issues. In the Executive Summary, the Commission states that despite the Biden administration’s efforts to build strong relationships with the private sector, “the policy underpinning this public-private sector relationship has become outdated and incapable of meeting today’s demands. Similarly, the implementation of this policy — and the organization, funding, and focus of the federal agencies that execute it — is inadequate.” Nextgov explains that the report is being released just as a review of the Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21), originally written in 2013, is being launched. As Cyberscoop notes, the report highlights the 2021 Colonial Pipeline ransomware attack as an example of how government cyber-response systems are not sufficiently prepared for a massive attack on critical infrastructure providers. Perhaps most importantly, the report states that the Cybersecurity and Infrastructure Security Agency (CISA) is not adequately structured to support rapid response to cyberattacks targeting the US's most critical systems. As CISA didn’t even exist when the PPD-21 was written, the CSC is calling for the new PPD to officially designate CISA as the nation’s risk management agency. The CSC offers ten other recommendations for addressing gaps in cybersecurity policy for critical infrastructure organizations, including revising strategy documents, addressing inconsistent guidance for Sector Risk Management Agencies across industries, and strengthening information sharing procedures.
Ten years after the Snowden leaks, where does the US stand on domestic surveillance?
As we reach the ten-year anniversary of Edward Snowden’s leaks concerning the US National Security Agency’s bulk collection of Americans’ phone records, the Register reflects on what the past decade has taught us about domestic spying programs. US Senator Ron Wyden, Democrat of Oregon, told The Register: "I warned in 2011 that 'When the American people find out how their government has secretly interpreted the Patriot Act, they will be stunned and they will be angry.' I was right, as Edward Snowden's revelations proved." Since those revelations surfaced, there have been calls for privacy programs to protect citizens’ data and for more transparency about what information the government is intercepting. In 2015 Congress passed the USA Freedom Act, which put an end to the bulk collection of phone records and required the federal government to release "significant" opinions of the Foreign Intelligence Surveillance Court (FISC). Currently, officials are debating whether Section 702 of the Foreign Intelligence Surveillance Act, which allows US intelligence agencies to collect, without a warrant, the communications of non-US persons located abroad (and, incidentally, Americans’ communications with those targets), should be renewed when it expires at the end of this year. Jake Laperruque, deputy director of the Center for Democracy and Technology's Security and Surveillance Project, says, "To its credit, the government has engaged in reforms, and there's more transparency now that, on the one hand, has helped build back some trust that was lost, but also has made it easier to shine a light on surveillance misconduct that has happened since then." Indeed, a new poll from The Associated Press-NORC Center for Public Affairs Research shows that Democrats and Republicans share a distrust of domestic spying practices. Over the past decade Republicans in particular have become less willing to compromise freedom in response to threats, AP News notes.
The survey found that 28% of respondents support the government listening, without a warrant, to phone calls made outside the US, while 44% oppose it. Forty-eight percent said they believed it necessary to sacrifice some rights and freedoms to prevent terrorism, down from 54% in 2021 and nearly two-thirds in 2011.
311, I have a cyber emergency.
Small businesses and nonprofits, which often lack the resources to devote to cybersecurity, are easy prey for hackers, and with federal agencies focused on cyberthreats to critical infrastructure, these organizations often slip through the cracks. US universities are offering an unusual solution: cybersecurity clinics that train students as digital security consultants. Modeled after law school legal clinics, these centers can offer free cyberdefense services to organizations that lack the funding or staff to defend themselves. Sarah Powazek, the program director of public interest cybersecurity at the University of California, Berkeley's Center for Long-Term Cybersecurity, told Wired, “There is a critical role for universities to play in community cyber defense. Students are local, highly motivated, and able to provide a range of services pro bono for under-resourced organizations that otherwise couldn’t afford them.” The University of Texas at Austin plans to open the newest of these clinics in a few months, and it will take an unusual approach: a cyber hotline. Much like the 311 phone service that residents call to report city issues like potholes, the hotline will offer emergency cybersecurity support for local businesses, and the clinic will join a consortium of other schools sharing resources and best practices. Robert Chesney, founder of the new clinic and dean of UT-Austin’s law school, explains, “There’s no learning like the learning that involves an actual, real client. Everybody says those experiences are the most impactful things that they do.”