At a glance.
- OMB extends deadline and clarifies parameters of secure software attestation requirements.
- Washington state requires disclosure of deepfakes used in election media.
- USCYBERCOM conducts hunt forward mission in SOUTHCOM.
- FTC Safeguards Rule became effective last Friday.
OMB extends deadline and clarifies parameters of secure software attestation requirements.
The White House Office of Management and Budget (OMB) announced last week that it’s extending the previously declared secure software attestation deadline, Federal News Network reports. According to a memo issued last September, the deadline for agencies to start collecting software security attestation forms from contractors was set for June 12 for critical software and September 14 for all software. A new memo released last week says agencies must begin collecting attestations for critical software no later than three months after the Cybersecurity and Infrastructure Security Agency’s (CISA) common attestation form is finalized under the Paperwork Reduction Act, and agencies have six months for all other software.
It’s unclear exactly when CISA’s form will be finalized. The new memo also clarifies that agencies are required to collect attestations only from the “producer of the software end product,” since that organization is “best positioned to ensure its security.” The memo further narrows the scope: agencies aren’t required to collect attestations for proprietary products that are “freely obtained and publicly available,” and software resellers won’t have to provide attestations for the products they resell. Jason Weiss, the former Defense Department Chief Software Officer and co-founder of Digital Triad Group, stated, “[Government officials] have listened to industry, provided clarifying scope, and we can see in this new memo how the administration continues to take steps to re-balance cybersecurity risk by placing the burden on the software producer.”
(Added, 8:00 PM ET, June 12th, 2023. We received some explanatory comment from experts at Contrast Security. Tom Kellermann, SVP of Cyber Strategy at Contrast, thinks the regulation is warranted. “It's high time. Accountability is paramount given the number of vulnerabilities that are metastasizing in software. Plausible deniability is no longer acceptable.”
His colleague, Jeff Williams, co-founder and CTO at Contrast Security, sees some instructive analogies with Sarbanes-Oxley. “I think this move demonstrates the commitment to making attestation work. Although it may seem as though OMB is backpedaling a bit on their earlier memo, I believe this update shows that they are being practical but unwavering in their desire to see real transparency in the software market," he writes. He notes a significant phrase in the form of the attestation. "The attestation form contains this: 'Disclosure: Providing this information is mandatory. Failure to provide any of the information requested may result in the agency no longer utilizing the software at issue. Willfully providing false or misleading information may constitute a violation of 18 U.S.C. § 1001, a criminal statute.' This sounds like Sarbanes-Oxley (SOX) for software," he observes.
"The CEO of software vendors (or their designee) must sign an attestation demonstrating their compliance with the NIST SSDF and lying may result in Federal charges," Williams explains. "I believe this provides ample motivation for executives to leverage their legal, audit, and compliance machinery to make sure it gets done. The OWASP CycloneDX project is working to make it possible for vendors and agencies to use a machine-readable attestation format that will help to handle producing and consuming these attestations, create databases, apply policy, create alerts, and generally manage the massive volume of attestations required in a large agency or a large vendor.”)
Washington state requires disclosure of deepfakes used in election media.
Last week the US Federal Bureau of Investigation warned that scammers were using deepfakes in sextortion scams. Now Washington Governor Jay Inslee has signed a bill requiring disclosure when deepfakes are used in election-related materials. “With more generative AI tools shaping the media we see and hear, it’s important for those consuming it to understand what’s been manipulated,” stated Jevin West, a co-founder of the University of Washington’s Center for an Informed Public. During the 2022 legislative session then-State Senator David Frockt sponsored a similar bill that did not move forward, but this revised proposal was approved during the 2023 session.
The Center for an Informed Public, an interdisciplinary misinformation and disinformation research program at the University of Washington, explains that its founders Ryan Calo and Jevin West advised lawmakers on the revised bill. State Senator Javier Valdez, one of the bill’s sponsors, stated, “This bill is a powerful step towards protecting the integrity of our democratic process. With this legislation, we send a clear message that the use of manipulative media will not be tolerated, and that candidates and campaigns can work for the hearts and minds of voters on a level playing field.”
USCYBERCOM conducts hunt forward mission in SOUTHCOM.
Defense News reports that the US Cyber National Mission Force conducted a hunt-forward mission to identify digital weaknesses on foreign networks and expose hacking tools inside Southern Command’s (SOUTHCOM) area of responsibility. At a cyber summit last week, Brigadier General Reid Novotny stated, “The whole point of the defend-forward mission is to learn something on someone else’s network, a partner network, another nation’s network, so we can bring back that information and make sure our networks are more secure.” SOUTHCOM covers two dozen countries, including Argentina, Brazil, Jamaica, and Nicaragua, but Novotny did not disclose exactly where or when the mission took place. Defense News notes that such international efforts are often disclosed well after they are completed, and sometimes not at all.
FTC Safeguards Rule became effective last Friday.
Dror Liwer, co-founder of cybersecurity company Coro, commented on the implications of the Rule: it's broad, and it amounts to a one-size-fits-all approach to regulation. “The expanded FTC Safeguards Rule goes into effect today, requiring a new and surprising group of small and midmarket businesses to comply with a stringent level of customer privacy and security protection. The new rule creates two critical issues for these businesses. First, the FTC’s definition of a financial institution is so broad that auto dealerships, travel agencies, career counselors and any business that regularly uses wire transfers to and from customers may not even be aware that they are impacted," Liwer wrote. "Second, while of course it’s important to put in place the right security to protect customer information, the new FTC requirements require implementing the same approach to security – with costly penalties for non-compliance – for both large financial institutions as well as small, 20-person career counselors. Today’s new ruling is a costly and potentially devastating event for the hundreds of thousands of small and midmarket businesses that must now comply.”