At a glance.
- European Council says manufacturers should not report vulnerabilities directly to ENISA.
- Cyber amendments in the US’s 2024 defense authorization bill.
- CYBERCOM nominee discusses new budget authorities.
European Council says manufacturers should not report vulnerabilities directly to ENISA.
In an amendment to the Cyber Resilience Act (CRA), the European Council has determined that manufacturers will be required to report actively exploited vulnerabilities to the national Computer Security Incident Response Team (CSIRT) in the country where they are based. This decision is a rejection of a proposal that called for manufacturers to disclose such vulnerabilities to one central EU body, the European Union Agency for Cybersecurity (ENISA). Instead, ENISA will operate and maintain an intelligence sharing platform, which the various CSIRTs will use to disseminate warnings about reported vulnerabilities.
As the Record notes, the decision could cause disagreement between the various incident response teams, as each one is run according to the laws of the country in which it’s based. The rule also states that if a CSIRT is informed about a vulnerability it must inform the potentially impacted manufacturers without “undue delay,” but the term “undue” has not been clearly defined. While it’s unclear why the decision was made, there have been concerns that having ENISA, which is based in Greece, serve as the main repository for threat information could make it a target for malicious actors. Bart Groothuis, the European Parliament’s rapporteur for cybersecurity, said of the initial proposal, “It’s a risk in itself for the safety and security of the internet because other agencies might want to go for that.” The CRA is expected to be negotiated with the European Parliament later this year before it becomes law.
Cyber amendments in the US’s 2024 defense authorization bill.
Last week the US Senate began its deliberations over the National Defense Authorization Act (NDAA) for FY2024, MeriTalk reports. As it stands, highlights of the bill include allocating $845 billion for the Department of Defense and $32 billion for national security programs within the Department of Energy, and authorizing substantial investments in military tech like microelectronics, hypersonic weapons, and unmanned aircraft systems. Senate Armed Services Committee Chairman Jack Reed (a Democrat from Rhode Island) and Ranking Member Roger Wicker (a Republican from Mississippi) issued a joint statement noting, “The bill authorizes significant investments in key technologies like hypersonics and artificial intelligence, and it makes important progress toward modernizing our ships, aircraft, and combat vehicles.”
Two cyber-related proposals stand out. An intelligence authorization amendment would direct the Election Assistance Commission to conduct penetration testing of voting system hardware and software. And the State Department authorization amendment would provide enhanced cyber protections to personnel whose accounts and devices are considered at higher risk of cyberattack. It’s expected that the Senate will pass its version of the defense package by the end of this week, and then the House and Senate will work together to create a unified bill.
CYBERCOM nominee discusses new budget authorities.
Speaking of the NDAA, Federal News Network explains that the fiscal year 2024 defense appropriations bill could grant Cyber Command (CYBERCOM) new programming and budgeting powers. As stipulated in the Fiscal 2022 National Defense Authorization Act, the FY2024 budget would authorize CYBERCOM to set training standards, increase its warfighting forces, and bolster partnerships with industry. During a confirmation hearing last week, Lieutenant General Timothy Haugh, US President Joe Biden’s nominee to take over as CYBERCOM head, said the new powers will “change the dynamic” of the command’s mission. He explained, “We’ll have the responsibility for the acquisition of the capabilities for our Cyber Mission Force and have the authority to set the training standards. It allows Cyber Command to set the investment in our training infrastructure, in our training courses, and allows the services to focus on recruiting; initial skills training aligned to our standard; and then to leverage the retention capabilities that Congress has given to the services.” He said more control over training will allow CYBERCOM to scale more quickly, and that increased interaction with industry partners would give the command access to greater resources.