At a glance.
- NCSC names new CTO.
- NCSC CEO warns of security risks of AI products.
- CERT NZ and NCSC join forces.
- SEC cyber incident disclosure rule takes effect today.
- Crypto firms needn’t worry about SEC’s new rules?
- CISA brings in "Mudge" as an advisor on security-by-design.
NCSC names new CTO.
The UK National Cyber Security Centre (NCSC), an arm of Britain’s Government Communications Headquarters (GCHQ), has selected its first ever Chief Technology Officer. Ollie Whitehouse has decades of experience in cybersecurity in the private sector, most recently working at information assurance firm NCC Group, the Record notes. For the past ten years he also served as an independent advisor to the NCSC’s Research Advisory Panel and has contributed to several other government research panels as well. The NCSC says the new CTO will be “influential in tackling the challenges of tomorrow,” from “diversifying the pipeline of expert talent, to anticipating technological capabilities, to ensuring the NCSC remains at the forefront of digital developments.”
NCSC CEO warns of security risks of AI products.
Speaking of the NCSC, its CEO Lindy Cameron is urging artificial intelligence tech developers to focus on security when designing their products. In a speech at the Chatham House Cyber 2023 conference, the UK Defence Journal reports, Cameron emphasized the need for a “secure by design” approach. She stated, “We cannot rely on our ability to retro-fit security into the technology in the years to come nor expect individual users to solely carry the burden of risk. We have to build in security as a core requirement as we develop the technology.” This take is in keeping with the Five Eyes’ stance of putting greater responsibility on manufacturers when it comes to cybersecurity. Cameron went on to name the NCSC’s three main goals when it comes to AI: helping organizations understand the potential threats of AI, maximizing the benefits AI can offer in cyber defense, and understanding how adversaries are exploiting AI. She warned, “AI developers must predict possible attacks and identify ways to mitigate them. Failure to do so will risk designing vulnerabilities into future AI systems.”
CERT NZ and NCSC join forces.
New Zealand's Computer Emergency Response Team (CERT NZ) has merged with the country’s National Cyber Security Centre (NCSC), but NCSC head Lisa Fong says that for now, operations will continue as usual, at least from a customer perspective. “This initial shift has been designed to minimise disruption to customers, with the move simply transferring CERT NZ’s operations and staff from the Ministry of Business, Innovation and Employment to the NCSC,” Fong told Reseller News. She said that the group is working on an integrated operating model that will allow them to work as a single agency similar to those in Australia, the UK, and Canada. The merger follows a recommendation made by the Cyber Security Advisory Committee (CSAC) in July.
A report published by CSAC last year found that while CERT and NCSC were very responsive to victims, they both struggled when it came to offering individualized resources. Minister for the Public Service Andrew Little told Parliament that the current system was too fragmented, and that customers could benefit from a more one-stop-shop experience. Little stated, “[CSAC] said this would be best achieved by merging CERT NZ and the NCSC, in part because the NCSC is subject to robust legislation to protect individuals and users' data, whereas the previous government did not put the same protections around CERT NZ when they established that organisation.” That said, the merger has been met with some pushback, as some experts say there’s a need for an independent cybersecurity body. Cybersecurity figure and entrepreneur Kendra Ross said, “We would not recommend it sit inside an intelligence organisation which, even though it does have NCSC for Critical Infrastructure, is not truly outward facing.” As well, she said the integration process lacks a clear strategy and that there has been little consultation with industry.
SEC cyber incident disclosure rule takes effect today.
The US Securities and Exchange Commission's (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule takes effect today. The regulations, under preparation since 2022, seek to address the growing cyber risks facing public companies. Specifically, public companies will be required to address material cyber incidents in their 8-K filings. "New Form 8-K Item 1.05 will require registrants to disclose any cybersecurity incident they determine to be material," the SEC said in a factsheet, "and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations."
Three Republican members of the US House have criticized the rule as agency overreach. The Washington Post quotes Andrew R. Garbarino (New York 2nd), Mark Green (Tennessee 7th), and Zachary Nunn (Iowa 15th): “It is unfathomable that the SEC is moving forward with its public disclosure requirements, which will only increase cybersecurity risk, without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland."
At the time of the rule's adoption, the SEC likened a cyber incident to a fire that destroys a plant: “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
We received comments on the rule from two industry experts. George Gerchow, IANS Faculty and CSO and SVP of IT at Sumo Logic, thinks that while today marks a milestone, the more consequential deadline is December 15th. “While today marks the beginning of the mandate for publicly traded companies to notify the SEC of a cyberattack within four days of a material cybersecurity incident, the more important date is December 15 when companies are required to notify investors. The reality is that the majority of companies are heading into this mandate unprepared, while the responsibility falls on the CISO." He sees, as others have, uncertainty surrounding judgments of materiality. "There are still way too many unknowns at this time. We are trying to understand what a ‘material incident’ means, but it’s still too ambiguous. Furthermore, there is very little guidance on how companies should handle third-party attacks. Supply chain attacks are on the rise and add another layer of complexity to reporting the full nature and scope of an incident. So, how are companies going to pull in third-parties and their team to handle an incident within such a short timeframe?" And Gensler recommends that companies and the SEC arrive at answers to "three major unanswered questions:
- "What is the impact on your company?
- "How do you handle a four-day disclosure timeline, especially if a third-party is involved?
- "What are the penalties of failing to meet the reporting deadline?"
He hopes there are answers to these before the 15th of December.
Scott Kannry, CEO and Co-Founder of Axio, urges companies to take the regulatory risk seriously. “Now that the SEC cybersecurity rules are in effect, you don’t want to be the company who has a cyber event and isn’t prepared. For most public companies, the first deadlines are December 15th and 18th, so the time to get ready is now. When viewed through a simplified lens, there are two sides to the rule:
- "The disclosure side speaks to having better disclosure as to how the company (more specifically, Board of Directors/Management) is governing and overseeing the cybersecurity program. Companies have to be more forthright about the methodologies and frameworks they are using to manage cybersecurity.
- "The other side speaks to how to determine if a cyber incident is material to investors in the company. That is, whether a cyber event negatively impacts an investor’s investment in the company."
Kannry recommends that companies immediately take steps to bring themselves into compliance. "To ensure that your company is prepared on the disclosure side, you must quickly evaluate the methodologies in place that govern cybersecurity from a board level standpoint. If it's a hodgepodge of spreadsheets and new consultants every year, you aren't going to have consistency. I often draw the analogy to financial management reporting where it’s important to have a trusted and consistent methodology, and capabilities in place to support the utilization of that methodology. For example, do you have the cybersecurity equivalent of an FP&A platform? If the answer is yes, you have the underpinnings to meet the requirement. On the materiality side, it’s the same logic from a different perspective. How would you define if an incident is material as it relates to investor materiality? How does that relate to the way that you define other risks from a materiality standpoint? For all other areas of risk that might find their way into a company’s enterprise risk management program, that’s typically defined in dollars and cents. We need to do the same thing in cyber and to do so we can use cyber risk quantification. If you currently define cyber event materiality as the percentage of endpoints impacted, can you effectively translate that into operational impact and potential financial impact on the business? If the answer is no, your company is not ready to meet the requirement.”
Crypto firms needn’t worry about SEC’s new rules?
While the US Securities and Exchange Commission’s (SEC) new regulations could have a big impact on many organizations in the private funds industry, one insider says most cryptocurrency brokers should be in the clear. Adam Guren, co-founder of alternative asset manager Hunting Hill Digital, says that crypto firms that have been proactive about adhering to regulations as they’ve changed over the past few months shouldn’t have much to worry about. However, Guren told crypto.news, the new rule could lead to increased costs for some crypto fund managers, especially smaller firms with fewer resources.
CISA brings in "Mudge" as an advisor on security-by-design.
The Washington Post reports that the US Cybersecurity and Infrastructure Security Agency (CISA) has brought in Peiter "Mudge" Zatko as a part-time senior technical advisor on security-by-design. Chris Wysopal, founder and CTO at Veracode (and, like Mudge, an alumnus of the L0pht hacker collective), praised the appointment.
“Mudge will be a huge asset for all of us at the Cybersecurity and Infrastructure Agency. His appointment continues the decades-long effort to enhance global security through secure by design software. This effort started back in the late 90s and early 2000s when Mudge and members of the L0pht, including myself, sounded the alarm on the risks of insecure software to educate the federal government on the benefits of secure software as the long-term strategy to solve our cybersecurity woes. It has taken decades, but we are starting to see progress. Secure by design is a way for all computer users to benefit from cybersecurity improvements, not just those with the ability to afford expensive cybersecurity protection software and service.
"Mudge has vast experience building secure software at Google and Stripe. He is good at building bridges between different communities such as the government and vendors. I see his appointment as a sign that CISA’s Secure by Design efforts are building steam to help tackle an important and game changing cybersecurity improvement for the whole network connected world.”