At a glance.
- Implementation of the US’s National Cybersecurity Strategy.
- US House examines two CISA cyber programs.
- UK’s Online Safety Bill passed by parliament.
Implementation of the US’s National Cybersecurity Strategy.
Lawfare offers a closer look at the White House’s recently released National Cybersecurity Strategy (NCS), and how the corresponding implementation plan outlines a roadmap for reaching the strategy’s goals. The plan’s first installment, issued in July, details sixty-five short- and long-term initiatives, assigning responsibility for each to various government agencies. Across the strategy’s five pillars, tasks are identified to defend critical infrastructure, disrupt threat actors, shape the market to incentivize security, invest in a resilient future, and collaborate with international partners.
While some initiatives have a longer implementation schedule than others, the authors note that progress has already been made in reaching goals across all five pillars. The plan is considered a “living document,” one that will change over time as the cyber landscape evolves and lessons are learned. As such, the final portion of the plan actually focuses on assessing the effectiveness of the NCS, tasking the Office of the National Cyber Director with reporting on how the implementation process has progressed. That said, in the absence of the Biden administration, it’s unclear whether the tenets of the NCS will be upheld, meaning when it comes to implementation, time is of the essence.
US House examines two CISA cyber programs.
In the wake of several recent cyberattacks impacting the federal government, the US House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection yesterday held a hearing examining two of the Cybersecurity and Infrastructure Security Agency’s (CISA) cybersecurity programs. As SC Media explains, the initiatives in question are Continuous Diagnostics and Mitigation, which involves how civilian federal agencies monitor and track devices connecting to federal networks, and EINSTEIN, an automated system that monitors federal network traffic for potentially malicious activity.
Officials discussed the efficacy of these programs in detecting potential intrusions given the fact that recent attacks – like the breach of Microsoft’s cloud email system and the mass-hack of the MOVEit file transfer app – flew under the radar. Subcommittee chair Representative Andrew Garbarino stated, “While this perimeter security function is important, it is not sufficient for a cybersecurity program given the current threat landscape and the ability of bad actors to evade many perimeter security mitigations.
What’s more, EINSTEIN has faced longstanding downsides, including limitations in detecting and preventing encrypted traffic, and focusing on what we already know is malicious traffic.” Recommendations include expanding cybersecurity programs to cover Internet of Things devices and relying more on endpoint detection. As well, the White House’s proposed budget requests $425 million for Cyber Analytics and Data System (CADS), a system that would eventually absorb EINSTEIN. Officials also discussed how a possible government shutdown could negatively impact the nation’s cybersecurity. Brian Gumbell, president of contractor Armis, stated, “I think the shutdown will obviously cause some delays and some cyber projects will come to a halt. The longer we delay, the longer the adversaries will have the chance to get in front of us.”
UK’s Online Safety Bill passed by parliament.
The British parliament has passed the Online Safety Bill, a slate of legislation that has been the source of controversy since its earliest stages. Beginning in 2019 as a white paper, over the years the bill has grown in scope to address a swath of online issues from disinformation to cyberbullying to child safety to deepfake porn. As TechCrunch notes, current secretary of state Michelle Donelan worked to temper the reach of the legislation, particularly when it comes to the regulation of harmful but legal content that might interfere with freedom of speech. Most recently, messaging platforms that offer end-to-end encryption argued that the bill’s mandate for platforms to scan messages for harmful content could expose users’ communications to intrusion.
The Record explains that while the current version of the bill could, in some circumstances, require messaging platforms to use “accredited technology” to identify particularly unsafe content like child sexual abuse material (CSAM), UK regulators would have to deem such scanning “necessary and proportionate,” and no such accredited technology yet exists. Lord Parkinson of Whitley Bay stated that the bill’s goal is “to make the UK the safest place in the world to be online, particularly for children,” and the next step will be for the Office of Communications (Ofcom), the regulator and competition authority for the UK communications industries, to focus on implementation. The legislation gives Ofcom the power to levy fines of up to 10% of annual turnover (or up to £18M, whichever is higher) for violations. The bill will now seek Royal Assent before becoming law.