At a glance.
- GAO says its recommendations for critical infrastructure have gone unheeded.
- US National Cyber Director to retire next week.
- Nonprofits call on consumer rights watchdog to crack down on data brokers.
GAO says its recommendations for critical infrastructure have gone unheeded.
A report released Tuesday by the US Government Accountability Office (GAO) says that the majority of the watchdog’s cybersecurity recommendations for the critical infrastructure operators haven’t been implemented. Nextgov.com explains that of the over one hundred recommendations issued by the GAO since 2010, only forty-six have been implemented as of December 2022. The GAO warned, “Until these are fully implemented, key critical infrastructures will continue to have increased cybersecurity risks to their systems and data.”
The watchdog noted that the Department of Energy had implemented plans to better protect the national energy grid, but had not addressed vulnerabilities impacting distribution systems and supply chains as recommended. “The U.S. grid’s distribution systems—which carry electricity from transmission systems to consumers and are regulated primarily by states—are increasingly at risk from cyberattacks,” the report stated. It also said that the Cybersecurity and Infrastructure Security Agency (CISA) “needs to assess the effectiveness of its programs and services to support the communications sector.”
In November 2021 the GAO released a report with a similar warning to CISA, and a report issued last September noted that CISA was working with the Federal Bureau of Investigation and the Secret Service to help local government organizations defend themselves from cyberattacks, but identified gaps in “aspects of six of seven key practices for interagency collaboration.” Tuesday’s report is the third in a four-part series on urgent, high-risk cybersecurity concerns.
We received some comment from industry experts on critical infrastructure protection and broader issues of US cybersecurity policy. Xage Security’s CEO Duncan Greatwood would like to see infrastructure operators catch up with lessons from their own security history:
“As we await President Biden's signature on the U.S. National Cyber Security Policy, inquiring minds may be wondering how critical infrastructure operators can actually implement the anticipated contents of the policy in practice. With 16 different critical infrastructure sectors targeted under the policy, it’s important to understand that each and every sector has its own unique considerations, regulations, governing boards, etc., which will factor into the successful adoption of policy. Oil & gas requires a unique approach from water and so on. That said, there are several lessons learned from the recent TSA directive to oil & gas, when it comes to acting on cyber legislation and regulatory mandates to achieve both compliance and cyber hardening that we should consider as we think about other sectors. The Colonial Pipeline attack was a wake up call to the oil & gas industry, and we at Xage have seen firsthand (and applaud) the accountability this sector has shown in the cybersecurity realm, to address pervasive issues in the aftermath."
He went on to offer some advice for industry, "two takeaways," as he put it: "Business continuity planning must include cyber hardening measures for operational technology (OT)," and "Not just that, but OT must design-in preventative cyber measures to stop threats. When we're talking about our world's scarcest resources and critical systems, it's not enough to know you got hacked."
He concluded with some thoughts on how securing infrastructure is an inherently collaborative challenge.
"Assisting our critical infrastructure agencies to turn directives into effective actions is a responsibility shared by the cyber industry with government and organizations across sectors. We understand these are challenging economic times, with in some cases strapped OT and IT teams, but a top-down approach as it relates to government regulation isn’t as impactful as a collaborative approach. Cybersecurity companies are equally responsible for creating tools and offerings that not only contribute to optimal – even preventative – critical infrastructure security but also support the government policies with actionable guidance.”
US National Cyber Director to retire next week.
Chris Inglis, the US’s National Cyber Director, is set to retire in under a week, on February 15. Kemba Eneas Walden, who joined the Office of the National Cyber Director last spring, will serve as acting director until Inglis’s successor is chosen. Inglis’s departure comes just as his team is set to release a much-anticipated national cybersecurity strategy that will outline a tougher federal approach to digital defense. Lawmakers urged Inglis to stay on until the strategy is released, and while it’s expected to come out soon, a release date has not yet been announced. Inglis told CNN he is confident that the Office of the National Cyber Director “is viable and valuable – in its capabilities, its people, and its influence on issues that matter: protecting our Nation’s critical infrastructure, strengthening and safeguarding our technology supply chain, expanding pathways to good-paying cyber jobs, and so many more.”
Nonprofits call on consumer rights watchdog to crack down on data brokers.
Wired offers a look at the world of data brokerage, and at what lawmakers can do to rein in an unwieldy ecosystem that thrives on the buying and selling of personal digital information. Existing laws technically shield users from having their data nonconsensually passed back and forth for profit, but the illicit dealings of data brokers and the rapidly growing market have made enforcement a challenge. A group of legal nonprofits including Demand Progress, the National Consumer Law Center, and Just Futures Law submitted a letter yesterday to Rohit Chopra, head of the Consumer Financial Protection Bureau, urging his office to better enforce the Fair Credit Reporting Act (FCRA) against violators.
Lauren Harriman, counsel for Just Futures Law, explains, “Data brokers’ practices are especially egregious because they circumvent the Fair Credit Reporting Act and value data without valuing the accuracy of that data. [Data brokers] pay handsome sums to your utility company for your name and address, turn around and package your name and address with other data, fail to conduct any type of accuracy analysis on the newly formed data set, and subsequently sell the new data set at a steep profit.” Harriman says such inaccuracies have led to individuals being deprived of civil rights, “denied jobs, government benefits, or even housing.” The letter notes the case of analytical advertising platform Kochava, which was sued last year by the US Federal Trade Commission (FTC) for harvesting the data of millions without consent, exposing them to “threats of stigma, stalking, discrimination, job loss, and even physical violence.”
Privacy advocates have been calling for better regulation of data brokerage for years, especially when it comes to data users must submit in order to gain access to basic necessities like phones and energy; in 2018 a group of utility companies agreed to stop selling such information to Thomson Reuters. Many federal agencies have been known to purchase location data from brokers as a way of bypassing legal restrictions on demanding such information directly from businesses.