At a glance.
- The wait for the US’s National Cybersecurity Strategy is over.
- US House committee votes in favor of TikTok ban.
- Knowing your customer in the cloud.
The wait for the US’s National Cybersecurity Strategy is over.
The White House has released its much-anticipated new National Cybersecurity Strategy, which aims to “position the United States and its allies and partners to build that digital ecosystem together, making it more easily and inherently defensible, resilient, and aligned with our values.” A fact sheet summarizing the highlights of the new guidelines emphasizes two fundamental changes to the US’s approach to cybersecurity: shifting the responsibility away from individuals, small businesses, and local governments, and onto larger organizations; and providing incentives for long-term investment in cyber safeguards. To that end, the new strategy is based on five main pillars: defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals.
The document expands minimum cybersecurity requirements for critical sectors and also prioritizes a more aggressive approach to defending against and preventing cyberattacks before they occur. “Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States,” the document reads. AP News notes that the strategy codifies many actions the administration has already taken over the past two years in the wake of crippling cyber incidents like the SolarWinds supply-chain compromise, disclosed in December 2020, in which a trojanized update to the US software company's Orion product was pushed to its customers. For instance, the document officially classifies ransomware attacks as a threat to national security rather than merely a criminal challenge, allowing the government to continue to use measures beyond arrests and indictments to respond to or prevent such attacks.
The Washington Post highlights some of the more distinctive aspects of the strategy that could fly under the radar. Former White House cyber czar Michael Daniel notes that the document is ambitious in its reach, stating “it really does cover a broad swath of policy areas and starts to take on some long-standing issues that we know that we have to do, but will generate potentially some opposition from industry and the Republican Party.” It’s also notable that the document underlines the need to prevent malicious cyber actors from exploiting the US’s own infrastructure, much as they did in the SolarWinds attack. It also urges legislators to pass measures that would support the strategy's goals, like addressing gaps in statutory authorities to implement minimum cybersecurity requirements, and codifying the recently established Cyber Safety Review Board into law.
US House committee votes in favor of TikTok ban.
As the US and other governments around the world continue to issue bans on the use of TikTok, the US House Foreign Affairs Committee voted yesterday to give President Biden the authority to ban the Chinese-owned social media platform. Representative Michael McCaul, the Republican chair of the committee who sponsored the bill, commented, “TikTok is a national security threat ... It is time to act. Anyone with TikTok downloaded on their device has given the CCP (Communist Party of China) a backdoor to all their personal information. It’s a spy balloon into their phone." Security Week offers an overview of the growing international concern surrounding TikTok and its access to massive amounts of global user data, which paved the way for the measure. Reuters notes that the Committee vote was 24 to 16, with Democrats opposed to the measure stating that it needs more fine-tuning and consultation. Representative Gregory Meeks, the top Democrat on the committee, said that while he understands the need for caution when it comes to the popular video-sharing platform, he is opposed to the legislation’s sweeping approach to prohibition. Meeks stated, "The Republican instinct to ban things it fears, from books to speech, appears uninhibited." The bill, which would be the most far-reaching US restriction on any social media app, still needs to be passed by the full House and the Democratic-controlled Senate before it can be signed into law.
Knowing your customer in the cloud.
The US Department of Commerce has resumed work on implementing a "know-your-customer" Executive Order that dates back to the previous Administration. The intent of the Executive Order (and of the measures Commerce will develop to enforce it) is to make it harder for foreign malicious actors to use US infrastructure-as-a-service (IaaS) offerings as the launch point for attacks, by requiring providers to verify who is renting their compute and to keep records of it. Duncan Greatwood, CEO of Xage Security, wrote to discuss the implications of this work:
“The U.S. Department of Commerce’s renewed focus on this executive order comes at a critical time, with Nation-State actors and cybercriminals increasingly leveraging public cloud services to scale up cyberattacks in recent years. One of the most prominent recent examples was the SolarWinds SUNBURST supply chain attack in 2019, in which attackers leveraged public cloud services to activate malware.
"This legislation is an important next step in safeguarding public cloud environments. It will enable IaaS providers to verify their customers’ identities and retain better record-keeping logs that they could share with law enforcement if a bad actor were to maliciously use their services. At the same time, the executive order could also raise privacy and intellectual property concerns when it comes to the level of details IaaS service providers will be asked to gather and provide.
"Security is everyone’s responsibility, and IaaS providers are responsible for taking reasonable steps to ensure that their own infrastructure does not get used by bad actors to carry out cyberattacks, and especially for preventing very large scale attacks that could be enabled by the scale of the public cloud. Equally, though, other technology users also need to take responsibility, so that technology they deploy is subject to granular access control and cannot interact with unknown malware-control servers on the Internet, whether those unknown servers are hosted privately or in the public cloud.”