At a glance.
- Britain’s National Protective Security Authority defends against foreign threats.
- Ransomware Vulnerability Warning Pilot supports critical infrastructure operators.
- White House’s proposed 2024 budget increases cybersecurity funding.
- CISA head pushes for integration of security by design into university curricula.
Britain’s National Protective Security Authority defends against foreign threats.
On Monday the British government announced it will be establishing the National Protective Security Authority (NPSA), a new arm of MI5 that will advise companies and other organizations on protecting themselves from “state-sponsored attempts at stealing sensitive research and information.” As the Record by Recorded Future reports, the new security agency was introduced in an update to the government’s Integrated Review on defense and security policies (IR23), an update motivated by “emerging geopolitical threats like Russia’s invasion of Ukraine and China’s attempts at cyber espionage.” Computer Weekly explains that the NPSA will work in collaboration with existing agencies like the Government Communications Headquarters (including GCHQ’s National Cyber Security Centre) and the National Counter Terrorism Security Office, and will absorb the responsibilities of the Centre for the Protection of National Infrastructure, but with a broader purview that extends beyond critical infrastructure operators. Security minister Tom Tugendhat stated, “We know that hostile actors are trying to steal intellectual property from UK institutions to harm our country. The National Protective Security Authority will play a crucial role in helping businesses and universities better protect themselves and maintain their competitive advantage.”
Ransomware Vulnerability Warning Pilot supports critical infrastructure operators.
The US Cybersecurity & Infrastructure Security Agency (CISA) yesterday announced the launch of the Ransomware Vulnerability Warning Pilot (RVWP), a support program designed to help critical infrastructure entities protect themselves against ransomware attacks. The announcement explains, “CISA recently initiated the RVWP by notifying 93 organizations identified as running instances of Microsoft Exchange Service with a vulnerability called ‘ProxyNotShell,’ which has been widely exploited by ransomware actors. This initial round of notifications demonstrated the effectiveness of this model in enabling timely risk reduction as we further scale the RVWP to additional vulnerabilities and organizations.” Authorized by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, the RVWP will help CISA detect vulnerabilities susceptible to exploitation by ransomware and alert critical infrastructure operators so that the flaws can be mitigated before attacks occur. As Bleeping Computer notes, the RVWP is part of the US’s wider initiative to defend against the rising threat of ransomware, an initiative that began after a wave of cyberattacks on critical infrastructure operators and government agencies. Interested organizations can email CISA at vulnerability@cisa.dhs.gov to enroll.
Jamie Boote, Associate Software Security Consultant at Synopsys Software Integrity Group, wrote to set CISA's announcement into a larger policy context:
“This scanning effort is likely part of a larger plan. On March 2nd, the White House announced that it released a strategy to improve the nation’s cybersecurity by increasing cooperation between government agencies and industry providers of critical infrastructure. According to one of the Strategic Objectives, “CISA enables persistent, multi-directional threat information sharing with the private sector through the JCDC and, in coordination with the FBI, uses that information to accelerate victim notification and to reduce the impact of identified intrusions.” CISA’s scanning and threat identification of critical infrastructure would be in line with the information sharing and impact reduction in line with its strategic role.
“While external infrastructure scanning like this is a good starting point for cybersecurity, it should be noted that problems and vulnerabilities rarely show up alone. Whenever a vulnerability is found through an external scan, security teams should use that as an opportunity to break the find-and-fix loop and investigate what caused that vulnerability to be released to production, how to find others like it, and how to prevent it in the future. These scanning efforts are just the beginning, both in terms of federal cybersecurity efforts and for the teams that are on the receiving end of a vulnerability disclosure.”
White House’s proposed 2024 budget increases cybersecurity funding.
The Biden administration has proposed that $74.4 billion be allotted for federal IT spending in fiscal 2024, a nearly $9 billion (or 13%) increase over 2023, and much of those funds will go toward bolstering federal cybersecurity. FedScoop notes that this funding doesn't include the $67.4 billion requested to be devoted to the Department of Defense’s digital capabilities.
The budget request states, “Technology serves as the foundation of the Federal Government’s ability to deliver on its mission. The Administration is leading on the technology issues of our time—stopping foreign intrusions into U.S. agencies, balancing difficult trade-offs in digital identity and artificial intelligence, redefining security expectations for software and the cloud, and maximizing the impact of taxpayer dollars to drive digital transformation across the Government to deliver a better customer experience for the American people.” Approximately 40% of the proposed funding would go to the departments of Veterans Affairs, Health and Human Services, and Homeland Security, and $12.7 billion of it would go to cybersecurity-related activities. A top priority will be adoption of zero-trust security, as mandated by President Biden’s 2021 executive order on cybersecurity. A further $500 million will go to improving the customer experience (CX) in the digital space by launching or expanding CX offices at federal agencies, partly by taking on 120 full-time employees trained in customer service and digital product delivery. A fact sheet on CX efforts reads, “These new hires will support cross-agency life experience projects, customer research, and service improvement activities at agencies considered High Impact Service Providers (HISPs).”
CISA head pushes for integration of security by design into university curricula.
CISA Director Jen Easterly has published a blog post emphasizing the importance of making security a top priority in the design of tech products. It reads, “we need a new model where consumer safety is front and center in all phases of the technology product lifecycle—with security designed in from the beginning—and strong safety features enabled right out of the box, without added costs. In short, strong security should be a standard feature of virtually every technology product, and especially those that support the critical infrastructure that Americans rely on daily.” She sets out three main steps to achieving this goal: shifting responsibility for product security from the consumer to tech manufacturers; increasing transparency between manufacturers and the public about security challenges; and calling tech company leaders to make security-by-design and security-by-default part of their business plan. As Cybersecurity Dive explains, the blog post comes on the heels of Easterly’s speech at Carnegie Mellon University, in which she urged higher ed institutions to incorporate security into computer science coursework. “Students need to be well educated on security – including on memory safety and secure coding practices, and professors have a major role here,” Easterly writes. “Steps taken today at universities around the country can help spur an industrywide change towards memory safe languages and add more engineering rigor to software development which in turn, will protect all technology users.”