At a glance.
- CSC calls for president to nominate new National Cyber Director.
- SECURE IT Act calls for election machine pentesting.
- The EU's "Big Sister" of online CSAM legislation.
- US states work to distribute DHS cyber funding.
CSC calls for president to nominate new National Cyber Director.
On Friday the co-chairs of the US Cyberspace Solarium Commission (CSC) submitted a letter to President Joe Biden urging him to fill the currently vacant role of National Cyber Director (NCD). Since Chris Inglis left the position over three months ago, his former deputy Kemba Walden has been serving as Acting Cyber Director, and Senator Angus King, an Independent of Maine, and Representative Mike Gallagher, a Republican of Wisconsin, wrote that they feel Walden should be officially nominated for the role. “We believe the answer to this vacancy is at the ready,” the letter reads. “Since Chris Inglis’ departure and even prior, Acting NCD Kemba Walden has demonstrated that she is highly qualified for and well suited to the position. We urge you to send her nomination to Congress soon, where we believe she will receive fair consideration and swift confirmation.” It’s worth noting that the establishment of the role of NCD was first recommended by the CSC.
SECURE IT Act calls for election machine pentesting.
Voting security has been a top concern for US lawmakers in recent years, and two US Senators last week introduced a bipartisan measure aimed at bolstering the cybersecurity of the nation’s election infrastructure, Nextgov.com reports. The Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (or SECURE IT) Act would require voting machines to undergo penetration testing in order to be certified for election use. Senators Mark Warner, Democrat of Virginia, and Susan Collins, Republican of Maine, say the legislation would allow researchers to simulate cyberattacks in order to identify vulnerabilities in the machines before election day. While existing regulations call for the Election Assistance Commission (EAC) to test and certify voting machines, penetration testing is not specifically required. Warner stated, “The SECURE IT Act would allow researchers to step into the shoes of cybercriminals and uncover vulnerabilities and weaknesses that might not be found otherwise. As foreign and domestic adversaries continue to target U.S. democracy, I’m proud to introduce legislation to harness a critical cybersecurity practice that will help safeguard our elections infrastructure.” The EAC and the National Institute of Standards and Technology would work together to accredit the entities that would conduct the pentesting. Tom Burt, CEO and president of Election Systems & Software, the US’s largest manufacturer of voting systems, issued a press release stating, “Programmatic testing performed by independent security experts helps ensure equipment stays ahead of threats, and it helps increase voter confidence in the overall security of elections.”
The EU’s “Big Sister” of online CSAM legislation.
Wired offers a closer look at EU Home Affairs Commissioner Ylva Johansson, who has garnered much criticism in her crusade to protect minors on the internet by ridding the web of child sexual abuse material (CSAM). While her mission seems admirable, privacy advocates argue that her tactics border on surveillance. She has introduced a divisive bill that would require tech platforms, even those that promise end-to-end encryption, to examine users’ messages for CSAM or evidence of inappropriate sexual activity directed at minors. Opponents, who have dubbed the legislation the “chat control” bill, worry it could lead to unbridled censorship, and have compared Johansson to Big Brother. “I think I have a moral obligation to act,” Johansson told Wired. “If I don’t, who am I? I will be a little mouse. I will be nothing.” Current EU law gives tech companies permission to search their platforms for CSAM, but that law expires in August 2024, and Johansson’s legislation would serve to replace it. Most importantly, Johansson sets out to make scanning for CSAM mandatory, not voluntary, and to include even encrypted platforms in that mandate. Any red flags would be sent to the EU child abuse center, essentially overriding any promises of encrypted private messaging. Privacy advocates worry such legislation would be ripe for abuse. IT security expert Karl Emil Nikka explains, “If we, as the EU, can mandate service providers to scan for some content through a backdoor, other states will also be able to say that you have to scan for [something else] through the same backdoor.” The European Parliament will debate Johansson’s proposal over the next two months.
US states work to distribute DHS cybersecurity funding.
The Biden administration’s $1.2 trillion infrastructure spending law, which was passed in 2021, includes a $1 billion cybersecurity grant program for state governments from the Department of Homeland Security (DHS). The bill requires that states pass on at least 80% of those funds to local entities like town governments and school districts, but exactly how to divvy up those funds was not specified. It's essentially a choice between subgrant programs, which would likely require a lengthy bureaucratic distribution process, or shared services – granting local governments access to the state’s existing cybersecurity tools. StateScoop spoke with state CISOs to get their take, and the majority say the latter is the preferred tactic. New Hampshire’s state CISO Ken Weeks says the state’s Department of Information Technology is traveling to local entities to offer their assistance in implementing security measures like multifactor authentication and shifting local websites to the .gov domain. Building on relationships already developed through federal election assistance programs, Illinois’ statewide security operations center will support local governments in implementing endpoint detection capability for services like sheriffs’ departments and water districts. And some state governments say they are willing to share more than the required 80% of funding if need be. New Hampshire Chief Information Officer Denis Goulet said, “While the state doesn’t have enough funding as we need for cyber, we’re in way better shape than municipalities. We’ve decided not to take the full 20% allowed.”