The federal government and private sector are still reeling from the SolarWinds supply chain hack, and Congress is on edge as it begins a new term beset by fears of domestic terrorism. It would seem all bets are off in terms of the previous legislative agenda for cybersecurity, at least in the near-term. The relevant committees in the new 117th Congress have yet to weigh in on specific pieces of legislation, but it’s clear that cybersecurity will be a big focus across both the House and Senate. First, in the wake of the discovery of the SolarWinds breach, the incoming Biden administration committed to making cybersecurity a top priority. Late last week, the Biden team made good on that promise when announcing its Rescue Plan that calls for around $10 billion in cybersecurity spending, including $690 million for CISA to improve security monitoring and incident response at the agency. One of the legislators leading the fight for cybersecurity legislative initiatives in Congress, Representative Jim Langevin (D-RI), applauded Biden’s push for more cybersecurity spending. “I’m also grateful to see the president-elect pushing for important investments in cybersecurity in the wake of the SolarWinds hack, which has placed a spotlight on the need to act now to protect Americans and our interests in cyberspace,” he said in a statement lauding the overall rescue package. Warner: Raise breach reporting requirements Incoming Intelligence Chair Mark Warner (D-VA) said he would hold hearings on the SolarWinds hack and plans to reexamine the concept of a mandatory national data breach notification law. 
Speaking at an Aspen Institute webinar on January 7, the day after the rioters’ siege of the Capitol, Warner said that the SolarWinds breach, a devastating breach likely perpetrated by Russian state actors, nevertheless “paled in comparison to the damage done to our country in the last 24 hours.” To Warner, the question is whether the SolarWinds incident is within the bounds of acceptable espionage. To answer that question, Warner thinks we need to “create some level of international norm-setting, some rules of the road. Better cyber hygiene alone is not going to win the battle.” In terms of mandatory breach reporting requirements, Warner said, “We’re going to need a fulsome review. The fact that the public enterprises don’t even have to fully report to CISA, let alone the private sector where, if the [breach] doesn’t reach a level of materiality, doesn’t even have to report, needs to be fully reviewed.”

More attention on state and local government defense, ransomware

Two other topics that have climbed in priority over the past few months and will likely receive top attention on the Hill are:

The State and Local Cybersecurity Improvement Act, which was introduced in February and passed by the House in September. House Homeland Security Committee Chairman Bennie Thompson (D-MS) said he plans to re-introduce the bill, which would allocate more funds through a $400 million grant program so that state and local governments can build better cybersecurity defenses.

Ransomware attack legislation: Up-and-coming Democratic party star Lauren Underwood (D-IL), who ascended to head the House Homeland Security Committee’s cybersecurity subcommittee, said in November that legislation aimed at addressing widespread ransomware attacks would be a top priority, to give local governments funds to grapple with the attacks.

To date, only three bills that specifically mention cybersecurity have been introduced in the 117th Congress.
The first is HR 117, introduced by Representative Sheila Jackson Lee (D-TX), which amends the Homeland Security Act to establish a DHS cybersecurity on-the-job training and employee apprentice program. The second bill is HR 1, the For the People Act, introduced by Representative John Sarbanes (D-MD), which encompasses several election security measures. The third cybersecurity-related bill is HR 21, the FedRAMP Authorization Act, introduced by Representative Gerald Connolly (D-VA), to enhance the security, innovation, and availability of cloud computing in the federal government.

Capitol siege raises cybersecurity priority

“From a cybersecurity perspective, the [siege of the Capitol] should only amplify the prioritization of the [cybersecurity] agenda,” Kiersten Todt, managing director of the Cyber Readiness Institute, tells CSO. Moreover, the SolarWinds breach highlights the fact that supply chain security ought to be a major topic for discussion. “We still don't have a solid strategic and actionable approach to supply chain security,” Todt said. “You've got the things coming out of the Pentagon and all these things, but we're not really looking at it holistically and strategically from a senior level. I'd like to see the national cyber director take this on again in a very actionable way,” she says, referring to a revived role for a cyber “czar” in the White House approved by Congress in late 2020. Todt thinks two other issues that the new Congress should address are the role of CISA and the continued improvement in election security. CISA has a “very lean and scarce workforce that in May of last year was responsible for protecting the presidential election, securing government and private infrastructure, and responding to a pandemic,” she says. “While we had success absolutely with the 2020 election, I don’t think we solved the problem.
I think what we certainly need to do is to recognize that our election process is the foundation of our democracy, and we have to institutionalize it. I don't think we can be relying on an all-volunteer workforce.”

Security of the Capitol itself will be examined

Another new topic on the legislative agenda might be the Capitol's own cybersecurity, along with the protection of associated Congressional buildings and all the IT networks that run throughout the legislative branch. At this early stage, it’s still not clear how the mob that broke into the Capitol might have damaged the security of any IT system or hardware devices. Numerous experts say that one thing is clear: There are IT security implications from the events of January 6 that warrant further investigation and, possibly, mandated changes in how the legislative branch operates. “If the House were appropriately prepared, which means they had an inventory of all the devices being used for professional purposes and they were able to cross-reference that inventory to determine which devices were missing and then able to wipe those devices clean,” then whatever damage the mob caused would not make us concerned about the theft of property, Todt says. “Additionally, if every member of Congress and staffer had the appropriate protocols in place about strong passwords, etc., then we shouldn’t have a concern. What I don’t know is if that is actually true.”
One of the most pernicious aspects of the far-reaching and potentially devastating SolarWinds supply chain hack is that it successfully evaded detection for at least ten months by hiding inside seemingly normal software operations. The hack of SolarWinds’ Orion product enabled Russian actors to embed surveillance malware into widely used management software. It pushed the so-called SUNBURST malware deep into public and private networks using the invisibility cloak of ordinary activity, causing no harm or disruption as it silently operated. The SolarWinds hack is largely considered a turbo-charged nation-state espionage campaign. Most experts, however, won’t rule out the possibility that the Russian intelligence team behind the breach was also paving the way for attacks that could damage operations. One of the biggest concerns about the hack’s impact is how it affected the nation’s power grid.
What is Egregor? Egregor is one of the most rapidly growing ransomware families. Its name comes from the occult world and is defined as “the collective energy of a group of people, especially when aligned with a common goal,” according to Recorded Future’s Insikt Group. Although descriptions of the malware vary from security firm to security firm, the consensus is that Egregor is a variant of the Sekhmet ransomware family. It arose in September 2020, at the same time the Maze ransomware gang announced its intention to shut down operations. Affiliates who were part of the Maze group appear, however, to have moved on to Egregor without skipping a beat. Insikt and Palo Alto Networks’ Unit 42 think Egregor is associated with commodity malware such as Qakbot, a banking trojan that first appeared in 2007 and uses worm-like propagation and evasion techniques to spread and steal financial credentials, as well as other off-the-shelf malware such as IcedID and Ursnif. These pieces of malware help attackers gain initial access to victims’ systems. All security researchers seem to agree with Cybereason’s Nocturnus Team that Egregor is a rapidly emerging, high-severity threat. According to security firm Digital Shadows, Egregor has claimed at least 71 victims across 19 different industries worldwide.
While at the federal level security and privacy legislation are lost in a morass of partisan politics and corporate lobbying delays, states have been moving ahead to push through an impressive number of important bills that help fill in the gaps. A search of the Legiscan database reveals that hundreds of bills that address privacy, cybersecurity and data breaches are pending across the 50 states, territories and the District of Columbia. The most comprehensive piece of state-level legislation across these often-intertwined categories that has been enacted over the past two years is the sweeping California Consumer Privacy Act (CCPA), enacted and signed into law on June 28, 2018. Inspired by the EU’s groundbreaking General Data Protection Regulation (GDPR), the legislation aims to give the state’s consumers greater control over how businesses collect and use their personal data. In November 2020, California voters approved the California Privacy Rights Act (CPRA), which creates a new consumer privacy agency and aligns privacy regulations more closely with the GDPR. The CCPA took effect on January 1, 2020; the gap between enactment and the effective date gave those who believed the bill was too broad or too narrow time to limit or expand its scope. So far two bills have been introduced in the California Assembly to expand the scope of CCPA, while nine draft bills seek to limit its impact. In the sections below, we summarize the current provisions of the CCPA, along with other major pieces of state legislation that have been recently enacted and signed into law. Each of these recently adopted measures in its own way significantly impacts privacy, data security, cybersecurity or data breach notification requirements in the respective states.
Privacy laws

California Consumer Privacy Act (CCPA)
California Privacy Rights Act (CPRA)
Nevada Senate Bill 220 Online Privacy Law
Maine Act to Protect the Privacy of Online Consumer Information

California Consumer Privacy Act (CCPA)

The CCPA incorporated many of the GDPR-inspired provisions in what had previously been a ballot measure in the state called the Consumer Right to Privacy Act of 2018. The legislation’s provisions “grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.” The law applies to businesses that collect information from California residents and meet at least one of the following thresholds: (1) have over $25 million in annual gross revenue; (2) buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their revenue from the sale of consumers’ personal information. Among the more noteworthy of the many expansive provisions in the law are sections that:

Require a business to make disclosures about the personal information it collects and the purposes for which it is used.
Grant a consumer the right to request deletion of personal information and require the business to delete that information upon receipt of a verified request.
Grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects, the categories of information sold or disclosed, and the identity of the third parties to which the information was sold or disclosed.
Businesses will be required to provide this information in response to verifiable consumer requests.
Authorize a consumer to opt out of the sale of personal information by a business and prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
Require businesses that disclose personal data to deliver that data free of charge to verifiable consumers upon request.
Grant consumers the right to control selling their information to third parties via a “Do Not Sell My Personal Information” link in their privacy policies.
Give individuals the ability to direct businesses to delete their information.
Prohibit businesses from selling information about consumers between the ages of 13 and 16 without their explicit consent and require them to obtain parental consent before selling information about a consumer under the age of 13.
Expand the definition of personal information to include such things as IP addresses, device IDs, cookie IDs, and psychographic profiles based on customers’ preferences, characteristics, behavior, interests and many other variables.

California Privacy Rights Act (CPRA)

California voters approved this ballot measure in November 2020, making it law effective on January 1, 2023, though with a six-month grace period on enforcement. The CPRA mandates the creation of a consumer privacy agency, which takes over primary responsibility for enforcing privacy law violations from the state's attorney general. The most significant changes from the CCPA are:

Companies serving fewer than 100,000 California residents or households are not subject to the privacy regulations. The CCPA's threshold is 50,000 and includes devices.
Companies must delete personal information once it is no longer necessary. How regulators will define "necessary" is open to interpretation.
Consumers may force a company to correct inaccurate personal data.
Companies must ensure that any third parties with whom they share personal data comply with the CPRA.
Consumers may opt out of companies sharing their data. Under the CCPA, consumers can only opt out of their data being sold.
Breach liability now includes exposure of email addresses combined with security questions.
If a breach includes personal data of minors, fines may be tripled.
Companies might still be subject to private rights of action and statutory damages after a breach even if they fix what caused the breach.
Consumers no longer need to show harm to be able to sue for a breach.

Nevada Senate Bill 220 Online Privacy Law

While California’s CCPA grabbed all the headlines, Nevada quietly passed its own tougher online privacy law, Senate Bill 220, which was signed into law by the governor on May 30, 2019. The bill amended Nevada’s existing privacy law by requiring businesses to offer consumers an opt-out regarding the sale of their personal information, with some exceptions. The bill went into effect on October 1, 2019, prior to the effective date of CCPA, making Nevada’s legislation the first in the U.S. to grant consumers a right to opt out of the sale of their personal data. Unlike CCPA and GDPR, Nevada’s bill does not add any new notice requirements for website operators; existing state law already requires them to post certain items of information in their privacy policies, including the categories of information collected, the categories of third parties with which the data is shared, a description of the process consumers may use to review and request changes to their covered information, a disclosure that third parties may track consumers’ online activities and the effective date of these notices. Organizations that violate these terms may be subject to a penalty of up to $5,000 per violation as well as a temporary or permanent injunction.
Under the law, the attorney general’s office will have the power to bring actions for violations but must allow offenders a 30-day period to fix violations other than those that deal with opt-out rights.

Maine Act to Protect the Privacy of Online Consumer Information

On June 7, 2019, Maine Governor Janet Mills signed a bill to protect the privacy of online consumer information. The bill goes into effect on July 1, 2020. The legislation specifically bars broadband internet access providers from “using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access,” with some exceptions. The bill also prohibits broadband providers from refusing to serve a customer or charging them more if they don’t consent to the use, disclosure, sale or access of their personal data. The bill further requires providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure, sale or access. Under the bill, personal information is defined as (a) “personally identifiable customer information” about the customer and (b) information derived from the customer’s use of broadband internet access services such as web browsing history, geolocation data, device identifiers and a number of other technical data points that can be used to identify individuals.

Cybersecurity, data security and data breach notification laws

New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
Massachusetts Bill H.4806 — An Act relative to consumer protection from security breaches
New Jersey — An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)
Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)
Oregon Consumer Information Protection Act (OCIPA) SB 684
Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council
Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)

New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)

Regulators at the New York Department of Financial Services (DFS) adopted new rules, 23 NYCRR 500, on February 16, 2017 that place certain minimum cybersecurity requirements on all covered financial institutions. These rules require each company to assess its specific risk profile and design a program that addresses its risks in a robust manner. The deadline for certain required regulatory activities under the new rules was March 2019. Under the requirements, any DFS-regulated entity that meets certain criteria (more than 10 employees, more than $5 million a year in revenue and year-end assets exceeding $10 million) that is doing business in New York is required to establish an internal cybersecurity program to protect information assets under its control. Smaller entities have to meet other obligations, including limiting access to information, assessing their risk, implementing policies related to third-party data control, and their own data disposition. All regulated entities are obliged to report data breaches, regardless of size. The rules further require covered entities to designate a Chief Information Security Officer and maintain audit trails, among a host of other good cybersecurity practices spelled out in the regulation.
New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (Senate Bill S5575B), which expands the state’s current data breach law and imposes affirmative cybersecurity obligations on covered entities. Among other things, the bill:

Expands the scope of information subject to the current data breach notification law to include biometric information and email addresses and their corresponding passwords or security questions and answers.
Broadens the definition of a data breach to include unauthorized access to private information.
Applies the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State.
Updates the notification procedures companies and state entities must follow when there has been a breach of private information.
Creates data security requirements tailored to the size of a business.

The first four provisions go into effect on October 23, 2019 while the last one mandating security requirements goes into effect on March 21, 2020.

Massachusetts Bill H.4806 — An Act relative to consumer protection from security breaches

Signed into law by Governor Charlie Baker on January 10, 2019 and effective as of April 11, 2019, the new law:

Amends the content requirements for breach notifications to state residents by requiring disclosure of the parent company of the entity breached.
Requires businesses to offer free credit monitoring services for at least 18 months to residents whose Social Security numbers have been affected by a breach, and the breached entity must provide all necessary information for enrolling in credit monitoring services. The breached entity cannot condition the services on the resident’s waiver of his or her right to a private right of action.
Adds a range of new content requirements for breach notifications to regulators, including the disclosure of the person responsible for the breach, the contact information of the entity that experienced the breach and the person who reported the breach, the type of personal information compromised, whether the breached entity maintains a written information security program, and a sample copy of the notice sent to state residents.
Stipulates that breach notification may not be delayed on grounds that the total number of residents affected is not yet ascertained.

New Jersey — An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)

Approved by Governor Phil Murphy on May 10, 2019 and effective as of September 1, 2019, the bill treats credentials for any online account, including a personal account, as personal information subject to state breach notification laws. Specifically, the bill treats any of the following as personal information:

Social Security number;
driver's license number or state identification card number;
account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account;
dissociated data that, if linked, would constitute personal information, if the means to link the dissociated data were accessed in connection with access to the dissociated data.

The law also clarifies that any relevant entity may not provide data breach notifications through email accounts that have been affected by a security breach and must find some other notification method.
Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)

Approved by Governor Larry Hogan on April 30, 2019 and effective as of October 1, 2019, the law extends the state’s existing data breach requirements to personal information maintained by a business in addition to personal information owned or licensed by a business. These businesses are also now required to conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach. Those businesses that simply maintain personal data may not charge the owner or licensee a fee for providing the information needed to notify Maryland residents. The law also places certain limitations on how information relating to the breach may be used.

Oregon Consumer Information Protection Act (OCIPA) SB 684

Signed into law by Governor Kate Brown on May 24, 2019 and effective as of October 1, 2019, the legislation amends state law by expanding the definition of personal information under the statute to include online account credentials on their own. The bill also creates, with some exceptions, additional notification obligations for "vendors" that maintain or process personal information on behalf of other businesses, who will also be required to notify the Oregon Attorney General if the personal information of more than 250 residents (or an indeterminate number of residents) is involved. In all cases, a vendor must notify the relevant business, and a sub-vendor must notify the relevant vendor, within 10 days of discovering or having reason to believe a security breach occurred.
Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council

Signed by Governor Greg Abbott on June 14, 2019 and effective as of January 1, 2020, the legislation amends state law to change the time period for breach notification from “as quickly as possible” to “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.” If the breach affects more than 250 residents of the state, a person who is required to disclose or provide notification of a breach of system security under this section shall notify the attorney general of that breach not later than the 60th day after the date on which the person determines that the breach occurred. The notification must also contain a detailed description of the breach, the number of affected Texas residents, the measures taken by the breached entity in response to the incident and whether law enforcement has been engaged.

Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)

Approved by Governor Jay Inslee on May 7, 2019 and effective as of March 1, 2020, the law expands the scope of Washington’s existing data breach law by revising the statutory definition of personal information to include an individual's first name or initial and last name in combination with other data elements such as full date of birth, student ID number, passport number, health insurance policy or identification number, private key that is unique to an individual and that is used to authenticate or sign an electronic record, medical information and biometric information. Under the amended law, businesses now only have 30 days, rather than 45 days, to deliver the required notifications.
Notifications must include a timeframe of exposure, if known, including the date of the breach and the date of the discovery of the breach, the types of personal information affected, a summary of steps taken to contain the breach, and a sample copy of the breach notification sent to Washington residents. A business must update the attorney general if any of this information was unknown at the time of the initial notification.

Editor's note: This article, originally published on August 8, 2020, has been updated to include information on the CPRA.
The insertion of malware into SolarWinds’ popular Orion network management software sent the federal government and major parts of corporate America scrambling this week to investigate and mitigate what could be the most damaging breach in US history. The malware, which cybersecurity company FireEye (itself the first public victim of the supply chain interference) named SUNBURST, is a backdoor that can transfer and execute files, profile systems, reboot machines and disable system services. Reuters broke the story that a foreign hacker had used SUNBURST to monitor email at the Treasury and Commerce Departments. Other sources later described the foreign hacker as APT29, or the Cozy Bear hacking group run by Russia’s SVR intelligence agency. Subsequent press reports indicated that the malware infection's reach throughout the federal government could be vast and includes—only preliminarily—the State Department, the National Institutes of Health, the Department of Homeland Security (DHS), and likely parts of the Pentagon. Former director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs said in a tweet after news broke of the intrusion, “this thing is still early,” meaning that it will likely be months—possibly years—before the true scope of the damage is known. SolarWinds said that up to 18,000 of its 300,000 customers downloaded the tainted update, although that doesn’t mean that the adversary exploited all infected organizations. CISA issued a rare emergency directive calling on all federal agencies to “review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.” The FBI, CISA and the Office of the Director of National Intelligence (ODNI) issued a joint statement acknowledging they established a Cyber Unified Coordination Group (UCG) to mount a whole-of-government response under the direction of the FBI. 
On December 17, CISA issued an alert that spells out the threat actor’s tactics and techniques in detail. The alert also offers steps that organizations should take to apply mitigations to networks using the Orion product. The alert further states that CISA is investigating evidence of additional initial access vectors, other than the SolarWinds Orion platform.
This year’s National Defense Authorization Act (NDAA), the annual “must-pass” spending bill that ensures the continued funding of the nation’s military, has a wealth of information security recommendations that come from the bipartisan, bicameral, public-private initiative known as the Cyberspace Solarium Commission (CSC). The CSC was itself established in 2019’s NDAA bill and was asked to come up with a new strategic approach to cybersecurity. Last spring, the CSC issued a report that offered 82 policy and legislative recommendations to improve cybersecurity. Of those, 26 will likely become law given that both the House and Senate last week passed the bill by overwhelming margins. The veto-proof vote count is needed given that President Donald Trump has repeatedly vowed to veto this year’s NDAA unless it also contains provisions that strip internet companies of legal liability protections granted them in Section 230 of the Communications Decency Act of 1996. Over the weekend, Trump reiterated via Tweet his intention to veto the NDAA.
Regulation surrounding artificial intelligence technologies will likely have a growing impact on how companies store, secure, and share data in the years ahead. The ethics of artificial intelligence (AI), particularly the use of facial recognition by law enforcement authorities, have received a lot of attention. Still, the US is just at the beginning of what will likely be a surge in federal and state legislation regarding what companies can and cannot do regarding algorithmically derived information. “It's really the wild west right now in terms of regulation of artificial intelligence,” Peter Stockburger, partner in the Data, Privacy, and Cybersecurity practice at global law firm Dentons, tells CSO. Much like the California Consumer Protection Act (CCPA), which spelled out notice requirements that companies must send to consumers regarding their privacy protections, “a lot of people think that's where the AI legislation is going to go, that you should be getting giving users notification that there's automated decision making happening and get the consent.”
Matt Travis, the former deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), kicked off this year’s Aspen Cyber Summit yesterday with a keynote interview by journalist Kara Swisher. Travis provided an insider’s view of the events leading up to the firing of CISA director Christopher Krebs and discussed the fallout from President Donald Trump’s attempts to undermine the agency.
As the world moves toward interconnection of all electronic devices, the proverbial internet of things (IoT), device manufacturers prioritize speed to market and price over security. According to Nokia’s most recent threat intelligence report, IoT devices are responsible for almost a third of all mobile and Wi-Fi network infections. This ratio will likely grow dramatically as the number of IoT devices continues its exponential growth. A recent report from Fortinet warns that the rapid introduction of edge devices will create opportunities for more advanced threats, allowing sophisticated attackers and advanced malware to “discover even more valuable data and trends using new EATs [edge access Trojans] and perform invasive activities such as intercept requests off the local network to compromise additional systems or inject additional attack commands.” The Internet of Things (IoT) Cybersecurity Improvement Act, passed by the House in September and unanimously approved by the Senate last week, is a step toward warding off these threats and providing greater security in IoT devices. The act is headed to the desk of President Trump, who is expected to sign it into law. The goal of the act, in the words of Congresswoman Robin Kelly (D-IL), one of the original sponsors of the legislation along with Representative Will Hurd (R-TX), is to “ensure that the US government purchases secure devices and closes existing vulnerabilities to protect our national security and the personal information of American families.” It aims to create “standards and guidelines” for the federal government to follow with the hopes that the requirements also make their way into private sector manufacturing. 
NIST to publish IoT security standards within 90 days

The bill expects these standards and guidelines to be developed “collaboratively within and among agencies in the executive branch, industry and academia” and defines the IoT according to the second draft of the National Institute for Standards and Technology (NIST) Interagency or Internal Report NISTIR 8259, which was first published in January 2020 and then revised in July. Consistent with that NIST definition, IoT devices must have at least one transducer (sensor or actuator) for interacting directly with the physical world; have at least one network interface; not be conventional information technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood; and be able to function on their own, rather than only as a component of another device, such as a processor.

The bill requires the director of NIST to publish, within 90 days of enactment, standards for the federal government on the appropriate use and management of IoT devices by agencies, including minimum information security requirements for managing cybersecurity risks associated with such devices. These standards and guidelines have to be compatible with NIST’s existing efforts related to IoT devices and must incorporate identity management, patching and configuration management. Six months after NIST publishes its standards, the director of the Office of Management and Budget (OMB) will, after consulting with the director of the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS), review the standards published by NIST. Any policy related to the act published by OMB will not apply to telecommunications or information systems that involve intelligence, military, or weapons systems.
OMB will also be responsible for updating any policy or principles every time the NIST director reviews the IoT standards and guidelines, which the act says should be every five years. The act also requires the NIST director to consult with industry and academia to develop, within 180 days, guidelines to report, coordinate, publish, and receive information about security vulnerabilities in IoT devices. The NIST director will also be responsible for reporting such vulnerabilities and disseminating information about them. Finally, every two years after the bill’s enactment, the comptroller general of the US will submit unclassified reports to the relevant House and Senate committees on a waiver process set up in the act that allows OMB to issue waivers of the law’s provisions. One year after the act is enacted, the comptroller general will brief the same committees about the broader IoT effort and submit the same report every two years.

Legislation envisioned by Cyberspace Solarium Commission

The successful passage of this legislation and the overwhelming support it garnered among lawmakers is due in no small part to the Cyberspace Solarium Commission, a bicameral, bipartisan public-private initiative designed to tackle some of the more intractable problems in digital security. In May, the Commission issued a white paper on “Cybersecurity Lessons Learned From the Pandemic,” which recommended that Congress pass an IoT security law. Arguing that the law should only be minimally prescriptive, as the IoT Cybersecurity Improvement Act is, the paper advocated that the “law should focus on known challenges, like insecurity in Wi-Fi routers, and mandate that these devices have reasonable security measures, such as those outlined under the National Institute of Standards and Technology’s ‘Recommendations for IoT Device Manufacturers.’” The original set of recommendations from the Commission did not specifically mention IoT devices.
Still, the pandemic drove home the point that the vast swath of devices people use to work from home greatly expand the US digital attack surface, Robert Morgus, director of research and analysis for the Commission, said when introducing the IoT legislation recommendation in June. “We wanted to be minimally prescriptive when we talked about this, so we really went for real baseline requirement and recommendations, things like ensuring you have unique authentication built-in by default and asking that when an IoT device first gets connected to the network that the user has to enter a new authentication user ID and password and ensuring that devices are patchable.”
As China’s Huawei faces ongoing banishment and retrenchment in Europe, the question arises whether Huawei and its peers, including telecom gear maker ZTE, will get a reprieve under the incoming Biden administration. Huawei clearly thinks it has a shot at improving its relationship with its European customers in the post-Trump era: Huawei Vice President Victor Zhang has been lobbying UK Prime Minister Boris Johnson to revisit the ban against using his company’s technology in Britain’s 5G network build-out. Huawei landed in its current predicament due to the Trump regime’s fears that the company works with the Beijing government to implant malware in its equipment. It might not fare better under a Biden administration. China’s likely continued exclusion from US markets even under a Biden administration was a top topic at a webinar on supply chain security hosted by US Telecom and Inside Cybersecurity. “The cybersecurity policies overall between the Obama Administration and to Trump and now to president-elect Biden should be relatively consistent,” Norma Krayem, vice president and chair of the Cybersecurity, Privacy and Digital Innovation Practice at Van Scoyoc Associates, said. “I think that’s important for the private sector to see that there is that theme.”

Taking a tough stance

Although Trump and Biden agree on few issues, they may share common ground regarding supply chain security. “Vice President Biden has seen what Russia and China and what nation-state actors can do,” Krayem said. Vice President-elect Harris will also likely continue the tough stance with China regarding supply chain threats because she “has obviously been sitting on the Judiciary and the Intel committees.” “We have some really profound questions to address in the context of 5G, and we all know about them,” Robert Mayer, senior vice president for cybersecurity and innovation at US Telecom, said.
“We have China, which by all expectations and all evidence plays to different rules and has different values.” On top of that, the Chinese government subsidizes Huawei. Moreover, Chinese law requires companies to provide information to the country’s intelligence agencies. “All of these things make for a risky proposition for deployment on a global level,” Mayer said, suggesting that China’s role in the supply chain of all emerging technologies be closely watched. “We’re going to have to think about how serious a threat China is more broadly in technology, whether that’s AI, quantum or bio-engineering, telecom."

Education, collaboration and coordination wanted

A key consideration in any supply chain shift under a new administration should be better communications with US industry and commercial players. “My advice to the next administration is that we are dealing with US companies and it’s so important that we have three main points in any issue that we’re dealing with: education, collaboration, and coordination,” Diane Rinaldo, senior vice president of the Open RAN Policy Coalition, said. “You need to provide US companies with as much insight as possible, whether it’s passing classified information through secure means or declassifying information to educate our private sector on what the threats are in the landscape.” The Trump Administration has surprised the US business world a few times by springing wide-ranging supply chain executive orders on companies with little consultation. “I work with global corporations, and you can’t just drop an EO, which is what happened [with Huawei bans and Department of Commerce export rules], which said effectively immediately you cannot be doing work with any of these companies,” Krayem said. “You can’t just flip a switch and away go the bad parts in your supply chain. You want to be sure you can call the CEO of that company and say ‘the Secretary of Commerce is about to come out with a determination. We highly suggest you move in another direction.’”

Supply chain security assessment needed

Mayer said the incoming administration should conduct a 360-degree assessment of all the diverse government agency actors who affect supply chain security. The White House, Congress, Department of Defense, the Department of Homeland Security, the Federal Communications Commission, National Institute of Standards and Technology, and many other government arms drive supply chain security policy. Mayer thinks there is a need for a lead agency to hold the reins on the varied government initiatives. “We need to understand who’s doing what, where can they leverage each other’s work. I don’t think [a DHS supply chain task force which Mayer chairs] brings all that together. We are going to have challenges.” Other changes in cybersecurity more generally could impact supply chain security activities, including those put forth by the Cyberspace Solarium Commission, an initiative composed of legislators, government officials, and outside experts to solve some of the thornier problems of cybersecurity. “We definitely need to restore the national cybersecurity director role within the White House,” Mayer said, echoing one of the Solarium Commission’s top recommendations. In April 2018, the White House effectively eliminated the “cyber czar” role in the White House when it pushed out highly respected cybersecurity expert Tom Bossert. Bossert’s departure was quickly followed by that of cybersecurity coordinator Rob Joyce, another respected expert.

The future of FASC

One government entity that should be looked at closely under the Biden administration is the Federal Acquisition Security Council (FASC), created in 2018 after the Department of Homeland Security (DHS) concluded that Russian security company Kaspersky Lab posed security threats to government networks.
The FASC is made up of representatives from seven agencies, including DHS, the Department of Defense, the Office of Management and Budget, the General Services Administration, the Office of the Director of National Intelligence (ODNI), the Department of Justice and the Department of Commerce. The federal CISO is the FASC chairperson. Among the council’s chief functions are recommending supply-chain risk management standards and working on how to share information among agencies and other parties. Although it could become a powerful body, the FASC is new, with its interim final rule, an instantly effective final rule without a proposed rule open for comment in advance, published in early September. “The challenge that we have right now is that the interim final rule that came out provided some structure, but for many in the private sector, there are more questions than answers,” Krayem said. She fears companies could be shut out of what might be a black box decision-making process. “If you’re told you can’t bid on a particular contract … you’re going to want to know what was said about you and what that means,” she said. “This could be almost a de facto debarment. There is a very limited appeals process. The information flow and protections are very unclear at this point.”