Articles

A year later, Biden’s cybersecurity executive order driving positive…

Notable experts say the cybersecurity executive order has improved the nation’s security posture, but more work is to be done.

In late February, the National Institute of Standards and Technology (NIST) issued a request for information (RFI) to evaluate and enhance its Cybersecurity Framework, or CSF, first produced in 2014 and last updated in 2018. Many developments in the swiftly changing cybersecurity field prompted NIST to revisit its complex and well-received template designed to help organizations best manage cybersecurity risk.

In its RFI, NIST asked a series of questions about how to improve the use of the framework. Among those questions are whether the framework allows for better risk assessments and management of risks, what relevant metrics might be used to measure the framework’s impact, and what challenges organizations face in using the framework. NIST also asked how to better align or integrate the CSF with other NIST resources, such as the NIST Risk Management and Privacy Frameworks. Finally, NIST asked how it could help identify supply chain-related cybersecurity needs and harmonize the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) with the CSF.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by Pete Linforth from Pixabay

Articles

U.S. White House releases ambitious agenda to mitigate the…

The Biden administration issued an executive order to ensure U.S. leadership in quantum computing and a memorandum to mitigate its security risks.

Since at least the early 1990s, computer scientists have warned that quantum computing, despite its potential to provide exponentially more powerful computing capabilities, can break traditional encryption methods and expose digital assets to prying eyes and malicious actors. As the era of quantum computing comes into view, the Biden administration announced it is taking steps to advance the field of quantum computing while mitigating the risks quantum computers pose to national and economic security.

Last week the White House issued two directives on quantum information science (QIS). The first is an executive order (EO) to “ensure continued American leadership in quantum information science and its technology applications.”

The second is a national security memorandum that spells out “key steps needed to maintain the nation’s competitive advantage in quantum information science (QIS) while mitigating the risks of quantum computers to the nation’s cyber, economic, and national security.” The EO and the memo represent a “third line” of effort beyond the administration’s already existing efforts to modernize cybersecurity efforts and improve American competitiveness, an administration official said.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by Pete Linforth from Pixabay

Articles

Biden’s cryptocurrency executive order addresses illicit financial risks

Early indications are that the cryptocurrency industry will work with the U.S. government to help minimize risk and make it harder for cybercriminals to profit from their activities.

The Biden administration issued its much-anticipated cryptocurrency executive order, laying out a wide-ranging investigation into digital assets to gain at least a preliminary grasp on how to address the rapidly growing $3 trillion financial market and its role in ransomware and other illicit activities. The order, entitled “Ensuring Responsible Development of Digital Assets,” outlines a series of far-reaching goals, including reducing the risks that digital assets could pose to consumers and investors, improving business protections, financial stability, and financial system integrity, combating and preventing crime and illicit finance, enhancing national security, fostering human rights and financial inclusion, and addressing climate change and pollution.

“Without oversight, the explosive growth in cryptocurrency use would pose risks to Americans and to the stability of our businesses, our financial system, and our national security,” an administration official said during a press briefing preceding the order’s release. “The absence of sufficient oversight can also provide opportunities for criminals and other malicious actors to leverage cryptocurrencies to launder the proceeds of their crimes or circumvent justly-applied sanctions,” the official said.

Reflective of the order’s even-handed tone, the official added, “At the same time, however, digital assets can also provide opportunities for American innovation and competitiveness, and promote financial inclusion.” To ensure that the U.S. government is not left out of these opportunities, the order also spells out a series of measures to create a federal central bank digital currency (CBDC) that at least 80 monetary authorities around the world are also exploring, and, in some cases, have introduced.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

NIST gears up for software security and IoT labeling…

Intended to help consumers make more secure software and IoT device purchases, the labeling guidelines are voluntary and self-policing at this time.

President Biden’s wide-ranging cybersecurity executive order issued last May directs the National Institute of Standards and Technology (NIST) to create pilot labeling programs to educate the public on the security of the internet-of-things (IoT) devices and software products they buy. The order requires NIST to produce by February 6, 2022, IoT cybersecurity criteria for a consumer labeling program and, separately, identify secure software development practices or criteria for a software labeling program.

To those ends, NIST held a workshop in September and solicited comments from stakeholders and experts. Based on the input received in these efforts and after issuing preliminary draft papers that outline various approaches, NIST issued draft Baseline Criteria for Consumer Software Cybersecurity Labeling on November 1 and a discussion draft on Consumer Cybersecurity Labeling for IoT Products on December 3.

After NIST produces both the IoT and software criteria in February, it will begin a labeling pilot testing phase. That phase will consist of NIST engaging with organizations that currently offer consumer labeling options. NIST says it may also decide to establish measures to demonstrate further proof of concept based on the criteria it publishes.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

Biden’s cybersecurity executive order, a progress report

Of the 46 tasks President Biden mandated to protect digital government assets, 19 are now completed, though not all agencies have reported their progress.

On May 12, 2021, President Biden released a comprehensive cybersecurity executive order, EO 14028, entitled Improving the Nation’s Cybersecurity. The complex order responded to a chain of startling and damaging cybersecurity incidents that primarily occurred during Biden’s first few months in office.

The EO gave several federal government agencies tight deadlines to produce new rules and guidance on stringent cybersecurity requirements that the White House hopes will better protect government offices from malicious digital activity. In addition, the administration designed the order to spur federal government hardware and software suppliers to ratchet up their security efforts to hang onto their government contracts. The hope is that by exercising the power of the purse, the federal government’s new rules would have a positive spillover effect for private sector organizations, too.

Cybersecurity EO mandates 46 actions

The order requires 46 actions to be carried out by the Commerce Department, the Department of Homeland Security (DHS), the Defense Department (DOD), the Office of Management and Budget (OMB), the National Security Agency (NSA), the Director of National Intelligence, the Attorney General, the Federal Acquisition Regulatory (FAR) Council, and other government-related entities. Exemplifying the whole-of-government approach favored by this White House, virtually all the tasks assigned under the EO require collaboration by multiple government agencies.

Some government agencies, notably the NSA, have made little to no public comment on some or all their tasks under the EO. Therefore, it isn’t easy to gauge how far along some actions are to completion. Moreover, the deadlines for at least 11 of those tasks have yet to arrive.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Christina Kirschnerova on Unsplash

Articles

Software cybersecurity labels face practical, cost challenges

The federal government wants consumer software to have cybersecurity labels; experts question the feasibility of the mandate.

As part of his extensive cybersecurity executive order issued in May, President Biden directed the National Institute of Standards and Technology (NIST) to develop two pilot labeling programs on the cybersecurity capabilities of internet-of-things (IoT) consumer devices and software development practices. Although these pilot programs won’t be mandatory for device or software sellers, they could likely raise market expectations. In addition, whatever labels come out of these programs would also carry with them some sense of government authority and might ultimately become part of the government contracting process.

Last week NIST held a two-day workshop on these topics. Of the two pilot programs, the consumer software labeling initiative is the trickier one given the ever-changing nature of software and the absence of any similar existing consumer software labeling initiative.

To help it grasp the more complex task of developing labels for software, NIST solicited one- to two-page labeling position papers from interested parties. In calling for these papers, NIST cited “the challenges and practical approaches to consumer software labeling,” asking for feedback on the “technical criteria needed to support validation of consumer software security assertions that reflect a baseline level of secure practices.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Jon Tyson on Unsplash

Articles

Federal agencies face new zero-trust cybersecurity requirements

The OMB and CISA issue guidance to move all federal agencies to a shared zero-trust maturity model for FY22-24. The catch: No new funding.

As part of the Biden administration’s wide-ranging cybersecurity executive order (EO) issued in May, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) issued three documents on zero trust last week. Zero trust is a security concept that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses,” according to the EO.

From a cybersecurity practitioner’s perspective, zero trust is a security approach that, among other things, authenticates and authorizes every request rather than trusting a network location or a long-lived session, so that users get the access they need but in narrowly scoped ways that limit the damage when a breach or compromise occurs. The EO repeatedly references zero trust and directs CISA and OMB to develop initiatives to incorporate zero-trust security models throughout the federal government.
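The per-request evaluation described above, as an added example that is not from the article or from the CISA/OMB documents it covers: a small policy decision point that re-checks identity (MFA freshness), device posture and an explicit least-privilege policy entry on every call, and returns a grant scoped to one resource and one action that expires in minutes. The policy table, users, devices and timestamps are all constructed for illustration; a real deployment would pull them from an identity provider and an endpoint-management agent.

```python
"""Added example: a per-request zero-trust policy decision point.

There is no standing "on the network, therefore trusted" state. Every
request has to pass identity, device-posture and least-privilege checks,
and what comes back is a narrowly scoped, short-lived grant rather than
broad access. All policy, users and devices below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MFA_MAX_AGE = timedelta(hours=12)      # re-prompt if MFA is older than this
POSTURE_MAX_AGE = timedelta(hours=1)   # device must have reported in recently
GRANT_TTL = timedelta(minutes=5)       # grants are short-lived, not sessions


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_at: Optional[datetime]   # last successful MFA, None if never
    device_id: str
    resource: str
    action: str
    now: datetime


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    attested_at: Optional[datetime]   # last posture report from the agent


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    scope: Optional[str] = None        # "resource:action" when allowed
    expires: Optional[datetime] = None


# Constructed policy: resource -> action -> groups explicitly allowed.
# Anything not listed is denied (default deny).
POLICY = {
    "payroll-db": {"read": {"finance"}, "write": {"finance-admins"}},
    "build-server": {"read": {"dev", "sre"}, "write": {"sre"}},
}


def authorize(req: Request, devices: dict) -> Decision:
    """Decide one request. Every check runs on every call; nothing is cached."""
    # 1. Identity: MFA must exist and be fresh.
    if req.mfa_at is None or req.now - req.mfa_at > MFA_MAX_AGE:
        return Decision(False, "mfa-stale")
    # 2. Device: known, managed, encrypted, and recently attested.
    dev = devices.get(req.device_id)
    if dev is None or not (dev.managed and dev.disk_encrypted):
        return Decision(False, "device-posture")
    if dev.attested_at is None or req.now - dev.attested_at > POSTURE_MAX_AGE:
        return Decision(False, "posture-stale")
    # 3. Least privilege: an explicit allow for this resource and action.
    allowed = POLICY.get(req.resource, {}).get(req.action, set())
    if not (req.groups & allowed):
        return Decision(False, "not-authorized")
    # 4. Grant is narrow (one resource, one action) and expires in minutes,
    #    which is what limits blast radius if the grant is stolen.
    return Decision(True, "ok", scope=f"{req.resource}:{req.action}",
                    expires=req.now + GRANT_TTL)


def run_demo() -> dict:
    """Evaluate constructed requests; returns label -> Decision."""
    now = datetime(2021, 9, 14, 9, 0, tzinfo=timezone.utc)
    devices = {
        "lap-01": DevicePosture(True, True, now - timedelta(minutes=10)),
        "lap-02": DevicePosture(True, False, now - timedelta(minutes=10)),  # unencrypted
        "lap-03": DevicePosture(True, True, now - timedelta(hours=6)),      # stale report
    }
    base = dict(user="alice", groups=frozenset({"finance"}),
                mfa_at=now - timedelta(hours=1), device_id="lap-01",
                resource="payroll-db", action="read", now=now)
    cases = {
        "ok-read": Request(**base),
        "write-not-in-group": Request(**{**base, "action": "write"}),
        "unknown-resource": Request(**{**base, "resource": "hr-db"}),
        "mfa-too-old": Request(**{**base, "mfa_at": now - timedelta(days=1)}),
        "unencrypted-device": Request(**{**base, "device_id": "lap-02"}),
        "stale-posture": Request(**{**base, "device_id": "lap-03"}),
        "unknown-device": Request(**{**base, "device_id": "byod-7"}),
    }
    return {label: authorize(r, devices) for label, r in cases.items()}


if __name__ == "__main__":
    for label, d in run_demo().items():
        print(f"{label:20s} -> {d.reason} {d.scope or ''}")
```

Note that the successful case is the only one that comes back with a scope, and that scope names a single resource and action: a token minted from this decision cannot be replayed against the build server, and it dies on its own five minutes later without any session revocation step.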

The documents released last week offer draft versions of these models. CISA and OMB call them “strategic and technical guidance documents meant to move the US government towards a zero-trust architecture.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Laura Heimann on Unsplash

Articles

Biden Administration announces flurry of new anti-ransomware efforts

The defensive initiatives include a reward for information on nation-state actors and the formation of a new interagency ransomware task force.

Under pressure to halt ongoing and highly damaging ransomware attacks from Russian criminal groups, the Biden administration yesterday announced a flurry of defensive initiatives to deal with the crisis. These announcements come one week after President Biden issued a stark warning to Russian President Vladimir Putin to deal with the ransomware threat groups in his country or else the US will take action to dismantle the threat.

First, the State Department announced that its Rewards for Justice program, which the Diplomatic Security Service administers, will pay a reward of up to $10 million for information that leads to identifying state-sponsored threat actors. Specifically, rewards will be given to those who supply information that leads to the “identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”

The Rewards for Justice (RFJ) program has set up a Tor-based dark web reporting site to protect the safety and security of potential sources. Additionally, the RFJ program works with interagency partners to enable the rapid processing of information and the possible relocation of and payment to sources.

Second, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) announced it would convene a FinCEN Exchange in August 2021 focused on ransomware concerns. The Exchange will be composed of financial institutions, other key industry stakeholders, and federal government agencies. The goal of the meeting is to inform FinCEN’s next steps in addressing ransomware payments.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

NIST’s EO-mandated software security guidelines could be a game-changer

While experts applaud the new security guidance, it’s unclear whether software vendors will completely embrace and implement the needed security practices.

Following a string of high-profile supply chain hacks, President Biden’s wide-ranging executive order on cybersecurity (EO) issued on May 12 directed the National Institute of Standards and Technology (NIST) to produce guidance on a series of software security matters. First, the EO asked NIST to produce a definition of critical software, which it released at the end of June. Second, the EO directed NIST to publish guidance on security measures for EO-critical software use, which NIST released last Friday.

To tackle the complex issue of keeping software secure, NIST solicited papers from interested parties and held a two-day workshop to gain insight from industry and other experts. NIST defined five objectives for the security measures, which cover operational use only, not development or acquisition:

  1. Protect EO-critical software and EO-critical software platforms (the platforms on which EO-critical software runs, such as endpoints, servers, and cloud resources) from unauthorized access and usage. Measures here include use of multi-factor authentication, following privileged access management principles, and employing boundary protection techniques.
  2. Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms. Measures here include maintaining a data inventory, protecting data at rest and in transit, and backing up data with a tested recovery plan.
  3. Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation. Measures here include maintaining a software inventory, having a patch management plan, and using configuration management practices.
  4. Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms. Measures here include recording necessary logging information, continuous security monitoring, and using endpoint and network security protection.
  5. Strengthen the understanding and performance of humans’ actions that foster the security of EO-critical software and EO-critical software platforms. Measures here include training all users and administrators of EO-critical software and conducting frequent awareness activities.
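One concrete way to act on the inventory and patch-management measures in objective 3, as an added example that is not NIST's code and not part of its guidance: compare a software inventory against fix advisories and report which EO-critical components are still below the fixed version and whether they have exceeded a patch deadline. The inventory, advisories, product names and the 14-day/30-day deadlines are all constructed for illustration; versions are compared field by field as integers, which is the detail that gets missed when "2.9.4" is compared to "2.10.0" as strings.

```python
"""Added example: inventory-versus-advisory check for patch management.

Flags components whose installed version is below an advisory's fixed
version and marks them overdue against a constructed patch deadline.
Inventory, advisories and SLA values are constructed, not real products.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple:
    """'2.10.0' -> (2, 10, 0): numeric fields compared as integers.

    Letter-suffixed schemes (e.g. 1.1.1k) would need their own comparator;
    this handles the common dotted-numeric case only.
    """
    return tuple(int(x) for x in re.findall(r"\d+", v))


@dataclass(frozen=True)
class Component:
    host: str
    name: str
    version: str
    eo_critical: bool   # platform runs EO-critical software


@dataclass(frozen=True)
class Advisory:
    name: str
    fixed_in: str
    published: date


@dataclass(frozen=True)
class Finding:
    host: str
    name: str
    installed: str
    fixed_in: str
    days_open: int
    overdue: bool


# Constructed patch deadline in days: EO-critical platforms 14, others 30.
SLA_DAYS = {True: 14, False: 30}


def find_unpatched(inventory, advisories, today: date) -> list:
    """Return one Finding per component still below a published fix."""
    findings = []
    for comp in inventory:
        installed = parse_version(comp.version)
        applicable = [a for a in advisories
                      if a.name == comp.name
                      and installed < parse_version(a.fixed_in)]
        if not applicable:
            continue
        # Age counts from the oldest fix the component is still missing;
        # the target is the highest fixed version, which covers the rest.
        oldest = min(a.published for a in applicable)
        target = max((a.fixed_in for a in applicable), key=parse_version)
        days_open = (today - oldest).days
        findings.append(Finding(comp.host, comp.name, comp.version, target,
                                days_open,
                                days_open > SLA_DAYS[comp.eo_critical]))
    # Overdue items first, then by age.
    findings.sort(key=lambda f: (not f.overdue, -f.days_open))
    return findings


def run_demo() -> list:
    """Constructed inventory and advisories as of a fixed date."""
    today = date(2021, 7, 12)
    inventory = [
        Component("web-01", "webproxy", "2.4.48", True),
        Component("web-01", "db-driver", "5.1.2", True),
        Component("ci-01", "log-agent", "2.9.4", False),
        Component("ci-01", "build-runner", "3.0.0", False),
    ]
    advisories = [
        Advisory("webproxy", "2.4.49", date(2021, 6, 20)),  # 22 days, critical
        Advisory("webproxy", "2.4.47", date(2021, 5, 1)),   # already above this fix
        Advisory("log-agent", "2.10.0", date(2021, 7, 1)),  # 11 days, non-critical
        Advisory("db-driver", "5.1.2", date(2021, 5, 25)),  # fix already applied
    ]
    return find_unpatched(inventory, advisories, today)


if __name__ == "__main__":
    for f in run_demo():
        flag = "OVERDUE" if f.overdue else "open"
        print(f"{f.host} {f.name} {f.installed} -> {f.fixed_in} "
              f"({f.days_open}d, {flag})")
```

The same loop works against a real inventory exported from an endpoint agent or a package manager, provided the version scheme is dotted-numeric; anything exotic should be normalised before it reaches parse_version rather than silently comparing equal.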

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Fotis Fotopoulos on Unsplash