Articles

Tech sector embraces public-private collaboration on open-source software security

Participants in a White House meeting on securing open-source software expressed optimism for working effectively with government to help prevent Log4j-like events.

Hoping to foster improved security of open-source software, the White House hosted a meeting last week with some of the largest public and private users and maintainers of open-source software. Widely used open-source software “brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance,” the White House said.

The meeting was organized in December, shortly after a dangerous vulnerability in the Java-based logging utility Log4j emerged. That easy-to-exploit flaw has the potential to compromise hundreds of millions of machines globally. The FBI, the NSA and the Cybersecurity and Infrastructure Agency (CISA) quickly branded it as “a threat to organizations and governments everywhere.” In a letter inviting tech leaders to the meeting, National Security Advisor Jake Sullivan said that “open-source software is a key national security concern.”

The meeting included attendees from a wide range of government departments and agencies, including the Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, National Cyber Director Chris Inglis, and officials from the Office of the National Cyber Director, CISA, and the National Institute of Standards and Technology (NIST). Private sector participants included executives and top-level representatives from Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook (Meta), GitHub, Google, IBM, the Linux Foundation, OpenSSF, Microsoft, Oracle and RedHat.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Biden’s cybersecurity executive order, a progress report

Of the 46 tasks President Biden mandated to protect digital government assets, 19 are now completed, though not all agencies have reported their progress.

On May 12, 2021, President Biden released a comprehensive cybersecurity executive order, EO 14028, entitled Improving the Nation’s Cybersecurity. The complex order responded to a chain of startling and damaging cybersecurity incidents that primarily occurred during Biden’s first few months in office.

The EO gave several federal government agencies tight deadlines to produce new rules and guidance on stringent cybersecurity requirements that the White House hopes will better protect government offices from malicious digital activity. In addition, the administration designed the order to spur federal government hardware and software suppliers to ratchet up their security efforts to hang onto their government contracts. The hope is that by exercising the power of the purse, the federal government’s new rules would have a positive spillover effect for private sector organizations, too.

Cybersecurity EO mandates 46 actions

The order requires 46 actions to be carried out by the Commerce Department, the Department of Homeland Security (DHS), the Defense Department (DOD), the Office of Management and Budget (OMB), the National Security Agency (NSA), the Director of National Intelligence, the Attorney General, the Federal Acquisition Regulatory (FAR) Council, and other government-related entities. Exemplifying the whole-of-government approach favored by this White House, virtually all the tasks assigned under the EO require collaboration by multiple government agencies.

Some government agencies, notably the NSA, have made little to no public comment on some or all their tasks under the EO. Therefore, it isn’t easy to gauge how far along some actions are to completion. Moreover, the deadlines for at least 11 of those tasks have yet to arrive.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Christina Kirschnerova on Unsplash

Articles

US sanctions Russian government, security firms for SolarWinds breach,…

The Biden administration places economic sanctions on Russian government organizations, individuals, and companies including several security firms.

The Biden Administration announced a robust, coordinated series of punitive measures to confront Russia’s growing malign behavior, including its massive hack of SolarWind’s software, attempts to interfere with the 2020 elections, and other destructive deeds against the US. The administration’s actions levy financial sanctions on the country and the companies usually involved in malicious cyber activity against the US. It also exposes previously withheld details about the Russian ruling regime’s digital and disinformation operations. In addition to the White House, the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Homeland Security, and Treasury Department all play a role in the complex set of actions against Russia.

First, President Biden signed a new sanctions executive order that strengthens authorities to “impose costs in a strategic and economically impactful manner on Russia if it continues or escalates its destabilizing international actions.” Under the EO, the Treasury Department is implementing multiple actions to target “aggressive and harmful activities” against the Russian government, including a directive that “generally prohibits US financial institutions from participating in the primary market for ruble or non-ruble denominated bond issued after June 14, 2021.”

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Alejandro Mayorkas

Experts fear that Biden’s cybersecurity executive order will repeat…

President Biden is expected to issue an executive order soon in response to the SolarWinds and Exchange Server attacks. Leaked details suggest it might not focus on the most effective actions.

Since December, the US has been in a cybersecurity crisis following FireEye’s bombshell that Russian hackers implanted espionage malware throughout US private sector and government networks through the SolarWinds supply chain hack. Despite growing pressure from Congress, the still-new Biden administration has released few details on how it plans to respond to this massive intrusion or the more concerning discovery in January of widespread and scattershot attacks by Chinese state operatives on Microsoft Exchange email server software.

Although the administration reportedly won’t release a formal executive order (EO) addressing these and other cybersecurity matters for weeks, Alejandro Mayorkas, the new head of the Department of Homeland Security (DHS), did reveal that the administration is working on nearly a dozen actions for the order. Meanwhile, some details of the order have leaked, generating mostly skepticism among many top cybersecurity professionals.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Mackenzie Weber on Unsplash

 

Articles

Biden administration brings expertise, new attitude to cybersecurity

The US president promises a reckoning for SolarWinds hackers and places cybersecurity at the top of the administration’s agenda.

The Biden administration has hit the ground running on cybersecurity, reportedly getting ready to nominate what some have called a “world-class” cybersecurity team of officials and prioritizing efforts to tackle the worst hack in US history, the SolarWinds breach. The renewed effort to tackle cybersecurity matters couldn’t come soon enough. The Trump administration all but gutted the White House and other government offices of cybersecurity expertise. In a series of steps that started with the elimination of a White House cybersecurity coordinator and ended with the firing of Christopher Krebs, the highly respected head of the Cybersecurity and Infrastructure Security Agency (CISA), the government suffered a serious cybersecurity brain drain during the Trump era.

The first sign that the current administration plans to take cybersecurity more seriously than the previous one did is the hiring of National Security Agency (NSA) official Anne Neuberger to fill the new position of Deputy National Security Adviser for cyber and emerging technology. Neuberger led the NSA’s cybersecurity defense operations and created the Russia small group at the agency to protect the 2018 mid-term elections from the kind of digital damage that marred the 2016 presidential election.

Biden has also tapped former senior national security officials with expertise in cybersecurity. Among them are Michael Sulmeyer, who serves as senior director for cybersecurity; Elizabeth Sherwood-Randall, named homeland security adviser; Russ Travers, deputy homeland security adviser; and Caitlin Durkovich, now a senior director for resilience and response at the National Security Council.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by René DeAnda on Unsplash

 

Articles

Cybersecurity under fire: CISA’s former deputy director decries post-election…

Matt Travis talks about CISA’s role in the recent US elections and how President Trump and his surrogates have politicized the security function.

Matt Travis, the former deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), kicked off this year’s Aspen Cyber Summit yesterday with a keynote interview by journalist Kara Swisher. Travis provided an insider’s view of the events leading up to the firing of CISA director Christopher Krebs and discussed the fallout from President Donald Trump’s attempts to undermine the agency.

The just-concluded president election represented “the most secure election in American history,” according to Krebs. Despite this achievement, or perhaps because of it, Krebs was summarily fired by Donald Trump via a tweet on November 17. Before Krebs was dismissed, the White House asked for the resignation of Brian Ware, the highly regarded assistant director for cybersecurity for CISA. After Krebs’ forced departure, Matt Travis, CISA deputy director and Krebs’ right-hand man at CISA, resigned from the agency.

On Sunday, Krebs, a lifelong Republican, told 60 Minutes’ Scott Pelley that he has complete confidence in the election outcome. He dismissed as conspiracy theories some of Trump’s increasingly convoluted stories of how President-Elect Joe Biden “stole” the election. Krebs said that Trump’s attorney Rudy Giuliani’s promotion of unproven election fraud was an “attempt to undermine confidence in the election, to confuse people, to scare people.”

Following the 60 Minutes interview, another Trump attorney, Joseph DiGenova, said that Krebs should be “taken out and shot” for contradicting Trump’s unsubstantiated claims of voter fraud. Yesterday, Krebs told CBS’s Savannah Guthrie that he is looking into potential legal action following DiGenova’s bald threat. Alex Stamos, former Facebook CISO and founder of the Stanford Internet Observatory, filed a complaint against DiGenova with the DC Bar’s Office of Disciplinary Counsel and encouraged his fellow infosec peers to do the same.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

China’s exclusion from US 5G market likely to continue…

lead centered=”no”
Telecom insiders discuss supply chain security and call for better communication, collaboration, and transparency from the federal government about threats within their industry.
/lead

As China’s Huawei faces ongoing banishment and retrenchment in Europe, the question arises whether Huawei and its peers, including telecom gear maker ZTE, will get a reprieve under the incoming Biden administration. Huawei clearly thinks it has a shot of improving its relationship with its European customers in the post-Trump era: Huawei Vice President Victor Zhang has been lobbying UK Prime Minister Boris Johnson to revisit the ban against using his company’s technology in Britain’s 5G network build-out.

Huawei landed in its current predicament due to the Trump regime’s fears that the company works with the Beijing government to implant malware in its equipment. It might not fare better under a Biden administration.

China’s likely continued exclusion from US markets even under a Biden administration was a top topic at a webinar on supply chain security hosted by US Telecom and Inside Cybersecurity. “The cybersecurity policies overall between the Obama Administration and to Trump and now to president-elect Biden should be relatively consistent,” Norma Krayem, vice president and chair of the Cybersecurity, Privacy and Digital Innovation Practice at Van Scoyoc Associates, said. “I think that’s important for the private sector to see that there is that theme.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Kamil Kot on Unsplash

5G

Domestic 5G development at core of US communications security…

lead centered=”no”
New NTIA document outlines White House 5G security goals, which promote home-grown R&D and call for continuous risk assessment and management.
/lead

In late March, during the first phase of the coronavirus lockdown, the White House issued a little-noticed document entitled The National Strategy to Secure 5G of the United States, which articulates a “vision for America to lead the development, deployment, and management of secure and reliable 5G communications infrastructure worldwide, arm-in-arm with our closest partners and allies.” The document was the White House’s effort to comply with the Secure 5G and Beyond Act, which required the president to” develop a strategy to ensure the security of next generation mobile telecommunications systems and infrastructure in the United States.”

The Act also required the president to submit within 180 days an implementation plan developed in consultation with a host of government departments and agencies. In May, the Commerce Department’s National Telecommunications and Information Administration (NTIA) began a proceeding to receive comments on how it might implement the vision of the White House Strategy, with the comment period ending on June 25. Early this week, NTIA posted the comments it received from 80 organizations, corporations and interested individuals.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

Bipartisan bill could bring back the White House national…

lead centered=”no”
Cyberspace Solarium Commission leaders introduce the National Cyber Director Act to reintroduce cybersecurity expertise into the White House.
/lead

Last week a bipartisan group of US House of Representatives legislators introduced the National Cyber Director Act to create the position of a national cyber director within the White House. The creation of this role is one of the chief recommendations of an increasingly influential intergovernmental group known as the Cyberspace Solarium Commission.

The commission issued its report — the product of months-long deliberations by four members from congress, four senior executive agency leaders and six experts from outside of government – just as the coronavirus pandemic quarantine kicked in during March. Nevertheless, the commission’s 80 recommendations, such as creating a national cyber director, are quickly being translated into actionable legislation on Capitol Hill.

Two of the commission’s leaders, Cyberspace Solarium Chair Congressman Jim Langevin (D-RI) and Solarium Co-Chair Congressman Mike Gallagher (R-WI), introduced the bill. Other legislators backing the bill include House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-NY), Ranking Member of the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure and Innovation John Katko (R-NY), former Ranking Member of the House Intelligence Committee C. A. Dutch Ruppersberger (D-MD), and Ranking Member of the House Intelligence Committee’s Subcommittee on Intelligence Modernization and Readiness Will Hurd (R-TX).

This article appeared in CSO Online. To read the rest of the article please visit here.