Tech sector embraces public-private collaboration on open-source software security

Participants in a White House meeting on securing open-source software expressed optimism for working effectively with government to help prevent Log4j-like events.

Hoping to foster improved security of open-source software, the White House hosted a meeting last week with some of the largest public and private users and maintainers of open-source software. Widely used open-source software “brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance,” the White House said.

The meeting was organized in December, shortly after a dangerous vulnerability in the Java-based logging utility Log4j emerged. That easy-to-exploit flaw has the potential to compromise hundreds of millions of machines globally. The FBI, the NSA and the Cybersecurity and Infrastructure Agency (CISA) quickly branded it as “a threat to organizations and governments everywhere.” In a letter inviting tech leaders to the meeting, National Security Advisor Jake Sullivan said that “open-source software is a key national security concern.”

The meeting included attendees from a wide range of government departments and agencies, including the Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, National Cyber Director Chris Inglis, and officials from the Office of the National Cyber Director, CISA, and the National Institute of Standards and Technology (NIST). Private sector participants included executives and top-level representatives from Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook (Meta), GitHub, Google, IBM, the Linux Foundation, OpenSSF, Microsoft, Oracle and RedHat.

This article appeared in CSO Online. To read the rest of the article please visit here.


Alejandro Mayorkas

Tech giants pledge at least $30 billion to improve…

Technology, financial, and education leaders commit to a wide range of initiatives to enhance the nation’s cybersecurity posture in collaboration with the Biden Administration.

Industry leaders from the technology, financial, and education sectors have pledged a wide range of private-sector initiatives to tackle the nation’s cybersecurity problems. Those efforts include increasing the cybersecurity talent pool, boosting security awareness, and better securing the software supply chain. Microsoft pledged $20 billion and Google pledge $10 billion to develop more advanced security solutions in areas such as security by design, zero-trust, software supply chain, and open-source software.
That announcement came at a meeting hosted by the Biden Administration yesterday where private sector leaders met with national security and cabinet team members to tackle the nation’s cybersecurity problems. Among the attendees from the government were:

Commerce Secretary Gina Raimondo
Energy Secretary Jennifer Granholm
Homeland Security Secretary Alejandro Mayorkas
SBA Administrator Isabel Guzman
National Security Advisor Jake Sullivan
Director of the National Economic Council Brian Deese
Senior Advisor and Director of the Office of Public Engagement Cedric Richmond
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger
National Cyber Director Chris Inglis
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly

This article appeared in CSO Online. To read the rest of the article please visit here.


Biden administration releases 100-day plan to address electric system…

The plan focuses largely on supply chain risks to the electric grid, requests input on the DOE’s role in coordinating cybersecurity efforts.

On April 20, the Biden administration, through the United States Department of Energy (DOE), issued what it is calling its 100-day plan to address cybersecurity risks to the US electric system. The plan is a coordinated effort among DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA). It “represents swift, aggressive actions to confront cyber threats from adversaries who seek to compromise critical systems that are essential to US national and economic security,” according to the announcement.

The idea is that DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), working with utilities, will “continue to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.” To achieve this goal, the efforts undertaken in this “sprint” focus on encouraging power grid players to:

  1. Implement measures or technology that enhance their detection, mitigation and forensic capabilities.
  2. Deploy technologies that enable near real-time situational awareness and response capabilities in the critical industrial control system (ICS) and operational technology (OT) networks.
  3. Enhance the security posture of their IT networks.
  4. Deploy technologies to increase the visibility of threats in ICS and OT systems.

This article appeared in CSO Online. To read the rest of the article please visit here.



US sanctions Russian government, security firms for SolarWinds breach,…

The Biden administration places economic sanctions on Russian government organizations, individuals, and companies including several security firms.

The Biden Administration announced a robust, coordinated series of punitive measures to confront Russia’s growing malign behavior, including its massive hack of SolarWind’s software, attempts to interfere with the 2020 elections, and other destructive deeds against the US. The administration’s actions levy financial sanctions on the country and the companies usually involved in malicious cyber activity against the US. It also exposes previously withheld details about the Russian ruling regime’s digital and disinformation operations. In addition to the White House, the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Homeland Security, and Treasury Department all play a role in the complex set of actions against Russia.

First, President Biden signed a new sanctions executive order that strengthens authorities to “impose costs in a strategic and economically impactful manner on Russia if it continues or escalates its destabilizing international actions.” Under the EO, the Treasury Department is implementing multiple actions to target “aggressive and harmful activities” against the Russian government, including a directive that “generally prohibits US financial institutions from participating in the primary market for ruble or non-ruble denominated bond issued after June 14, 2021.”

This article appeared in CSO Online. To read the rest of the article please visit here.


Alejandro Mayorkas

Experts fear that Biden’s cybersecurity executive order will repeat…

President Biden is expected to issue an executive order soon in response to the SolarWinds and Exchange Server attacks. Leaked details suggest it might not focus on the most effective actions.

Since December, the US has been in a cybersecurity crisis following FireEye’s bombshell that Russian hackers implanted espionage malware throughout US private sector and government networks through the SolarWinds supply chain hack. Despite growing pressure from Congress, the still-new Biden administration has released few details on how it plans to respond to this massive intrusion or the more concerning discovery in January of widespread and scattershot attacks by Chinese state operatives on Microsoft Exchange email server software.

Although the administration reportedly won’t release a formal executive order (EO) addressing these and other cybersecurity matters for weeks, Alejandro Mayorkas, the new head of the Department of Homeland Security (DHS), did reveal that the administration is working on nearly a dozen actions for the order. Meanwhile, some details of the order have leaked, generating mostly skepticism among many top cybersecurity professionals.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Mackenzie Weber on Unsplash



26 Cyberspace Solarium Commission recommendations likely to become law…

Once passed, the National Defense Authorization Act will create a White House cybersecurity director role, expand CISA’s capabilities, and create a K-12 security education assistance program.

This year’s National Defense Authorization Act (NDAA), the annual “must-pass” spending bill that ensures the continued funding of the nation’s military, has a wealth of information security recommendations that come from the bi-partisan, bi-cameral, public-private initiative known as the Cyberspace Solarium Commission (CSC). The CSC was itself established in 2019’s NDAA bill and was asked to come up with a new strategic approach to cybersecurity.

Last spring, the CSC issued a report that offered 82 policy and legislative recommendations to improve cybersecurity. Of those, 26 will likely become law given that both the House and Senate last week passed the bill by overwhelming margins. The veto-proof vote count is needed given that President Donald Trump has repeatedly vowed to veto this year’s NDAA unless it also contains provisions that strip internet companies of legal liability protections granted them in Section 230 of the Communications Decency Act of 1996. Over the weekend, Trump reiterated via Tweet his intention to veto the NDAA.

Solarium co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) expressed their delight in turning substantive cybersecurity recommendations into legislative provisions. “From the first day we embarked on crafting America’s cyberdoctrine, we were determined to create a plan of action, not a report collecting dust on a shelf. It is only because of the hard work and commitment of our commissioners and tireless staff that we were able to create such a robust report earlier this year. It is due to them that we were able to inform national policy on such a remarkable level,” the pair said in a statement.

The Commission’s top accomplishment in the bill is the reestablishment of cybersecurity leadership in the White House by creating a national cyber director position. Senator Mike Rounds (R-SD) garners much of the credit for this achievement. “The creation of a national cyber director position in this year’s NDAA was the result of years of hard work,” Rounds said in a statement.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Louis Velazquez on Unsplash



Cybersecurity under fire: CISA’s former deputy director decries post-election…

Matt Travis talks about CISA’s role in the recent US elections and how President Trump and his surrogates have politicized the security function.

Matt Travis, the former deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), kicked off this year’s Aspen Cyber Summit yesterday with a keynote interview by journalist Kara Swisher. Travis provided an insider’s view of the events leading up to the firing of CISA director Christopher Krebs and discussed the fallout from President Donald Trump’s attempts to undermine the agency.

The just-concluded president election represented “the most secure election in American history,” according to Krebs. Despite this achievement, or perhaps because of it, Krebs was summarily fired by Donald Trump via a tweet on November 17. Before Krebs was dismissed, the White House asked for the resignation of Brian Ware, the highly regarded assistant director for cybersecurity for CISA. After Krebs’ forced departure, Matt Travis, CISA deputy director and Krebs’ right-hand man at CISA, resigned from the agency.

On Sunday, Krebs, a lifelong Republican, told 60 Minutes’ Scott Pelley that he has complete confidence in the election outcome. He dismissed as conspiracy theories some of Trump’s increasingly convoluted stories of how President-Elect Joe Biden “stole” the election. Krebs said that Trump’s attorney Rudy Giuliani’s promotion of unproven election fraud was an “attempt to undermine confidence in the election, to confuse people, to scare people.”

Following the 60 Minutes interview, another Trump attorney, Joseph DiGenova, said that Krebs should be “taken out and shot” for contradicting Trump’s unsubstantiated claims of voter fraud. Yesterday, Krebs told CBS’s Savannah Guthrie that he is looking into potential legal action following DiGenova’s bald threat. Alex Stamos, former Facebook CISO and founder of the Stanford Internet Observatory, filed a complaint against DiGenova with the DC Bar’s Office of Disciplinary Counsel and encouraged his fellow infosec peers to do the same.

This article appeared in CSO Online. To read the rest of the article please visit here.



White House strategy paper to secure 5G envisions America…

lead centered=”no”Though light on details, the paper offers clues as to how the US government sees the development and security of 5G communications moving forward./lead

With curiously little fanfare, the White House released last week a six-page document called the National Strategy to Secure 5G, a blueprint that was mandated by the Secure 5G and Beyond Act. That bill, signed into law by President Trump on the same day, March 23, that the White House released its strategy paper, directed the president to release his strategy paper within 180 days of the bill’s enactment.

The paper’s stated goal is to articulate a vision “for America to lead the development, deployment and management of secure and reliable 5G communications infrastructure, worldwide, arm-in-arm with our closest partners and allies.” The four “lines of effort” driving this vision include:

  • Facilitating the domestic roll-out of 5G
  • Assessing the security risks and core principles for infrastructure
  • Managing those economic and security risks
  • Promoting responsible global development and deployment of the 5G infrastructure

The domestic roll-out of 5G, coordinated by the National Economic Council, primarily lies with the Federal Communications Commission (FCC), which has what it calls its 5G FAST plan. FAST makes more radiofrequency spectrum available, streamlines government processes, and “modernizes” regulation to promote the deployment of 5G backhaul. The Commerce Department is also working on a National Spectrum Strategy to plan for future generations of wireless networks.

This article appeared in CSO Online. To read the rest of the article please visit here.