[updated July 20, 2011, 6:10 pm EDT] Correction: Broadbandbreakfast.com incorrectly reported that the Cybersecurity and Internet Freedom Act of 2011 does not contain a provision for a Director of the proposed Office of Cyberspace Policy.
WASHINGTON, July 20, 2011 – Despite bipartisan agreement over the need for effective cyber security legislation, members remain divided over authority and enforcement specifics.
In a letter to the Editor in the Saturday edition of the Washington Post, Rep. Jim Langevin (D-RI) critiqued another article published in early July in which Sens. Joe Lieberman (ID-CT), Susan Collins (R-ME) and Tom Carper (D-DE) recommended proposed legislation that would grant the Department of Homeland Security (DHS) statutory authority to work with industry to identify and evaluate critical cyber infrastructure and establish best practices between government and the private sector in order to improve security.
“The alternative could be a digital Pearl Harbor — and another day of infamy,” stated the senators.
Rep. Langevin, however, feels avoiding a “digital Pearl Harbor” with a cyber security gold-standard might be missing the mark, Langevin spokesman Jonathon Dworkin told BroadbandBreakfast.com on Saturday.
“We are supportive of their overall efforts, but [the senators] – and the White House – continue to leave out one of the core recommendations of the CSIS Commission, which is a strong White House Director that has the necessary authority to lead and coordinate the kind of comprehensive strategy we need,” said Dworkin.
The increasing dependence upon networked systems, and the vulnerabilities of critical infrastructure systems, make fears of a major assault by a cunning adversary with digital weaponry no longer sound like something out of the show “24.” The string of publicized cyber intrusions and data breaches against major U.S. companies and government agencies makes these fears ever more real.
The lack of strong diplomatic and military components to the senators’ plan was Langevin’s main concern.
“Defense Secretary Leon Panetta has warned of threats posed by other nations and terrorist organizations,” said Langevin – who founded the Congressional Cybersecurity Caucus – in his letter.
“The senators’ plan would give primary responsibility for our nation’s cyber-strategy to the Department of Homeland Security. However, while Homeland Security is doing impressive work domestically, our international effort requires a whole-of-government approach.”
While Lieberman, Collins and Carper’s plan advocates giving more authority to DHS, Langevin is a believer in the creation of a new Executive Branch position that would coordinate cyber security efforts across government.
“The bipartisan Center for Strategic and International Studies’ cybersecurity commission, which I co-chaired,” said Langevin, “emphasized the need for a White House cybersecurity director, confirmed by the Senate, who would have budgetary and policy authority across government to require that agencies apply sufficient resources to protect themselves online.”
Despite some confusion in Rep. Langevin’s office as to the content of the bill, all parties seem in agreement: Section 102 of the Senate bill does, in fact, contain a provision for a White House Office of Cyberspace Policy Director, appointed by the President and confirmed by the Senate.
“Our legislation – the Cybersecurity and Internet Freedom Act – would establish an office of cyberspace policy at the White House, headed by a Senate-confirmed Director, to coordinate cyber security efforts across the federal government,” said the senators through a joint release Wednesday afternoon. “The Director would ‘oversee, coordinate, and integrate all policies and activities of the federal government across all instruments of national power relating to ensuring the security and resiliency of cyberspace, including … diplomatic, economic, military, intelligence, homeland security, and law enforcement policies and activities within and among federal agencies,’ very similar to what Congressman Langevin calls for. We appreciate Congressman Langevin’s commitment to cyber security and agree with him that it is imperative Congress pass comprehensive cyber security legislation.”
Langevin announced the establishment of the Rhode Island Cyber Disruption Team last Monday, and was in attendance during the Pentagon’s cyber strategy announcement on Thursday.
[July 20, 2011, 6:37 pm EDT] Update: Jonathon Dworkin, Communications Director for Rep. Langevin, issued a statement concerning his previous correspondence in regards to the Senate bill: “My email was misleading because the Senators’ bill, unlike the White House proposal, does have a Senate-confirmed White House position. While there are differences in our respective proposals, we continue to be supportive of what [the Senators] are doing and look forward to continuing to work together to most effectively strengthen our cybersecurity.”
Cyber Notification Bill Critical, But Won’t Stop Bad Actors Entirely, Says Senator
Congress recently passed legislation including a requirement for critical infrastructure entities to notify government on cyber attacks.
WASHINGTON, March 15, 2022 – Mandatory cyber attack reporting is critical to keeping up cyber defenses against potential Russian attacks, a U.S. senator said, following the passing by Congress of legislation that would require certain companies to report such attacks within 72 hours.
But Senator Mark Warner, D-Virginia, and a former State Department cyber expert, said the bill will not stop bad actors entirely.
“We probably cannot be 100 percent effective on keeping the bad guys out,” Warner said Monday during a Center for Strategic and International Studies event discussing the Russian invasion of Ukraine. “We shouldn’t aim for 100 percent perfection on defense, but what we should aim for is this information sharing, so that we could then share with the private sector.”
The Cyber Incident Reporting for Critical Infrastructure Act of 2022, part of a larger budget bill, requires certain critical infrastructure owners and operators, including in the communications, energy and healthcare sectors, to notify the Cybersecurity and Infrastructure Security Agency of cybersecurity attack incidents in certain circumstances. It was passed by both chambers and President Joe Biden is expected to sign the bill into law soon.
The bill’s passing comes after a year of high-profile cyber attacks that targeted software companies, a meat producer and an oil transport firm. Following those attacks, lawmakers and cyber officials urged Congress to push the bill forward. Late last year, Secretary of State Antony Blinken announced the department intends to create a new cyber bureau to help tackle the growing challenge of cyber warfare.
It also comes as Russia continues its war in Ukraine, which some have suspected will ramp up global cyber attacks.
Chris Painter, president of the Global Forum on Cyber Expertise Foundation and former coordinator for cyber issues at the State Department, agreed with Warner on Monday, saying that he thinks “that we will see that [cybersecurity attack capability] is being held in reserve, so I think shields up is really the right approach for the U.S.
“With a dedicated adversary like Russia,” Painter said, “you could be very good at defense, [but] they’re still going to get in.”
Warner, who said the notification requirement is a “giant step forward,” said the bill doesn’t “want to hold the company accountable, [but] we do want to go after malware actors.” He added this is about being resilient in the face of incoming attacks.
But in a January congressional hearing about cybersecurity, Ross Nodurft of the Alliance for Digital Innovation, warned Congress against an “overly prescriptive definition of a [cybersecurity] incident” to avoid running the risk of “receiving so many notifications that the incidents which are truly severe are missed or effectively drowned out due to the frequency of reporting.”
Justin Reilly: Rising Ransomware Threats on Schools Require Better Approach to Cybersecurity
Ransomware attacks are a costly lesson for educators.
Since the advent of the pandemic, education has been in a state of vulnerable flux. The rapid embrace of technology, sparked by the need to introduce remote learning, has given many educators whiplash. They need time to normalize, but recent trends threaten their ability to do so.
Against the backdrop of technological chaos, opportunistic hackers have been targeting schools with heightened fervor, causing harmful delays and disruptions on both a systemic and financial level. It’s time for schools to start getting proactive about cybersecurity, or they risk paying a hefty tuition to learn why they should have acted sooner.
Education technology use is surging across the nation. A recent study showed ed-tech up 52 percent over pre-pandemic levels, with U.S. school districts using nearly 1,500 different digital tools on average each month. While these digital tools possess the power to ultimately streamline and transform classroom management for the better, teachers are still feeling overwhelmed by the number of technology solutions they’re being asked to implement.
This issue is being exacerbated by many tech-resistant districts and teachers being forced to catch up all at once. When the pandemic hit, using devices and technology in the classroom was no longer an option – learning quickly needed to be online and accessible. By now, the dam has fully broken on tech adoption and we’re only likely to see these trends accelerate. Of course, as other sectors have seen firsthand over the last two years, these unchecked developments often cast unsavory shadows.
An appealing target for hackers
School districts were already an appealing target for hackers ahead of the pandemic, but the rapid adoption of technology – often outstripping security measures equal to these digital strides – has effectively chummed the waters for malicious elements looking for a “soft” target.
Cyberattacks against school districts went up by 18 percent in 2020, the height of the pandemic. The trend has continued since and isn’t expected to slow down in 2022. Among attacks against school districts, ransomware – an attack that locks users out of files on their own systems and then demands ransom money to return their rightful access – is by far the most common variety.
Just a few weeks into 2022, there were already multiple major headlines involving ransomware targeting school districts. The biggest story was the hacking of education website service provider FinalSite, which shut down the websites of 5,000 schools and colleges. Another story involved the cancellation of classes for 75,000 students after the Albuquerque Public Schools district fell victim to a ransomware attack it had been fending off for several weeks.
Yet another case, also in New Mexico, affected the town of Truth & Consequences. The town suffered a cyberattack just after Christmas and, as of mid-January, had still not regained control of its computer systems.
There’s no time left for district leaders to drag their feet on cybersecurity. It can be tough, especially given budget challenges, but the gap between digital advancement and lacking cybersecurity presents too great of a risk for schools.
Make cybersecurity a priority in hiring
So what can school districts do to prepare? The first step is to make cybersecurity a proper priority – and that includes budgeting and hiring. Many schools still don’t have dedicated cybersecurity officers, instead relying on – in many cases at best – a CIO who happens to be tech-savvy.
This is starting to turn around in light of recent events, with more and more schools hiring chief cybersecurity officers and point-persons. Keeping up with this trend will be critical for setting a strong foundation.
Budgeting will always be a challenge, of course, seeing as many school districts still don’t have any budget at all dedicated to cybersecurity. This needs to change, but some schools have started getting creative on this front in the meantime. One possibility is to fold cybersecurity efforts into operating budgets. Another timely approach is to capitalize on new and improved “cyber grants” being offered by federal and local governments to meet this increasing need.
The most important thing is simply not to be ad hoc about cybersecurity. School districts can proactively gather data to find out where their needs are, what the wants are from teachers, and how they can properly address them. It’s far better to start gathering this data early rather than wait until it’s too late.
Consider this: schools can either make the investment now or pay much more a short way down the road. Should a school or district become the victim of ransomware, they’ll have to pay both to resolve the immediate crisis and for cybersecurity upgrades, all of which will have been unbudgeted and leave them reeling long after the attack. The norms of education are changing, and priorities need to change with them.
Justin Reilly is the CEO of Impero Software, which offers a virtual private network solution for schools and also serves more than half of the Fortune 100. This Expert Opinion is exclusive to Broadband Breakfast.
Broadband Breakfast accepts commentary from informed observers of the broadband scene. Please send pieces to firstname.lastname@example.org. The views reflected in Expert Opinion pieces do not necessarily reflect the views of Broadband Breakfast and Breakfast Media LLC.
Preventing Cyber Attacks Lies With Security Hygiene and Multi-factor Authentication, Experts Say
Panelists said everyone who is connected should be prepared.
WASHINGTON, March 1, 2022 – Security hygiene, multi-factor authentication, and employee training are key to preventing cyber attacks, experts said at a Federal Communications Bar webinar on Thursday.
“We’re all targeted” for cyber attacks, regardless of the size of the company, said Paul Kay, senior vice president and chief information officer of EchoStar Corporation, a provider of satellite and internet services.
Panelists flagged basic security hygiene as the best way to prevent cyber attacks. Kay spoke to the importance of not reusing credentials, activating multi-factor authentication, and being aware of the various kinds of phishing schemes, such as smishing, where suspicious links that are meant to bypass your security are sent via SMS on your phone.
According to John Ansbach, vice president at cyber security firm Stroz Friedberg, half of all cyber attacks were stopped by multi-factor authentication. “It’s not foolproof, but it works,” he said.
At an event early last month, the executive director of the National Cybersecurity Alliance, which has on its board members including Lenovo, Facebook and Microsoft, advocated for mandatory two-factor authentication, which requires another method to verify identity.
A lot of people who deal with sensitive information on a regular basis are now working from home and it’s never been more crucial to have good cyber security measures, added Elizabeth Rogers, partner at the Michael Best law firm. “We’re in a permanent hybrid workforce situation,” she said.
Training employees is also crucial to preventing and recovering from attacks, the experts said. According to Vincent Paladini, senior attorney at energy and water resource management firm Itron, 85 percent of cyber attacks involve a human element, and 61 percent involve credentials.
Good cyber security involves “training the workforce on all levels,” said Rogers. “We’re only as strong as our weakest link.”
Additionally, Kay recommended that larger businesses look at incident response firms. “If you’re a good-sized business, it makes good sense to take a look at these firms,” he said. “You need to be prepared to clean up the aftermath [of a cyber attack].”