Connect with us

Cybersecurity

Congress Must Avoid ‘Overly Prescriptive’ Incident Reporting To Avoid Missing Larger Cyberattacks

Too many reports could burden federal officials, said the executive director of the Alliance for Digital Innovation.

Published

on

Rep. Debbie Shultz
Rep. Debbie Schultz, D-Florida

WASHINGTON, January 11, 2022 — The executive director of an organization that pushes information technology reform in government testified Tuesday in front of the House Oversight committee that any incident reporting requirements that Congress is considering should not burden officials so much that they end up missing more serious breaches of cybersecurity.

Ross Nodurft of the Alliance for Digital Innovation told lawmakers studying the reform of the Federal Information Security Management Act, a 2002 law which implements an information security and protection program, that the amended legislation should consider keeping Congress abreast of incidents, but should be mindful of how it defines a security problem.

“As Congress considers defining major incidents or codifying vulnerability response policies, any legislation should be mindful of the dynamic nature of responding to cybersecurity challenges facing government networks,” Nodurft said. “If Congress is overly prescriptive in its definition of an incident, it runs the risk of receiving so many notifications that the incidents which are truly severe are missed or effectively drowned out due to thee frequency of reporting,” he said in prepared remarks.

The comments come on the heels of a year that included major cybersecurity attacks, including the attacks on software company SolarWinds, oil transport company Colonial Pipeline, which prompted a Senate hearing on the matter. The House Oversight committee released details of its investigation into some of the breaches in November.

The comments also come after lawmakers proposed new reporting requirements on companies. Those proposed laws would make it mandatory that small and large companies report incidents to the government so they can best prepare a response to protect Americans.

In July, Sens. Mark Warner, D-Virginia, Marco Rubio, R-Florida, and Susan Collins, R-Maine, introduced the Cyber Incident Notification Act of 2021, which requires federal and private sector cybersecurity intrusions to be reported to the government within 24 hours.

Cyber incident reporting was recently left out of a Senate bipartisan version of the National Defense Authorization Act.

Lead cybersecurity officials in government have been calling for mandatory breach reporting to government. Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency, told the same Oversight committee in November that Congress should force companies to share that kind of information. Last summer, a Department of Justice official said he supports mandatory breach reporting.

In October, Secretary of State Antony Blinken announced the department intends to create a new cyber bureau to help tackle the growing challenge of cyber warfare.

Agency roles should be clarified

Rep. Debbie Schultz, D-Florida, talked about the varied organizations and institutions in her state that have been affected by cyberattacks and threats, including the Miami-based software company Kaseya, which experienced a major ransomware attack.

Schultz stated that there are two entities that are critical to federal cybersecurity: the Cybersecurity and Infrastructure Security Agency and the Office of the National Cyber Director.

Grant Schneider, senior director of cybersecurity services, Venable, said that the Office of the National Cyber Director acts as a conductor in the framework of FISMA. These organizations work with other organizations, such as the National Institute of Standards and Technologies, and the Office of Management and Budget.

With so many organizations, Nodurft explained how important it is for the roles within these organizations to be defined. He talked about how important it is for agencies to know where to turn to report cyberattacks. In part with this, he continued, agencies who “are proactively trying to mitigate their cyber risks” need clear reporting channels and clear areas of jurisdiction to go to for various issues.

According to Nodurft, these defined roles would “make it much easier for [agencies] to work together, to build a broader defensive structure.”

Cybersecurity

Lawmakers Should Incentivize Cybersecurity in Private Sector: Cisco Executive

One weak link can threaten the entire system.

Published

on

Photo of Jeetu Patel of CISCO

WASHINGTON, May 25, 2023 – A Cisco executive urged Congress at a Semafor event Thursday to provide more incentives for companies to ensure their cybersecurity posture is up to date. 

While Jeetu Patel, general manager of security at the information technology giant, didn’t specify what types of incentives can be used, he said the incentives must push private infrastructure to have high security standards. 

Both private and public sectors have a part to play in improving the nation’s security, he noted, adding private companies must build products that are secure by design. 

There is “tremendous” need for cross-nation coordination around cyberattacks, said Patel. He urged lawmakers to democratize cybersecurity by simplifying the process, adding the nation must be united to gain traction against attackers.

The cybersecurity industry has not made conversations simple to follow or technology easy to use, he said. Simplifying cybersecurity is the only way we can democratize it and when it’s democratized, it can be made universal, said Patel. 

He warned that the country cannot let the financial constraints of a few companies put the whole system at risk. Regardless of how affluent a country is, the weakest link controls the strength of the chain, he said. 

Artificial Intelligence will change cybersecurity fundamentally, he noted. It is important to remember that AI tools are also available to attackers. Currently, the majority of attacks stem from fraudulent emails which AI can make more personalized and difficult to discern from real communication, he said.  

Cybersecurity defenses must evolve

We need to develop an idea of civic responsibility for tech innovators and students in STEM fields, added Suzanne Spaulding, senior advisor of Homeland Security at the Center for Strategic and International Studies. Civic responsibility is the antidote to disinformation and is the change central to democracy, she continued.  

Spaulding warned companies against relying on existing cybersecurity measures. Resilience is about having layers of plans and assuming they all will fail, she said.  

This comes at a time of Congressional focus on cybersecurity. In March, two bills were introduced by Senators Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., to establish pilot programs in the Department of Defense and Homeland Security that would hire civilian cybersecurity personnel in reserve. 

In 2021, President Joe Biden signed an executive order on improving American cybersecurity capabilities following the Colonial Pipeline ransomware attack and SolarWinds breach in 2020.   

Continue Reading

Cybersecurity

Sector Specific Agencies a Resource for Cybersecurity Concerns

Federal agencies are equipped to support sectors dealing with cybersecurity concerns.

Published

on

Photo of Puesh Kumar of Department of Energy

WASHINGTON, May 16, 2023 – Sector specific agencies, federal departments responsible for infrastructure protection activities in a designated critical infrastructure sector, are prepared to address cybersecurity concerns across various industries, said witnesses at a House Energy and Commerce Committee hearing on Tuesday. 

Malicious actors are targeting U.S. infrastructure, said witnesses. In 2021, President Biden signed an executive order on improving American cybersecurity capabilities following the Colonial Pipeline ransomware attack and SolarWinds breach in 2020. 

In March, two bills were introduced by Senators Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., to establish pilot programs in the Department of Defense and Homeland Security that would hire civilian cybersecurity personnel in reserve. 

The Administration for Strategic Preparedness and Response addresses increasingly sophisticated and frequent attacks on hospital and public health centers by providing each hospital with personalized and specific instruction on mitigation and disaster response best practices. 

Cyberattacks on hospitals have a negative effect on the surrounding area similar to that of a natural disaster, claimed Brain Mazanec, deputy director of the Office of Preparedness at ASPR. There have been more than double cyber-attacks on hospitals from 2016 to 2021, he said. 

The Environmental Protection Agency is responsible for addressing water system cyberattacks, said David Travers, director of Water Infrastructure and Cyber Resilience Division at EPA. The EPA’s Evaluating Cybersecurity guidance is intended to assist states with building their own secure systems for water and sewer systems.  

It is essential that sector specific agencies develop strong relationships with sectors under their jurisdiction well before disastrous incidents occur, said Puesh Kumar, director of the office of cybersecurity at the Energy Security and Emergency Response at the Department of Energy. 

The Energy and Commerce Committee also participated in a markup of the Energy Emergency Leadership Act Tuesday which would amend the Department of Energy Organization Act to elevate the leadership of the DOE’s emergency response and cybersecurity functions. 

“Establishing assistant-secretary leadership at the department will reflect the importance of managing this threat,” said Subcommittee on Energy, Climate, and Grid Security Chair Jeff Duncan. 

The Act passed on unanimous vote to report to the full committee without amendment. 

Duncan also emphasized the importance of a strong domestic supply chain, calling for a “‘Made in America’ system for nuclear fuel” in order to “give the domestic industry the market certainty they need to invest and build out the necessary infrastructure.”

On June 27, Broadband Breakfast’s Made in America Summit will examine energy infrastructure and international supply chain issues in depth.

Continue Reading

Cybersecurity

Charter Suggests Network Authentication Layer for Equipment Certification

The telecom said manufacturers are in the best position to ensure security.

Published

on

Illustration from Security Architect

WASHINGTON, April 5, 2023 – Charter Communications is recommending the Federal Communications Commission require device manufacturers seeking equipment authorization to add a layer of authentication security to protect against cyberthreats.

In a letter to the commission on Friday, the telecommunications company suggested the commission require, as a condition of certification, devices pass a security authentication step to connect to the user’s network. When an internet-connected device connects to a network, it can also access sensitive information being shared on it – leaving the door open to malicious activity.

This “baseline” security “would erect a new barrier to prevent malicious actors from exploiting unauthorized or unidentified devices connected to consumer broadband networks without consumers’ knowledge or consent,” Charter said in its letter, following a meeting with FCC officials. “It would also be a simple and efficient way to address major cybersecurity vulnerabilities without the Commission needing to prescribe detailed cybersecurity requirements.”

“The most vulnerable devices often lack strong passwords and other basic security measures, which make them susceptible to malicious actors and frequent sources of harmful traffic across networks,” Charter added. “Devices that can connect to home networks without first being authenticated are also a significant source of cyber threats. And, despite various educational efforts, many consumers still never change the default passwords that come printed on their devices.”

The company noted that this practice is accepted by industry standards bodies and the broader security community and would relieve consumers of an additional burden when they come to connect their devices.

In conjunction with a November order that halted equipment authorizations from companies on a national security blacklist, the FCC is currently contemplating a proposal that would revamp the equipment authorization program to minimize cybersecurity threats and other malicious activity of foreign agents. The proposal asks whether it should ban component parts of a problematic device, and not just the manufactured product, and if it should require certification applicants to have a U.S.-based representative to ensure compliance.

As ubiquitous 5G connectivity takes hold in the country, more and more internet-connected devices are flooding the market.

“The proliferation of cybersecurity incidents in recent years and, particularly, the growing number of cyber threats that exploit unsecured IoT devices, underscores the need for more proactive efforts to deter and combat vulnerabilities before they reach consumers,” Charter noted in the letter, adding device manufacturers are in the “best position” to address these common security vulnerabilities.

Charter added that a combination of device manufacturer action on the authentication front and user action to additional security layers – through stronger passwords, for example – “will better protect Americans and US networks from the growing harm of cyber threats.”

The company said it actively strives to enhance security measures for its devices, including some of its newer routers requiring users to provide a unique credential to manage their home network instead of a default password. It said its routers also have pre-set security settings and undergo regular software updates.

FCC Commissioner Nathan Simington had previously advocated for mandating ongoing, as-needed cybersecurity updates to mitigate risks on wireless devices already in the hands of consumers.

Continue Reading

Signup for Broadband Breakfast News



Broadband Breakfast Research Partner

Trending