The White House releases important cybersecurity guidelines today

Welcome to Cybersecurity 202! The mismatched musical covers are a mixture of stunts and surprising efficiency, but the Afghan Whigs version of “Creep” by TLC won’t get out of my brain so for me it’s the last one. Although…since the Whigs have convincingly argued that they’re an R&B band despite forming as a “grunge” band, maybe it’s not that badly matched.

Below: Peiter “Mudge” Zatko testifies on Capitol Hill, and the US government denounces Russia’s foreign influence operations. First:

First in The Cybersecurity 202: Highly Anticipated Security Advice Arrives Today from the Biden Administration

A White House office is issuing guidelines this morning on how federal agencies and government contractors will comply with President Biden's executive order, which last year required federal systems and vendors to meet common cybersecurity standards.

The memo, which The Cybersecurity 202 is reporting for the first time, is perhaps the most anticipated Office of Management and Budget (OMB) cybersecurity guidance since federal Chief Information Security Officer Chris DeRusha joined the Biden administration in early 2021, he told me.

At stake is the security of government systems, and therefore the federal government's ability to deliver services, as well as the process behind multibillion-dollar federal contracts. That, in turn, could put pressure on any company that wants to do business with the federal government to meet its standards, as a senior administration official told reporters last year before the rollout of the Biden executive order that spawned today's memo.

“We all use Outlook email. We all use Cisco and Juniper routers,” the official said. “So basically, by setting these secure software standards, we’re benefiting everyone as a whole.”

Besides the memo, OMB is set to release a blog post from DeRusha this morning.

“The guidelines, developed with input from the public and private sectors as well as academia, direct agencies to use only software that meets secure software development standards…and will allow the federal government to quickly identify security flaws when new vulnerabilities are discovered,” he writes.

OMB has not yet widely shared the final draft with industry, which had expressed some nervousness about what the executive order's details and today's memo might look like.

Biden's May 2021 executive order on cybersecurity listed numerous mandates, ranging from requiring agencies to use security tools such as encryption to creating a cybersecurity review board to analyze major cyberattacks. The order followed a series of high-profile hacks, one of which, the breach of software company SolarWinds, let spies sneak into at least nine federal agencies.

One of the directives in the order was for the National Institute of Standards and Technology to create a framework for secure software development. The final NIST framework includes high-level steps such as:

  • “Produce well-secured software with minimal security vulnerabilities in its releases.”
  • “Identify residual vulnerabilities in software releases and respond appropriately to address these vulnerabilities and prevent similar vulnerabilities from occurring in the future.”

OMB ordered agencies in March to start adopting this framework but left some steps unaddressed, which brings us to today's memo.

What the memo hopes to accomplish

“The main thing we heard from the industry was, ‘We all want to follow secure development practices, but we need to ensure a consistent approach between agencies and vendor processing; we don’t want 100 agencies doing this a hundred different ways,’” DeRusha said.

A somewhat controversial subject sits at the center of one of the memo's steps. Agencies must obtain what is called a “self-attestation” from a software producer before using that software. Essentially, the software vendor vouches for the security of its own product; no outside party checks the claim. If a vendor is later found to be non-compliant, an agency will no longer be able to use its software, according to OMB.

A Department of Defense program to verify the cybersecurity of Pentagon contractors used third-party auditors because the department determined that self-attestations were not a reliable indicator of contractor security, Nextgov reported. The DOD later scaled back that requirement, to a degree.

Another major element of the memo is the amount of information agencies could collect under it. For example, it states that federal agencies can require potential contractors to provide a list of ingredients for their software, known as a software bill of materials (SBOM): an inventory of the components, with versions, that a product is built from. Some have touted this as a measure that could have helped organizations quickly locate and clean up the bug in an extremely popular piece of code known as log4j, because an agency could have searched its SBOMs for the vulnerable component instead of hunting through every system by hand.

This is data that “we can leverage to protect all other federal agencies,” DeRusha said.
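To make concrete how an SBOM helps in a log4j-style emergency, here is an added example; it is my illustration, not code from OMB, NIST or the article. It parses a small constructed CycloneDX-style SBOM, walks nested (transitive) components, and lists every copy of log4j-core whose version falls in the Log4Shell range (2.0-beta9 through 2.14.1, CVE-2021-44228). The sample SBOM, the component names and the version parser are assumptions made for illustration.

```python
import json
import re

# Constructed CycloneDX-style SBOM for illustration; it is not a real vendor artifact.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "com.example", "name": "reporting-service",
         "version": "3.2.0",
         # Nested (transitive) components: the vulnerable copy hides one level down.
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.14.1"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.0"},
    ],
})

# Accepts "2.14.1", "2.0-beta9", "2.0-rc2"; anything else is rejected rather than guessed.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$")


def parse_version(text):
    """Turn a Maven-style version into a tuple that sorts correctly.

    Pre-releases (2.0-beta9) sort below the final release (2.0) of the same number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # 2.0 -> 2.0.0
    if m.group(2):                           # pre-release tag present
        return nums + (0, m.group(2).lower(), int(m.group(3) or 0))
    return nums + (1, "", 0)                 # final release outranks any pre-release


def walk_components(node):
    """Yield every component in the SBOM, including nested (transitive) ones."""
    for comp in node.get("components", []):
        yield comp
        yield from walk_components(comp)


def affected_components(sbom_json, group, name, first_bad, last_bad):
    """Return 'group:name@version' for every copy of a package inside [first_bad, last_bad]."""
    lo, hi = parse_version(first_bad), parse_version(last_bad)
    hits = []
    for comp in walk_components(json.loads(sbom_json)):
        if comp.get("group") != group or comp.get("name") != name:
            continue
        version = comp.get("version")
        if not version:
            continue  # unversioned entry: needs manual review rather than a guess
        if lo <= parse_version(version) <= hi:
            hits.append(f"{group}:{name}@{version}")
    return hits


def find_log4shell(sbom_json):
    """Log4Shell (CVE-2021-44228) affects log4j-core 2.0-beta9 through 2.14.1."""
    return affected_components(sbom_json, "org.apache.logging.log4j", "log4j-core",
                               "2.0-beta9", "2.14.1")


if __name__ == "__main__":
    for hit in find_log4shell(SAMPLE_SBOM):
        print("vulnerable:", hit)
```

The catch a practitioner will notice is that the search is only as good as the SBOM. In the sample above the vulnerable copy is a transitive dependency of another component; a self-attested SBOM that lists only top-level packages would miss it entirely, which is why the memo's reliance on vendor self-attestation matters for this use case too.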

It may take some time for all of this guidance to take effect. The memo contains an appendix with a dozen deadlines for federal agencies, ranging from three months to two years.

But DeRusha talked up the guidance in his blog post.

“The guidance released today will help us build trust and transparency in the digital infrastructure that underpins our modern world and enable us to fulfill our commitment to continue to lead by example while protecting our country's national and economic security,” he writes.

Twitter whistleblower sheds light on company’s cybersecurity practices during testimony before Senate panel

Former Twitter chief security officer Peiter “Mudge” Zatko told members of the Senate Judiciary Committee that company executives were financially incentivized to ignore key cybersecurity issues, and he expanded on claims that agents of foreign governments may have gained access to sensitive company data, Cat Zakrzewski, Joseph Menn, Faiz Siddiqui and Cristiano Lima report. Zatko also grounded his testimony in examples the senators could relate to, such as the hacking of their own Twitter accounts.

“It doesn’t matter who has the keys if you don’t have locks on the doors,” he said. “It’s no exaggeration to say that a company employee could take over the accounts of every senator in this room.”

During the hearing, Zatko also warned of insider threats at Twitter. “A week prior to his firing in January, Zatko said, the FBI notified security personnel that a Chinese agent from the Department of State Security was employed at the company,” my colleagues write. “Twitter ads paid for by the Chinese government could also have obtained information, including the locations of users who clicked on them, he said.”

Russia has secretly spent more than $300 million on foreign political campaigns since 2014, US says

A new US intelligence review said the money had been funneled to candidates and political parties in more than two dozen countries, Missy Ryan reports. The Biden administration declassified the review in an effort to counter Russian foreign influence attempts around the world, a senior US official told reporters.

In a cable provided to reporters, the State Department named Russian oligarchs it said were involved in “funding schemes.” The oligarchs include Yevgeny Prigozhin, whom US officials accused in 2018 of trying to interfere in the 2016 election by funding a Russian troll farm.

The Biggest Election Disinformation Event of the 2022 Midterm Primary: SMS (NBC News)

EU intelligence chief cancels trip to Taiwan after Beijing learns of his secret plans (Politico Europe)

Buenos Aires Legislature Announces Ransomware Attack (The Record)

Indonesia set to pass new data privacy law after series of leaks (Bloomberg)

Former NSA chief Keith Alexander accused of pump-and-dump investment scheme (The Intercept)

  • Current and former leaders of social media companies testify before the Senate Homeland Security Committee today at 10 a.m.
  • A panel of the Senate Judiciary Committee holds a hearing on protecting Americans’ personal information from hostile foreign actors today at 3:30 p.m.
  • Deputy National Security Adviser Anne Neuberger speaks at a DefenseScoop event Thursday at 9 a.m.
  • The House Homeland Security Committee holds a hearing on the cybersecurity of industrial control systems on Thursday at 10 a.m.
  • A panel of the House Oversight and Reform Committee holds a hearing on federal IT Friday at 9 a.m.
  • Rep. Mike Turner (R-Ohio), the House Intelligence Committee’s top Republican, speaks at a Heritage Foundation event on countering foreign misinformation and disinformation while protecting civil liberties Monday at 1 p.m.

Thanks for reading. Until tomorrow.
