Analysis | Make companies liable for software insecurity, top … – The Washington Post

A newsletter briefing on cybersecurity news and policy.
with research by Vanessa Montalbano
Welcome to The Cybersecurity 202! David DiMolfetta is going to be the full-time researcher for both us and The Technology 202, and he contributed on his very first day! On occasions when he takes over in my absence, he’s surely going to diversify the music recommendations I’m prone to giving around here. Please give him a warm welcome.
Below: The National Security Council is hosting a roundtable on artificial intelligence today with experts from the United States and European Union, and the U.S. Marshals Service suffered a “major” security breach last week. First:
Congress should advance legislation allowing software manufacturers to be held legally liable for the insecurity of their products, and it should also shield companies that develop secure software from legal liability, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said Monday.
By calling for that proposal, Easterly waded into one of the toughest cyber issues to crack.
But Easterly mentioning it “made my day,” said Mark Montgomery, who was executive director of the Solarium Commission and serves in the same role in its successor organization, CSC 2.0. It’s “one of the hardest kinds of legislation to get done in Congress,” he told me, because it would hold a whole industry accountable for its security missteps.
Easterly’s proposal comes amid a CISA push for tech companies to offer products that are “secure-by-design,” meaning that security is baked into the design process from the beginning, and “secure-by-default,” which refers to products that arrive with secure settings at no additional cost.
“Government can work to advance legislation to prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services,” Easterly said during a speech at Carnegie Mellon University.
Easterly elaborated afterward in a question-and-answer session with the audience:
But she hasn’t reached out to Congress or industry to gauge interest in the legislative proposal, she told reporters after the event. She said she expects to see “some of the ideas I previewed today in the national cyber strategy,” a long-awaited Biden administration policy blueprint. The Office of the National Cyber Director worked with industry on the document, she noted. 
“Obviously we want to work any of these things very closely with the Congress, and frankly, cybersecurity is an issue that has enjoyed bipartisan support and we want to continue to have that bipartisan support,” Easterly said. “Industry realizes the importance of this as well, so I’m looking forward to having robust conversations with both.”
Because of the push-and-pull between software companies that want protections and consumer advocates who want accountability, the idea has been tough to get off the ground, Montgomery said. 
“If she can thread that needle, good on her,” he said of Easterly. Further complicating matters, Montgomery said, is deciding specifics like, “When does that liability end? When you stop doing software upgrades?” Microsoft supported Windows 7, released in 2009, with patches until 2020.
The Solarium panel drafted sample legislation as a starting point for any lawmaker who wants to embrace the issue, but it has had trouble finding takers, as of a CSC 2.0 report in the fall.
It shares space among the commission’s most difficult proposals with consolidating congressional oversight of cybersecurity into one committee each in the House and Senate. Lawmakers are notorious for not wanting to give up their existing oversight powers.
Two arguments cautioning against the liability legislation idea go like this, courtesy of Chris Wysopal, a member of the famed hacker collective L0pht and the founder and chief technology officer of the cybersecurity company Veracode:
In addition, House Republicans like Homeland Security Committee Chairman Mark Green (R-Tenn.) have appeared skeptical of imposing additional cybersecurity regulations on the private sector. A spokesperson for Green did not respond to a request for comment.
One industry group that represents prominent software makers, BSA | The Software Alliance, said in response to Easterly’s comments that it has been pushing secure software guidelines and has listed improving software security as its top cyber agenda item.
“Laws and policies that seek to improve software security should be risk-based, technology and vendor-neutral, and incentivize innovation,” Aaron Cooper, vice president of policy at the group, told me via email. 
The Information Technology Industry Council, another group, “has long advocated for secure-by-design practices as an important component of a holistic approach to cybersecurity risk management,” said John Miller, its senior vice president of policy and general counsel. 
The groups look forward to working with the Biden administration and Congress, Cooper and Miller said.
Jay Bhargava, a spokesperson for Senate Homeland Security and Governmental Affairs Chair Gary Peters (D-Mich.), said, “We’re currently examining this issue.”
The National Security Council is hosting a high-profile group of artificial intelligence and policy experts today as part of a new collaboration between the U.S. and E.U. on AI, according to details shared exclusively with The Cybersecurity 202. 
The meeting is meant to kick-start discussions about the technology’s growing threat across the globe. It will feature presentations by research teams in both countries about their progress so far in delivering benefits for extreme weather and climate forecasting, emergency response management, health and medicine improvements, electric grid optimization, and agriculture optimization, according to an NSC spokesperson who spoke on the condition of anonymity to speak candidly on the matter. 
The collaboration comes as the cyber world is wrestling with how to deal with artificial intelligence because many of its impacts remain unknown. Last month’s announcement of the collaboration said it would be crucial to establishing a secure internet and maintaining digital privacy. 
The U.S. Marshals Service on Monday confirmed that it suffered a significant data breach earlier this month in which hackers were able to access sensitive law enforcement information about the subjects of agency investigations, NBC News’s Andrew Blankstein, Michael Kosnar, Jonathan Dienst, and Tom Winter report.
In a statement Monday, Marshals Service spokesperson Drew Wade told NBC that the Feb. 17 extraction “contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.”
He added that ransomware affected a stand-alone system, which was quickly disconnected from the network. The Justice Department has already launched a forensic investigation into the breach and the agency has also been able to create a workaround so that it can still conduct critical business. 
A senior official familiar with the matter who spoke on the condition of anonymity to discuss the incident said that it did not involve the database related to the witness protection program, and that none of those individuals were in danger because of the breach. 
Itemized lists of components that make up software products, known as Software Bills of Materials (SBOMs), are increasingly recognized as helpful in advancing software security, an industry group said in a policy paper today — but it stressed that policymakers should not rush to institute SBOMs in statutory cyber reporting requirements. 
The Information Technology Industry Council said in the paper it shared exclusively with The Cybersecurity 202 that SBOMs can help organizations identify their potential risk vulnerabilities. But requirements now would be impractical because present-day SBOM reports would not necessarily align with other reporting requirements developed later, and the concept still needs time to develop before becoming law, the group said. Lawmakers excluded an SBOM proposal from last year’s defense policy bill.
Many thanks to our new colleague David DiMolfetta for helping report this item. 
White House gives agencies 30 days to impose federal device TikTok ban (CNBC)
House panel to debate bill allowing president to ban TikTok (The Hill)
‘Take It Down’ tool helps young people remove explicit online images (Wall Street Journal)
Danish hospital websites targeted in cyber attack (The Local Denmark)
New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware (Bleeping Computer)
Murdoch admits some Fox hosts ‘were endorsing’ election falsehoods (By Jeremy Barr, Sarah Ellison and Rachel Weiner)
TikTok banned on all Canadian government mobile devices (Associated Press)
Thanks for reading. See you tomorrow.