Log4j risk mitigation. CISA state coordinators. Arizona Cyber Command Center is operational. FCC working groups announced. Hybrid warfare and forward defense.

At a glance.

  • CISA on Log4j risk mitigation.
  • FTC on Log4j and regulatory risk.
  • CISA’s state coordinators come on board.
  • Arizona Cyber Command Center treats cybersecurity training as mission-critical.
  • FCC working groups announced.
  • Hybrid warfare and forward defense.

CISA reports federal agencies’ compliance with Emergency Directive 22-02.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) told MeriTalk that the federal agencies it oversees have largely complied with Emergency Directive 22-02, which required them to take specific actions to mitigate Log4j risk by December 23 and to report their status by December 28. A CISA spokesperson said: “Agencies have responded with great urgency to successfully correct assets running vulnerable Log4j libraries, even during the holiday season, or to mitigate the majority of identified affected applications that support ‘solution stacks’ that accept data input from the Internet. CISA has received status reports from all major agencies, which have either corrected or deployed alternative mitigation measures to address the risk to thousands of internet-connected assets, the focus of the recent emergency directive.”

The FTC is clear about what it expects of businesses on Log4j.

Yesterday the United States Federal Trade Commission (FTC) gave the companies it regulates direct advice on how seriously they should take the newly discovered Log4j vulnerabilities: “The duty to take reasonable steps to mitigate known software vulnerabilities involves laws including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. It is essential that businesses and their suppliers relying on Log4j act now, to reduce the risk of harm to consumers and to avoid FTC legal action.” It explicitly reminds companies of what happened when Equifax failed to patch:

“According to the complaint, Equifax’s failure to fix a known vulnerability irreversibly exposed the personal information of 147 million consumers. Equifax agreed to pay $700 million to settle actions by the Federal Trade Commission, the Consumer Financial Protection Bureau, and all fifty states. The FTC intends to use all of its legal authority to prosecute companies that fail to take reasonable steps to protect consumer data from exposure to Log4j or similar known vulnerabilities in the future.”

The Commission refers companies to CISA’s Apache Log4j Vulnerability Guidance. If, after self-inspection and due diligence, an organization finds that it is exposed to the vulnerabilities, it should take the following steps without delay:

  • “Update your Log4j software to the most recent version available here: https://logging.apache.org/log4j/2.x/security.html”
  • “Consult the CISA guidelines to mitigate this vulnerability.”
  • “Make sure corrective action is taken to ensure your business practices don’t violate the law. Failure to identify and correct instances of this software may violate the FTC Act.”
  • “Distribute this information to all relevant third-party affiliates who sell products or services to potentially vulnerable consumers.”
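The self-inspection step above starts with knowing where Log4j actually lives in your estate, including copies packed inside application archives. The Python below is an added example written for this digest (not code from the FTC, CISA or Apache): it opens each JAR/WAR/EAR, reads log4j-core’s Maven metadata (falling back to the file name), descends into nested archives such as fat JARs, and flags copies below an assumed minimum version. The names `POM_PROPS`, `JNDI_CLASS`, `MIN_SAFE_VERSION`, the helper functions and the two sample archives are all constructed for the demonstration; the version threshold must be taken from the Apache security page above before the report is trusted.

```python
import io, os, re, zipfile
from pathlib import Path

# Entries that identify a bundled log4j-core: its Maven metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumed threshold for this example; confirm the current fixed version on the Apache page linked above.
MIN_SAFE_VERSION = (2, 17, 1)

def parse_version(text):
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")  # "2.14.1" -> (2, 14, 1)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def inspect_archive(data, name, min_version=MIN_SAFE_VERSION):
    # Report log4j-core inside one archive (bytes), descending into nested archives
    # such as fat JARs and WARs; returns None when it is not bundled at any depth.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        m = re.search(r"^version=(.*)$", props, re.M)
        # fall back to the file name (log4j-core-2.14.1.jar) when the metadata is stripped
        version = parse_version(m and m[1]) or parse_version(os.path.basename(name))
        return {"path": name, "version": version, "jndi_lookup": JNDI_CLASS in names,
                "needs_update": version is None or version < min_version}
    for inner in sorted(names):  # archives packed inside this one
        if inner.lower().endswith(ARCHIVE_EXT):
            hit = inspect_archive(zf.read(inner), f"{name}!/{inner}", min_version)
            if hit:
                return hit
    return None

def scan_tree(root, min_version=MIN_SAFE_VERSION):
    # Walk a directory tree; one finding per archive that bundles log4j-core.
    paths = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs
             if f.lower().endswith(ARCHIVE_EXT)]
    hits = [inspect_archive(Path(p).read_bytes(), p, min_version) for p in paths]
    return [h for h in hits if h]

def make_archive(entries):
    # Build a constructed archive for the demonstration: {entry_name: bytes} -> zip bytes.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()

# Constructed samples: a legacy log4j-core JAR and a WAR that embeds a patched copy.
SAMPLE_LEGACY_JAR = make_archive({POM_PROPS: b"version=2.14.1\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
SAMPLE_WAR = make_archive({"WEB-INF/lib/log4j-core.jar": make_archive({POM_PROPS: b"version=2.17.1\n"})})
```

Run `scan_tree("/opt/apps")` (or any deployment root) to get one finding per archive; a finding with `needs_update` set, or with `jndi_lookup` present in a copy that should have been patched, is what the FTC’s “identify and correct” step expects you to act on.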

Going forward, the FTC clearly intends to look closely at the supply-chain risks of open-source software:

“The Log4j vulnerability is part of a larger set of structural problems. It is one of thousands of unannounced but critically important open source services that are used by a nearly countless variety of Internet companies. These projects are often created and maintained by volunteers, who do not always have adequate resources and personnel for incident response and proactive maintenance, even though their projects are critical to the Internet economy.[1] This global dynamic is something the FTC will consider as we work to address fundamental issues that put user safety at risk.”

CISA takes a state-by-state approach to cybersecurity.

The US Cybersecurity and Infrastructure Security Agency (CISA) is beginning to implement plans announced last year for state-level cybersecurity advice and information sharing by building a network of federal cybersecurity coordinators across the fifty states. Laura Delaney, CISA deputy assistant director for the Integrated Operations Division, told Nextgov: “CISA’s state cybersecurity coordinators play a central role in sharing threat intelligence with state partners, but it also happens through each state fusion center, which typically includes several other federal partners, as well as the Multi-State Information Sharing and Analysis Center.” States share an overview of their cybersecurity programs and practices, and having people on the ground in the states gives CISA a valuable resource for identifying incidents that may have national impact. In addition to information sharing, the coordinators run workshops on cybersecurity best practices at the state level and advise states applying to the Homeland Security Grant Program. To date, thirty-seven coordinators have been hired, and the selection process has begun for five more.

That said, hiring could prove difficult, since it is hard, especially at the local level, to compete with the attractive salaries private companies offer cybersecurity professionals. Delaney expects CISA’s new cybersecurity talent management system, which “includes new hiring processes, new compensation structures and new development approaches designed specifically to recognize employees for their core cybersecurity skills and their contributions to the mission,” will help. Candidates are currently being sought for cybersecurity coordinator positions in Alabama, Colorado, Iowa, Louisiana, Mississippi, New Mexico, South Carolina, and Tennessee.

The Arizona Cyber Command Center will focus on cybersecurity training.

States are also focusing on cybersecurity: last fall the state of Arizona launched its Cyber Command Center. Chamber Business News reports that Arizona and New Jersey are the only two states that officially classify cybersecurity as a homeland security issue. At the Center’s launch ceremony, Governor Doug Ducey said, “Our society is increasingly interconnected through technology, and cybersecurity has become one of the most significant issues facing Arizona. This new command center will be essential in protecting the people of Arizona and ensuring that our cyber infrastructure remains safe and secure.” Arizona Department of Homeland Security director Tim Roemer, who oversaw the launch of the center, described it to Chamber Business News as “a coalition and partnership between private sector business leaders and state government.” In September alone, the Arizona Department of Homeland Security detected 68 million cyber threats, and between 2005 and 2020 data breaches cost the state more than $1.6 billion. To address this, Roemer is advocating better cybersecurity training for employees and the creation of a “culture of cybersecurity awareness.”

FCC announces working group membership.

The United States Federal Communications Commission’s (FCC) Communications Security, Reliability, and Interoperability Council (CSRIC) advises the agency on maximizing the security and reliability of the nation’s communications systems. MeriTalk reports that on December 30 the FCC announced the membership of six CSRIC working groups, which will focus on topics including the security and reliability of 5G signaling, open radio access network equipment, wireless emergency alerts, and virtualization technology. Group members include industry experts from AT&T, Oracle, Mavenir, and VMware.

Hybrid warfare and the prospect of a more assertive American forward defense.

An Atlantic Council policy paper recommends that the United States recognize that, like it or not, this is indeed a period of hybrid warfare (both cyber and kinetic) and that it should act accordingly. “The [US Department of Defense] must be competitive now and engage in offensive hybrid warfare actions,” the recommendations say. “The United States needs to respond where competition with China and Russia takes place today, primarily by playing an increased role in gray area competition.”

There is and has been, it should be noted, a great deal of loose talk about war and cyberwarfare, in which the concept of conflict is hard to apply literally and unhelpful as a metaphor. But the Atlantic Council is thinking here of the older spectrum of conflict, in which hybrid warfare occupies a sort of gray area between espionage and overt, undeniable kinetic military operations. Hybrid warfare includes deniable kinetic actions, but more importantly it includes offensive cyber operations that go beyond surveillance and collection to more directly disruptive actions.

The Atlantic Council explains, “Accordingly, the Pentagon must embrace the competition paradigm as a continuum from cooperation to competition to armed conflict. But embracing the continuum is not enough; the DoD, working with interagency partners where appropriate, must defend itself more aggressively and take offensive action in the gray area, consistent with U.S. values.”


Steven L. Nielsen