AWS Weekly Roundup: Anthropic Claude 3.7, JAWS Days, Cross-account access, and more (March 3, 2025)

I have fond memories of the time I built an application live at the AWS GenAI Loft London last September. AWS GenAI Lofts are back in locations such as San Francisco, Berlin, and more, to continue providing collaborative spaces and immersive experiences for startups and developers. Find a loft near you for hands-on access to AI products and services, events, workshops, and networking opportunities that you can’t miss!

Last week’s launches
Here are some launches that got my attention during the previous week.

Four ways to grant cross-account access in AWS — For some situations, you may want to enable centralized operations across multiple AWS accounts or share resources across teams, or projects within your teams. In these cases you may be concerned about security, availability, or manageability of granting this cross-account access. We’ve announced four ways to grant cross-account access in AWS and detail each of the methods and its unique trade-offs.

Amazon ECS adds support for additional IAM condition keys — We’ve launched eight new service-specific condition keys for Identity and Access Management (IAM). These new condition keys let you create IAM policies as well as Service Control Policies (SCPs) to better enforce your organizational policies in containerized environments. IAM condition keys allow you to author policies that enforce access control based on API request context.

AWS Chatbot is now named Amazon Q Developer — AWS Chatbot has been renamed to Amazon Q Developer, representing an enhancement to developer productivity through generative AI-powered capabilities. Furthermore, this update is an enhancement of our chat-based DevOps capabilities. By combining AWS Chatbot’s proven functionality with the generative AI capabilities of Amazon Q, we’re providing developers with more intuitive, efficient tools for cloud resource management.

Anthropic’s Claude 3.7 Sonnet hybrid reasoning model is now available in Amazon Bedrock — We’re expanding the foundation models (FM) offerings of Amazon Bedrock and we’ve announced the availability of Anthropic’s Claude 3.7 Sonnet foundation model in Amazon Bedrock. Claude 3.7 Sonnet is Anthropic’s most intelligent model to-date. It stands out as their first hybrid reasoning model capable of producing quick responses or extended thinking, meaning it can work through difficult problems using careful, step-by-step reasoning.

Other AWS News
JAWS UG (Japan AWS Usergroup) is the largest AWS user group in the world, and holds JAWS Days every year with over a thousand participants from Japan, Korea, Taiwan, and Hong Kong. The March 1st event started with a keynote speech on next-generation development by Jeff Barr (VP of AWS Evangelism), and included over 100 technical and community experience sessions, lightning talks, and workshops such as Game Days, Builders Card Challenges, and networking parties. If you want to experience the most active AWS community event in the world, I recommend attending next year.



Amazon Q Developer now generally available in Amazon SageMaker Canvas — Announced as available in preview at AWS re:Invent 2024, we’ve now announced the general availability of Amazon Q Developer in Amazon SageMaker Canvas to help you build machine learning (ML) models using natural language.

Applications for the 2025 AWS Cloud Club Captains Program are still open through March 6th. AWS Cloud Clubs are student-led groups for post-secondary and independent students, 18 years old and over. Find a club near you on the Meetup page.

From community.aws
Here are some of my favorite posts from community.aws:

DevSecOps on AWS: Secure, Automate, and Have a Laugh Along the Way – Discover how DevSecOps on AWS transforms your development pipeline by integrating security from the very first commit to production deployment, by Ahmed Mohamed.

Find out how to earn 100 percent free AWS certification vouchers in this post by Anand Joshi.

In the post, Boost SaaS Onboarding & Retention with AWS AI & Automation, Kaumudi Tiwari details how to navigate endless forms, generic guides, and a cluttered interface when signing up for a new SaaS platform.

My colleague Dennis Traub has published helpful step-by-step guides on how to use reasoning capabilities with Claude 3.7 Sonnet in your C#/.NET, Java, JavaScript, or Python applications. Find these posts and much more generative AI-related content in the Gen AI Space on community.aws.

Upcoming AWS events
Check your calendars and sign up for these upcoming AWS events:

AWS Community Days – Join community-led conferences that feature technical discussions, workshops, and hands-on labs led by expert AWS users and industry leaders from around the world: Milan, Italy (April 2), Bay Area – Security Edition (April 4), Timișoara, Romania (April 10), and Prague, Czech Republic (April 29).

AWS Innovate: Generative AI + Data – Join a free online conference focusing on generative AI and data innovations. Available in multiple geographic regions: APJC and EMEA (March 6), North America (March 13), Greater China Region (March 14), and Latin America (April 8).

AWS Summits – Join free online and in-person events that bring the cloud computing community together to connect, collaborate, and learn about AWS. Register in your nearest city: Paris (April 9), Amsterdam (April 16), London (April 30), and Poland (May 5).

AWS re:Inforce – AWS re:Inforce (June 16–18) in Philadelphia, PA is our annual learning event devoted to all things AWS cloud security. Registration opens in March–be ready to join more than 5,000 security builders and leaders.

AWS DevDays are free, technical events where developers will learn about some of the hottest topics in cloud computing. DevDays offer hands-on workshops, technical sessions, live demos, and networking with AWS technical experts and your peers. Register to access AWS DevDays sessions on-demand.

Create your AWS Builder ID and reserve your alias. Builder ID is a universal login credential that gives you access–beyond the AWS Management Console–to AWS tools and resources, including over 600 free training courses, community features, and developer tools such as Amazon Q Developer.

AWS Training and Certification hosts free training events, both online and in-person, that help you get the most out of the AWS Cloud. Register to gain foundational cloud knowledge or dive deep in a technical area. Join AWS experts for training events that meet your goals, such as AWS Discovery Days, in-person and virtual events at AWS Skills Centers including the one in Cape Town.

You can browse all upcoming in-person and virtual events here.

That’s all for this week. Check back next Monday for another Weekly Roundup!

– Veliswa

This post is part of our Weekly Roundup series. Check back each week for a quick roundup of interesting news and announcements from AWS!

from AWS News Blog https://ift.tt/jn0SeCb

Why Cyber Resilience Legislation is Vital to Safeguarding Our Networks

Mary Ward was a pioneer. She was considered to have a talent for drawing, researching insects and writing several books on microscopy, which made her one of the most prominent scientists in the British Isles – a novelty for a woman at the time. Another novelty was her steam-powered carriage, in which she rolled through Ireland. In 1869, her vehicle earned her a sad notoriety: Ward is considered the first road traffic fatality. On a bend, the 42-year-old slipped off the bench, fell in front of the cart, which then ran over her. Seat belts, which might have saved the life of the mother of eight, were not mandatory at the time. It was only around 1900 that rules for traffic as we know them today emerged. Rules to avert damage and to make the interaction of everyone safer for all, something which is also the case today in the IT world. Countries are pushing ahead with legislation with the aim of protecting companies, administrations, and individuals from dangers from cyberspace.

Traffic regulations for more cyber security

From North America to India and Asia – all over the world, digital traffic regulations are in demand. Politicians are looking for ways to make the digital economy more resilient. The goal: To establish a culture of security in all private and public spheres. A look at Europe shows how this might be achieved. The European Union is currently pushing ahead with the new version of the directive for Network and Information Systems (NIS2). The union of states is pursuing the idea of modernizing the existing legal framework and adapting it to the intensifying threat situation. Although more digitalization also creates more opportunities for value creation, every additional digital opportunity also opens up potential gateways for third parties with nefarious intentions.

Whether it’s the energy, water, banking, finance, or health sectors, NIS2 extends the group of companies and public institutions that must make their IT landscape more resilient. And this applies to all sectors that are of crucial economic and social importance and are particularly dependent on information and communication technologies. The rules apply directly to a wider range of institutions and indirectly to companies that are part of a supply chain. The example of CrowdStrike shows why this is crucial: On July 19, 2024, the cybersecurity provider delivered a faulty update that caused computer systems around the world to fail. Around 8.5 million Windows devices at airlines, hospitals and retailers were affected. It was a simple glitch, but in a fully digitally networked economy, it turned into an unprecedented problem.

Authorities, standards and guidelines to mitigate cyber risks

From hackers and botnets to accidents and mishaps, more and more digitalized and industrialized economies are arming themselves against threats like these. In 2022, for example, the Strengthening American Cybersecurity Act was passed in the US. The law updates existing federal information security regulations, requires operators of critical infrastructure to report cyber and ransomware attacks, and improves the security of cloud services for federal agencies. Not unlike Malaysia: Malaysia’s first standalone Cyber Security Act 2024 came into force in 2024. The law sets regulatory standards for cybersecurity and aims to protect the national critical information infrastructure. A dedicated agency – the National Cyber Security Committee – is to implement and monitor the requirements. The same applies to India and Singapore: The subcontinent has set up its own government agency, the Indian Computer Emergency Response Team, which publishes guidelines and recommendations for companies and is responsible for preventing cyber attacks. And the city state aims to protect critical information infrastructures with their Cybersecurity Act introduced in 2018.

Internet Exchanges and cyber resilience: More resilience for providers and customers

Critical infrastructure with a particularly high economic importance and need for protection: This is precisely the situation of telecommunications companies in many countries around the world. The basic principle is that to make networks resilient, all levels – from undersea cables to Internet Exchanges to data centers – must be individually secured. In practical terms, this means that each infrastructure is only as resilient as the individual elements of which it is composed. So, if all the components of a shared infrastructure – be it the roads or the global telecommunications infrastructure – are designed to be redundant and diversified, the overall system will be more resilient for everyone. On the one hand, for the providers who provide their services in this way and, on the other hand, for the customers who build their own IT on such mutually secured services and solutions.

Telecommunications providers in particular are setting a good example in this respect. In contrast to other industries, they often have a fully integrated resilience approach, as figures from PwC’s Global Crisis and Resilience Survey 2023 show: Technology, Media and Telecommunications has the most integrated resilience programs (28%), ahead of Health (24%), Energy (24%), and Financial Services (22%). This includes interconnection providers in Europe and Germany – in view of NIS2, some operators will have to tighten up their identity and access management, but in principle, interconnection services already belong to the “critical infrastructure” category (according to NIS1). In addition, many Internet Exchanges are now certified according to national regulatory requirements such as the so-called IT-Grundschutz from the German Federal Office for Information Security and ISO27001. Both are recognized frameworks and standards for IT and information security, which NIS2 demands.

Not just a compliance exercise: Weighing up IT risks in our own economic interest

Whether in Berlin, Kuala Lumpur, New Delhi or Washington – companies that want to ensure professional and secure IT operations for themselves and their customers have always been well advised to follow guidelines and standards for greater IT security. And that is true even out of pure economic self-interest. The experts at PwC, for example, recommend that laws for more cyber resilience should not be dismissed as mere compliance and checklist exercises, but should be recognized as a competitive advantage. Those who do not base their actions solely on how the law will affect them elevate their own corporate interests to the level of the common good of society.

Self-interest as the basis for the common good? Whether on the information superhighway or on the road, it makes sense. Since they came into force in 1934, Germany alone has amended its road traffic regulations more than 30 times – from speed limits to lane markings to the general requirement to wear seat belts. Very much in the spirit of Mary Ward.

 

The post Why Cyber Resilience Legislation is Vital to Safeguarding Our Networks appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/pt1fJ8B

Mitigated – Power Event in West US region

Starting at 15:51 UTC and 17:15 UTC on 28 Feb 2025, a power event occurred in the West US region. This caused service disruptions to Azure services in the region. This incident is now mitigated. Impacted customers will continue to receive detailed communications through their service health portal. This post will be removed in 10 minutes.

from Azure Status https://ift.tt/I8SrHBF

Army soldier linked to Snowflake attack spree allegedly tried to sell data to foreign spies

U.S. authorities say a 21-year-old U.S. Army soldier attempted to sell stolen sensitive information to a foreign intelligence service as part of a broader effort to extort victims and leak call records of high-ranking public officials.

In November while on active duty, Cameron Wagenius made multiple attempts to extort $500,000 from a major telecommunications company while threatening to leak additional phone records belonging to the same high-ranking officials, according to court documents filed Wednesday in the U.S. District Court for the Western District of Washington. 

Authorities did not name Wagenius’ alleged victims in court filings, but Allison Nixon, chief research officer at Unit 221B, confirmed to CyberScoop that AT&T is the telecom company he tried to extort for ransom. Wagenius previously filed a notice of intent to plead guilty to unlawfully posting and transferring confidential phone records.

The criminal activities alleged against Wagenius underscore the bold actions cybercriminals will take to extort victims and evade capture. 

Throughout most of November, Wagenius communicated with an email address he believed belonged to a foreign intelligence service in an attempt to sell stolen data, prosecutors allege. Soon after this communication stopped, he allegedly queried a search engine for “can hacking be treason.”

Wagenius conducted multiple online searches in October, indicating a desire to flee the United States and defect to Russia, according to court documents. Wagenius is also accused of searching for “where can I defect the U.S. government military which country will not hand me over.”

Authorities didn’t identify the nation in the court filing, but said Wagenius searched for information about defecting to the same country he attempted to sell stolen information to in November.

“While financially motivated cybercriminals have always been opportunistic and sought to evade capture, this case shows potential crossover into national security threats,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said in an email. “The alleged attempt to sell data to a foreign intelligence service isn’t just about financial gain — it indicates a willingness to engage with state-level actors, blurring the lines with espionage.”

Wagenius’ alleged actions “reveals how financially motivated cybercrime can directly intersect with and undermine national security interests,” Larsen said.

Some of the records allegedly in Wagenius’ possession were stolen last year in an attack spree targeting as many as 165 organizations that stored data on Snowflake, according to cybercrime researchers. Wagenius’ alleged co-conspirators, Connor Moucka and John Binns, were indicted in November for allegedly extorting more than 10 organizations after breaking into cloud platforms used by AT&T and other major companies. 

AT&T in July confirmed cybercriminals accessed the company’s Snowflake environment in April and stole six months of phone and text records of “nearly all” of its customers.

“It was all part of the same criminal conspiracy, and they worked together to abuse data for commercial gain,” Nixon said.

“This case further underscores the need to recognize this online gang culture — ‘The Com’ — that’s springing up right under our noses. It’s not only an external security threat, but an insider threat,” she added. “This Army soldier effectively had gang affiliations, which is a huge risk for the special access he had.” 

Wagenius, who identified himself as kiperphant0m and cyb3rph4nt0m on online criminal forums, has conducted extensive malicious cyber activity for years, prosecutors allege in the court filing arguing for his continued detention. Wagenius “presents a serious risk of flight, has the means and intent to flee, and is aware that he will likely face additional charges,” prosecutors said in the filing.

Federal law enforcement seized Wagenius’ devices Dec. 4 and later found evidence indicating he had access to thousands of stolen identification documents and large amounts of cryptocurrency. Days later, Wagenius purchased a new laptop, against his commanding officer’s order, and used it every day over a five-day period in the barracks at Fort Cavazos in Texas with VPN software to hide his identity and location, according to court documents. 

“There has been a historical lack of deterrence against cybercrime, from a combination of low arrest rates and courts failing to take victims seriously. This is why they escalate,” Nixon said. “I don’t think cybercriminals understand the blowback that’s coming because of their escalation.”

The post Army soldier linked to Snowflake attack spree allegedly tried to sell data to foreign spies appeared first on CyberScoop.

from CyberScoop https://ift.tt/yoTSLlJ

Fortifying the Nation’s Cybersecurity Posture in a New Administration

Cybersecurity and resilience have grown in priority for both the public and private sectors as threat surfaces reach unprecedented scales and threat actors gain new capabilities. The growing scale and complexity of cyber-attacks not only pose a threat to national security but also cost victims trillions of dollars each year. As the nation transitions from one administration to the next, U.S. leaders must continue to build on the successes of previous administrations, address gaps that exist in the nation’s cybersecurity ecosystem, and continue leaning on public-private partnerships that have proved valuable in the past. 

Carrying Best Practices Into a New Administration

Within the last eight years, the Biden-Harris and the Trump-Pence administrations have taken tangible steps to fortify the country’s security posture. In 2018, President Trump signed the Cybersecurity and Infrastructure Security Agency (CISA) Act of 2018 to establish CISA, a first-of-its-kind component agency dedicated to U.S. cybersecurity. Following multiple cyber-incidents in the U.S., in 2021, President Biden issued Executive Order 14028 (EO 14028), aimed at modernizing and protecting federal networks, improving public-private partnerships, and strengthening the ability to respond to incidents.

In 2022, Congress and the Biden-Harris Administration took this action a step further by enacting the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), requiring covered entities to report covered cyber-incidents and ransom payments to CISA. Later that year, former President Biden issued a memorandum to EO 14028, directing federal agencies to only use software provided by software producers who can attest to complying with the “NIST Guidance” outlined in the memorandum. In this case the “guidance” refers to the NIST Secure Software Development Framework and the NIST Software Supply Chain Security Guidance.

Both CIRCIA and the subsequent memorandum marked pivotal steps to improve public-private partnerships to defend and respond to threats, while also shifting liability onto software producers who fail to take reasonable precautions to secure their software. 

Software vendors can take multiple steps to build security into the products that agencies will use, much like car seatbelts fitted for safety. Chief among them is the adoption of a secure-by-design framework and software build environment incorporating security into the products from their inception. For example, security vendors should base their build environment on four central tenets:

  1. Base the build system on ephemeral operations that leave no long-lived environments available for attackers to compromise.
  2. Produce deterministic artifacts to ensure security.
  3. Build in parallel, utilizing isolated and distinct build environments, standard validation, and security. Each build environment should have very limited access, and no single person should have access to them all. 
  4. Verify every build step and produce cryptographically signed statements of fact for each of the tasks executed in the pipeline, creating an immutable record of proof and providing complete traceability. 
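
Tenets 2 to 4 can be made concrete with a small added example (not code from the article or from any vendor's pipeline): two isolated builders run the same steps, each emits a chained, signed statement per step, and a verifier checks each chain and compares outputs across builders. The keys, step functions and names are constructed for illustration, and HMAC stands in for the asymmetric signature a real pipeline would use.

```python
import hashlib
import hmac
import json

# Constructed per-environment keys (assumption). HMAC stands in for an
# asymmetric signature so the example runs on the standard library alone.
BUILDER_KEYS = {"builder-a": b"constructed-key-a", "builder-b": b"constructed-key-b"}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _payload(stmt: dict) -> bytes:
    """Canonical bytes that get signed: every field except the signature."""
    body = {k: v for k, v in stmt.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def attest(builder: str, step: str, data_in: bytes, data_out: bytes, prev_sig: str) -> dict:
    """Signed statement of fact for one executed step, chained to the previous one."""
    stmt = {"builder": builder, "step": step, "input": digest(data_in),
            "output": digest(data_out), "prev": prev_sig}
    stmt["sig"] = hmac.new(BUILDER_KEYS[builder], _payload(stmt), hashlib.sha256).hexdigest()
    return stmt


def run_pipeline(builder: str, source: bytes, steps) -> list:
    """Run each (name, func) step in order and record one attestation per step."""
    chain, data, prev = [], source, ""
    for name, func in steps:
        out = func(data, builder)
        stmt = attest(builder, name, data, out, prev)
        chain.append(stmt)
        data, prev = out, stmt["sig"]
    return chain


def verify_chain(chain: list, source: bytes) -> bool:
    """Check signatures, linkage between statements, and digest continuity."""
    expected_in, prev = digest(source), ""
    for stmt in chain:
        key = BUILDER_KEYS.get(stmt["builder"])
        if key is None:
            return False
        good = hmac.new(key, _payload(stmt), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, stmt["sig"]):
            return False
        if stmt["prev"] != prev or stmt["input"] != expected_in:
            return False
        expected_in, prev = stmt["output"], stmt["sig"]
    return True


def first_divergence(chain_a: list, chain_b: list):
    """Name of the first step whose output differs between two builders, else None."""
    for a, b in zip(chain_a, chain_b):
        if a["step"] != b["step"] or a["output"] != b["output"]:
            return a["step"]
    return None if len(chain_a) == len(chain_b) else "length-mismatch"


# Constructed toy steps. Each receives (data, builder) so that a step *can*
# leak environment state into its output, which is what breaks determinism.
def normalize(data, builder):
    return data.replace(b"\r\n", b"\n")


def package(data, builder):
    return b"PKG1\n" + data


def package_leaky(data, builder):
    return b"PKG1\nbuilt-on=" + builder.encode() + b"\n" + data


SOURCE = b"print('hello')\r\n"  # constructed input
GOOD = [("normalize", normalize), ("package", package)]
LEAKY = [("normalize", normalize), ("package", package_leaky)]
```

A release gate built on this idea would accept an artifact only when every chain verifies and `first_divergence` returns `None`; a non-`None` result names the step to investigate.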

As vendors employ multiple build environments for engineers and application security teams to validate and test the software to ensure it operates effectively and securely, adopting an assumed breach mindset is also important. An assumed breach mindset takes zero-trust a step further, reducing the attack aperture and risk by eliminating implicit trust and relying on artificial intelligence (AI) and analytics to continuously validate connections between users, data and resources through identity access management, multi-factor authentication, and other measures to insulate the environment from security threats.

Coupled with observability, organizations can gain single-pane-of-glass visibility into the entire environment to proactively identify issues, including potential breaches. The assume breach model needs accurate information to mitigate risks. Observability clarifies how assets fit into the ecosystem and provides critical data about infrastructure and indicators to protect the most critical assets. 

However, the responsibility for strengthening our nation’s cybersecurity posture does not rest solely on organizations.

Filling in the Gaps 

The federal government also plays a vital role in addressing systemic challenges. While the U.S. has made positive strides hardening federal information systems and networks during the last decade, the Trump-Vance Administration must address remaining gaps to bolster the resilience of the nation’s digital ecosystem. One of those gaps is workforce development.

As our world becomes more connected through technology, the demand for cybersecurity professionals to address the expanding threat landscape will continue to grow. For example, according to the World Economic Forum’s Global Cybersecurity Outlook 2024, 52% of public organizations said that a lack of resources and skills is their biggest challenge when designing cyber resilience. Another contributing factor to the cyber-workforce shortage is the rapid proliferation of emerging technologies such as cloud computing and AI. While these technologies have introduced numerous benefits and capabilities, they have also widened the workforce gap creating additional skill shortages. The International Information System Security Certification Consortium reports that of 14,865 cybersecurity professionals surveyed globally, 92% said their organization suffers from skills gaps in one or more areas. 

The federal government is attempting to address this widening gap through various skills-based initiatives to expand the cyber-talent pipeline. In 2023, the Office of the National Cyber Director (ONCD) began implementing the National Cyber Workforce and Education Strategy (NCWES) aimed at growing the cyber workforce, increasing diversity, and improving access to cyber education and training through partnerships across the private sector. Another potential pathway, recently introduced in a bill by House Homeland Security (HLS) Chairman Mark Green (R-TN-07), aims to provide full scholarships for cyber training and education for students who, in turn, will work for the federal government for a certain number of years. While both initiatives have enormous potential, they will take time to implement and mature to their full potential.

The public and private sectors will have to continue finding creative ways to recruit, train, and retain cyber-talent to defend cyber space from malicious actors now and into the future. For instance, SolarWinds CEO Sudhakar Ramakrishna has proposed an initiative in which industry partners provide one full-time equivalent (FTE) employee to CISA to work together as a community. We are all resource constrained. Supplementing CISA with hundreds, if not thousands, of FTEs from across the industry could yield a relatively large, skilled workforce focused on creating best practices, advanced threat intelligence, and broadly sharing that information across the ecosystem. Such an initiative would help fill the gap immediately and strengthen the public-private partnership through a shared defense of our nation’s digital ecosystem. 

The Importance of Public-Private Partnerships

Another gap for the Trump-Vance Administration to quickly fill is the role of former CISA Director, Jen Easterly. Since becoming the operational lead for U.S. federal cybersecurity, CISA has been vital in heightening the security and resiliency of our digitally interconnected ecosystem through public-private partnerships to fortify our nation’s security posture. The public-private partnership fostered by CISA has been instrumental in addressing multiple large-scale attacks, but there is still a lot of work to be done to harmonize legislative and regulatory requirements across the industry.

Like cyber-workforce challenges, legislative and regulatory harmonization will also require strong public-private partnerships to deconflict and standardize reporting requirements. In 2023, the Department of Homeland Security (DHS) identified 45 in-effect cyber-incident reporting requirements administered by 22 federal agencies according to the Harmonization of Cyber Incident Reporting to the Federal Government report. Depending on the critical infrastructure sector, some businesses could be required to report the same incident to multiple federal agencies, at different deadlines, with varied methods (online form, email, verbal, etc.) of submission. Hopefully, CIRCIA will provide some clear parameters and coordination mechanisms to minimize regulatory overlap and conflict among the various federal agencies in that sector.

U.S. Congress must also continue its path to agency harmonization regarding cybersecurity legislation and regulations. Recently, Congressman Clay Higgins (R-LA-3) introduced a bill aimed at streamlining federal cyber-security efforts and removing duplicate reporting requirements. The bill would establish a “Harmonization Committee” consisting of members from ONCD and other regulatory agencies to “develop a regulatory framework for achieving harmonization of the cybersecurity requirements of each regulatory agency.” Clear parameters, standardized reporting channels, and a safe harbor framework are much needed to alleviate confusion about the reporting requirements and allow the victim to focus on mitigating and resolving the threat, rather than worrying about personal liability. 

The Road Ahead

In a CIRCIA hearing last year, Congressman Eric Swalwell (D-CA-14) shared an alarming conversation with a former Fortune 100 CISO, who told him “when an attack happens now, rather than respond to the attack, the first thing that you do is you huddle all of the lawyers and you’re losing precious response time because you’re worried about […] your personal liability on any action that you take, which means that consumer data and consumer information and potentially critical infrastructure could be seriously jeopardized as that’s taking place.” 

We must have a unified, whole-of-nation approach through public-private partnerships to protect federal information systems and networks without imposing legislative and regulatory liabilities that will discourage entry into the cyber workforce. As the outgoing National Cyber Director recently stated in a blog titled Service for America: Cyber Is Serving Your Country, “In an increasingly digital and interconnected world, all cyber jobs are vital to our national security and serve our public interest.” 

In this era of AI, growing cloud architectures, and more dangerous nation-state actors, the new administration has its work cut out to protect national cyber-territory. The good news is that it has a strong foundation on which to build. If the federal government continues to foster positive public-private partnerships to collectively build a sustainable cyber workforce pipeline and harmonize legislative and regulatory processes, the nation will be prepared for whatever cyber-future is on the horizon.

 

 

The post Fortifying the Nation’s Cybersecurity Posture in a New Administration appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/USyQVj0