
The US Preparing for Cyberwar – Part 2


What we are doing to Prepare.

In the post The US Preparing for Cyber War – Part 1, we described how the US built a powerful arsenal of cyber weapons over the last 30 or 40 years and yet neglected to build strong cyber defenses to protect itself from similar attacks by our adversaries. We described how, as a result, the US is now the victim of escalating Ransomware attacks that threaten our economy and, even worse, our critical infrastructure.

In this post, we strive to describe the initiatives that the US Federal Government is pursuing to drastically improve our cybersecurity defensive posture and become more resilient to attacks, especially those devastating cyber attacks coming from enemies declaring war on the US by their deeds.

As we have already mentioned, what is needed is to drastically increase our awareness of the evolving cybersecurity challenge and mobilize people to alter their behavior to become more cybersecurity resilient and less vulnerable.

The US Federal Government, and by that we mean the Cybersecurity and Infrastructure Agency (CISA), created in November 2018 as part of the Department of Homeland Security, is going about this by implementing a very large number of initiatives. While it would be too lengthy to list them all individually, we will categorize them into 3 major groups and describe some of the significant efforts within each category.

CISA’s major initiatives may be categorized as follows:

1 – Cybersecurity for US Critical Infrastructure.

Modern plans for the protection of US critical infrastructure can be traced to the 2006 National Infrastructure Protection Plan (NPP or National Plan). This plan was updated in 2009 and again in 2013. The initial versions of the National Plan did not stress the Cybersecurity threats as much as the latest version. The main evolving threats were considered to be Extreme Weather; Accidents or Technical failures; Acts of Terrorism; Pandemics; and Cyberthreats. The National Plan organizes critical infrastructure into 16 sectors and designates a Federal department or agency as the lead coordinator for each sector. You can read the entire 2013 NPP here if you are curious.

The sectors identified were: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Emergency Services, Information Technology, Nuclear Reactors, Materials & Waste, Food & Agriculture, Defense Industrial Base, Energy, Healthcare & Public Health, Financial Services, Water & Waste Water Systems, Government Facilities, and Transportation Systems.

Unfortunately, the sectoral nature of the NPP resulted in a patchwork of sector-specific cybersecurity laws and regulations adopted piecemeal as data security threats gained public attention. See the above table.

Given the evolving threat faced, the Feds are promoting a new approach via multiple initiatives. Examples of these initiatives are:

a) The Executive Order signed May 12, 2021 to improve the Nation’s cybersecurity and protect federal government networks. This order modernizes the national cyber defense and improves information sharing between the Public and Private sectors. In addition, it adds improvements to the Software Supply-Chain security and to cyber attack investigative and remedial measures.

b) The Industrial Control Systems (ICS) initiative providing threat visibility, indicators, detections and warnings. ICS began in April 2021 with the Electricity subsector. To date, more than 150 electrical utilities representing more than 90 million residential consumers are deploying new cyber-resistant control systems. Similar initiatives for Natural Gas Pipelines and other sectors are in the works. Critical Fuel Pipelines are now required to implement measures against Ransomware attacks and periodic reviews of their cybersecurity posture.

c) Signing of the Cyber Incident Reporting for Critical Infrastructure Act on March 15, 2022. This regulation creates two new reporting obligations for the owners and operators of critical infrastructure across all sectors:

– An obligation to report certain cyber incidents to CISA within 72 hours, and

– An obligation to report ransomware payments within 24 hours

Needless to say, companies in many sectors will be potentially subject to these reporting requirements and, thus, must evaluate their preparedness to comply and act accordingly.

 

2 – Data Privacy and Cybersecurity for US Consumers

The second large group of cybersecurity initiatives is directed towards the US Consumers. These measures primarily address data privacy which clearly cannot be achieved without strong cybersecurity protection.

For these initiatives, the US Congress has taken the lead. On June 21, 2022, the House Energy and Commerce Committee introduced the bipartisan bill, the American Data Privacy and Protection Act (ADPPA), H.R. 8152. If passed, ADPPA would create a comprehensive federal consumer privacy framework.

Among the salient points:

Coverage. ADPPA would apply to most entities including non-profits and common carriers. Some of those defined as large data holders that meet certain thresholds, or service providers that use data on behalf of other covered entities, would face additional requirements.

Covered Data. The covered data would be information that identifies, or is linked or reasonably linked to, an individual.

Transparency. It would require covered entities to disclose, among other things, the type of data they collect, what they use it for, how long they retain it, and whether they make the data accessible to China, Russia, Iran or North Korea.

Consumer Control and Consent. It would give consumers various rights over covered data, including the right to access, correct, and delete their data held by an entity.

Youth Protection. It would create additional data protection for individuals under 17.

Data Security. It would require covered entities to adopt data security practices that are reasonable based on their size and activities. The FTC would be in charge of elaborating these data security requirements.

Small and Medium-size Businesses. These businesses would be relieved from complying with several requirements but not all. For example, they may respond to a consumer request to correct their data by deleting it, rather than correcting it.

Enforcement. The FTC and State Attorneys General would enforce the new law.

ADPPA is similar to other Privacy bills recently introduced in Congress like the Consumer Online Privacy Rights Act (S.3195 – 201/2022), the Data Care Act (2021), the Online Privacy Act (2021), and the Control Our Data Act (2021). None of them have been signed into legislation.

However, what is different about ADPPA is that it has bipartisan support and it generally preempts State laws. This simplifies its enforcement for companies doing business in multiple states. Just the fact that Data Privacy has so much traction in Congress makes it likely that it will be made into law.

What is important for Consumers, cybersecurity-wise, is that the passing of ADPPA will significantly increase the awareness of cybersecurity in the Private Sector and, with that, change its behavior towards becoming more cyber crime resilient.

And, finally,

3 – CISA’s Cybersecurity Awareness Program

CISA has a website dedicated to promoting Cybersecurity Awareness. It can be viewed here.

It is a site full of information, resources and an extensive set of links to other related content. There is so much information there that it is hard to know where to start, but it certainly is an excellent resource.

 

Summary

We have seen how the US Federal Government as well as Congress have become very active dealing with Cybersecurity and the country’s preparedness for cyber attacks. It is clear that the result of these attacks could be very damaging and, whether part of an actual war attack or not, the US must be ready to protect itself.

Merysol Security is a company focused on raising cybersecurity awareness and preparedness. Please contact us if you'd like to have a conversation about how to become more resilient to cyber crime.
