Below: Peter “Mudge” Zatko testifies on Capitol Hill and the US government calls out foreign influence operations from Russia. First:
First on The Cybersecurity 202: Long-awaited security guidance arrives today from the Biden administration
A White House office is releasing guidance this morning on how federal agencies and government contractors will comply with the executive order President Biden signed last year requiring federal systems and vendors to meet common cybersecurity standards.
The memorandum, which The Cybersecurity 202 is reporting first, is perhaps the most anticipated cybersecurity guidance from the Office of Management and Budget (OMB) since federal Chief Information Security Officer Chris DeRusha joined the Biden administration in early 2021, he told me.
It will affect the security of government systems and therefore the federal government’s ability to deliver services, as well as federal contracting worth billions of dollars. That, in turn, could put pressure on any company that might want to do business with the federal government to meet government standards, a senior administration official told reporters last year before Biden issued the executive order that led to today’s memo.
“We’re all using Outlook email. We’re all using Cisco and Juniper routers,” the official said. “So basically, by establishing those secure software standards, we’re all benefiting broadly.”
In addition to the memo, OMB is set to release a blog post this morning from DeRusha.
“The guidance, developed with input from the public and private sectors as well as academia, directs agencies to use only software that conforms to secure software development standards … and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered,” he writes.
OMB has not yet widely shared the final draft with industry, which had expressed some nervousness about how the details of the executive order and today’s memo might look.
Biden’s May 2021 cybersecurity executive order listed many mandates, ranging from requiring agencies to use security tools like encryption to creating a Cybersecurity Review Board to analyze major cyberattacks. The memo followed a series of high-profile hacks, one of which, the breach at software company SolarWinds, allowed spies to break into at least nine federal agencies.
One of the directives of the executive order was for the National Institute of Standards and Technology to establish a foundation for the development of secure software. NIST’s final framework includes high-level steps such as:
- “Produce well-secured software with minimal security vulnerabilities in its releases.”
- “Identify remaining vulnerabilities in software releases and react appropriately to address those vulnerabilities and prevent similar vulnerabilities from occurring in the future.”
OMB directed agencies to start adopting that framework this March, but left out a few steps, which leads us to today’s memo.
What the memorandum hopes to achieve
“The number one thing we heard from the industry was, ‘We all want to follow safe development practices, but we need to ensure a consistent approach across agencies and vendor handling. We don’t want 100 agencies doing it in a hundred different ways,’” DeRusha said. “Absolutely agree with that. And so that is the purpose of this memorandum.”
A somewhat controversial topic is at the center of one of the memo’s steps. Agencies must obtain something called “self-certification” from a software manufacturer before using that software. Basically, the software provider guarantees the security of their product. If a provider is later found to be out of compliance, an agency can no longer use it, according to OMB.
A Defense Department program to verify the cybersecurity of Pentagon contractors introduced third-party auditors because the department determined that self-certifications were not a reliable indicator of contractor security, Nextgov reported. DOD has since backed off this requirement, to some extent.
Another key component of the memo is the amount of information agencies can collect under it. For example, it says, federal agencies can require potential contractors to provide a list of the components in a technology system, known as a Software Bill of Materials. Some have defended this as a measure that could have helped quickly remediate the bug in a hugely popular piece of code known as log4j.
That’s data that “we can use to protect all other federal agencies,” DeRusha said.
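The log4j point above is what an inventory buys a defender in practice: when a component is reported vulnerable, a machine-readable SBOM can be searched instead of asking every vendor. The following is an added example, not code from the newsletter, OMB or NIST. It parses a small CycloneDX-style SBOM constructed for the example (including a nested sub-component), and flags any component whose coordinates and version fall inside an advisory's affected range. The advisory identifier and version range are placeholders chosen for illustration, not a real advisory.

```python
import json
from typing import Iterator

# Constructed CycloneDX-style SBOM for illustration only; not from the page,
# OMB, NIST or any real vendor. The nested component exercises the recursion.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.0"},
        {"type": "application", "name": "reporting-service", "version": "1.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.17.1"},
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.0-beta9"},
         ]},
    ],
})

# Constructed advisory rule: (group, name, first affected, last affected, id).
# The identifier and the inclusive range are placeholders for this example.
VULN_RULES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.14.1",
     "EXAMPLE-ADVISORY-0001"),
]


def parse_version(v: str) -> tuple:
    """Order Maven-style versions: numeric dotted base, with a pre-release
    qualifier sorting below the bare release ("2.0-beta9" < "2.0" < "2.14.1")."""
    base, sep, _qualifier = v.partition("-")
    nums = [int(part) if part.isdigit() else 0 for part in base.split(".")]
    while len(nums) < 3:          # pad so "2.0" and "2.0.0" compare equal
        nums.append(0)
    return (tuple(nums), 0 if sep else 1)


def iter_components(node: dict) -> Iterator[dict]:
    """Walk CycloneDX components, descending into nested sub-components."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def find_affected(sbom_json: str, rules=VULN_RULES) -> list:
    """Return components whose (group, name) match a rule and whose version
    lies inside that rule's inclusive affected range."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in iter_components(bom):
        for group, name, lo, hi, advisory in rules:
            if comp.get("group") != group or comp.get("name") != name:
                continue
            ver = comp.get("version", "")
            if parse_version(lo) <= parse_version(ver) <= parse_version(hi):
                hits.append({"group": group, "name": name,
                             "version": ver, "advisory": advisory})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM):
        print(f"{hit['advisory']}: {hit['group']}:{hit['name']}@{hit['version']}")
```

Run against the sample, the matcher reports the top-level log4j-core 2.14.1 and the nested 2.0-beta9, and leaves log4j-api, jackson-databind and the patched 2.17.1 alone. Real SBOMs would be matched on package URLs and checked against a vulnerability feed, but the mechanism is the same: an inventory turns "are we affected?" into a lookup rather than a survey.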
It may take some time for all of this guidance to become a reality. The memo contains an appendix with a baker’s dozen deadlines for federal agencies, ranging from three months to two years.
But DeRusha promoted the big picture in his blog post.
“The guidance released today will help us build trust and transparency in the digital infrastructure that supports our modern world and allow us to fulfill our commitment to continue to lead by example while protecting our nation’s national and economic security,” he writes.
Twitter whistleblower highlights company’s cybersecurity practices in testimony before Senate panel
Former head of security at Twitter Peter “Mudge” Zatko told members of the Senate Judiciary Committee that company executives were financially incentivized to ignore major cybersecurity problems, and he also expanded on allegations that foreign government operatives could have access to sensitive data at the company, Cat Zakrzewski, Joseph Menn, Faiz Siddiqui and Cristiano Lima report. Zatko also based his testimony on examples that senators could understand — like the hijacking of their Twitter accounts.
“It doesn’t matter who has the keys if you don’t have locks on the doors,” he said. “It’s not a stretch to say that one employee within the company could take over the accounts of all the senators in this chamber.”
At the hearing, Zatko also warned about insider threats on Twitter. “A week before his January firing, Zatko testified, the FBI had alerted security staff that a Chinese agent for the Ministry of State Security was employed by the company,” my colleagues wrote. “Twitter ads paid for by the Chinese government may also have leaked information, including the location of users who click on them,” he said.
Russia has secretly spent more than $300 million on foreign political campaigns since 2014, US says
A new US intelligence review said money was sent to candidates and political parties in more than two dozen countries, Missy Ryan reports. The Biden administration declassified the review in an effort to counter Russia’s foreign influence efforts around the world, a senior US official told reporters.
In a cable provided to reporters, the State Department named Russian oligarchs it said were involved in “funding schemes.” The oligarchs include Yevgeniy Prigozhin, whom US officials accused in 2018 of trying to interfere in the 2016 election by funding a Russian troll farm.
The biggest election disinformation event of the 2022 midterm primaries: Text messages (NBC News)
EU intelligence chief cancels trip to Taiwan after Beijing learns its secret plans (Politico Europe)
Buenos Aires Legislature Announces Ransomware Attack (The Record)
Indonesia to pass new data privacy law after flurry of leaks (Bloomberg)
Former NSA chief Keith Alexander charged in pump-and-dump investment scheme (The Intercept)
- Current and former executives of social media companies testify before the Senate Homeland Security Committee today at 10 a.m.
- A panel of the Senate Judiciary Committee holds a hearing on protecting Americans’ personal information from hostile foreign actors today at 3:30 p.m.
- Deputy National Security Advisor Anne Neuberger speaks at a DefenseScoop event Thursday at 9 a.m.
- The House Homeland Security Committee is holding a hearing on industrial control systems cybersecurity Thursday at 10 a.m.
- A House Oversight and Reform Committee panel holds a hearing on federal IT Friday at 9 a.m.
- Rep. Mike Turner (R-Ohio), the top Republican on the House Intelligence Committee, speaks at a Heritage Foundation event on countering disinformation and foreign disinformation while protecting civil liberties Monday at 1 p.m.
Thanks for reading. See you tomorrow.