Biden signs executive order to strengthen US cybersecurity

SpecTP

Ars Praefectus
3,838
Subscriptor++
This is a promising start. First, last year, the DoD started requiring a real, solid set of security controls for suppliers in the form of the Cybersecurity Maturity Model Certification (CMMC). These kinds of positive changes are already starting to flow through the private sector.

Very good start.

If you are interested in the security controls and approach the feds are promulgating via the CMMC program (likely to be eventually used by other federal agencies like the SEC), take a look at the standard. It's actually quite reasonable and well-considered.

Overview of the CMMC:

https://www.acq.osd.mil/cmmc/docs/CMMC_ ... 200318.pdf

Edit: added link to CMMC

Every agency and their vendors have been required to submit Security Technical Implementation Guides (STIGs) https://public.cyber.mil/stigs/ for over a year now.
 
Upvote
5 (5 / 0)
This is a promising start. First, last year, the DoD started requiring a real, solid set of security controls for suppliers in the form of the Cybersecurity Maturity Model Certification (CMMC). These kinds of positive changes are already starting to flow through the private sector.

Very good start.

If you are interested in the security controls and approach the feds are promulgating via the CMMC program (likely to be eventually used by other federal agencies like the SEC), take a look at the standard. It's actually quite reasonable and well-considered.

Overview of the CMMC:

https://www.acq.osd.mil/cmmc/docs/CMMC_ ... 200318.pdf

Edit: added link to CMMC

Every agency and their vendors have been required to submit Security Technical Implementation Guides (STIGs) https://public.cyber.mil/stigs/ for over a year now.

Yep. But CMMC is different and requires an independent third-party attestation. Plus, STIGs don't generally require the establishment of an information security management system (ISMS) like CMMC functionally requires. STIGs are great, but STIGs plus CMMC is better, and CMMC also flows downstream to subcontractors, dramatically expanding the number of companies who now have to implement security and demonstrate it.
 
Upvote
6 (6 / 0)

andrewb610

Ars Tribunus Angusticlavius
6,137
2FA should also not mean sending you a text message instead of using an authenticator app.


While I agree that SMS-based MFA is less than ideal... if it's SMS vs nothing, I'll take the SMS every time.
That doesn't work for everyone. Some can't have their phone in their office.
 
Upvote
7 (7 / 0)
Same old same old ... I am totally unimpressed.

More firewalls sold, more data encrypted at rest, more end-points audited even though no one reviews the audit trails or knows what in the audit trail is a smoking gun.

You cannot prevent me from breaking into your house if you think putting a lock on the front door is the solution. I carry a brick and am perfectly capable of going around the back and tossing it through a window. Anyone think they have a network I cannot penetrate with a high tech tool called a resume needs to buy a clue?

If you want to stop bank robberies ... hire a bank robber.
When they want to get serious about IT security ... they should look to those of us that carry bricks to work.
 
Upvote
-9 (3 / -12)

Tamerlin

Ars Scholae Palatinae
645
Based on my (limited) understanding of the US government, it might require laws passed by Congress to get private companies to take their sh*t seriously.

As long as companies find that paying the ransom is less expensive than improving their own network security, no matter how disingenuously they come to that conclusion, they'll just keep paying the ransoms instead.

Never mind that by paying the ransom, Colonial probably just gave the entire ransomware business a lot of encouragement.
 
Upvote
10 (10 / 0)

Asvarduil

Ars Legatus Legionis
17,254
Subscriptor
"I, President Biden, hereby authorize the horses being put back in the barn."

Glad to see he's finally doing something about the federal government. 2FA? Great! Encryption at rest? Why the fuck was that not already in place!?

...but this is in response to a private company's pipeline being knocked offline. Is anything going to be done to demand non-dogshit IT defense on that front?

Answer: No. With Republicans in office in sufficient quantities, anything he - or any other Democrat - wants to get done, won't.

As you astutely note, he can tell the Executive how to do business all he wants. And, to be 100% fair, it's good that he tells the Executive to secure their stuff. Good on him!

However, that doesn't solve the fact that there's no incentive/plenty of disincentive for the private sector to underinvest/not invest in InfoSec. There's no incentive for making the private sector revisit their infrastructure and upgrade it to deal with the threats of the 21st century. There are no penalties for the sociopathic businesses (sorry to be redundant) that will inevitably choose profits over penalties due to the USG's fining system never putting a monetary amount in place that makes the fines for breaking the law be anything more than a minor cost of doing business.

So, no. Joe Biden will not do anything to make the private sector less hackable. He simply can't, it's not even a question of will.
Congress will not do anything to make the private sector less hackable. They simply can't, it's not even a question of will.

Trying to do literally anything will make the GOP kick, scream, and cry like pissed off chihuahuas whose favorite chew toy got hit with a bazooka.

Actually you're wrong. The president has a lot of levers to pull on this front, other than laws. There are plenty of things the GOP cannot block.

A good example is the DoD Cybersecurity Maturity Model Certification (CMMC) that I mentioned above. Want to do business with the DoD as a supplier? Well, you have to meet the CMMC requirements (generally Level 3) to do that. By the way? You need YOUR downstream suppliers to meet these as well. No new law required, but suddenly, 800,000 companies have to meet a well-designed security management framework that they didn't have to meet two years ago.

And President Biden can expand this as well. There is no reason the SEC cannot require this specific control implementation to demonstrate the compliance with the IT general control requirements for Sarbanes-Oxley reporting. There you add in any public companies not covered by DoD.

There is plenty of movement on the cybersecurity front, much driven by the government. And the GOP can do very little about it (even if they wanted to).

Huh. That sounds pretty good. I'm very glad to be wrong!
 
Upvote
12 (12 / 0)

BevansDesign

Ars Scholae Palatinae
1,171
I really think blocking foreign misinformation and manipulation campaigns needs to be part of our cybersecurity plans in the future. We already know that some countries (particularly Russia) have been working to destabilize our society by spreading false information and conspiracy theories, sowing discord, and getting their preferred candidates elected.
 
Upvote
2 (4 / -2)

andrewb610

Ars Tribunus Angusticlavius
6,137
"I, President Biden, hereby authorize the horses being put back in the barn."

Glad to see he's finally doing something about the federal government. 2FA? Great! Encryption at rest? Why the fuck was that not already in place!?

...but this is in response to a private company's pipeline being knocked offline. Is anything going to be done to demand non-dogshit IT defense on that front?

Answer: No. With Republicans in office in sufficient quantities, anything he - or any other Democrat - wants to get done, won't.

As you astutely note, he can tell the Executive how to do business all he wants. And, to be 100% fair, it's good that he tells the Executive to secure their stuff. Good on him!

However, that doesn't solve the fact that there's no incentive/plenty of disincentive for the private sector to underinvest/not invest in InfoSec. There's no incentive for making the private sector revisit their infrastructure and upgrade it to deal with the threats of the 21st century. There are no penalties for the sociopathic businesses (sorry to be redundant) that will inevitably choose profits over penalties due to the USG's fining system never putting a monetary amount in place that makes the fines for breaking the law be anything more than a minor cost of doing business.

So, no. Joe Biden will not do anything to make the private sector less hackable. He simply can't, it's not even a question of will.
Congress will not do anything to make the private sector less hackable. They simply can't, it's not even a question of will.

Trying to do literally anything will make the GOP kick, scream, and cry like pissed off chihuahuas whose favorite chew toy got hit with a bazooka.

Actually you're wrong. The president has a lot of levers to pull on this front, other than laws. There are plenty of things the GOP cannot block.

A good example is the DoD Cybersecurity Maturity Model Certification (CMMC) that I mentioned above. Want to do business with the DoD as a supplier? Well, you have to meet the CMMC requirements (generally Level 3) to do that. By the way? You need YOUR downstream suppliers to meet these as well. No new law required, but suddenly, 800,000 companies have to meet a well-designed security management framework that they didn't have to meet two years ago.

And President Biden can expand this as well. There is no reason the SEC cannot require this specific control implementation to demonstrate the compliance with the IT general control requirements for Sarbanes-Oxley reporting. There you add in any public companies not covered by DoD.

There is plenty of movement on the cybersecurity front, much driven by the government. And the GOP can do very little about it (even if they wanted to).

Huh. That sounds pretty good. I'm very glad to be wrong!
*Looks up Sarbanes-Oxley reporting* Seems to check out.
 
Upvote
8 (8 / 0)

SpecTP

Ars Praefectus
3,838
Subscriptor++
2FA should also not mean sending you a text message instead of using an authenticator app.


While I agree that SMS-based MFA is less than ideal... if it's SMS vs nothing, I'll take the SMS every time.
That doesn't work for everyone. Some can't have their phone in their office.

lol.. yep.. no phones allowed in SCIFs. I worked in an old office building that was an old vault converted to office space. The metal embedded in the walls cut off everyone's wireless signals once you passed the threshold. Made all our mobile phones useless.
 
Upvote
4 (4 / 0)

andrewb610

Ars Tribunus Angusticlavius
6,137
2FA should also not mean sending you a text message instead of using an authenticator app.


While I agree that SMS-based MFA is less than ideal... if it's SMS vs nothing, I'll take the SMS every time.
That doesn't work for everyone. Some can't have their phone in their office.

lol.. yep.. no phones allowed in SCIFs
Or areas of open processing (of certain things). They're not quite SCIFs but many of the same rules apply.
 
Upvote
2 (2 / 0)

Defenestrar

Senator
15,680
Subscriptor++
2FA should also not mean sending you a text message instead of using an authenticator app.


While I agree that SMS-based MFA is less than ideal... if it's SMS vs nothing, I'll take the SMS every time.
That doesn't work for everyone. Some can't have their phone in their office.
Or chemical/radiological/biological laboratory. It might be worth banning (government) use of software that doesn't properly use hardware tokens a la FIDO2/U2F/etc...
 
Upvote
3 (3 / 0)
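The "authenticator app" alternative to SMS that the posts above argue over is TOTP (RFC 6238, built on HOTP from RFC 4226): the code is computed from a shared secret and the current time only, so the token side needs no network, which is also why an app or hardware token still works where phones are banned. The block below is an added example, not code from anyone in this thread; it implements both the token side and the server-side check (drift window, constant-time comparison, and a returned counter so the server can refuse a replayed code). The secret and timestamps are the RFC test vectors, used here as constructed sample input.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226), as authenticator apps implement it.

Added example, not from any poster in this thread. Everything the token side
needs is the shared secret and a clock: no SMS, no network.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample input: the reference secret from RFC 4226 / RFC 6238
# (ASCII "12345678901234567890"), so the published test vectors can be checked.
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret carried in enrolment QR codes (otpauth:// URIs).
    Apps usually drop the '=' padding, so restore it before decoding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation
    (low nibble of the last MAC byte selects a 31-bit window)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP: HOTP with counter = floor(unix_time / step). This is the token side."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                algo=hashlib.sha1) -> Optional[int]:
    """Server side. Accepts codes from `window` steps either side of now to
    absorb clock drift. Returns the matching counter so the caller can store
    it and reject the same counter a second time (replay); None on failure."""
    if at is None:
        at = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        expected = hotp(secret, counter, digits, algo)
        # Constant-time comparison so timing does not leak which digits matched.
        if hmac.compare_digest(expected, submitted):
            return counter
    return None


if __name__ == "__main__":
    # Round-trip the secret through the base32 form an enrolment QR code would carry.
    secret = secret_from_base32(base64.b32encode(RFC_TEST_SECRET).decode())
    print("HOTP counter 0:", hotp(secret, 0))                      # 755224 (RFC 4226)
    print("TOTP at T=59, 8 digits:", totp(secret, 59, digits=8))   # 94287082 (RFC 6238)
    print("accepted counter:", verify_totp(secret, "94287082", at=89, digits=8))
    print("code right now:", totp(secret))
```

The server should persist the counter `verify_totp` returns and refuse any later submission that matches the same or a lower counter; otherwise a code phished within its 30-second window (plus the drift window) can be replayed. Widening `window` trades phishing exposure for tolerance of bad clocks, so keep it at one step unless you have measured drift.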

SixDegrees

Ars Legatus Legionis
48,655
Subscriptor
I really think blocking foreign misinformation and manipulation campaigns needs to be part of our cybersecurity plans in the future. We already know that some countries (particularly Russia) have been working to destabilize our society by spreading false information and conspiracy theories, sowing discord, and getting their preferred candidates elected.

Not sure how you're gonna do that. To use Russia as an example: they've moved the bulk of their manure spreaders to Africa over the last couple of years, and they've got plenty of water carriers within the US happy to work independently. So you're left with the basically impossible task of examining every byte of data traversing the Internet, every second of every day, looking for misinformation.

There are better ways to approach social media disinformation specifically, but they inevitably involve expending resources on monitoring people like Justin Bieber or the Kardashian clown car.

It's not as simple as refusing traffic from specific countries, by a long shot.
 
Upvote
3 (3 / 0)

Defenestrar

Senator
15,680
Subscriptor++
Based on my (limited) understanding of the US government, it might require laws passed by Congress to get private companies to take their sh*t seriously.

As long as companies find that paying the ransom is less expensive than improving their own network security, no matter how disingenuously they come to that conclusion, they'll just keep paying the ransoms instead.

Never mind that by paying the ransom, Colonial probably just gave the entire ransomware business a lot of encouragement.
There's a big part of me that wants to make paying ransoms illegal across the board, but then I also realize that might mean people would try and hide the ransom demand from the police so they can keep their options open. Sort of like how making prostitution illegal (rather than only making pay-for-sex illegal) strengthens the position of pimps and other abusers of prostitutes because the victims are less likely to seek help.

I suppose you could get around it by making laws about public disclosure (of hacks) and scaled increasing penalties related to delay in a: discovery, and b: disclosure. That could also be coupled with automatic penalties for failing to follow a certain security standard. So no specific penalty for paying ransom, but penalties for both bad performance and delayed reporting. That could incentivize asking for help as soon as a breach has occurred, even though it will automatically trigger a base level penalty if security wasn't done right. It would still be cheaper than hiding the disclosure for any length of time.
 
Upvote
6 (6 / 0)

wxfisch

Ars Scholae Palatinae
1,036
Subscriptor++
"I, President Biden, hereby authorize the horses being put back in the barn."

Glad to see he's finally doing something about the federal government. 2FA? Great! Encryption at rest? Why the fuck was that not already in place!?

...but this is in response to a private company's pipeline being knocked offline. Is anything going to be done to demand non-dogshit IT defense on that front?

Federal agencies in general already do have to do all of those things to meet NIST 800-53 requirements for most systems that require it. In fact, with HSPD-12 PIVs, 2FA in the federal government is generally stronger than pretty much anything in the private sector outside of banking. Neither 2FA nor encryption at rest (using FIPS 140-2 of course, three years old and already cracked by China too!) would have prevented the SolarWinds incident. I think the real teeth here are the review board, and enforcing that businesses that work with agencies adopt the same security posture.
Now if only we could get Infrastructure companies to also adopt FISMA like frameworks and be accountable to following them.
 
Upvote
3 (3 / 0)

prb123

Wise, Aged Ars Veteran
127
This is a promising start. First, last year, the DoD started requiring a real, solid set of security controls for suppliers in the form of the Cybersecurity Maturity Model Certification (CMMC). These kinds of positive changes are already starting to flow through the private sector.

Very good start.

If you are interested in the security controls and approach the feds are promulgating via the CMMC program (likely to be eventually used by other federal agencies like the SEC), take a look at the standard. It's actually quite reasonable and well-considered.

Overview of the CMMC:

https://www.acq.osd.mil/cmmc/docs/CMMC_ ... 200318.pdf

Edit: added link to CMMC

Every agency and their vendors have been required to submit Security Technical Implementation Guides (STIGs) https://public.cyber.mil/stigs/ for over a year now.

Right, but there are two issues with the current system:
1. NIST Score is submitted on the honor system. That has proven to not work.
2. Scores don't mean anything right now anyway (especially if submitted with remediation date in the future).

CMMC with audits every 2 years is meant to fix these issues.
 
Upvote
6 (6 / 0)
...but this is in response to a private company's pipeline being knocked offline. Is anything going to be done to demand non-dogshit IT defense on that front?
Well, part of it is that companies that sell their software to the Federal Government will have to improve the security of that software.
This will benefit private companies, because they often buy software that is also sold to the U.S. Government.
Unlike some European countries, the U.S. government still uses Microsoft Windows on some of its computers, for example.
 
Upvote
5 (5 / 0)
How about the US just mandates that it follows the best practices already published by the US? Also make sure that the government supports both public suit and private class actions for any harm caused by a corporation by not following such guidelines. (Gas prices go up on the east coast? Sounds like a class action to me for poor cybersecurity.) Make not doing IT properly painfully more expensive than doing it right.

"Mandate"?

How about criminal penalties from the top down for failing to implement and assure use? Forbid insurance payouts, in the case of public utilities, forbid passing costs on to rate payers.
 
Upvote
4 (4 / 0)
...but this is in response to a private company's pipeline being knocked offline. Is anything going to be done to demand non-dogshit IT defense on that front?
Well, part of it is that companies that sell their software to the Federal Government will have to improve the security of that software.
This will benefit private companies, because they often buy software that is also sold to the U.S. Government.
Unlike some European countries, the U.S. government still uses Microsoft Windows on some of its computers, for example.

Neat trick!

Some of these companies have completely outsourced development through intricate "business" arrangements with equity/VC companies.
 
Upvote
0 (0 / 0)
I worked at Treasury and at Health & Human Services. At the time, both Departments required their employees to use their PIV cards (in addition to password) to access any computer resources, and remote access was incredibly difficult. What is this EO intended to do on top of what is already there?
Maybe nothing. Are Treasury and Health & Human Services secure? If so, getting other government agencies and private companies working with the government to follow their good example will be sufficient.
However, it does seem to me that I read about the U.S. Treasury being the victim of a hack recently. At least one other thing seems to be included in this Executive Order: the quality of the third party software sold to government departments like the U.S. Treasury with respect to security is to be improved.

EDIT: Yes, the news story about a hack obtaining access to some E-mails at the U.S. Treasury appeared on the 21st of December last year (2020).
 
Upvote
0 (0 / 0)
How about the US just mandates that it follows the best practices already published by the US? Also make sure that the government supports both public suit and private class actions for any harm caused by a corporation by not following such guidelines. (Gas prices go up on the east coast? Sounds like a class action to me for poor cybersecurity.) Make not doing IT properly painfully more expensive than doing it right.

I quit working for the government back around 2014, and the final straw was filling out an IT requirements doc (700 pages long) to stand up a WordPress site. One of the questions, and it was literally the straw that broke my back in gov't, was (paraphrasing) "What is the mixture of concrete used in the floor of the data center where the rack will be bolted that will hold the server where this system will be installed?"

As Niels Bohr used to say to some graduate students, "That's not even wrong."

And it's processes like this, that are "kitchen sink", that give the appearance of effectiveness while diluting effort and attention from real problems like, "How are you going to secure the admin credentials of the WordPress site; or, how are you going to make sure WordPress gets timely updates and patches?"

The government isn't just doing nothing, it's literally CYA by focusing on the wrong things.
 
Upvote
6 (6 / 0)

SixDegrees

Ars Legatus Legionis
48,655
Subscriptor
This is a promising start. First, last year, the DoD started requiring a real, solid set of security controls for suppliers in the form of the Cybersecurity Maturity Model Certification (CMMC). These kinds of positive changes are already starting to flow through the private sector.

Very good start.

If you are interested in the security controls and approach the feds are promulgating via the CMMC program (likely to be eventually used by other federal agencies like the SEC), take a look at the standard. It's actually quite reasonable and well-considered.

Overview of the CMMC:

https://www.acq.osd.mil/cmmc/docs/CMMC_ ... 200318.pdf

Edit: added link to CMMC

Every agency and their vendors have been required to submit Security Technical Implementation Guides (STIGs) https://public.cyber.mil/stigs/ for over a year now.

Right, but there are two issues with the current system:
1. NIST Score is submitted on the honor system. That has proven to not work.
2. Scores don't mean anything right now anyway (especially if submitted with remediation date in the future).

CMMC with audits every 2 years is meant to fix these issues.

Maybe. But in my experience, CMM is a way to generate tuition fees for trainers who come in and instruct you how to qualify - and qualification in other CMM realms seems to be tightly coupled to the ability of the check you write to clear. Underneath all the suggested practices is the get-out-of-jail-free card that lets you do whatever the hell you want, as long as you document departures from suggested practice to the extent of saying, "Yeah, we're not gonna do that."

I would hope that CMMC will be better about such things, but I'm pretty jaded by experience with other implementations.
 
Upvote
2 (2 / 0)
How about the US just mandates that it follows the best practices already published by the US? Also make sure that the government supports both public suit and private class actions for any harm caused by a corporation by not following such guidelines. (Gas prices go up on the east coast? Sounds like a class action to me for poor cybersecurity.) Make not doing IT properly painfully more expensive than doing it right.

Exactly this - is not like we haven't had this shit written down and known for decades.

Next executive order will mandate using seat belts in cars.
 
Upvote
-1 (1 / -2)

fsglass

Seniorius Lurkius
42
Subscriptor
Cyber security is only one (admittedly serious) part of the problem. Imagine if there were only one highway that served 40% of users along the east coast. What about one set of power lines on a single grid? There's actually only one pipeline operator for many customers on the east coast, and not only are the pipeline operators largely untroubled by anti-trust considerations, they are also given the power of eminent domain.

The good news for the owners of the pipeline is that they will still get paid for supplying the same amount of fuel to the same customers if only after a small delay. In a few days we'll all forget that we were briefly jealous of electric car owners.

Did they never test their backup and fail disaster plan?
 
Upvote
3 (3 / 0)

Defenestrar

Senator
15,680
Subscriptor++
How about the US just mandates that it follows the best practices already published by the US? Also make sure that the government supports both public suit and private class actions for any harm caused by a corporation by not following such guidelines. (Gas prices go up on the east coast? Sounds like a class action to me for poor cybersecurity.) Make not doing IT properly painfully more expensive than doing it right.

"Mandate"?

How about criminal penalties from the top down for failing to implement and assure use? Forbid insurance payouts, in the case of public utilities, forbid passing costs on to rate payers.
While I don't disagree, you're into legislative power not executive power.
 
Upvote
1 (1 / 0)

Defenestrar

Senator
15,680
Subscriptor++
How about the US just mandates that it follows the best practices already published by the US? Also make sure that the government supports both public suit and private class actions for any harm caused by a corporation by not following such guidelines. (Gas prices go up on the east coast? Sounds like a class action to me for poor cybersecurity.) Make not doing IT properly painfully more expensive than doing it right.

I quit working for the government back around 2014, and the final straw was filling out an IT requirements doc (700 pages long) to stand up a WordPress site. One of the questions, and it was literally the straw that broke my back in gov't, was (paraphrasing) "What is the mixture of concrete used in the floor of the data center where the rack will be bolted that will hold the server where this system will be installed?"

As Niels Bohr used to say to some graduate students, "That's not even wrong."

And it's processes like this, that are "kitchen sink", that give the appearance of effectiveness while diluting effort and attention from real problems like, "How are you going to secure the admin credentials of the WordPress site; or, how are you going to make sure WordPress gets timely updates and patches?"

The government isn't just doing nothing, it's literally CYA by focusing on the wrong things.
Not every US government agency is... equal in its bureaucracy. Where I worked they brought in people from the NSA to do our IT security training and the big key message every single time was "mission first." If getting the mission done (including time/deadline considerations) was incompatible with security, then security had to be the side to adapt. To not attempt to meet/exceed infosec standards was certainly negligence, but to say that one wouldn't be allowed to attempt to accomplish one's primary job due to IT security concerns was even more unacceptable.

It was a good message. It reminded IT that they are a support group for the main mission and it reminded everyone else that we had to put up with anything IT asked for that didn't seriously impact our ability to get the job done (even if it could be inconvenient). Also, because it came from NSA - chief of the paranoid - it was hard for anyone to argue with it.

Friends I knew that worked with/for other parts of the government didn't quite get the same message and I thought that unfortunate.

Edit: PS - My condolences for the paperwork.
 
Upvote
12 (12 / 0)

Defenestrar

Senator
15,680
Subscriptor++
Watching the WH press conference today, and of course, they would rather that the private sector company did not pay the ransom, but then, they can't order them not to do so.

Which is interesting.

Think an "Executive Order" will fix that?
It's a hard push under executive orders, at least if it's to be challenged in court. Outside of limited emergencies where the President essentially has the power to suspend the constitution (e.g. pandemics, civil war, etc...), or at least bend it around any lens of strict scrutiny, it's difficult for the executive government to make new rules that have force of law. Well at least that hold up in the judicial branch's opinion over the long run.

It'd work best if the president can cite existing law and his order is an interpretation of that law and a directive to the rest of the executive branch to follow up on that. So if he defined ransomware attacks on infrastructure/healthcare/other critical industries as terrorism, and then applied Patriot Act (and related) powers then it might fly. Could also approach it as buying bulk cryptocurrency and giving it to criminals is an active part of money laundering and perhaps even going as far as criminal conspiracy (probably a stretch, but it wouldn't be the first successful implementation of prosecutor overreach by a long shot).

That said, I think either of the above examples would be sufficient justification for executive orders.
 
Upvote
1 (1 / 0)

TiredTech

Seniorius Lurkius
37
The three letter agencies revel in the status quo, so they'll put a stop to anything meaningful. Like other government mandates, legislation will have no teeth and favor big money Tech companies with barrels of lobbying cash. When inevitably hacked, these companies will fall back on "we followed the guideline". There are official and best practice standards already in place. Security is slow, difficult to implement correctly and money intensive. Even the pros have bad days, so some "star" or "up/down" rating will mean nothing.
 
Upvote
-3 (1 / -4)
How about making illegal the sale of cryptocurrency. (Not the software or mining of). That would have a huge effect overnight. Companies could not legitimately purchase crypto. So ransomware payments would have to go through regular channels, making detection much easier and risk for the ransomers much higher.

Would also burst a lot of bubbles.
 
Upvote
3 (3 / 0)
Encryption at rest? Why the fuck was that not already in place!?

Not a terrible idea, but why is it 1 of 2 main(?) points of this executive order? This will not help at all since all attacks so far have been against data in transit.

Just like banning 3D printed guns. Nobody ever with an IQ of <90, those that are responsible for all urban crime, has printed a gun and shot someone. Nobody.
 
Upvote
-2 (1 / -3)
Baloney, eyewash and smoke and mirrors. The DOD and most other US Government agencies have had 2FA to control user and admin IT level access for almost 2 decades using CAC cards with an embedded chip to control access along with strong passwords that are required to be reset every 90 to 180 days depending on agency. The problem the government has is they pay too little money to the people that run the back end protective structures of government IT, so they get what they pay for. Indeed a lot of DOD IT infrastructure is "supposedly protected" by the DOD cyber security force, including knuckle draggers brought over from the National Guard (and the guard is actively seeking to get more of that to build their empire). I saw how lame and dumb the IT people working for all levels of the DOD were when I was serving; in the guard it was multi levels worse. Think of the dumbest people you have ever met in life, and then picture them in charge of being your front line security for IT systems. This is pure political posturing, and nothing much will come of it. Because they have been beating that same drum for 20 years and very little they have done has made things more secure.
 
Upvote
-3 (0 / -3)

Dadlyedly

Ars Tribunus Militum
2,567
Subscriptor
And now they are reporting that the Colonial Pipeline people paid the ransom. Something like four or five million dollars.

I got a feeling these attacks are about to get a whole lot worse.
I don't consider that a problem if it forces business and government to start to take network security seriously. Let the costs escalate. I'd rather have scattered inconvenience than everything taken down all at the same time in a cyberwar.

I'm assuming this is an unpopular opinion, but I agree.

We as Americans together are not going to act unless they are directly impacted. Fuck with their internet connections and you might get some real change.
I'm a bit surprised at how popular this opinion is turning out to be here.
 
Upvote
0 (0 / 0)
How about the US just mandates that it follows the best practices already published by the US? Also make sure that the government supports both public suit and private class actions for any harm caused by a corporation by not following such guidelines. (Gas prices go up on the east coast? Sounds like a class action to me for poor cybersecurity.) Make not doing IT properly painfully more expensive than doing it right.

Because fuck those standards. It was only recently that they stopped recommending password expiry, and remember FIPS compliant cipher suites where you couldn’t use anything newer? Google’s post quantum also isn’t in the list of “approved ciphers”. Maybe when they can keep up with OSS development.
 
Upvote
2 (2 / 0)