
The Cybersecurity and Infrastructure Security Agency (CISA) has solicited feedback on the list for months, and granted an extension through last week for trade associations and others to deliver their commentary. While the goals are voluntary, some industry officials are uncomfortable about whether the “performance goals” are a prelude to regulation, among other concerns.
A couple of examples of the goals on the 22-page list:
- “Owners/operators should define which utilities are essential to maintain operations (such as water, power, and HVAC), and deploy and regularly test failover systems to ensure uninterrupted supply of these resources.”
- “Owners/operators should provide basic cybersecurity training to all organizational employees and contractors to reduce the risk of both malicious and inadvertent threat activity. Reviewers should verify that all personnel receive training at least once annually.”
The goals also include major risks that each goal addresses and ways to measure progress.
The White House ordered CISA last year to work with the National Institute of Standards and Technology to develop the goals in the wake of ransomware attacks on Colonial Pipeline and IT firm Kaseya. A senior administration official who briefed reporters beforehand on the condition of anonymity because they were not authorized to comment publicly couched it in terms of the administration pursuing both regulations and recommendations.
“These may be voluntary, but we hope and expect that all responsible critical infrastructure owners and operators will apply them,” the official said.
In a written statement, CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein told me that “the cybersecurity performance goals are critical to improving our nation’s cybersecurity by providing a shared understanding of the baseline practices that critical infrastructure owners and operators can adopt on a voluntary basis to protect their systems.”
The goals “really encourage folks to think through what the building blocks of success look like,” Chris Cummiskey, a former Department of Homeland Security official who now serves as chief executive of Cummiskey Strategic Solutions, told me.
CISA, which is part of the Department of Homeland Security, received more than 1,000 comments, both in response to its solicitation and at the workshops the agency held on the performance goals. Among the complaints:
- The checklist-like nature of the goals means that “even though this is not written as a set of requirements, it lends itself to being transformed into a set of requirements by a regulator,” John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council, told me.
- One coalition of telecommunications groups, as well as another trade organization for the sector, told CISA that the goals are too “prescriptive,” potentially directing companies toward specific technologies or practices that could quickly become outdated.
- Miller said some of his members, as well as other industry groups, were unhappy that the performance goals don’t fully align with NIST’s widely embraced cybersecurity framework, itself a set of voluntary cyber guidelines that is in the midst of its own update — potentially leading to further conflict.
On the last point: “NIST doesn’t like it because it doesn’t look like the framework and it seems like DHS is trying to insert itself here,” an official involved in the deliberations who spoke on the condition of anonymity to comment freely on a process that’s not finished told me. NIST didn’t answer a request for comment on the performance goals.
Despite their complaints, industry officials have offered nearly unanimous praise for CISA’s receptiveness to their feedback, saying the agency already made improvements from an earlier set of goals.
“We appreciate the ongoing collaboration to refine the common baseline goals and maintain consistency with existing regulatory requirements within the financial sector,” Ron Green, chief security officer for Mastercard and chair of the Financial Services Sector Coordinating Council, told me.
Nor is the substance of the industry feedback surprising. “Anytime the government comes out and says you’re going to do X, Y and Z, you’re going to get some pushback from industries that, particularly, may not have spent as much time and resources on developing programs,” Cummiskey said.
CISA plans to update the draft one more time. A spokesperson couldn’t provide a specific date for when CISA would complete its task. Last year’s memo ordering the agencies to write the performance goals set a deadline of Sept. 22, 2021, for the preliminary goals and one year later for the final goals; CISA released the first list a few days after last year’s deadline.
- “CISA and NIST received invaluable feedback from critical infrastructure partners and the general public during the recent comment period, which we are now incorporating into an updated version of the goals,” Goldstein said. “We will continue this collaboration even after publication of the baseline goals to ensure that critical infrastructure partners gain the greatest value from this important work, including working with sector risk management agencies and industry stakeholders on the development of sector-specific goals that incorporate unique sectoral considerations.”
After that, one year in the future, the agencies must come up with sector-specific performance goals for each category of critical infrastructure, such as energy and water. Cummiskey said it would be even more “challenging” for the agencies to narrow down their goals sector by sector.
Top lawmakers investigate Twitter whistleblower complaint
Democratic and Republican lawmakers appeared united in their responses to a whistleblower complaint filed by former Twitter security chief Peiter “Mudge” Zatko, with the policymakers saying the disclosures raised important national security and privacy issues, Cat Zakrzewski reports. Zatko spoke with three congressional committees on Tuesday, Zatko attorney John Tye said at a Twitter Spaces event hosted by The Post. And the leaders of three key congressional committees said they’re reviewing Zatko’s disclosures.
- Sen. Richard Blumenthal (D-Conn.), who leads the Commerce panel focused on consumer protection, called on the Federal Trade Commission to investigate Zatko’s claims and bring “enforcement actions” like fines against the company where appropriate.
- Rep. Jan Schakowsky (D-Ill.) said the disclosures show that the FTC “absolutely needs more resources.”
- The political fallout could intensify amid concerns by Republicans that Twitter has unfairly suppressed their tweets. “Twitter has a long track record of making really bad decisions on everything from censorship to security practices,” said Sen. Marco Rubio, the top Republican on the Intelligence Committee. “That’s a huge concern given the company’s ability to influence the national discourse and global events.”
The complaint could also inject new urgency into talks over privacy and other technology-related legislation. Reps. Frank Pallone Jr. (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), the top lawmakers on the Energy and Commerce Committee, said that if Zatko’s allegations are true, they “reaffirm” the need for Congress to protect Americans’ data by passing privacy legislation.
Twitter has pushed back on Zatko’s complaint, with spokeswoman Anna Hughes saying that it appeared to have “inconsistencies and inaccuracies and lacks important context.” Security and privacy are “companywide priorities” at Twitter, Hughes said. “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders,” she said.
A major crypto firm is defying U.S. sanctions on Tornado Cash
Tether, which issues the world’s largest token pegged to the dollar, isn’t blacklisting accounts associated with Tornado Cash, a cryptocurrency anonymization service called a “mixer” that the Treasury Department sanctioned this month, Tory Newmyer reports. Cybercriminals including North Korean hackers have used Tornado Cash to obscure the proceeds of their crimes, Treasury said.
“Tether has not been contacted by U.S. officials or law enforcement with a request” to freeze Tornado Cash transactions, Tether Chief Technology Officer Paolo Ardoino said, noting that it “normally complies with requests from U.S. authorities.”
It’s not clear whether Tether has a legal obligation to comply with the sanctions. The company, which is based in Hong Kong, suggests it doesn’t because it “does not operate in the United States or onboard U.S. persons as customers,” Ardoino said. But he said the company does consider Treasury sanctions “as part of its world-class compliance program.”
Experts said the matter is debatable. But Tether’s move could be perilous. “It’s never a very good idea to test OFAC. Right now, it’s a particularly bad time for any crypto-related company to do that,” a former senior official for the sanctions-enforcing Office of Foreign Assets Control said. “It looks like that’s what they’re doing.”
Thanks for reading. See you tomorrow.
This news is republished from another source.