President Joe Biden extended for a year the national emergency declaration in then-President Donald Trump’s May 2019 executive order under the International Emergency Economic Powers Act to protect U.S. information and communications technology supply chains against interference by foreign adversaries, says a notice for Friday’s Federal Register. The order was due to expire Sunday. Bad actors’ “unrestricted access” to ICT “augments the ability” of foreign adversaries to exploit “vulnerabilities” in the U.S. supply chain, “with potentially catastrophic effects,” said the notice. The “unusual and extraordinary threat” continues to the national security, foreign policy and economy of the U.S., it said. For this reason, the national emergency declaration “must continue,” it said.
The National Association of Attorneys General created a cyber and technology center to support state AG offices in understanding new technologies, doing cybercrime probes and strengthening resiliency of private sector networks and infrastructure, NAAG said Monday. NAAG tapped Faisal Sheikh, a counsel for its research arm National Attorneys General Training and Research Institute, to lead the cyber center.
The U.S. will establish new cryptographic standards for federal agencies to guard against quantum computing cybersecurity threats, President Joe Biden announced Wednesday through a national security memorandum and executive order. The National Institute of Standards and Technology will work with the Office of Management and Budget, the national cyber director, the National Security Agency and the Cybersecurity and Infrastructure Security Agency to establish requirements for “inventorying all currently deployed cryptographic systems, excluding National Security Systems.” Agencies will need to establish “comprehensive plans” to protect U.S. intellectual property, R&D and other “sensitive technology from acquisition by America’s adversaries,” the White House said. The initiatives lay the groundwork for continued American leadership, the White House said: “America must start the lengthy process of updating our IT infrastructure today to protect against this quantum computing threat tomorrow.”
FCC Chairwoman Jessica Rosenworcel said the recently relaunched Cybersecurity Forum of Independent and Executive Branch Regulators should focus on reporting as it starts work. “Right now, there’s a lot of fragmentation across sectors and jurisdictions in what information gets reported, when and how it is reported, and how that information can be used,” she said Friday: “We’ll discuss using this Forum as a place to work toward greater convergence on these matters.” Rosenworcel also urged a focus on executive order 14028, handed down by President Joe Biden in May on improving the nation’s cybersecurity. “When it comes to cybersecurity, there is no question that the risks are real, the stakes are high, and our defenses need to evolve and improve,” she said: “This Forum is part of the nuts-and-bolts work to help get us to where we need to be.” The FCC said officials representing 30 regulatory and advisory agencies participated in the meeting, which included “briefings from senior leaders, updates on the Russia-Ukraine conflict and recent cybersecurity legislation, and discussion of goals and processes.”
The Cybersecurity and Infrastructure Security Agency is compiling a list of “systemically important” critical infrastructure entities to ensure the U.S. can depend on organizations providing vital, everyday services under threat from cyberattack, Executive Assistant Director-Cybersecurity Eric Goldstein told the House Cybersecurity Subcommittee during a hearing Wednesday. Chair Yvette Clarke, D-N.Y., said Congress is searching for the next cyber proposal to tackle after passing a new law requiring such entities to report cyber incidents to CISA. She noted the Cyberspace Solarium Commission recommended a new designation for critical infrastructure entities that are systemically important to national security. She asked about the need to codify the new designation into law, which would include new security requirements for entities. CISA is developing a list that aligns closely with the Solarium Commission’s recommendation, said Goldstein. This would mean CISA could drive more effective collaboration with organizations to drive down risks, he said. A much smaller list of systemically important entities is needed so Americans can be assured they can depend on certain services, said the White House’s acting Principal Deputy National Cyber Director Robert Knake.
The FCC encouraged companies that use uninterruptible power supply (UPS) devices as a primary or backup power source to pay attention to a recent security warning by the Cybersecurity and Infrastructure Security Agency and Department of Energy. “Those agencies have become aware of threat actors gaining access to a variety of internet-connected UPS devices, often through unchanged default usernames and passwords,” the FCC said Thursday. It advised companies to “immediately enumerate all UPSs and similar systems and ensure they are not accessible from the internet” or make sure they have “compensating controls, such as ensuring the device or system is behind virtual private network, enforcing multifactor authentication, and applying strong, long passwords.”
Officials seized Hydra Market, the “world’s largest and longest-running darknet market,” DOJ announced Tuesday. The department said Hydra carried about “80% of all darknet market-related cryptocurrency transactions” in 2021 and has received about $5.2 billion in cryptocurrency since 2015. The German Federal Criminal Police coordinated with U.S. officials in seizing “servers and cryptocurrency wallets containing $25 million worth of bitcoin” in Germany Tuesday, DOJ said. The department announced criminal charges against Russian resident Dmitry Olegovich Pavlov for narcotics and money laundering activity in connection with operation of Hydra servers.
The House Homeland Security Committee plans a hearing Wednesday on Russian cyberthreats. The hearing is set for 2 p.m. in 310 Cannon. Witnesses: CrowdStrike Senior Vice President-Intelligence Adam Meyers, Financial Services Information Sharing and Analysis Center CEO Steve Silberstein, American Water Works Association Federal Relations Manager Kevin Morley and Tenable CEO Amit Yoran.
The lack of “any visible cyber activity” from Moscow is one of many “surprises about the campaign that Russia is waging against Ukraine,” Keir Giles, Chatham House senior consulting fellow-Russian and Eurasian affairs, said Friday on a Conference Board podcast. “There are a lot of areas of Russian capability that were expected to be deployed against Ukraine that somehow haven’t materialized.” The impact of major Russian cyber operations against Ukraine would be “huge,” and many experts are speculating “that is actually why Russia is being restrained and is holding off from mounting the campaigns that were expected,” said Giles. “If Russia conducts cyberattacks against Ukraine only, it may be very hard for them to contain the effects to Ukraine only.” Giles worries that in the “later stages of Russia’s war on the West” there will materialize cyberattacks from Moscow that “are far less restrained,” he said. “If and when Russia does move on from Ukraine, and it comes away from Ukraine thinking that at least it had met some of its objectives, then the next stage of the attack on the West will almost certainly include those cyberattacks that are far less discriminating.” If Russia succeeds in removing access to the internet “in large sectors of large countries,” the economic impact obviously will be significant, said Giles. “Everybody that is data-dependent or that manages civilian telecommunications infrastructure needs to be prepared,” he said.
The “great resignation” phenomenon among skilled labor that’s plaguing all industries is hitting the cybersecurity field “especially hard,” an Information Systems Audit and Control Association survey found. ISACA canvassed 2,031 security professionals, finding 63% reporting they have unfilled cybersecurity positions, up 8 points from the 2021 survey, it said Wednesday. One in five respondents said it takes more than six months on average “to find qualified cybersecurity candidates for open positions,” it said. More than six in 10 reported difficulties retaining qualified cybersecurity professionals, up 7 points from 2021, it said. Recruitment by other companies is the top reason (59%) for cybersecurity professionals leaving their jobs, followed by insufficient salary or bonus (48%); limited advancement opportunities (47%); high stress on the job (45%); and poor management support (34%).