At a glance.
- Poachers and gamekeepers down under.
- The cybersecurity of US water and wastewater treatment facilities.
- US Department of Homeland Security explores alternatives to the Pentagon’s CMMC program.
- Industry reaction to CISA’s playbooks.
ASD head says cyber offense and defense are two sides of the same coin.
Australian officials have been considering whether to separate the government’s defensive and offensive cybersecurity activities, removing the defensive cybersecurity unit from the Australian Signals Directorate (ASD) and placing it under the auspices of another agency, or creating a national anti-scam center. However, Rachel Noble, head of the ASD, says the cyber spy agency’s offensive and defensive tactics go hand-in-hand and should remain fully integrated. In notes for an upcoming speech that she shared with the Sydney Morning Herald, Noble states, “The idea that we could draw a line somehow between these functions would take away the very cutting edge that Australia has, and needs, over our adversaries.” With the country having suffered a surge of cyberattacks last year that authorities believe originated in China, Noble feels that the future of warfare will be rooted in cyberspace, and as such, cyber offense is integral to all aspects of Australia’s national security. “In cyberspace, ASD is increasingly becoming the first and last line of digital defence that protects our country from cyber attacks, and thwarts those who seek to attack Australia by launching offensive cyber operations of our own,” Noble explains.
Report says EPA should put more funding into water.
Washington think tank the Center on Cyber and Technology Innovation is publishing a report highlighting the cybersecurity shortcomings of US water supply facilities, the Wall Street Journal reports. Mark Montgomery, senior director of the Center on Cyber and Technology Innovation, says a lack of funding and security standards has left water facilities vulnerable to the growing number of ransomware attacks. Indeed, the Cybersecurity and Infrastructure Security Agency says there have been five attacks on water supply facilities since 2019, four of which were ransomware. While the White House this year introduced new rules for other critical infrastructure providers like pipeline operators, the Environmental Protection Agency (EPA), which oversees the water system, has no binding cybersecurity standards for water facilities. Montgomery suggests the EPA should increase its budget for cybersecurity and disaster management to $45 million (from around $15.4 million requested for 2022) and focus on cybersecurity hiring and training.
DHS launches pathfinder for federal contractor cybersecurity.
Though the US Department of Homeland Security (DHS) has included cyber hygiene clauses in its contracts with contractors since 2015, the agency has never had an evaluation system in place, until now. Federal News Network explains that DHS launched a pathfinder this summer to assess how well contractors are meeting cybersecurity standards, and so far it has completed the evaluation of one contractor. DHS has been observing the Pentagon’s Cybersecurity Maturity Model Certification (CMMC), and Ken Bible, chief information security officer at DHS, says the Pentagon’s approach at first seemed too harsh for DHS, as it left small businesses at a disadvantage. Last month, however, the Pentagon revamped the CMMC, and now requires only a self-attestation of cybersecurity practice from most defense contractors seeking to win an award. Bible says the Pentagon’s approach might be too lax, as he feels it’s important for contractors to demonstrate evidence of their cybersecurity hygiene. The pathfinder, he says, strikes a balance, holding contractors accountable without putting industry at a disadvantage. “It is a systematic approach,” Bible says. “But this is about managing risk, not necessarily trying to eliminate it, because I don’t think we will be able to eliminate it completely.” This is part of a broader initiative to improve supply chain risk management strategies, as last year’s SolarWinds attack revealed chinks in the armor.
Reaction to CISA’s playbooks.
Purandar Das, Co-founder and President at Sotero, sees CISA’s playbooks as a basic but necessary step toward improved resilience:
“This move is indicative of the overall changes and enhancements being put in place by the administration and the law enforcement agencies. As basic as this move sounds, it can be and is a powerful instrument and guidance. Many organizations are not prepared for dealing with a cyber-attack. The pace and speed of the attack, coupled with the complexities that it exposes, causes many organizations to become paralyzed. Dealing with complexities that relate to communication, resolution and seeking help when operations are crippled and communications disabled can be overwhelming. Having a playbook and a plan in place can be the difference in successfully recovering and dealing with a cyber-attack. One of the sectors that can certainly benefit from this is the SLED sector. This would help their staff and management put a plan in place more effectively.”