White House Calls on America's Most Critical Companies To Improve Cyber Defenses (reuters.com)
The White House is signaling to U.S. critical infrastructure companies, such as energy providers, that they must improve their cyber defenses because additional potential regulation is on the horizon. From a report: U.S. President Joseph Biden signed a national security memorandum on Wednesday, launching a new public-private initiative that creates "performance controls" for cybersecurity at America's most critical companies, including water treatment and electrical power plants. The recommendations are voluntary in nature, but the administration hopes it will cause companies to improve their cybersecurity ahead of other policy efforts, said a senior administration official. The announcement comes after multiple high-profile cyberattacks this year crippled American companies and government agencies, including a ransomware incident which disrupted gasoline supplies. "These are the thresholds that we expect responsible owners and operators to go," said the official. "The absence of mandated cybersecurity requirements for critical infrastructure is what in many ways has brought us to the level of vulnerability that we have today."
By the definition of "worst" (Score:2)
Because the prerequisites for that are low IQ and a deep sense of inferiority/jealousy, which not only make them ripe to turn to racism, but also make them easily manipulated by politicians and others who seek to benefit from an "us vs them" mentality?
In other words, you've asked why morons are always dumb.
However, I don't think the dumb ones are actually the worst racists. Their stupidity makes them easy to ignore. Far more insidious, because people take it seriously, is the stealth racism of paternalism.
Re: (Score:2)
Funny you mention "separate, but equal" in the end, because that's PRECISELY what the stealth racists, those who call themselves "anti-racists", are advocating for - separation. They wish to divide us. Except with the equal part. They want "separate, but not equal".
And no, the fact that my marriage wouldn't be legal in dumbfuckistan today or in Virginia a hundred friggin years ago doesn't affect me. I live in 2021, not 1921. What DOES affect me is all the idiots in 2021 telling our daughter that her somethi
Ps - fair warning (Score:2)
I normally try to be nice. I want to let you know, I am FUCKING PISSED about some of the crap these assholes say to my daughter. This is the one subject I am not capable of being nice about.
If you choose to reply, I will probably be an asshole. I hope you don't take it personally.
The basic idea of CRT, critical race theory in one sentence, is as follows:
A person's identity is mostly defined by their race (where their great-great-grandparents were born), and if their great-great-grandparents were born in Eur
Re: (Score:2)
Go read the CRT papers, instead of some idiot's Twitter, then tell me what you think they say. After you read them. CRT is very much NOT history, and Crenshaw, who originated it, would tell you that loudly and very clearly. Per Crenshaw and any of the other CRT papers (especially the 1980s ones that brought the idea into education), CRT is about how an individual's identity and values are decided by their race.
There is another term for the idea that an individual's identity and values are determined by their
Re: (Score:2)
Ps - if you believe in Critical Race Theory, you're not allowed to be mean to me. You need to grovel because you oppress me.
Re: (Score:2)
Me: I'm a person, a human being, not "a negro", or "a black".
You: White supremacist!
They've REALLY got your head twisted, don't they?
Anyone who doesn't let you ignore their humanity and call them by their race is a "white supremacist". See how absolutely crazy that is?
You're freaking out because I'm saying I'm my own person, not a pet for white people. Unable to cope with that, you fall back on the "in case of emergency" tactic they taught you - whenever someone challenges anything CNN told you, just scream "
Re: (Score:2)
> You are trying to erase the history of black people in America.
Black people may have been owned by your ancestors, but we aren't any more, so fuck off with your attempt to claim you own me.
Re: (Score:2)
It really is entertaining to watch how you freak out when an "uppity" one tells you to screw off, we're leaving your plantation.
Lol you actually screamed "white supremacist" when I told you I'm a person like you, not your pet negro. That was fucking priceless.
Re: (Score:2)
But you're right, racism certainly continues today.
In fact, since it's now official policy in many ways, racism is at all-time high.
Your racism sure continues in this thread, as you throw an absolute fit that one of "those people" has the audacity to tell you that you are not their master. You don't get to decide what black people think and do. Your meltdown over hearing that shows your racism not only continues, it's boiling over. So much that it's shut down your brain to the extent you actually screamed "rac
Government, heal thyself (Score:1)
Mod parent "confusing". I think you're being trolled away from the story.
Mostly just want to remind y'all of Cyber Warfare by Richard Clarke. A bit long in the tooth, but still the best book I've read on the topic. Short summary: China has the best overall balance of offense, defense, and minimized vulnerability. (And the Chinese believe the "bad" and "unfair" 19th Century justifies their approach.)
However my main reaction to the story is that the US Government should be showing how to do it before they t
Jail the Execs (Score:4, Informative)
Until the executives of hacked companies face hard time, or at least, complete impoverishment, they will NEVER commit the resources for proper defense. This has always been the problem. What did it cost the execs at Xperian, for example, when the credit records of tens of millions were exposed? Nothing.
Re: (Score:3)
Agreed: Biden needs to wield a bigger stick than 'calling' or 'signalling'. 'Voluntary' is not good enough.
Re: (Score:2)
The problem is that all any company has to do, is hire an offshore consulting company, who will pay the ransom for the client, and that is enough plausible deniability to keep the LEOs at bay... and because the consulting company that pays the ransom is in a place where there are no extradition provisions, nobody is going to be hauled off anywhere, and this keeps on going.
That won't protect them. There are already laws in place to deal with that because otherwise companies use the same tactic to pay bribes. They can't hide it - the transfer into the bitcoin wallets is public information, and it is easy to see that the ransomware gang sent the key.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Me four (and justified in my longer comment).
Re:Jail the Execs (Score:4, Informative)
What is the precise nature and legal basis for this stick you are imagining? An American can't punish companies for not doing something he thinks they ought to. He needs to have some kind of statutory justification.
Re: (Score:2)
Well actually you can, it's a process. First part of the process, establish what the proper way to manage computer network security is. The NSA comes up with a series of network setups that are safe, secure and reliable. The government must commit, the NSA must audit the hardware and software to ensure it is secure.
So range of software, range of hardware and method to manage to, network set up and by default parallel networks. One secure for internal, controlled access at all points, the other less secure of
Re: (Score:2)
I don't know what insurance regulations can be implemented, but it might help.
I've filled out a ton of surveys for smaller orgs buying "cyber insurance" which is supposed to cover these events. The forms all ask, in an abbreviated way, for mitigation information. I suspect they don't really care and it's just tied to actuarial risk models.
But what if you implemented regulations that prohibited cyber insurance payouts if firms were dishonest (I'm pretty sure most forms I've filled out have been filled out a
Re: (Score:2)
Some are getting serious. I actually just filled out one of those forms today. It was more detailed than the ones I have completed in the past, which was interesting.
Working with our breach counsel (external attorneys), they made it clear that dishonesty on the form is grounds for nullification of the policy if a breach occurs. I had to provide supporting evidence along with my answers to our internal counsel before the form was signed off on by the CISO and CIO.
$10 million as a ransomware rider is nice, bu
Re: (Score:2)
Sure, lying about insurance qualification questions has always been grounds for policy nullification. That's not really new.
But I suppose maybe insurance companies are both demanding more upfront documentation and maybe conducting audits to ensure the systems actually are in place.
Re: Jail the Execs (Score:2)
They only require those hoops if we file a claim. Pulling it all together in advance was the external lawyers justifying their ungodly fee.
Re: (Score:2)
The trick is to get the regulations. They must start from some bill Congress passed. You can just see the lobbyists lining up and lining their pockets for such a bill. Every industry will have some variant of: Oh, not us, we're Special, you need to regulate those Other Guys.
Re: (Score:2)
Until the executives of hacked companies face hard time, or at least, complete impoverishment, they will NEVER commit the resources for proper defense. This has always been the problem. What did it cost the execs at Xperian, for example, when the credit records of tens of millions were exposed? Nothing.
Fines would be more effective, otherwise the C-Level execs will just pass the blame along to Bill the Engineer (like VW tried to do with Dieselgate) and Bill ends up being jailed. High priced lawyers will see that execs are protected and a (likely false) paper trail will implicate Bill
Hurting the bottom line will have shareholders asking why this happened and they can't wring 100 million out of Bill the Engineer, legally or otherwise because he doesn't have it.
However the point of both our posts is th
Security has no ROI... (Score:2, Insightful)
Unless the top brass of a company see jail time, it will be business as usual, and attackers will be emboldened. Security has no ROI, and companies know that. Plus, when a publicly traded business gets hit, it is a major cash source to short sell the company stock before the announcement of a breach is made, then buy it back a few days later, ensuring proper compensation for hard working CEOs.
Nothing is going to change, and government in the US and Europe solely exists to ensure business can succeed.
Re: (Score:1)
Security has no ROI...
Wrong.
Make paying ransoms that stem from cyberattacks illegal, and I can assure you that they'll understand the ROI of either being in business, or shutting the fucking doors, since most of them can't manage to secure and back up their shit properly (also known as the reason ransomware is a multi-billion dollar business.)
Don't negotiate with terrorists. That should apply to cyber-terrorism as well, especially when they're going to steal your data before encrypting it, and extort you monthly to prevent leak
Re: (Score:2)
You have a choice. Don't negotiate and have your data leaked and stolen, or strike up a deal, and have a chance at doing business again.
Most often, the ransom is cheaper than setting up backups anyway, so pay it, write it off as a cost of business, and go on with life.
When you say "cost of business", are you referring to the monthly shakedown tactics that will almost assuredly become commonplace? How exactly do you "go on with life" again when your IP gets leaked, because greedy criminals are dishonest about deleting your IP once they get paid, and instead sell it off? And what exactly will you explain to the Board as to the "write it off" expenses that used to be quarterly Board distributions? To the shareholders who are watching your stock tank based on the whirlwin
Re: (Score:2)
Per the business, it would cost 10 million dollars to address all the technical debt. For one product out of 250, it costs about $100,000 just to run all the necessary tests and checks to move it into production. Just one product (it is the biggest one though). While the average ransomware attack is 300k a year, it's not hitting the same company every time.
With the company laying folks off willy nilly, eliminating Operations and moving management of applications to the Devs and Engineers and migrating every
Re: (Score:2)
Per the business, it would cost 10 million dollars to address all the technical debt. For one product out of 250, it costs about $100,000 just to run all the necessary tests and checks to move it into production. Just one product (it is the biggest one though). While the average ransomware attack is 300k a year, it's not hitting the same company every time.
With the company laying folks off willy nilly, eliminating Operations and moving management of applications to the Devs and Engineers and migrating everything to the cloud, they're saving tons of money just for that ransomware attack.
[John]
The "tons" of money you're referring to, ends up in the pockets of executives as bonuses. Ransom payouts are what fucking insurance is for. Or if you're Too Big to Fail, taxpayers.
Duh.
And 95% of companies do this with "extra" money. The ones that don't, are the obscenely wealthy ones who can't possibly shift that much revenue into pockets, and their tax coffers in Ireland are quite bursting.
And when it comes to preventing ransomware attacks, the most expensive "product" you have to fix, is the click-happy
Re: (Score:2)
Make paying ransoms illegal? That's interfering with the Supreme Court-given rights of treating them like children. Conservatives and Libertarians would scream you are interfering in the economy. Republicans would tear their hair out and threaten to stop watching Fox News. . .I lied on that last one. . .just a little.
Re: (Score:2)
Make paying ransoms illegal? That's interfering with the Supreme Court-given rights of treating them like children. Conservatives and Libertarians would scream you are interfering in the economy. Republicans would tear their hair out and threaten to stop watching Fox News. . .I lied on that last one. . .just a little.
Perhaps you're right. Just ignore it. Don't do a damn thing, including securing anything.
Enjoy the monthly shakedowns from the Digital Mafia. The Cyber Insurance Complex will be the next corrupt industry taxpayers are cursing.
Re: (Score:2)
Plus, when a publicly traded business gets hit, it is a major cash source to short sell the company stock before the announcement of a breach is made, then buy it back a few days later, ensuring proper compensation for hard working CEOs.
No CEO would do such a blatantly illegal thing.
Start with the NSA (Score:2)
Re: (Score:2)
They know the holes and keep them to themselves so they can hack other governments. Require them to open source every hacking tool they have, and tell the vendors of any holes they find.
They DID open source their tools (cough, EternalBlue, cough)
It just wasn't ah shall we say...voluntary.
Re: (Score:2)
Plus public announcements of C-level HEAVY fines and cancelled govt contracts. OPM decision makers should have been jailed. Same for Equifax.
Re: (Score:2)
What has Fauci ever done to you except attempt to keep you from being dead? Biden seems to have done more in six months than the entire term of the former alleged president. . .Fran Drescher had a book called "Enter Whining", every time I see the former alleged president, his mouth is open and I think of that book.
For a working cyber security strategy .. (Score:2)
Start with ditching Windows (Score:1)
There is a first step in every rehab, it is recognizing the addiction. So recognize it and ditch Windows. (And by that I do not mean go diving into the sneakware Apple ecosystem)
Re: (Score:2)
Modded down by a slithering Apple smurf no doubt. Sneaking again.
Re: (Score:1)
And ditch Intel hardware while you're about it!
I have the solution :] (Score:1)
Don't hire morons to run your critical infrastructure!
Re: (Score:2)
Technically it's the management teams that are the morons (or have other priorities). The techs that run the infrastructure are doing their best with bailing wire and duct tape. If management won't spend the money to keep the infrastructure current, don't blame the folks running things.
[John]
Idiots (Score:2)
This is the usual "if you don't do it voluntarily, we will force you by regulation." "Oh, you did it voluntarily, so you're lucky -- no regulation." Then, it turns out that "it" was trivial and does not really work.
Real regulation is needed. Period. Not nicey-nice stupidity.
Make security audits ... (Score:2)
A condition of government contracts and subsidies.
Nah, forget it, lobbying would mean that will never happen.