Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
United States Security

White House Calls on America's Most Critical Companies To Improve Cyber Defenses (reuters.com) 66

The White House is signaling to U.S. critical infrastructure companies, such as energy providers that they must improve their cyber defenses because additional potential regulation is on the horizon. From a report: U.S. President Joseph Biden signed a national security memorandum on Wednesday, launching a new public-private initiative that creates "performance controls" for cybersecurity at America's most critical companies, including water treatment and electrical power plants. The recommendations are voluntary in nature, but the administration hopes it will cause companies to improve their cybersecurity ahead of other policy efforts, said a senior administration official. The announcement comes after multiple high profile cyberattacks this year crippled American companies and government agencies, including a ransomware incident which disrupted gasoline supplies. "These are the thresholds that we expect responsible owners and operators to go," said the official. "The absence of mandated cybersecurity requirements for critical infrastructure is what in many ways has brought us to the level of vulnerability that we have today."
This discussion has been archived. No new comments can be posted.

White House Calls on America's Most Critical Companies To Improve Cyber Defenses

Comments Filter:
  • Jail the Execs (Score:4, Informative)

    by dltaylor ( 7510 ) on Wednesday July 28, 2021 @01:55PM (#61630987)

    Until the executives of hacked companies face hard time, or at least, complete impoverishment, they will NEVER commit the resources for proper defense. This has always been the problem. What did it cost the execs at Xperian, for example, when the credit records of tens of millions were exposed? Nothing.

    • Agreed: Biden needs to wield a bigger stick than 'calling' or 'signalling'. 'Voluntary' is not good enough.

      • by GoTeam ( 5042081 )
        I think we're reforming the wrong part of the judicial system. Too many people get to hide behind exploited loopholes. There is no way my brother should be free right now, but he is thanks to a moronic DA(this doesn't count as proof or a reference since it is my personal circumstance).
      • Re:Jail the Execs (Score:4, Informative)

        by hey! ( 33014 ) on Wednesday July 28, 2021 @03:57PM (#61631507) Homepage Journal

        What is the precise nature and legal basis for this stick you are imagining? An American can't punish companies for not doing something he thinks they ought to. He needs to have some kind of statutory justification.

        • by rtb61 ( 674572 )

          Well actually you can, it's a process. First part of the process, establish what the proper way to manage computer network security. The NSA come up with a series of network setups that are safe, secure and reliable. The government must commit, the NSA must audit the hardware and software to ensure it is secure.

          So range of software, range of hardware and method to manage to, network set up and by default parrallel networks. One secure for internal, controlled access at all points, the other less secure of

    • I don't know what insurance regulations can be implemented, but it might help.

      I've filled out a ton of surveys for smaller orgs buying "cyber insurance" which is supposed to cover these events. The forms all ask, in an abbreviated way, for mitigation information. I suspect they don't really care and its just tied to actuarial risk models.

      But what if you implemented regulations that prohibited cyber insurance payouts if firms were dishonest (I'm pretty sure most forms I've filled out have been filled out a

      • by chill ( 34294 )

        Some are getting serious. I actually just filled out one of those forms today. It was more detailed than the ones I have completed in the past, which was interesting.

        Working with our breach counsel (external attorneys), they made it clear that dishonesty on the form is grounds for nullification of the policy if a breach occurs. I had to provide supporting evidence along with my answers to our internal counsel before the form was signed off on by the CISO and CIO.

        $10 million as a ransomware rider is nice, bu

        • Sure, lying about insurance qualification questions has always been grounds for policy nullification. That's not really new.

          But I suppose maybe insurance companies are both demanding more upfront documentation and maybe conducting audits to ensure the systems actually are in place.

          • They only require those hoops if we file a claim. Pulling it all together in advance was the external lawyers justifying their ungodly fee.

      • by gtall ( 79522 )

        The trick is to get the regulations. They must start from some bill Congress passed. You can just see the lobbyists lining up and lining their pockets for such a bill. Every industry will have some variant of: Oh, not us, we're Special, you need to regulate those Other Guys.

    • by mjwx ( 966435 )

      Until the executives of hacked companies face hard time, or at least, complete impoverishment, they will NEVER commit the resources for proper defense. This has always been the problem. What did it cost the execs at Xperian, for example, when the credit records of tens of millions were exposed? Nothing.

      Fines would be more effective, otherwise the C-Level execs will just pass the blame along to Bill the Engineer (like VW tried to do with Dieselgate) and Bill ends up being jailed. High priced lawyers will see that execs are protected and a (likely false) paper trail will implicate Bill

      Hurting the bottom line will have shareholders asking why this happened and they can't wring 100 million out of Bill the Engineer, legally or otherwise because he doesn't have it.

      However the point of both our posts is th

  • by Anonymous Coward

    Unless the top brass of a company see jail time, it will be business as usual, and attackers will be emboldened. Security has no ROI, and companies know that. Plus, when a publically traded business gets hit, it is a major cash source to short sell the company stock before the announcement of a breach is made, then buy it back a few days later, ensuring proper compensation for hard working CEOs.

    Nothing is going to change, and government in the US and Europe solely exists to ensure business can succeed.

    • Security has no ROI...

      Wrong.

      Make paying ransoms that stem from cyberattacks illegal, and I can assure you that they'll understand the ROI of either being in business, or shutting the fucking doors, since most of them can't manage to secure and back up their shit properly (also known as the reason ransomware is a multi-billion dollar business.)

      Don't negotiate with terrorists. That should apply to cyber-terrorism as well, especially when they're going to steal your data before encrypting it, and extort you monthly to prevent leak

      • by gtall ( 79522 )

        Make paying ransoms illegal? That's interfering the Supreme Court given rights of treating them like children. Conservatives and Libertarians would scream you are interfering in the economy. Republicans would tear their hair out and threaten to stop watching Fox News. . .I lied on that last one. . .just a little.

        • Make paying ransoms illegal? That's interfering the Supreme Court given rights of treating them like children. Conservatives and Libertarians would scream you are interfering in the economy. Republicans would tear their hair out and threaten to stop watching Fox News. . .I lied on that last one. . .just a little.

          Perhaps you're right. Just ignore it. Don't do a damn thing, including securing anything.

          Enjoy the monthly shakedowns from the Digital Mafia. The Cyber Insurance Complex will be the next corrupt industry taxpayers are cursing.

    • Plus, when a publically traded business gets hit, it is a major cash source to short sell the company stock before the announcement of a breach is made, then buy it back a few days later, ensuring proper compensation for hard working CEOs.

      No CEO would do such a blatantly illegal thing.

  • They know the holes and keep them to themselves so they can hack other governments. Require them to open source every hacking tool they have, and tell the vendors of any holes they find.
    • They know the holes and keep them to themselves so they can hack other governments. Require them to open source every hacking tool they have, and tell the vendors of any holes they find.

      They DID open source their tools (cough, EternalBlue, cough)

      It just wasn't ah shall we say...voluntary.

    • by schwit1 ( 797399 )

      Plus public announcements of C-level HEAVY fines and cancelled govt contracts. OPM decision makers should have been jailed. Same for Equifax.

  • Comment removed based on user account deletion
  • ... start with introducing the death penalty for using MS products.
  • There is a first step in every rehab, it is recognizing the addiction. So recognize it and ditch Windows. (And by that I do not mean go diving into the sneakware Apple ecosystem)

    • Modded down by a slithering Apple smurf no doubt. Sneaking again.

      • Tough Love [slashdot.org]: “There is a first step in every rehab, it is recognizing the addiction. So recognize it and ditch Windows. (And by that I do not mean go diving into the sneakware Apple ecosystem)

        And ditch Intel hardware while you're about it!
  • Don't put your critical infrastructure on the Internet.

    Don't hire morons to run your critical infrastructure!
    • by Bigbutt ( 65939 )

      Technically it's the management teams that are the morons (or have other priorities). The techs that run the infrastructure are doing their best with bailing wire and duct tape. If management won't spend the money to keep the infrastructure current, don't blame the folks running things.

      [John]

  • This is the usual "if you don't do it voluntarily, we will force you by regulation." "Oh, you did it voluntarily, so you're lucky -- no regulation." Then, it turns out that "it" was trivial and does not really work.

    Real regulation is needed. Period. Not nicey-nice stupidity.

  • A condition of government contracts and subsidies.

    Nah, forget it, lobbying would mean that will never happen.

  • by Ultimer ( 8105522 )
    Actually, I don't know, but maybe it's a good thing. I am always very worried about security, and national security is important for our population. I would do anything to protect the nation. I even did a lot to protect my house. I gave a decent amount of money to install motion sensors, smoke sensors, and water leakage sensors to protect myself from a fire or flood or much worse hacking. So far, these Ajax sensors https://ajax.systems/ [ajax.systems] are working very well, so I'm calm, but we really should think about na

Genius is ten percent inspiration and fifty percent capital gains.

Working...