Biden Signs NDAA Relying on Voluntary Private-Sector Cybersecurity Collaboration (nextgov.com)
President Joe Biden has signed into law the National Defense Authorization Act of 2022 which codifies an approach to cybersecurity that depends on the decisions of private-sector entities to protect the bulk of the nation's critical infrastructure. From a report: The NDAA has become the go-to legislative vehicle for efforts to manage the federal government at large, and to regulate the private sector on cybersecurity issues. On the government side, the law requires the Cybersecurity and Infrastructure Security Agency to biennially update an incident response plan and to consult with sector-specific agencies and the private sector in establishing an exercise program to assess its effectiveness. It seeks to "ensure that the National Guard can provide cyber support services to critical infrastructure entities -- including local governments and businesses," according to Sen. Maggie Hassan, D-N.H. It also establishes a grant program at the Homeland Security Department to foster collaboration on cybersecurity technologies between public and private-sector entities in the U.S. and Israel.
Lawmakers also highlighted the inclusion of provisions codifying existing public-private partnerships at CISA which aim to offer continuous monitoring of industrial control systems -- an effort known as the CyberSentry program -- and to develop 'know your customer' guidelines for companies like cloud and other service providers comprising the "internet ecosystem." Such companies are described as the plank bearers of CISA's Joint Cyber Defense Collaborative. But the provisions all rely on voluntary participation by industry, which owns and operates the vast majority of the nation's critical infrastructure. Despite bipartisan calls following the SolarWinds, Microsoft Exchange and Colonial Pipeline breaches and other hacks, the NDAA made it through the House without mandatory incident reporting requirements for the private sector.
Blabla... (Score:4, Interesting)
Biden buzzwords, more buzzwords, voluntary law, buzzy buzz...
In short: nothing will happen, businesses will not do anything unless non-compliance gets them a considerable fine.
Liability (Score:2)
If you want a short and non-vacuous Subject. Still a weak FP. (It's actually a topic worth some serious thought, but no time now.)
Re: (Score:2)
It's called NDAA because you'll feel like you'll need a drink after reading it.
Re:Blabla... (Score:4, Funny)
They're not "Biden buzzwords".
The bill passed the House by a vote of 316 to 113. It passed the Senate 84-15.
Sure, private industry (Score:5, Insightful)
That private industry? We're screwed.
Re: (Score:2)
All things considered, it does a pretty good job. Economies that have traditionally relied on the public sector/governments to do all of that tend to perform even worse than this, even during the best of times. Hell, the USSR was the wealthiest and most powerful of those types of economies, and they struggled to even get grocery stores to just have a limited stock of the very basic staples like flour, sugar, etc. Never mind luxury goods like consumer electronics, which were extraordinarily rare in the USSR
What a joke (Score:2)
Re: (Score:2)
I am actually opposed to regulation on principle. But there are industries that are screwing up so badly and doing so much damage to society that there really is no other choice. The software and IT industry is doing so abysmally bad that this simply cannot continue. So regulate it, require minimal standards of everything, including the people writing software and maintaining IT installations. For security-critical software and systems, require at the very least a BA engineering degree with a speciali
Re: (Score:2)
Re: (Score:2)
Nope. One of the things I do these days is regulatory audits for IT Security. In many things I have to do two audits: 1. Compliance 2. Technical security. Sometimes these have opposite requirements. The reason I am opposed to regulation is that the rules generated are usually disconnected from reality and sometimes do more harm than good. The reason I see no other way than regulation is the accountability that comes with it.
Here is one more hint: Standardization and regulation are two different things.
Also,
Re: (Score:2)
Also, "this country"? Nationalist much? I am not US-based.
You... did see the subject of the article you posted your comment under, right? I don't know if you are familiar with how such things generally operate, but when Biden signs a bill into law, it is normally in the US.
Re: (Score:2)
Yeah, that's a pretty typical European move. They go to a US-based website that primarily covers US issues, and then complain in an article on said site that specifically applies to the US that you're ignorant because you aren't thinking of them as well, notwithstanding the fact that the topic has no impact on them. They just want to feel important.
Re: (Score:2)
The thing that is so hard about regulating technology is that it changes so rapidly, which is basically something that software enables. With physical inventions, it costs a lot more and takes a lot more time to iterate on your designs. With software it's easy, I just change a few bytes and get a completely different output. I can prototype a LOT more in software than I can with hardware. Even with electronic hardware, if I make a mistake, I might fry an expensive part and then have to order another one and
Re: (Score:2)
The only way you get something effective is to establish standards and regulations. Of course we are dealing with decades of neglect and FUD when it comes to regulations.
Effective at what? Sabotaging security? Clipper and Dual_EC_DRBG were magnificent standards.
The government burned that bridge decades ago now. They cannot be trusted with computer security.
Insurance (Score:2)
"Voluntary Collaboration" Again (Score:2)
Another law that ensures US federal money is spent buying overpriced, and minimum quality, services from rich 'people'.
Will this affect me? (Score:2)
Re: (Score:2)
Password: 123456
Hey, that's the same as the combination on my luggage!
The real source of the cybersecurity problem (Score:2)