Biden Signs NDAA Relying on Voluntary Private-Sector Cybersecurity Collaboration

President Joe Biden has signed into law the National Defense Authorization Act of 2022 which codifies an approach to cybersecurity that depends on the decisions of private-sector entities to protect the bulk of the nation's critical infrastructure. From a report: The NDAA has become the go-to legislative vehicle for efforts to manage the federal government at large, and to regulate the private sector on cybersecurity issues. On the government side, the law requires the Cybersecurity and Infrastructure Security Agency to biennially update an incident response plan and to consult with sector-specific agencies and the private sector in establishing an exercise program to assess its effectiveness. It seeks to "ensure that the National Guard can provide cyber support services to critical infrastructure entities -- including local governments and businesses," according to Sen. Maggie Hassan, D-N.H. It also establishes a grant program at the Homeland Security Department to foster collaboration on cybersecurity technologies between public and private-sector entities in the U.S. and Israel.

Lawmakers also highlighted the inclusion of provisions codifying existing public-private partnerships at CISA which aim to offer continuous monitoring of industrial control systems -- an effort known as the CyberSentry program -- and to develop 'know your customer' guidelines for companies like cloud and other service providers comprising the "internet ecosystem." Such companies are described as the plank bearers of CISA's Joint Cyber Defense Collaborative. But provisions all rely on the voluntary participation by industry, which owns and operates the vast majority of the nation's critical infrastructure. Despite bipartisan calls after massive breaches at SolarWinds, Microsoft Exchange, Colonial Pipeline and other hacks, the NDAA made it through the House without mandatory incident reporting requirements for the private sector.

Blabla...

[suss]

Biden buzzwords, more buzzwords, voluntary law, buzzy buzz...

In short: nothing will happen, businesses will not do anything unless non-compliance gets them a considerable fine.

Liability

[shanen]

If you want a short and non-vacuous Subject. Still a weak FP. (It's actually a topic worth some serious thought, but no time now.)

Re:

[magusxxx]

It's called NDAA because you'll feel like you'll need a drink after reading it.

Re:Blabla...

[PopeRatzo]

Biden buzzwords

They're not "Biden buzzwords".

The bill passed the House by a vote of 316 to 113. It passed the Senate 84-15.

Sure, private industry

[smooth wombat]

The same place which can't keep people's data secure [slashdot.org] for even a month, who routinely are held ransom [slashdot.org] because they're too inept to secure themselves, who can't keep shelves stocked or make product available [cnn.com] when the tiniest thing goes wrong, who have bribed elected officials to get rid of as much competition as possible, who at this point are writing laws to benefit themselves [nytimes.com], who can't even regulate themselves [nymag.com]?

That private industry? We're screwed.

Re:

[ArmoredDragon]

All things considered, it does a pretty good job. Economies that have traditionally relied on the public sector/governments to do all of that tend to perform even worse than this, even during the best of times. Hell, the USSR was the wealthiest and most powerful of those types of economies, and they struggled to even get grocery stores to just have a limited stock of the very basic staples like flour, sugar, etc. Never mind luxury goods like consumer electronics, which were extraordinarily rare in the USSR

What a joke

[Revek]

The only way you get something effective is to establish standards and regulations. Of course we are dealing with decades of neglect and FUD when it comes to regulations.

Re:

[gweihir]

I am actually opposed to regulation on principle. But there are industries that are screwing up so badly and doing so much damage to society that there really is no other choice. The software and IT industry is doing so abysmally bad that this simply cannot continue. So regulate it, require minimal-standards of everything, including the people writing software and maintaining IT installations. For security-critical software and systems, require at the very least least a BA engineering degree with a speciali

Re:

[Revek]

Of course you are. You have swallowed the idea that its bad for you. Deregulation is why we have boom/bust gas prices. Its the reason why we don't have better consumer protections. Its what is destroying the US. You idea of regulation is nothing more than a self serving version of it. Until we do away with the deregulation myth and move forward we can't only fail as a nation. Regulation made this country great. It made the railroads compatible. The electrical grid possible. In short it made things

Re:

[gweihir]

Nope. One of the things I do these days is regulatory audits for IT Security. In many things I have to do two audits: 1. Compliance 2. Technical security. Sometimes these have opposite requirements. The reason I am opposed to regulation is that the rules generated are usually disconnected from reality and sometimes do more harm than good. The reason I see no other way than regulation is the accountability that comes with it.

Here is one more hint: Standardization and regulation are two different things.

Also,

Re:

[LeeLynx]

Also, "this country"? Nationalist much? I am not US-based.

You... did see the subject of the article you posted your comment under, right? I don't know if you are familiar with how such things generally operate, but when Biden signs a bill into law, it is normally in the US.

Re:

[ArmoredDragon]

Yeah that's a pretty typical European move. They go to a US based website that primarily covers US issues, and then complain in an article on said site that specifically applies to the US that you're ignorant because you aren't thinking of them as well, the fact that the topic has no impact on them is notwithstanding. They just want to feel important.

Re:

[ArmoredDragon]

The thing that is so hard about regulating technology is that it changes so rapidly, which is basically something that software enables. With physical inventions, it costs a lot more and takes a lot more time to iterate on your designs. With software it's easy, I just change a few bytes and get a completely different output. I can prototype a LOT more in software than I can with hardware. Even with electronic hardware, if I make a mistake, I might fry an expensive part and then have to order another one and

Re:

[Agripa]

The only way you get something effective is to establish standards and regulations. Of course we are dealing with decades of neglect and FUD when it comes to regulations.

Effective at what? Sabotaging security? Clipper and Dual_EC_DRBG were magnificent standards.

The government burned that bridge decades ago now. They cannot be trusted with computer security.

Insurance

[photonrider]

For a long time it's been speculated that it'd take insurance companies to pressure corporations to step up their infosec game. We're starting to see that happening in the last couple years. This year it's gotten to the point that if you don't have certain tickets punched it costs a 5-10% co-insurance fee. It's still not enough, but the pendulum might be starting to shift.

"Voluntary Collaboration" Again

[NotEmmanuelGoldstein]

... private-sector entities in the U.S. and Israel.

Another law that ensures US federal money is spent buying overpriced, and minimum quality, services from rich 'people'.

Will this affect me?

[VeryFluffyBunny]

I'm a subcontractor to the CIA, NSA & Pentagon (not) & my credentials on every server I work on are Username: root, Password: 123456 (It's worked fine so far as far as I can tell, so why change it?). Will Biden's cyber security NDAA affect me?

Re:

[LeeLynx]

Password: 123456

Hey, that's the same as the combination on my luggage!

The real source of the cybersecurity problem

[takionya]

Anyone who used cyber in a sentence is a fcuking idiot. The root cause of the problem is Microsoft Windows running on Inter hardware. both of which should be taken outback and shot!