US National Cyber Strategy To Stress Biden Push on Regulation (washingtonpost.com) 29
The Biden administration is set to unveil a national strategy that for the first time calls for comprehensive cybersecurity regulation of the nation's critical infrastructure, explicitly recognizing that years of a voluntary approach have failed to secure the nation against cyberattacks, according to senior administration officials. From a report: The strategy builds on the first-ever oil and gas pipeline regulations imposed last year by the administration after a hack of one of the country's largest pipelines led to a temporary shutdown, causing long lines at gas stations and fears of a fuel shortage. The attack on Colonial Pipeline by Russian-speaking criminals elevated ransomware to an issue of national security. The strategy, drawn up by the White House Office of the National Cyber Director (ONCD), is moving through the final stages of interagency approval -- involving more than 20 departments and agencies -- and is expected to be signed by President Biden in the coming weeks, according to the officials, who spoke on the condition of anonymity because the document is not yet public.
"It's a break from the previous strategies, which focused on information sharing and public-private partnership as the solution," said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies think tank. "This goes well beyond that. It says things that others have been afraid to say." For instance, according to a draft copy of the strategy, one of the stated goals is: "Use Regulation to support National Security and Public Safety." Under that, it says that regulation "can level the playing field" to meet the needs of national security, according to two individuals familiar with the draft. It also states that "while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases inadequate, outcomes."
"It's a break from the previous strategies, which focused on information sharing and public-private partnership as the solution," said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies think tank. "This goes well beyond that. It says things that others have been afraid to say." For instance, according to a draft copy of the strategy, one of the stated goals is: "Use Regulation to support National Security and Public Safety." Under that, it says that regulation "can level the playing field" to meet the needs of national security, according to two individuals familiar with the draft. It also states that "while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases inadequate, outcomes."
More and more government.... (Score:1, Insightful)
Surprise surprise, Government's response to all issues is more government and more control
the United States is not the free country people still blindly believe it is.
Re:More and more government.... (Score:4, Insightful)
Really? Cybersecurity for infrastructure hardly seems like government overreach. In fact, it's one of the first policy shifts I've seen in a long time that could rightfully be reported as, "In a Shocking Twist, Government Decides to Do It's Job!" Protecting infrastructure is a government's main task. Critical cyber infrastructure (who would have guessed that would be a thing forty years ago) is crucial and has been long before the government finally got the memo.
Don't get me wrong, the United States Government is not without sin in this regard. But if we're going to protest their actions that strip us of rights, seemingly on a daily basis, let's not lose sight of reality in the process. This could be a good thing, depending on how they implement. And while I get the urge to decry all government actions as tyrannical overreach? This one strikes me as one of the more sane changes we've seen at the national level in a long, long time. Let's not scold them for trying to do the right thing, even if it's a little late.
Re: (Score:2)
Protecting infrastructure is a government's main task.
I'm not sure I would say "main," but backing up a bit, the fundamental question is does the vulnerability of our infrastructure derive from the malice of others using some sophisticated attack, or is it more a matter of institutional negligence? If a sinkhole opens up in a road because poor materials were chosen, the people doing the work lack qualification and supervision, and once in use, there was no maintenance of the road, I don't see the problem as a lack of regulation but a lack of accountability. I
Re: (Score:3, Insightful)
> This could be a good thing, depending on how they implement.
I agree, but I highly doubt they will implement it wisely. Big regulatory regimes (like SOX, HIPPA, GDPR, etc.) tend to create a lot of activity around documenting and auditing. It takes a lot of energy away from developers/engineers who are actually interested in solving these problems. Worse, auditors don't know shit about technology: they often focus on irrelevant minutiae, overlook actual problems, and push the product in questionable dire
Re:More and more government.... (Score:4, Insightful)
Your brethren have been fed the "government is always evil" lie for far too long for them to recognize any good coming from government. Welcome to the radicalization of modern American conservatives.
Scope (Score:2)
The problem with regulating "critical cyber infrastructure" is scope. What exactly do you deem critical? Sure - energy is critical, water is critical, healthcare...
What about logistics? Say an adversary takes down FedEX and UPS at the same time and the economy grinds to a halt, and people who need critical deliveries start dying? Are they now critical?
What about retail? Look at the chaos around baby formula recently. Now imagine that was amped up to 11 and done on purpose via orchestrated attacks against al
Re: (Score:2)
That isn't a problem, it is already fairly well defined [cisa.gov].
Re: Scope (Score:2)
I realize that list exists, thanks.
My point is that it is outdated thinking to view this as all there is to critical infrastructure.
Re: (Score:2)
The actual definition is:
As defined by USA Patriot Act of 2001 (42 U.S.C. 5195c(e)), critical infrastructure includes any "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
It is fairly flexible and supports your assertion that the nitty-gritty of what is "critical infrastructure" is up to interpretation and ever-changing.
Re: (Score:2)
Cybersecurity for infrastructure hardly seems like government overreach.
Who gets to decide if my system is 'infrastructure'? Look at all the crap we got when it was proposed to make telecoms 'common carriers'. They just said "No, we're not." And that was the end of it. They'll just say that they are providing interconnections for gaming or buying stuff off Amazon. And and anyone who uses these systems for anything else is just violating some T&C that states the provider is not liable for any damages for its use (like Microsoft does).
Utilities figures this out years ago and
Re: (Score:3, Insightful)
Surprise surprise, Government's response to all issues is more government and more control the United States is not the free country people still blindly believe it is.
Actually, we have seen the opposite, until now the Republican party has no ability to govern
In the end, the no regulations crowd became reality television and "pwning the libs" and regulations of any sort is communism.
And it fails hard. Governments were not ever meant to be run like Orange County Choppers.
Re: (Score:2)
I like to give those people seizures by asking what we should do about our socialized roads!
Re: (Score:2)
I like to give those people seizures by asking what we should do about our socialized roads!
Gaddamed socialist snowplows tryin' to take over every winter.
Or the Tea party retread with his "Keep your damned goverment hands of my Medicare!"
And my favorite - "What the hell is the damned government doing launching these damned weather satellites anyhow? They can just get the weather information from The Weather Channel, like everyone else!"
Re: (Score:2)
Right. Tell us, why do you think there are government regulations? Have you ever seen a politician say they wanted to regulate something, without a huge groundswell from the voters? We partially deregulated banking in the late eighties (regulations from the Great Depression)... and the S&L scandal was the result, and a recession. We deregulated telecom in the late nineties, and the result was the tech bubble, and recession. We got rid of Glass-Steagal... and got the world-wide collapse of '08.
Yeah, come
Re: (Score:2)
Actually, Government's response to the industry being unable to fix their act is to force them to do it and very late too. Do you have some comprehension disability?
Simple Start (Score:3)
Re: (Score:2)
Re: (Score:2)
less cost effective but far more secure.
And there's your answer; capitalism. Our power infrastructure is largely owned by corporations who have no interest in anything other than maximizing profits. Without regulation, any corner than can be cut will be cut.
Re: (Score:2)
Because you are going to get a lot of push back from engineers and managers who want to log on and check or maintain the status of some SCADA system from Starbucks.
Using the same laptop that they use to surf porn.
Re: Simple Start (Score:1)
You are assuming that a private network does not need to verify outside that entity who is a current end user and what they are currently doing. That is technically what presentation/application layers historically assume and is also where most exploits are.
Re: (Score:2)
That sounds nice in theory and is infeasible in practice.
You want more security? (Score:3, Funny)
Make Microsoft Windows illegal on any government-owned computers and also include banks, power generation, space and military.
Wapo me wapo (Score:2)
Paywalln't link [msn.com]
Best Option Not the Most Likely One (Score:2)
Re: (Score:2)
They already do that [cisa.gov].
"Voluntary" does not work (Score:2)
Most C-levels are too greedy for that. They all hope to get out with a big bonus and that it hits the next guy but not them. Hence regulation. And it is past time that the incompetent bumbling about of the industry in the critical infrastructure sector is stopped. I predict the rest of the industry will get that too eventually, the cost to society is just way too large otherwise.