Inside Cybersecurity

May 6, 2024

Cyber incident reporting, software security initiatives among hot topics at RSA as agency leaders, policy vets convene in San Francisco

The annual RSA conference in San Francisco launches today with a packed agenda that includes sessions on cyber incident reporting, software security and the national cyber strategy, and features heavy hitters including CISA Director Jen Easterly, National Cyber Director Harry Coker and Homeland Security Secretary Alejandro Mayorkas.

The theme of the 2024 RSA conference is “The Art of the Possible.” Mayorkas kicks off the Tuesday agenda in a keynote session on the Department of Homeland Security’s artificial intelligence work...

CISA-facilitated community group offers guidance on SBOM sharing use cases

The Cybersecurity and Infrastructure Security Agency is providing details on current practices for sharing Software Bill of Materials information, as part of a community-led working group’s efforts to promote the adoption of transparency best practices.

The group is providing “examples of how software bill of materials (SBOM) can be shared between different actors across the software supply chain,” according to the white paper published on May 3.

The white paper comes from a CISA-facilitated community working group focused on...

CISA grants 30-day extension for input on incident reporting rule

The Cybersecurity and Infrastructure Security Agency has agreed to an industry request for an additional 30 days to comment on the proposed cyber incident reporting regulation for critical infrastructure, moving the deadline for comments on the landmark rulemaking to July 3.

The extension was formally announced in a Federal Register notice today, but House Homeland Security cyber subcommittee Chairman Andrew Garbarino (R-NY) publicly revealed CISA’s move at a May 1 hearing on the rulemaking under the Cyber Incident...

The Week Ahead: Senate Commerce considers consumer data security; House appropriators examine FCC budget

A Senate Commerce subcommittee considers moves to enhance the security and privacy of consumer data this week, while House appropriators examine the Federal Communications Commission’s budget request for fiscal 2025.

The Senate Commerce subcommittee on consumer protection, product safety and data security holds the data privacy hearing on Wednesday. The subcommittee will hear from James Lee of the Identity Theft Resource Center, Sam Kaplan of Palo Alto Networks and New America’s Prem Trivedi.

The meeting will specifically focus on...

DHS chief Mayorkas highlights Microsoft cyber commitments following critical CSRB report

Homeland Security Secretary Alejandro Mayorkas is recognizing Microsoft’s progress in addressing cybersecurity shortcomings identified in an April Cyber Safety Review Board report, as the tech giant in a blog post details its commitment to security principles.

“We applaud Microsoft for its commitment to strengthen its security by embracing and acting upon the recommendations of the Cyber Safety Review Board and further advancing the company’s Secure Future Initiative,” Mayorkas said today in a statement.

Mayorkas said, “Microsoft’s full cooperation with the...

Former ONCD official outlines evolving priorities for implementation of national cyber strategy

An updated version of the implementation plan for the national cybersecurity strategy should focus on near-term efforts to address supply chain issues with new authorities and build the cyber workforce, according to former Office of the National Cyber Director official Camille Stewart Gloster.

The iterative implementation planning process for the national cyber strategy is meant to “focus on targeted actions in the near-term and doesn’t seek to boil the ocean,” Stewart Gloster explained in a Thursday webinar hosted by...

DNI Haines cites intensifying cyber threats at Senate Armed Services hearing

Director of National Intelligence Avril Haines stressed the need to improve cybersecurity practices in critical infrastructure amid one of the “most pernicious transnational threats” facing the United States, at a Senate Armed Services Committee hearing on the intelligence community’s 2024 global threat assessment.

“We have seen a massive increase in the number of ransomware attacks globally in the last year, which went up as much as 74 percent in 2023. U.S. entities were the most heavily targeted, with attacks against...

Sens. Warner, Tillis offer bill to bolster tracking of AI-powered cybersecurity incidents

Senate Intelligence Chairman Mark Warner (D-VA) and Sen. Thom Tillis (R-NC) have introduced a bill to leverage and supplement existing cybersecurity vulnerability disclosure and tracking programs for use in the artificial intelligence realm, with provisions including a new “voluntary database to record AI-related cybersecurity incidents including so-called ‘near miss’ events,” according to the senators.

The bill, the “Secure Artificial Intelligence Act,” was introduced Wednesday and aims to “improve the tracking and processing of [AI] security and safety incidents and...

CISA, FBI publish secure by design alert on class of vulnerability affecting health, education sectors

The Cybersecurity and Infrastructure Security Agency and FBI are raising awareness of best practices to eliminate directory traversal vulnerabilities in software, in the latest entry of the secure by design alert series.

“Approaches to avoid directory traversal vulnerabilities are known, yet threat actors continue to exploit these vulnerabilities which have impacted the operation of critical services, including hospital and school operations,” CISA said in the alert issued on Thursday.
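To make the class of bug concrete, here is an added illustration that is not part of the CISA/FBI alert or of this article: a file-serving routine that concatenates user input onto a base directory (the traversal-prone pattern), beside two hardened alternatives, one that resolves the path and verifies it stays inside the served directory, and one that never lets user input name a file on disk at all, storing each upload under a random identifier and keeping the user-chosen name as separate metadata. The directory layout, file names and request strings are constructed for the example.

```python
"""Directory traversal: vulnerable file serving vs. two hardened versions.

Added example, not code from the CISA/FBI alert. The served directory,
sample files and request paths below are constructed for illustration.
"""
import os
import secrets
import tempfile

# Constructed sandbox: one legitimate file inside the served directory and one
# "secret" file one level up that a traversal attempt would try to reach.
ROOT = tempfile.mkdtemp()
SERVED = os.path.join(ROOT, "uploads")
os.makedirs(SERVED)
with open(os.path.join(SERVED, "report.pdf"), "wb") as fh:
    fh.write(b"%PDF-1.4 constructed sample")
with open(os.path.join(ROOT, "secret.txt"), "wb") as fh:
    fh.write(b"outside the served directory")


def read_vulnerable(requested):
    """Traversal-prone: user input is joined straight onto the base path.

    A request such as "../secret.txt" resolves outside SERVED.
    """
    with open(os.path.join(SERVED, requested), "rb") as f:
        return f.read()


def read_hardened(requested):
    """Resolve the path, then verify it is still beneath SERVED."""
    # Reject NUL bytes, absolute paths and backslashes before touching the filesystem.
    if "\x00" in requested or requested.startswith(("/", "\\")) or "\\" in requested:
        raise PermissionError("rejected path: %r" % requested)
    base = os.path.realpath(SERVED)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath, not startswith: "/srv/uploads2" would pass a prefix check
    # against "/srv/uploads" but is not inside it.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes served directory: %r" % requested)
    if not os.path.isfile(target):
        raise FileNotFoundError(requested)
    with open(target, "rb") as f:
        return f.read()


# Second hardened design: the on-disk name is a random identifier generated by
# the server; the user-supplied name is only metadata and never becomes a path.
_FILES = {}  # file_id -> user-supplied display name (constructed in-memory store)


def store(display_name, data):
    """Write data under a server-chosen random id; return that id."""
    file_id = secrets.token_hex(16)  # hex only, so it can never contain a path separator
    with open(os.path.join(SERVED, file_id), "wb") as f:
        f.write(data)
    _FILES[file_id] = display_name
    return file_id


def read_by_id(file_id):
    """Look the id up in the metadata store; unknown ids never reach the filesystem."""
    if file_id not in _FILES:
        raise FileNotFoundError(file_id)
    with open(os.path.join(SERVED, file_id), "rb") as f:
        return f.read()
```

In `read_hardened` the order matters: reject hostile input first, canonicalize with `realpath` so symlinks and `..` segments are collapsed, and only then compare with `commonpath`; a `startswith` check on the raw string is the classic way this mitigation is itself bypassed. The identifier-based design in `store`/`read_by_id` removes the path-construction step entirely, which is why a display name like `../../etc/passwd` is harmless there.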

CISA’s secure by design alert series is aimed at illuminating how...

House panel addresses need for harmonization in upcoming CISA incident reporting regime, scoping key definitions

Lawmakers at a House hearing sought to get an understanding of how the Cybersecurity and Infrastructure Security Agency can implement an effective mandatory incident reporting regime that meets the intent of the 2022 law, including harmonizing requirements across agencies and scoping what information is needed to provide value to all stakeholders.

“Since CIRCIA was signed into law, the American people have continued to feel the impacts of numerous costly intrusions into critical infrastructure sectors by cyber threat actors, from the...

CISA and partners issue alert on Russian ‘hacktivist’ activity targeting water systems

The Cybersecurity and Infrastructure Security Agency is urging industrial control system and operational technology owners to take actions to address threats from Russian “hacktivists” targeting water and wastewater systems and other critical infrastructure sectors, in a new alert with federal and international partners.

Through a fact sheet, the multi-seal product “provides information and mitigations associated with cyber operations conducted by pro-Russia hacktivists who seek to compromise industrial control systems (ICS) and small-scale operational technology (OT) systems in North American and...

Former CISA risk management leader sees opportunity for prioritizing cloud providers under national security memo

Bob Kolasky, former chief of the CISA National Risk Management Center, says there are opportunities for more oversight over cloud service providers under President Biden’s national security memorandum updating the government’s decade-old policy for the resilience and security of critical infrastructure.

“The NSM maintains the sector structure as it is, which is not a surprise given the goals of the policy to maintain continuity of how industry and government work together. It does leave open the opportunity to adjust the...

Senate panel seeks transparency over sensitive health information exposed under Change Healthcare breach

Senate Finance Committee Chairman Ron Wyden (D-OR) compared the February cyber attack on Change Healthcare to the 2015 Office of Personnel Management breach at a Tuesday hearing, in terms of the impact to sensitive medical information of individuals and military personnel held by UnitedHealth Group.

“Change Healthcare processes roughly 15 billion healthcare transactions annually, and a third of American patients’ records pass through its digital doors,” Wyden said in opening remarks at the committee hearing.

Wyden said medical bills...

DHS receives duties to produce national risk management plan under critical infrastructure memo

The Department of Homeland Security will take a central role in President Biden's update to a decade-old policy directive outlining the government's new approach to addressing critical infrastructure resilience, including the development of a nationwide plan for risk management informed by work at the Cybersecurity and Infrastructure Security Agency and sector-specific agencies.

“The Secretary of Homeland Security shall develop and submit to the President on a recurring basis every 2 years a National Infrastructure Risk Management Plan (National Plan), which shall...

Industry leaders to question scope of proposed CISA mandatory reporting requirements at House hearing

Stakeholders from the financial, telecom and electricity sectors will share their views today on CISA’s proposed rule to establish mandatory cyber incident reporting requirements for critical infrastructure at a House hearing.

“While we continue to believe that CIRCIA will play an important role in our collective defense against nation-state attacks and malicious criminals, we urge CISA to substantially revise the proposed rule in several key areas to ensure its requirements are simple and directly support CISA’s ability to have better...

Easterly highlights CISA efforts to support agencies, address threats at fiscal 2025 budget hearing

CISA Director Jen Easterly provided three priorities for the upcoming fiscal year to House appropriators at a Tuesday hearing: protecting the federal enterprise, addressing threats from China and providing resources to help under-resourced entities.

“As the operational lead for the .gov, we leverage some $600 million to defend these .gov networks as a single enterprise, protecting America’s sensitive data and federal agencies. Through Congress’s support, we’ve been able to detect and respond faster than ever before,” Easterly said...

UnitedHealth Group CEO calls for collaboration to create minimum cybersecurity controls in healthcare sector

UnitedHealth Group is pushing for a collaborative approach to creating mandatory minimum cyber controls for healthcare organizations following a February cyber attack on its subsidiary Change Healthcare, according to CEO Andrew Witty, who is set to testify today at two hearings.

“We support mandatory minimum security standards -- developed collaboratively by the government and private sector -- for the health care industry. Importantly, these efforts must include funding and training for institutions that need help in making that transition, such...

CISA issues guidelines for critical infrastructure operators to address artificial intelligence risk

The Cybersecurity and Infrastructure Security Agency is providing guidance to critical infrastructure owners and operators on how to secure their systems against cross-sector impacts from the use of artificial intelligence.

The guidelines were developed to fulfill a tasking from President Biden’s Oct. 30 AI executive order and were “informed by the whole-of-government effort to assess AI risks across all sixteen critical infrastructure sectors, and address threats both to and from, and involving AI systems,” according to a Department...

NIST seeks feedback on generative AI companion guide draft for secure software framework

The National Institute of Standards and Technology is asking for input on a draft generative artificial intelligence companion profile to the NIST Secure Software Development framework, as part of the agency’s work to meet requirements from President Biden’s Oct. 30 AI executive order.

The draft publication “augments the secure software development practices and tasks defined in Secure Software Development Framework (SSDF) version 1.1 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model...

Software group urges Commerce Dept. to scope foreign reporting requirements under proposed rule for infrastructure-as-a-service providers

BSA-The Software Alliance is asking the Commerce Department to make changes to its proposed customer identification program where U.S. infrastructure-as-a-service providers will need to provide information on their foreign customers to fulfill an obligation in an upcoming federal regulation.

Commerce issued a notice of proposed rulemaking on Jan. 29 outlining a proposal where U.S. IaaS providers would need to verify the identity of their foreign customers, based on a Trump-era executive order, and take “special measures to deter...
