Inside Cybersecurity

May 19, 2024

House panel emphasizes urgency of responding to ransomware threats, instituting best practices

Witnesses at a House Financial Services hearing outlined collaboration opportunities to respond to ransomware threats, highlighting the need for more organizations to institute best practices and improve coordination efforts to respond to attacks.

“The current cyber threat landscape demands that we all work together. The scourge of ransomware has taken cybersecurity, which was once seen as an IT issue, to something with day-to-day relevance for many Americans and presents reputational, operational and financial risk for organizations of all sizes,” Palo...

Senate Intelligence postpones elections hearing set to feature CISA Director Easterly

The Senate Intelligence Committee is postponing an elections hearing scheduled for Wednesday, due to changes in the Senate schedule for floor activities.

The hearing was expected to focus on 2024 election threats with CISA Director Jen Easterly scheduled to testify along with Director of National Intelligence Avril Haines and Larissa Knapp, executive assistant director for the FBI’s national security branch.

CISA launched its 2024 election security campaign in February called #PROTECT2024. The agency has created a new hub on...

MITRE raises concerns over CMMC program costs to address assessment gaps, accommodate maturity model changes

MITRE raises issues with potential costs for contractors who want to do business with the Defense Department in addressing assessment gaps and accommodating potential future changes in the maturity model for the upcoming Pentagon cyber certification program, in response to a proposed rule to implement the program.

“The DoD needs to have a plan to track the status of the DIB and be prepared to make quick changes to the program to accommodate unintended outcomes of the process. MITRE...

Information sharing group emphasizes consequences of ransomware on food, agriculture sector

Ransomware attacks in the food and agriculture sector are impacting the operations of production facilities in the U.S., according to a report from the sector’s information sharing and analysis center.

"While there are fewer ransomware incidents in the industry than other sectors, ransomware actors have shown a level of sophistication and understanding of sector victims," the Food and Agriculture Information Sharing Analysis Center says today in a release on the report.

The Food and Ag-ISAC, in partnership with the...

Congressional Research Service reviews CISA incident reporting notice of proposed rulemaking

A new report from the Congressional Research Service provides an overview of CISA’s notice of proposed rulemaking published on April 4 to establish a mandatory cyber incident reporting regime for critical infrastructure.

Congress directed CISA under the 2022 Cyber Incident Reporting for Critical Infrastructure Act to develop a regime where covered entities would report incidents within 72 hours and 24 hours for a ransom payment. The law gives 18 months following the release of the NPRM to issue a final...

Former FCC cyber chief highlights central role for national security in net neutrality rulemaking

FCC Chairwoman Jessica Rosenworcel’s net neutrality rulemaking to be considered at an April 25 meeting strikes the right balance between addressing national security concerns and signaling opportunities for further action, according to former security bureau chief David Simpson.

Simpson compared Rosenworcel’s proposal to former Chairman Tom Wheeler’s efforts in 2015 that were ultimately rolled back in 2018 by Trump’s FCC Chairman Ajit Pai.

“This net neutrality order has much greater focus and reliance on addressing the FCC’s authorities vis-à-vis...

Treasury Dept. proposes stricter CFIUS penalties, expanded subpoena power

The Treasury Department wants to expand the authority of the Committee on Foreign Investment in the U.S. to demand information from companies in its reviews of transactions for national security implications and hike penalties on companies found to have misrepresented themselves.

Treasury issued a notice of proposed rulemaking on April 11 laying out new measures that would allow CFIUS to require that companies provide it with information about transactions even if those companies have not notified CFIUS of the...

House lawmakers introduce bill to create public-private regime for regulating water sector cybersecurity

Two Republican lawmakers on the House Transportation and Infrastructure Committee have introduced a bill to establish a public-private “Water Risk and Resilience Organization” that would create and enforce cybersecurity standards in the water and wastewater sector.

“Foreign adversaries such as Russia and China have utilized cyber-attacks to target critical infrastructure such as water systems. This bill is a more proactive approach to safeguarding our drinking and wastewater from these types of attacks,” bill sponsor Rep. Rick Crawford (R-AR) said in...

Tech group proposes ways to help organizations prepare for potential ransom payment ban

The Institute for Security and Technology outlines steps to minimize ransomware threats in a new report explaining four lines of effort to help organizations bolster their security practices and prepare the government and private sector for a potential ban on ransom payments.

The eight co-chairs of IST’s Ransomware Task Force “have developed steps that governments and the private sector could take together to reduce the need for a prohibition on ransomware payments, or alternatively could provide a roadmap to facilitate...

House Financial Services chair introduces bill to require Treasury Dept. notification before making ransom payments

Rep. Patrick McHenry (R-NC), chair of the House Financial Services Committee, has reintroduced a bill designed to deter hackers from asking for large ransom payments and to require financial institutions to take steps to notify the Treasury Department before making a payment.

“Ransomware attacks pose a serious threat to the stability of our financial system. The bipartisan Ransomware and Financial Stability Act will help deter, deny, and track down cyber criminals who threaten the financial infrastructure that makes everyday economic activity...

NIST launches introductory ‘courses’ to help organizations understand security, privacy controls catalog

The National Institute of Standards and Technology is offering three introductory “courses” focused on NIST Special Publication 800-53, the agency’s massive catalog of security and privacy controls, and two associated publications.

“The courses provide a high-level overview of foundational security and privacy risk management concepts based directly on their respective NIST Special Publications,” NIST says in a Wednesday announcement.

The NIST 800-53 course provides an introduction to the 800-53 “control catalog and each control family,” according to NIST.

The second...

Industry-led 'GridEx' cyber exercise reveals need for improved system resilience, extensive cyber prep

The electric industry should consider how to better protect the systems that enable sharing of telemetry between control centers, according to a report detailing findings from the latest "GridEx" tabletop exercise led by the North American Electric Reliability Corporation and the Electricity Information Sharing and Analysis Center.

The sector should “evaluate technologies and processes that could be used to increase the resilience of Inter-Control Center Communications Protocol (ICCP) telemetry exchange” and “consider the potential impact of a complete loss of...

CISA issues emergency directive to address email compromises by cyber actor Midnight Blizzard

The Cybersecurity and Infrastructure Security Agency has publicly released an emergency directive urging federal agencies to take specific actions to mitigate a campaign from Russia-backed threat group Midnight Blizzard.

“Midnight Blizzard is using information initially exfiltrated from Microsoft corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to certain Microsoft customer systems. Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified...

Mayorkas pushes for full funding to implement upcoming CISA mandatory incident reporting structure effectively

Homeland Security Secretary Alejandro Mayorkas argued for full funding in fiscal 2025 of the Cybersecurity and Infrastructure Security Agency’s request to build out the resources for mandatory cyber incident reporting as required by law, at a Senate Appropriations hearing.

The 2022 Cyber Incident Reporting for Critical Infrastructure Act is “a transformative piece of legislation that is really going to, when implemented, enhance the cybersecurity of our country,” Mayorkas said in response to a question from Senate Homeland Security Chairman Gary...

Sen. Wyden calls for increased cyber audits, best practices adoption at hydroelectric dams

The Federal Energy Regulatory Commission must complete cybersecurity audits of hydroelectric dams and update sector-specific cybersecurity standards to protect them, according to Sen. Ron Wyden (D-OR), who chairs a subcommittee focused on the water sector.

“Dams that generate our hydropower are no exception to the serious threats that we are facing in cybersecurity,” Wyden said in opening remarks at a Wednesday hearing of the Senate Energy and Natural Resources water and power subcommittee.

Wyden said, “Countries like China and...

Future of Privacy Forum argues bipartisan privacy bill could improve corporate accountability for data security outcomes

Requirements for organizations to appoint privacy and security officers in the recently unveiled Cantwell-Rodgers data privacy bill could change the way the private sector approaches data security management from the executive level, according to two policy analysts from the Future of Privacy Forum.

“Knowing that as a company scales up, they have to have at least one [officer] in place, and then will be required to have additional expertise as they get larger and have more impact, is positive movement,”...

CISA launches malware analysis tool to help gather intelligence for network defenders

The Cybersecurity and Infrastructure Security Agency has updated its malware analysis capabilities with a new system called Malware Next-Gen that will allow organizations to submit details for the agency to review and provide actionable intelligence.

“Malware Next-Gen allows CISA to more effectively support our partners by automating analysis of newly identified malware and enhancing the cyber defense efforts,” CISA says in a Wednesday release.

CISA says, “Timely, actionable intelligence on malware, such as how it works and what it is...

FAR Council issues request for information on potential supply chain regulations to include in new acquisition section

The Defense Department, the General Services Administration and NASA are asking for input on what should be included in a new part of the government’s Federal Acquisition Regulation focused on supply chain policies.

The three agencies recently issued a final rule to establish part 40 of the FAR. The RFI says, “The final rule does not implement any of the information security and supply chain security policies or procedures; it simply established FAR part 40.”

The RFI was...

Sen. Wyden proposes legislation to require federal procurement of secure software following CSRB report

Sen. Ron Wyden (D-OR) is proposing a bill to establish security standards for software used by the federal government, in response to the DHS-led Cyber Safety Review Board’s investigation into the 2023 Microsoft Exchange Online intrusion.

“The Secure and Interoperable Government Collaboration Technology Act would require the government to set new secure, open standards for collaboration software, which would also promote competition and save taxpayer dollars,” according to a Monday release from Wyden’s office on the draft bill....

National Security Agency offers guidance for maturing data security practices used in zero trust

The National Security Agency has released guidance on how to protect data at rest and in transit, as part of a series to support zero trust adoption in national security systems, the Defense Department and the defense industrial base.

“Malicious cyber actors continuously increase their ability to infiltrate networks and gain access to sensitive data,” NSA cybersecurity director Dave Luber said in a Tuesday release.

Luber said, “Assuming that breaches will occur, implementing the pillars of the Zero Trust...
