Inside Cybersecurity

October 24, 2020

Cyber Reg Watch: Analysis

Cybersecurity’s big policy streams unlikely to be interrupted by an election pause, or by the November results

July 22, 2020

The election-year calendar is reaching the point where policy initiatives typically begin to freeze up and the political agenda takes over. That may be happening in other domains, but in cyber the major efforts appear to be on sound nonpartisan footing and likely to proceed straight through Election Day without interruption.

“The cyber initiatives have stayed under the radar of partisanship,” commented Kiersten Todt, executive director of the Cyber Readiness Institute and former director of the 2016 presidential Commission on Enhancing National Cybersecurity. “Industry has been very involved and the focus is on the policy.”

She said CISA Director Christopher Krebs “has done a great job keeping this a [nonpartisan] ‘industry-government’ collaboration.” CISA’s focus on election security has drawn bipartisan support, she said, as has its guidances on telework.

Todt said CISA and private-sector efforts to provide businesses with tools to manage security in a work-from-home environment have been a significant success story in the COVID-19 pandemic.

The Cyber Readiness Institute has put out eight guides on remote-work security since March, Todt pointed out. “People are starving for information,” she said. “Our downloads for the ‘remote’ guidances have skyrocketed, they’re 80 percent higher than anything else.”

Among the signs that things aren’t slowing down in the cyber policy realm, a joint industry-CISA initiative on information and communications technology supply chain security has just added a new workgroup to identify lessons and policy needs arising from the COVID-19 pandemic.

“COVID-19 has revealed many lessons about the functioning and resilience of ICT supply chains, particularly global supply chains,” Bob Kolasky, director of CISA’s National Risk Management Center, told Inside Cybersecurity. “Recognizing that, the Task Force decided to undertake a systematic study of those lessons and make recommendations about opportunities to build additional security and resilience into ICT supply chains in the future. Those recommendations will support policy and operational decisions intended to strengthen supply chains in the future.”

On another hot-button supply chain issue, the General Services Administration has announced an Aug. 12 webinar to help companies navigate a new rule requiring contractors to eliminate equipment and services from Chinese firms Huawei and ZTE. The rule goes into effect Aug. 13 – and business groups are still pushing for a delay in implementation.

Separately, the Federal Communications Commission approved a Declaratory Ruling that it has fulfilled requirements under a recently passed law to prohibit telecoms from using equipment and services from Huawei and ZTE, and released a second Notice of Proposed Rulemaking seeking more information on implementing other provisions in the Secure Networks Act.

It's also full steam ahead for work on the Pentagon’s Cybersecurity Maturity Model Certification program, with the independent accreditation body now formally opening applications for a range of certifications, after a month-long soft launch which generated approximately 300 organization and 775 individual registrations.

And the Defense Department is expected to publish a proposed acquisition rule before the month ends that’s needed in order to implement CMMC, although it’s unclear whether a planned public hearing will be held on the proposal.

Meanwhile, U.S. policymakers and industry are sorting through a European Court of Justice ruling that invalidated the “Privacy Shield” program governing EU-U.S. data transfers.

Information Technology Industry Council vice president John Miller said that while the decision was unwelcome, the language provides for “critical continuity and stability of business operations” that will allow for careful consideration of next steps by stakeholders.

Commerce Secretary Wilbur Ross said work would begin immediately to fully understand the ruling and find a solution.

Overall, it’s obvious that pandemics, supply-chain issues and evolutions in the cybersecurity ecosystem won’t bend to the U.S. political calendar, and policymakers seem determined to keep grinding ahead with important initiatives designed to find lasting and flexible approaches that are useful beyond the needs of the current moment. – Charlie Mitchell (cmitchell@iwpnews.com)