EXCLUSIVE: What's in the new zero-trust strategy - Politico

Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.

Quick Fix

MC has your first look at the Biden administration’s new plan for protecting the government with zero-trust networking.

— Two Senate committees will have to iron out their differences on cyber incident reporting soon if they want to hitch a ride on a must-pass bill.

— The Biden administration and the European Union are making plans to tackle challenges posed by encryption.

HAPPY TUESDAY, and welcome back to Morning Cybersecurity! If you’re reading this message, it means that we got through the long Labor Day weekend without any devastating cyberattacks. Maybe everyone really listened to Anne Neuberger after all. Sam will be back tomorrow, so send your thoughts, feedback and especially tips to [email protected]. Follow @POLITICOPro and @MorningCybersec. Full team contact info below.

White House

FIRST IN MC: DON’T TRUST, VERIFY — The White House this morning is releasing for public comment a draft version of its strategy for implementing “zero trust” principles across federal networks. The Biden administration sees zero-trust networking — in which a computer system is designed with the assumption that hackers have already gained access and must be constantly challenged and impeded — as key to its security overhaul of decades-old networks, and its new strategy will require a raft of actions to lock down software applications, limit users’ access to data and protect network traffic from prying eyes.

Among the 18 steps required by the end of fiscal 2024: Every agency will have to use one “single sign-on” service to let employees access all of its applications; ditch multi-factor authentication systems — such as codes delivered by text message — that are susceptible to phishing attacks; and eliminate archaic password policies requiring special characters and regular password changes. They’ll also have to encrypt all internal traffic and develop plans to segment their networks so that hackers can’t easily slip from one application to another. And they’ll have to make one internal system securely accessible from the internet to reduce the use of VPNs.

Along with the draft zero-trust strategy, CISA is also releasing a “maturity model” that provides a roadmap for agencies’ implementation of zero-trust policies, as well as a guidance document to help agencies securely migrate their applications to the cloud.

The zero-trust plan is part of President Joe Biden’s cyber executive order, which also launched several other initiatives that have impending due dates. By Thursday, for example, agencies must submit progress reports on their rollout of multi-factor authentication and encryption. CISA has until Thursday to develop a cyber incident response playbook that every agency can use. And DHS and OMB have until Thursday to set up procedures to ensure that contractors report cyber incidents to the appropriate agencies.

On the Hill

SENATE SHOWDOWN — As Congress’ summer recess nears its end, lawmakers face a big question: How will they reach agreement on the best way to require companies to report hacks? And more specifically, what will happen to the Senate Intelligence Committee’s cyber incident reporting bill now that the Senate and House homeland security panels have teamed up on more industry-friendly legislation?

Senate Intelligence’s bill differs widely from the Senate Homeland measure that yours truly scooped last week, especially in terms of its minimum reporting timeframe, the types of companies covered and the punishments for noncompliant companies. In letters to Congress and at last week’s hearing, industry groups criticized the Intelligence bill’s provisions.

There is “strong industry support” for the House and Senate Homeland bills’ approach, said Ron Bushar, an executive at the cyber firm FireEye who testified on the House bill last week. And Senate Homeland has another advantage over Senate Intelligence — it has jurisdiction over any reporting bill, so it will play a significant role in shaping whatever legislation emerges. FireEye CEO Kevin Mandia will meet with Senate Homeland Security Chair Gary Peters (D-Mich.) on Wednesday, according to Stacy O’Mara, the company’s director of government affairs.

But the Senate Intelligence bill has powerful sponsors, including perennial swing vote Susan Collins (R-Maine) and committee chair Mark Warner (D-Va.), an influential voice on national security. Warner and his colleagues are still revising their bill, and his office says it’s having productive meetings with interested parties.

The homeland-security panels are collaborating closely on their bills, according to an aide for the House panel. And Senate Homeland Security ranking member Rob Portman (R-Ohio) has been talking to the Senate Intelligence bill’s sponsors, a Senate aide said. Both aides requested anonymity to discuss legislative negotiations.

It’s “critical for Congress to listen to industry stakeholders and ensure what’s written into law in Washington makes sense practically when implemented in the real world,” House Homeland Security ranking member Andrew Garbarino (R-N.Y.) told MC.

Homeland and Intelligence face a tight deadline to resolve their differences. Multiple people tracking the process said the best hope for incident reporting legislation was to attach it to the fiscal 2022 defense policy bill, which is being marked up now. Senate Homeland’s outreach to industry included a request for feedback by Sept. 14.

Another reason to hurry is that implementation will take a while. “You're looking at a minimum of half a year anyway” between passage of a bill and standup of a reporting platform, Bushar said. “The longer you delay the bill, the more time it takes before you can have a regime in place that can actually start to have an impact.”

Encryption

BOTH FORMS OF CRYPTO — The Biden administration and the European Union have recommitted to collaboratively seeking a solution to the encryption debate, a top EU official told MC, suggesting that while this policy challenge has simmered under the surface for several years, it’s still top of mind for policymakers behind closed doors.

“Encryption is important, but we have to always avoid a black-or-white discussion,” EU Home Affairs Commissioner Ylva Johansson said in an interview after meetings in Washington with DHS Secretary Alejandro Mayorkas and Attorney General Merrick Garland. “It's not like we should protect privacy or protect vulnerable children. We need to do both.”

Johansson, who discussed encryption with Garland, said that while the attorney general didn’t reveal the Biden administration’s agenda for resolving the long-running “crypto wars,” the EU and the U.S. “are very much close to each other on these issues.” Both leaders, she said, agreed that tech companies “need to take their responsibility to develop proper technical solutions for this.”

Apple has received withering criticism from security experts over a proposal to identify child sexual abuse imagery on its customers’ phones. On Friday, the company said it was pausing the rollout of that feature “to collect input and make improvements.” Speaking before that news broke, Johansson applauded the company’s effort. “Apple’s solution might not be the perfect one,” she said, “but I welcome a company that really tries to … find a balanced approach protecting both privacy and children.”

Johansson and her U.S. counterparts also “agreed on the scope for a common working group on ransomware,” she said. The new group will focus on investigative cooperation, tracing ransom payments (which Johansson identified as a particular priority) and building digital resilience against hackers. The group will present its initial report at the next EU-U.S. Ministerial Meeting on Justice and Home Affairs later this year.

Vulnerabilities

STILL EVADING — The U.S. government continues to brush off suggestions that it was involved in firewall maker Juniper Networks’ use of an encryption algorithm backdoored by the NSA, despite a Bloomberg story saying the Pentagon leaned on the company to adopt the code. Asked about Bloomberg’s reporting during Thursday’s White House press briefing, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, described the Juniper/NSA saga as “an old story that’s been reported, and I think we’ve continuously noted that there isn’t substantiation for it.”

Security experts first proposed a link between the NSA and the backdoored Juniper code in 2015, several months after the company announced that sophisticated hackers had breached its systems by modifying that code. But until last week’s Bloomberg story, it remained unclear why Juniper had used the widely criticized code in the first place. NIST told companies to stop using it in 2014, one year after leaked documents revealed that the NSA had secretly tampered with it and paid a leading vendor $10 million to use it.

ICYMI

During MC’s break, yours truly conducted the first in-depth interview with inaugural National Cyber Director Chris Inglis. Pros can read the story about his priorities and the full Q&A. He also revealed that the Biden administration is pushing Microsoft to make full log data free for all customers.

Tweet of the Day

University of California, Berkeley computer science professor Nicholas Weaver with some real talk: “The Ivermectin of Computer Science is ‘Blockchain.’”

Quick Bytes

How Kuwait punished a security expert for revealing a major bank’s embarrassing hack. (CyberScoop)

Nextgov interviewed Allan Friedman, the man behind the government’s software bill of materials campaign, as he moves from NTIA to CISA to bring SBOMs to life.

The Justice Department launched a cyber fellowship program for prosecutors.

NIST wants feedback on its proposed criteria for an internet of things security labeling program.

Chat soon.

Stay in touch with the whole team: Eric Geller ([email protected]); Bob King ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).

September 07, 2021 at 09:00PM