NetworkTigers discuss the US government and cybersecurity. What is being done to protect businesses and individuals?
The 2020s: cyber threats escalate
The decade has barely begun but already we can look back on the 2020s as a time of unprecedented cyber activity and global disruption.
In March of 2020, the SolarWinds hack sent shockwaves through both the private and public sectors, as the attack saw the company unknowingly send malicious code to over 18,000 customers.
May 2021’s hack of the Colonial Pipeline left large swathes of the US without fuel and sent civilians into a brief but chaotic gas-hoarding panic, bringing to the forefront just how disastrous a cyberattack carried out against the supply chain could be.
February of 2022 saw Russian forces invade Ukraine in an effort by Putin to regain territory and put an end to what he believed to be Ukraine’s growing loyalty to the West. Throughout this invasion, Moscow engaged in cyber warfare with Ukraine and with countries that sought to assist in its defense.
Ukraine, no slouch when it comes to tech savvy, amassed what it referred to as a volunteer “IT army” of coders, hackers and developers. The group countered Russia’s meddling and inflicted damage on Moscow’s infrastructure and influence. Additionally, independent hacking collectives such as Anonymous and Russia-aligned ransomware groups the world over drew lines in the sand and pledged their loyalty to whichever side of the battle called to them.
The age of the cyber war has finally arrived.
The scourge of ransomware, malware and phishing attacks heightened to a level that resulted in federal institutions issuing cybersecurity guidance for businesses and individuals facing a tumultuous new cyber environment. IT administrators were spread thin in the transition to remote operations boosted by COVID, meaning some businesses were more vulnerable than they otherwise may have been.
State governments struggle to keep pace
Many US states lack robust cybersecurity laws and privacy protection. While some states such as California have laws in place that protect personal data from law enforcement and even restrict what can be collected by Internet of Things devices, others have not yet come around to making cybersecurity a priority.
Idaho, for example, provides little more than a website of suggestions for individuals and companies facing a cyber incident and has no meaningful government response mechanism.
The US government and cybersecurity
The federal government has made strides to update, fortify and diversify the nation’s cyber defenses.
President Biden, who came into office on the heels of the SolarWinds hack, described improving the nation’s cybersecurity as a “top priority” for the administration in his March 21st Interim National Security Strategic Guidance letter.
In the time between his election and now, cyberthreats have continued to plague the country. Nuisance DDoS campaigns, ransomware attacks, phishing schemes and cyber espionage efforts from China, Russia and North Korea continue to worm their way through backdoors into networks that may give state actors a peek into the nation’s weaknesses.
The FBI stated that cybercrime cost the US $6.9 billion in 2021 alone.
May 2021: The Executive Order on Improving the Nation’s Cybersecurity
The Executive Order on Improving the Nation’s Cybersecurity mandated that Executive branch government agencies use multifactor authentication, endpoint detection and response, and encryption. It also called for government agencies to put zero trust architecture in place and created new guidelines to follow when a federal department evaluates any software it may need for its IT infrastructure.
Additionally, the order removed obstacles that limit the sharing of cybersecurity information between agencies and created a Cyber Incident Review Board to investigate cybersecurity issues and recommend security improvements.
November 2021: The Bipartisan Infrastructure Investment And Jobs Act
The Bipartisan Infrastructure Investment And Jobs Act, signed into law in November of 2021, includes three main components to be used by the US Department Of Homeland Security Cybersecurity Programs to address security concerns:
- A $1 billion State and Local Cybersecurity Grant program that provides funds for state, local, tribal, and territorial governments to use to address security risks and threats.
- A Cyber Response and Recovery Fund that puts $100 million over the course of five years into a fund that CISA can use if other resources aren’t enough to address a significant cyber event.
- Continued funding of the department’s existing Cybersecurity program that puts $14.5 million into the research and development necessary to strengthen the defenses of the nation’s telecommunications and industrial control systems.
March 2022: The Cyber Incident Reporting for Critical Infrastructure Act
In March of 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
CIRCIA requires companies that operate in critical infrastructure sectors to report any cyber incidents within 72 hours. Payments made to ransomware attackers need to be reported within 24 hours.
According to a response from CISA, the enactment of the law requires the development and implementation of “regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”
If a company fails to report a cyberattack or ransomware payment as directed, CISA can push an information request. If the company does not comply to CISA’s satisfaction within a 72-hour period, the agency can issue a subpoena to force the issue. Further refusal may see the Attorney General bring civil action against the company.
Companies that operate in industries not described in the bill, however, will find it to be somewhat toothless.
James Turgal, former executive assistant director for the FBI’s Information and Technology branch, points out that for companies outside of the critical infrastructure sector, “the reporting is voluntary and probably not going to happen.”
May 2022: The Better Cybercrime Metrics Act
On May 5th of 2022, President Biden signed into law the Better Cybercrime Metrics Act. The law was written to improve and streamline the federal government’s ability to track, measure, analyze and prosecute cybercrime.
Many commended the effort to facilitate the operation of the government with regard to cyber issues which, up until this point, had been “opaque and uncoordinated” according to Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance.
Rep. Abigail Spanberger (D-Va.), a sponsor of the bill, said that it “will allow US law enforcement agencies to better identify cyberthreats, prevent attacks, and take on the challenge of cybercrime.”
Other noteworthy actions
- In July of 2021, the US, NATO member states, the European Union, the UK, Japan, Australia and New Zealand joined together in condemning China for the country’s actions regarding the hack of Microsoft Exchange Server. The nations created an alliance to ease communication between them regarding malicious cyber activity originating from China, Russia and other countries that harbor and employ cybercriminals.
- In July of 2022, a National Cyber Workforce and Education Summit took place at the White House. Hosted by National Cyber Director Chris Inglis, the event saw private corporations and government officials participate in a series of roundtable discussions that outlined plans to provide citizens with the knowledge and education they need to navigate cyberspace and prepare for the jobs of the future.
- Inspired by Energy Star, the White House is planning to debut a labeling system in 2023 that will help consumers know whether or not the Internet of Things devices they purchase meet basic cybersecurity standards.
- The National Institute of Standards and Technology (NIST) announced four new encryption algorithms that are to become standard in order to defend against future hackers using quantum computing technology.
- The National Quantum Initiative and issuance of National Security Memorandum-10 (NSM-10) on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems have more than doubled the country’s investment in the research of quantum technologies and serve to move the country into the development and adoption of quantum-resistant cryptography.
- StopRansomware.gov provides individuals with a single source for ransomware information, tips and mitigation recommendations. It is the first website created for such a purpose and is a joint effort across several federal government agencies.