UK NPSA. US Ransomware Vulnerability Warning Pilot and President’s 2024 Budget. Security by Design.

Take a look

  • Britain’s National Protective Security Authority will help organizations defend against foreign threats.
  • The ransomware vulnerability warning pilot supports critical infrastructure operators.
  • The White House’s proposed 2024 budget increases funding for cybersecurity.
  • CISA director drives integration of security by design into college curricula.

Britain’s National Protective Security Authority will help organizations defend against foreign threats.

On Monday, the British government announced that it will establish the National Protective Security Authority (NPSA), a new arm of MI5 that will advise businesses and other organizations on how to protect themselves from “state-sponsored attempts to steal sensitive research and information.” As The Record by Recorded Future reports, the new agency was announced in the 2023 refresh of the government’s Integrated Review of security, defence and foreign policy (IR23), an update prompted by emerging geopolitical threats such as Russia’s invasion of Ukraine and China’s cyber espionage. Computer Weekly explains that the NPSA will work alongside existing agencies such as GCHQ, including GCHQ’s National Cyber Security Centre, and the National Counter Terrorism Security Office, and will absorb the responsibilities of the Centre for the Protection of National Infrastructure (CPNI), but with a broader remit that extends beyond operators of critical national infrastructure. Security Minister Tom Tugendhat said: “We know that hostile actors are trying to steal intellectual property from UK institutions to harm our country. The National Protective Security Authority will play a crucial role in helping companies and universities to better protect themselves and maintain their competitive advantage.”

The ransomware vulnerability warning pilot supports critical infrastructure operators.

The US Cybersecurity and Infrastructure Security Agency (CISA) announced yesterday the launch of the Ransomware Vulnerability Warning Pilot (RVWP), a program designed to help critical infrastructure entities protect themselves against ransomware attacks. The announcement explains: “CISA recently initiated the RVWP by notifying 93 identified organizations running Microsoft Exchange Service instances with a vulnerability called ‘ProxyNotShell,’ which has been widely exploited by ransomware actors. This initial round of notifications demonstrated the effectiveness of this model in enabling timely risk mitigation as we further scale the RVWP to additional vulnerabilities and organizations.” The pilot is authorized by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Under the RVWP, CISA identifies internet-facing systems affected by vulnerabilities commonly exploited by ransomware actors and notifies the critical infrastructure operators that run them, so the weaknesses can be mitigated before an attack occurs. As BleepingComputer points out, the RVWP is part of a broader US effort against the growing ransomware threat, one that gained momentum after a wave of attacks on critical infrastructure operators and government agencies. Interested organizations can email CISA at [email protected] to sign up.

Jamie Boote, associate software security consultant at Synopsys Software Integrity Group, wrote to place the CISA announcement in a broader political context:

“This scanning effort is probably part of a bigger plan. On March 2, the White House announced that it has launched a strategy to improve the nation’s cybersecurity by increasing cooperation between government agencies and industry critical infrastructure providers. According to one of the Strategic Objectives, ‘CISA enables the sharing of persistent, multi-directional threat information with the private sector through the JCDC and, in coordination with the FBI, uses that information to expedite victim notification and reduce the impact of identified intrusions.’ CISA’s scanning and threat identification of critical infrastructure would be in line with information sharing and impact reduction, in line with its strategic role.

“While external infrastructure scanning like this is a good starting point for cyber security, it should be noted that problems and vulnerabilities rarely appear on their own. Any time a vulnerability is found through an external scan, security teams should use that as an opportunity to break the find-and-fix loop and investigate what caused that vulnerability to be released to production, how to find others like it, and how to prevent it in the future. These scanning efforts are just the beginning, both in terms of federal cybersecurity efforts and for the teams that are on the receiving end of a vulnerability disclosure.”

The White House’s proposed 2024 budget increases funding for cybersecurity.

The Biden administration has proposed that $74.4 billion be allocated for federal IT spending in fiscal year 2024, an increase of nearly $9 billion (or 13%) over 2023, with much of that funding going to bolster federal cybersecurity. FedScoop notes that this figure does not include the $67.4 billion requested for the Department of Defense’s digital capabilities.

The budget request states: “Technology serves as the foundation of the federal government’s ability to accomplish its mission. The Administration is leading the technology issues of our time: stopping foreign intrusions into US agencies, balancing the tough trade-offs in digital identity and artificial intelligence, redefining security expectations for software and the cloud, and maximizing the impact of US taxpayer dollars to boost digital transformation across government to deliver a better customer experience for the American people.” Approximately 40% of the proposed funding would go to the departments of Veterans Affairs, Health and Human Services, and Homeland Security, and $12.7 billion would go to cybersecurity-related activities. A top priority will be the adoption of zero-trust architecture, as mandated by President Biden’s 2021 executive order on cybersecurity. $500 million will go toward improving the customer experience (CX) in the digital space by launching or expanding CX offices at federal agencies, in part by hiring 120 full-time employees trained in customer service and digital product delivery. A fact sheet on the CX efforts says, “These new hires will support interagency life experience projects, customer research, and service improvement activities at agencies deemed High Impact Service Providers (HISPs).”

CISA director drives integration of security by design into college curricula.

CISA Director Jen Easterly has published a blog post emphasizing the importance of making security a top priority in the design of technology products. She says: “We need a new model where consumer security is front and center in all phases of the technology product lifecycle, with security designed from the ground up, and strong security features enabled out of the box, without additional costs. In short, strong security should be a standard feature of virtually all technology products, and especially those that support the critical infrastructure that Americans rely on every day.” She lays out three main steps to achieve this goal: shift responsibility for product security from the consumer to technology manufacturers; increase transparency between manufacturers and the public about security challenges; and call on technology company leaders to make security by design and by default part of their business plans. As Cybersecurity Dive explains, the blog post follows Easterly’s speech at Carnegie Mellon University, in which she urged higher education institutions to incorporate security into computer science courses. “Students need to be knowledgeable about security, including memory safety and secure coding practices, and teachers have an important role here,” Easterly writes. “The steps taken today at universities across the country can help drive an industry-wide shift toward memory-safe languages and add more engineering rigor to software development that will, in turn, protect all users of technology.”

James D. Brown