White House, Congress Aligned on Cybersecurity Goals
WASHINGTON – As Congress edges closer to putting a final infrastructure bill on President Joe Biden’s desk, it looks like lawmakers and the White House are aligned in their commitment to bolster U.S. cybersecurity through increased federal investment, focusing on prevention and utilizing public-private partnerships to establish baseline standards.
With the pandemic strong-arming both public and private sectors to “shift operations online,” the global health crisis has “exponentially expanded the surface area for cyberattacks,” said Rep. Yvette Clarke, D-N.Y., yesterday during an Information Technology Industry Council event on “Securing the Information and Communications Technology and Services Supply Chain.”
The continuous cyberattacks on essential companies like SolarWinds, Microsoft Exchange and Colonial Pipeline have “blurred” the lines between cybersecurity and the security of physical assets, Clarke said. The first steps of defense begin with “effective information sharing between government and the private sector” to prevent the attacks from even happening, she urged, as these partnerships will “bring valuable industry perspectives.”
Brian Scott, director of critical infrastructure cybersecurity at the White House National Security Council, added that industry engagement has been a core element of Biden’s Executive Orders on cybersecurity. The ongoing engagement with stakeholders has resulted in the Department of Commerce’s expected direct investment of $75 billion for the private sector in domestic semiconductor manufacturing, and can be seen within Biden’s cybersecurity Executive Order 14028 on “Improving the Nation’s Cybersecurity,” which essentially calls for the federal government to partner with companies in its first paragraph.
Scott noted that the National Institute of Standards and Technology has been directed to consult with the private sector to come up with “specific guidance, identifying practices, standards, procedure and criteria of the software supply chain” and for software development by February 2022.
Behind drafting the order was the “need to shift our thinking from response to prevention,” he said.
Section 4 of the order, which Scott emphasized, focused heavily on the threat in the software supply chain. It aims to “improve the security of software by establishing baseline security standards for the development of software sold to the government,” Scott said, by requiring transparency by developers and applying a “change throughout the ecosystem” from the bottom up – building security into the product itself.
And software is another area that needs industry collaboration, as “[the order] stands up a concurrent public-private process to develop new and innovative approaches to secure software development and it uses the power of federal procurement to incentivize the market,” Scott said.
“By next March, [the Office of Management and Budget] will take action to mandate agencies to use software conforming to this guidance,” he said, referring to the guidance NIST has been directed to issue after it defines what is critical infrastructure. NIST will then couple with the nation’s cyber quarterback, the Cybersecurity and Infrastructure Security Agency, to “provide use and configuration guidance to [federal] agencies.” NIST also has 270 days to establish two pilot programs for product labeling of Internet-of-Things devices and software development to inform the public on security measures, he added.
Executive Order 140147, which preceded the latest cybersecurity order and was a “whole-of-government approach” to review the U.S. supply chains, revealed an issue that Scott said was already well-known: a shortage of the semiconductor chips that run just about everything from smartphones to televisions.
“Once a global leader in semiconductor production with robust public support, the U.S. has outsourced and offshored too much semiconductor manufacturing in the recent decades,” Scott charged. In the last 20 years, he explained, the U.S. went from manufacturing 37% of the world’s semiconductors to 12%.
Both Scott and Clarke said robust investment in bolstering domestic manufacturing of semiconductors and research and development is needed quickly. Executive Order 14028, Scott said, backs the administration’s efforts to “build back better to modernize defenses, return to the international stage on cyber issues with allies and partners, and be better postured to lead and compete globally.”
Thus, Biden’s American Rescue Plan, his American Jobs Plan and increased investment are “three critical investments” necessary in “the wake of the [cyberattacks],” Clarke urged, noting this was a bipartisan imperative on the Hill that she is prepared to lead.
This is a “once in a generation investment” that will “create jobs, rebuild our critical infrastructure” and allow the U.S. to be a global competitor again, Clarke continued. But it will come down to ensuring the U.S. is also building up the workforce it needs to be able to perform these jobs.
“The emerging landscape for warfare…is all cyber,” Clarke charged, and “the sooner that we embrace that understanding, the sooner we stand up a robust defense” with mitigation and detection strategies.