Cyber-attacks: the US gets up and back in the ring 2.

After the previous introductory post, here are the main developments!

A few days after the Colonial Pipeline incident, a Presidential Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021) was issued. Its most important elements are:

  1. shifting from a response-centric to a prevention-centric strategy,
  2. substantially improving the exchange of information between government and the private sector, and removing contractual and other barriers to it,
  3. encouraging private-sector companies to implement the federal-level measures on their own initiative,
  4. applying the Zero Trust Architecture to government systems,
  5. enhancing the security of cloud services,
  6. transforming the federal procurement system to enforce cybersecurity requirements,
  7. establishing a Cybersecurity Review Commission, to be jointly operated by government and the private sector, along the lines of the National Transportation Security Board,
  8. developing a federal cyber incident response policy and encouraging the private sector to implement it,
  9. strengthening incident detection capabilities for federal systems,
  10. improving investigation and recovery capabilities.

The President’s Executive Order received wide coverage in the press and in professional circles. Perhaps the most comprehensive picture of the considerations behind the Executive Order was provided by an online event at the Center for Strategic & International Studies (CSIS), where Anne Neuberger, Deputy Assistant National Security Advisor for Cyber and Emerging Technologies, gave a detailed briefing and took part in the panel discussion that followed.

She stressed that the government is determined to force the procurement of significantly more secure hardware and software by changing the procurement criteria and to encourage the private sector to do the same.

While the direction of the measures taken so far is seen by the US press as basically the right one, they are still largely considered insufficient to achieve the desired goal.

And all this logically raises questions about the domestic situation (not in order of importance). For example:

1. Is the domestic information flow on ICS incidents adequate?

2. Do our current public procurement rules for ICSs give sufficient weight to cybersecurity considerations?

3. Is there a case for establishing a public-private body to investigate incidents, including those involving ICSs?

Note: Although the above focuses on what has happened in the US, we welcome your input on relevant developments (e.g. India?) and actions in other countries, both in today’s post and in future posts, in what we hope will be a virtual dialogue.

We welcome messages on the above, whether you agree or disagree. These could, for example, be the subject of a further post, which could in turn start a substantive exchange of views.

Translated by DeepL.