Policy | CyberScoop
https://cyberscoop.com/news/policy/
Wed, 28 Jun 2023 14:50:06 +0000

White House releases cybersecurity budget priorities for FY 2025
https://cyberscoop.com/white-house-cybersecurity-budget-2025/
Wed, 28 Jun 2023 14:47:27 +0000
The Biden administration noted that departments and agencies are expected to follow the recently released National Cybersecurity Strategy.

The post White House releases cybersecurity budget priorities for FY 2025 appeared first on CyberScoop.

The Office of Management and Budget and the Office of the National Cyber Director released a memorandum on Tuesday outlining five cybersecurity budget priorities for federal departments and agencies for fiscal year 2025 consistent with the U.S. National Cybersecurity Strategy.

The memo also said the budget submissions should be consistent with the Biden administration’s national cyber strategy released earlier this year. The OMB and ONCD will review agencies’ upcoming budget submissions to “identify potential gaps” and “potential solutions to those gaps.”

“OMB, in coordination with ONCD, will provide feedback to agencies on whether their submissions are adequately addressed and are consistent with overall cybersecurity strategy and policy, aiding agencies’ multiyear planning through the regular budget process,” the memo said.

The five priorities in the memo mirror the five pillars of the National Cybersecurity Strategy: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future and forge international partnerships to pursue shared goals.

The memo comes as the White House is preparing multiple strategies such as the implementation plan for the National Cybersecurity Strategy expected this summer as well as a national cyber workforce strategy. ONCD and OMB also said that a separate memo will be released with additional guidance focused on cybersecurity research and development priorities.

The memo said federal agencies need to defend critical infrastructure by modernizing federal defenses: implementing the federal zero-trust strategy, improving baseline cybersecurity requirements and scaling public-private collaboration.

Additionally, the memo pointed out that ransomware continues to be a national security threat and that some agencies should focus on dismantling threat actors by investigating and disrupting criminal infrastructure, by working to “prioritize staff to combat the abuse of virtual currency,” and by participating in interagency task forces.

Beyond that, the administration directed agencies to use their buying power to influence the cybersecurity market, to use skills-based hiring methods to strengthen the cyber workforce, to follow national security memorandums surrounding a post-quantum future, to strengthen international partnerships and to secure global supply chains for information, communication and operational technologies.

Federal incentives could help utilities overcome major cybersecurity hurdle: money
https://cyberscoop.com/ferc-cybersecurity-incentives-electric-grid/
Thu, 22 Jun 2023 20:40:36 +0000
A new rule that would give electric utilities incentives for investing in cybersecurity is set to go into effect next month.

Starting next month, utilities around the country may be able to fund certain cybersecurity investments through increases in consumer electric bills, a move that could help resource-poor owners and operators better protect themselves against malicious hackers.

A new voluntary cyber incentive framework from the Federal Energy Regulatory Commission that was required by the Biden administration’s bipartisan Infrastructure Investment and Jobs Act will allow utilities to make the case for receiving an incentive-based rate recovery when they make certain pre-qualified cybersecurity investments or join a threat information-sharing program.

The new rule also helps address one of the biggest issues for critical infrastructure owners and operators: a lack of money to invest in cybersecurity.

“It’s about removing the excuses and one of the huge excuses for anyone in the utility space to do anything with cyber has to do with resources and dollars,” said Ron Fabela, field CTO at cybersecurity firm XONA Systems. “Whether it’s an investor-owned utility or a local co-op, they are still beholden to the approved rates for power and that rate is heavily regulated and they can’t necessarily go to the ratepayer — you and me — to cover all their expenditures.”

For instance, in most states public utility commissions are unlikely to approve a rate increase unless it is directly tied to the ability to generate and deliver power to customers, Fabela said. Those requirements vary by state, but nearly all involve an arduous process, and how commissions will respond to new cyber investments is still an open question, he said.

“This is essentially telling the public utility commissions that utilities that wish to invest in cybersecurity in these areas and these ways can effectively get rate relief from their customers,” Fabela said.

The new rule, which goes into effect July 3, comes as the federal government is grappling with ways to add cyber mandates for critical infrastructure and to help “target rich, cyber poor” owners and operators improve digital defenses. Additionally, the recently released National Cybersecurity Strategy outlined goals for the administration to pursue more cybersecurity regulations for critical infrastructure.

The electric sector is already regulated by FERC, an independent agency under the Energy Department, and the North American Electric Reliability Corp., an international nonprofit corporation. FERC can tell NERC to develop a certain standard to mitigate a threat with input from industry. Once NERC develops new rules, FERC considers whether to implement them. NERC then acts as the enforcer with regular audits and fines.

However, that process can take years from concept to enforcement. The slow pace of NERC rule-makings has been a common concern among experts, since cyberthreats can quickly outpace policy. The cyber incentives plan could help utilities adapt to new threats at a faster pace, experts say.

“There’s the carrot and the stick and sometimes the stick is going to have limitations,” said Jason D. Christopher, director of cyber risk at industrial cybersecurity firm Dragos. “If NERC CIP hasn’t made it mandatory, enforceable, then it’s harder for utilities to get rate recovery and it’s hard for them to necessarily fund the initiative and this provides that flexibility.”

For instance, one of the two pre-qualified investments is internal network security monitoring, which is also a new standard the NERC drafting team is exploring. That proposed rule would require covered utilities to have internal network security monitoring within environments that impact the bulk electric system. However, that rule is still in an early phase, and it will likely be years before the standard is in place.

“So, we’re talking about years of a period where there’s not going to be a mandatory regulation in place for internal network security monitoring, which is — in our [operational technology] context — how we detect whether or not attackers are in our systems,” said Christopher. “The incentives order says, ‘Hey, if you want to do this before it’s mandatory, enforceable we will help you with that and will provide an incentive in those areas.’”

So far, only internal network security monitoring and joining an ISAC are on the pre-qualified list for investments. However, FERC plans on allowing for case-by-case incentives where a utility can make the case that an investment would “materially improve a utility’s security posture.”

Additionally, FERC would consider additional controls from the National Institute of Standards and Technology catalog of “security and privacy controls for information systems and organizations,” NIST’s cybersecurity framework technical subcategory, and specific recommendations from federal agencies like CISA, the FBI, National Security Agency, or DOE.

Other potential investments have yet to be defined as the commission needs “a high degree of confidence that such items will likely materially improve cybersecurity for all utilities,” according to the rule. FERC will re-evaluate the pre-qualified investment list “from time to time.”

New FCC privacy task force takes aim at data breaches, SIM-swaps
https://cyberscoop.com/fcc-privacy-task-force/
Wed, 14 Jun 2023 20:46:26 +0000
The Federal Communications Commission task force will also examine how carriers collect and share geolocation data.

The Federal Communications Commission will launch its first-ever privacy and data protection task force to crack down on SIM swapping and address broader data privacy concerns, Chairwoman Jessica Rosenworcel announced on Wednesday.

The creation of the task force comes as the agency confronts a number of data protection issues facing customers of U.S. telecoms, such as the sharing of sensitive consumer data, the collection of geolocation data and repeat data breaches at major carriers. Rosenworcel said that the new task force will lead the agency’s recently proposed efforts to modernize its 15-year-old data breach rule.

The task force — which will be led by Loyaan Egal, the agency’s enforcement chief — will also coordinate the FCC’s rulemaking efforts aimed at preventing SIM swapping and creating standards for carriers to authenticate a customer before transferring a number to a new device or a new carrier.

“This kind of fraud demonstrates how powerful these forces are and how privacy is so important for communications and digital age trust,” Rosenworcel said about SIM-swapping, a kind of attack in which cybercriminals use a victim’s personal information to steal their phone number and swap it into a scammer-controlled device.

During her remarks on Tuesday at the Center for Democracy and Technology, a Washington think tank, Rosenworcel said she has serious concerns about how mobile carriers collect and share users’ private data, such as geolocation data. Queries from the FCC found last year that ten of the top 15 mobile carriers in the United States collect geolocation data and provide consumers no way to opt out.

Rosenworcel said that the agency is carrying out a follow-up investigation about how to address the collection of geolocation data that has now been delegated to the new task force.

Rosenworcel also noted concerns about carriers selling sensitive user data and called on her fellow FCC commissioners to finalize $200 million in proposed fines brought in 2020 against AT&T, Sprint, T-Mobile and Verizon for sharing customer location data without their consent, penalties that won’t come into effect until the agency votes to approve them.

During her speech, Rosenworcel hinted at an upcoming “enforcement action against two companies that have put the security of communications customers at risk.”

“I can’t say more right now, but I can say this right out of the gate: We are showing that this task force means business,” said Rosenworcel.

White House needs to urgently fix nation’s approach to protecting critical infrastructure, group says
https://cyberscoop.com/solarium-commission-critical-infrastructure-ppd-21/
Wed, 07 Jun 2023 09:00:00 +0000
Attacks against critical infrastructure are reaching new heights, but strategy documents outlining federal efforts are a decade old.

U.S. government policies designed to protect critical infrastructure against hackers are woefully outdated and inadequate to safeguard sectors such as water and transportation against cyberthreats, according to an influential congressionally mandated group of experts.

Furthermore, the Cybersecurity and Infrastructure Security Agency — the key agency inside the Department of Homeland Security responsible for helping defend critical infrastructure — is not set up to quickly and effectively facilitate rapid response to cyberattacks on the most sensitive systems, according to CSC 2.0, which is a continuation of the Cyberspace Solarium Commission that Congress established in 2019.

In a lengthy and detailed report released Wednesday, the commission pointed to the 2021 Colonial Pipeline ransomware attack, which crippled gas deliveries across the country, as a key example of how current policies and government agencies aren’t optimized for the nature of today’s threats.

“This incident illustrates the challenges faced by the national critical infrastructure system in a moment of crisis and the limits of the public-private partnership model that the government has tried to cultivate,” the group said.

The White House and many government officials have acknowledged there needs to be a different approach to protecting U.S. critical infrastructure. In November, the Biden administration announced it is in the process of rewriting presidential policy directive 21, which was established in 2013 to govern how federal agencies engage with private critical infrastructure owners and operators.

The threat landscape has drastically changed over the past decade. Ransomware attacks have become a scourge for both the federal and private sector with criminals holding critical infrastructure in the U.S. hostage and Russian and Chinese hackers increasingly targeting sensitive U.S. networks.

Meanwhile, the full scope of cyberattacks in the U.S. remains a large question mark as most organizations do not have to notify anyone that they were the victim of a cyberattack. Recently passed legislation would require certain critical infrastructure owners and operators to report cyberattacks to CISA, but the agency is still in the rule-making process.

PPD-21 outlines the 16 critical infrastructure sectors — such as dams, chemicals, hospitals and emergency services — as well as the agencies that are the federal go-to for support of incident management and mitigating vulnerabilities. But while the document outlines the overall responsibilities for federal departments such as DHS, it lacks guidance on how to carry out key cybersecurity responsibilities.

“Why is it so important to update this? It’s a 2013 era policy. It’s outdated. The security environment has shifted substantially over the past decade. Technologies have evolved, the risk environment has evolved. And as policies and regulations have evolved with those risks, it’s been done very frequently in an ad hoc way and not really in a systemic or holistic manner,” Mary Brooks, a public policy fellow at the Wilson Center and co-author of the report, said during a briefing on the report earlier this week.

The report comes amid major policy updates on federal cybersecurity such as the release of the Biden administration’s National Cybersecurity Strategy, a forthcoming strategy implementation plan and other documents such as a cybersecurity workforce strategy.

A strategy intended for a different time

The inadequacies in the current framework for critical infrastructure date back years and are “not the fault of this administration,” said report co-author Mark Montgomery, senior director of the Foundation for Defense of Democracy’s Center on Cyber and Technology Innovation and former executive director of the Cyberspace Solarium Commission.

“This stretches back to the original setting up of all this in 2000 during the end of the twilight of the Clinton administration, but we are massively inconsistent across federal agencies in our performance as SRMA’s and across the sectors in their willingness to cooperate and participate,” he said.

PPD-21 has only been updated once since 2013 when officials added responsibilities to the sector-specific agencies in charge of those 16 critical infrastructure sectors. The Cyberspace Solarium Commission issued a recommendation that ultimately was signed into law in the 2021 defense bill that elevated those agencies to Sector Risk Management Agencies.

But while agencies were given new responsibilities, not all SRMAs are up to the task, the CSC 2.0 report notes. Some agencies, such as the Energy Department, are widely regarded as among the most well-resourced and mature when it comes to collaboration with the private sector. Others, however, such as the Transportation Security Administration or the Environmental Protection Agency, have either historically struggled or face many of the same issues as the private companies they are supposed to help protect: a lack of resources, from funds to employees.

“While owners and operators bear some responsibility for the sector’s poor cybersecurity, an underlying cause is weak leadership and poor resourcing of the SRMA, for which both the EPA and Congress are to blame. Over the past 20 years, the EPA has not been organized or resourced to identify and support the sector’s cybersecurity needs,” the report reads.

The EPA’s efforts to issue cybersecurity standards using existing authorities have long been a point of contention with the private sector. Three states are suing the EPA over the rule, which they claim exceeded the agency’s authorities, and two water trade associations have joined the suit as intervenors. Furthermore, the EPA’s congressional request for a $25 million cybersecurity grant program for fiscal year 2023 was rejected by lawmakers, the report notes.

The gaps in the existing federal framework to protect critical infrastructure cybersecurity are perhaps best exemplified by the Colonial Pipeline ransomware attack. While the incident was the largest to hit the energy sector, the federal government also had its own crisis of communication during the incident, the report notes.

Once Colonial Pipeline alerted the FBI about the attack, CISA should have been informed, since it is the agency responsible for responding to these kinds of incidents and offering technical assistance and mitigation. But that didn’t happen, according to CSC 2.0. Neither Colonial Pipeline nor the FBI notified CISA, the Transportation Security Administration or the Transportation Department for hours.

“The whole process, the whole episode, really showed how the seams and the overlaps within the current framework means just the whole thing is poorly suited to speed and crisis response,” said Annie Fixler, director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, one of the co-authors of the CSC 2.0 report.

But while Colonial highlighted the gaps in one area, the report notes that this isn’t an isolated incident. Federal agencies’ guidance for their sectors is not always easily available, and it’s not clear how responsibilities are divided among the SRMAs, the co-SRMAs (where multiple agencies are in charge of different portions of a sector) and CISA. The end result is a “complex and inconsistent web of responsibilities,” the report notes.

Other strategy documents, such as the National Infrastructure Protection Plan, which outlines how government and critical infrastructure collaborate, haven’t been updated since 2013 either. Sector-specific plans, which are statements of purpose identifying key assets, risks and threats, have similarly not been updated since 2015, even though the initial releases were little more than “cut and paste” versions of a template that did little to highlight key differences between sectors.

CISA’s priorities and effectiveness

CISA, meanwhile, has its own share of issues as the national risk management agency, according to the CSC 2.0 report. “CISA is not, in many cases, serving as the leader that most interviewees said was needed to realize the full potential of the SRMA framework,” the authors note, going on to say that the agency has seemingly prioritized cybersecurity at the expense of physical security. DHS has warned that violent domestic extremists pose among the largest threats inside the U.S., and there has been a marked rise in physical attacks against substations and critical infrastructure in recent years.

Additionally, the report notes, CISA is not able to fulfill its responsibilities as “it does not receive the inter-agency support necessary to act effectively as the national risk manager.”

The report does offer a dozen recommendations for the administration to consider as it revamps PPD-21. For instance, it recommends that a new version of the policy identify strategic changes such as improving the focus on resilience — keeping systems running when a breach happens — instead of just cyber defense.

The report also recommends that the government update responsibilities for key strategy documents and ensure accountability through clearly defined roles and expectations. It further calls for clarifying CISA’s role as the national risk management agency as well as the agency’s “ability to compel minimum security standards and to convene or require collaboration or engagement” such as information sharing.

The authors recommend that the updated PPD-21 document identify critical infrastructure sub-sectors and detail how additional sectors will be added or removed from the list of 16. Additional resources for agencies responsible for the sectors will likely be needed to properly serve various industries, the report notes. “Not all sectors need the same amount of support. Not all SRMAs need the same budgets. But all SRMAs should have sufficient resources to meet the needs of their sector,” it says.

CISA should have more “consistent organization roles and responsibilities, as well as clear operational doctrine, for its [national risk management agency] role,” which may include reviewing responsibilities so that the agency doesn’t have too wide of a remit. “CISA also must have the appropriate taskings to implement its authorities to update all policy documents and instruct SRMAs to update their SSPs,” the report notes.

Critical infrastructure is undergoing rapid transformation with the increase in digitization and interconnectivity, creating a complex web of risks that are not fully understood. As such, the White House should organize more collaboration to understand systemic and cross-sector threats, the report notes. And, among the many other recommendations from the CSC 2.0, industries need a single point of contact in the government when the next Colonial Pipeline attack happens.

White House plan to implement cyber strategy includes ambitious digital education effort
https://cyberscoop.com/national-cybersecurity-strategy-implementation-plan/
Tue, 16 May 2023 15:29:31 +0000
The strategy rollout will focus on educating Americans on digital risks and expanding the cyber workforce.

Part of the White House plan to implement its sweeping national cybersecurity strategy involves a nationwide effort to give all Americans “foundational cyber skills,” said Kemba Walden, the Biden administration’s acting national cyber director, on Tuesday.

“I’m sure all of you experience what I experience, which is the shortage of available cyber workforce. We need to think that through. We’re developing our national cyber strategy for workforce and education, considering the pipeline for filling that workforce,” Walden said during a speech to the National Security Telecommunications Advisory Committee, a cohort of executives that advises the administration. She said the full cyber strategy implementation plan should be out by this summer.

“The point of the national cyber strategy was to really lift the burden off of people, individuals, communities, small medium businesses and shift it to those that are more capable of doing so,” Walden said, referring to companies and organizations with more resources and capability to defend against cyberthreats.

The national cyber strategy that the administration released in March was a long-awaited document designed to outline how the White House plans to work across the government and private sector to more effectively fight against malicious hackers and ensure systems are designed with built-in security measures. However, experts have noted that it is only as good as its implementation plan, which is eagerly awaited by cybersecurity experts and policymakers.

Walden said the implementation plan, which is still being drafted, has four pillars: equipping every American with foundational cyber skills, transforming cyber education, growing the national cyber workforce and increasing the federal cyber workforce. The administration is also expected to release a national cyber workforce strategy in the coming months.

Walden noted that the first pillar could include aspects like digital literacy, computational math and digital resiliency. “This multi-year, multi-stakeholder approach is ambitious, I recognize that,” Walden said. “When you talk about computational math my eyes actually do glaze over, but maybe that’s not true for my 10-year-old.”

Coming to DEF CON 31: Hacking AI models
https://cyberscoop.com/def-con-red-teaming-ai/
Thu, 04 May 2023 18:16:47 +0000
A group of prominent AI companies committed to opening their models to attack at this year's DEF CON hacking conference in Las Vegas.

A group of leading artificial intelligence companies in the U.S. committed on Thursday to open their models to red-teaming at this year’s DEF CON hacking conference as part of a White House initiative to address the security risks posed by the rapidly advancing technology.

Attendees at the premier hacking conference, held annually in Las Vegas in August, will be able to attack models from Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI in an attempt to find vulnerabilities. The event, hosted at the AI Village, is expected to draw thousands of security researchers.

A senior administration official speaking to reporters on condition of anonymity ahead of the announcement said the red-teaming event is the first public assessment of large language models. “Red-teaming has been really helpful and very successful in cybersecurity for identifying vulnerabilities,” the official said. “That’s what we’re now working to adapt for large language models.”

The announcement Thursday came ahead of a meeting at the White House later in the day between Vice President Kamala Harris, senior administration officials and the CEOs of Anthropic, Google, Microsoft and OpenAI.

This won’t be the first time Washington has looked to the ethical hacking community at DEF CON to help find weaknesses in critical and emerging technologies. The U.S. Air Force has held capture-the-flag contests there for hackers to test the security of satellite systems, and the Pentagon’s Defense Advanced Research Projects Agency brought a new technology to the conference that could be used for more secure voting.

Rapid advances in machine learning in recent years have resulted in a slew of product launches featuring generative AI tools. But in the rush to launch these models, many AI experts are concerned that companies are moving too quickly to ship new products to market without properly addressing the safety and security concerns.

Advances in machine learning have historically occurred in academic communities and open research teams, but AI companies are increasingly closing off their models to the public, making it more difficult for independent researchers to examine potential shortcomings.

“Traditionally, companies have solved this problem with specialized red teams. However this work has largely happened in private,” AI Village founder Sven Cattell said in a statement. “The diverse issues with these models will not be resolved until more people know how to red team and assess them.”

Among the risks posed by these models are using them to create and spread disinformation; to write malware; to create phishing emails; to provide harmful knowledge not widely available to the public, such as instructions on how to create toxins; biases that are difficult to test for; the emergence of unexpected model properties; and what industry researchers refer to as “hallucinations” — when an AI model gives a confident response to a query that isn’t grounded in reality.

The DEF CON event will rely on an evaluation platform developed by Scale AI, a California company that produces training data for AI applications. Participants will be given laptops to use to attack the models. Any bugs discovered will be disclosed using industry-standard responsible disclosure practices.

Thursday’s announcement coincided with a set of White House initiatives aimed at improving the safety and security of AI models, including $140 million in funding for the National Science Foundation to launch seven new national AI institutes. The Biden administration also announced that the Office of Management and Budget will release guidelines for public comment this summer for how federal agencies should deploy AI.

US cybersecurity officials step up push for companies to adopt secure by design practices
https://cyberscoop.com/secure-by-design-cyber-informed-engineering/
Thu, 27 Apr 2023 21:27:08 +0000
Efforts at CISA and the Department of Energy are both meant to encourage the practice of building in better security protections.

SAN FRANCISCO — Top U.S. cybersecurity officials have been meeting with industry representatives and tech executives to press the need for companies to adopt secure by design principles that are a core part of the Biden administration’s national cybersecurity strategy.

The push is part of an effort championed by the White House and the Cybersecurity and Infrastructure Security Agency to reduce the number of vulnerabilities in commercial software and shift the burden for maintaining cybersecurity from consumers back to tech vendors.

“Small and medium businesses, local school districts, water utilities, local hospitals, are not going to be successful in managing cybersecurity risk alone if they ever get in the crosshairs of a ransomware gang or an APT actor,” said Eric Goldstein on Wednesday during the annual RSA Conference here, which brings together government officials and industry executives. “Those who can bear the burden are held accountable for providing services that are safe and secure by design by default.”

Jack Cable, a senior technical adviser at CISA, told CyberScoop that CISA held two listening sessions recently with industry partners as well as one with the open-source community. He said the agency plans to build on secure by design principles recently outlined in a white paper the agency published. “This is the first chapter of the story here and we want to work closely with industry and governmental partners with this.”

A related and complementary effort, the Department of Energy’s cyber informed engineering program, is designed to help industrial organizations apply secure by design strategies to operational technology. “They’re very much connected as we really move toward a converged infrastructure future,” said Cheri Caddy, deputy assistant national cyber director at the Office of the National Cyber Director, during an RSA panel here on Wednesday. “So how can we shift the liability for software security, for system security onto the makers and away from the end users?”

The Energy Department’s cyber informed engineering approach was announced last year after Congress, in the 2020 National Defense Authorization Act, mandated the development of a strategy and funded a plan to reduce the risk of cyberattacks on physical plants.

“We have systems that are built to withstand extremes of weather … but an adversary that is deliberately attacking a system doesn’t usually fall into the calculus,” said Caddy, who previously worked at DOE before joining the White House.

“We wrote the strategy with the flavor of the energy sector and electrical systems, but also with the intention of expanding it out,” she said. “This is for all engineers, not just electrical engineers. It’s everything, it’s building systems, it’s space systems, it’s weapons platforms, it’s really all of these physically engineered systems.”

Universities such as Auburn University have already begun to establish cyber informed engineering in their courses, either as a separate course or by building it into existing classes. “We’re driving toward a broader community center of excellence concept of how can we get more resources that we could share with the whole community to advance this practice,” Caddy said.

Homeland Security chief Mayorkas announces 90-day China sprint and AI task force https://cyberscoop.com/mayorkas-china-sprint-ai-task-force/ Fri, 21 Apr 2023 15:25:06 +0000 https://cyberscoop.com/?p=73389 The secretary of homeland security warned that China, AI, and cyber pose some of the biggest threats to the United States.

The post Homeland Security chief Mayorkas announces 90-day China sprint and AI task force appeared first on CyberScoop.

Secretary of Homeland Security Alejandro Mayorkas announced on Friday that his department will carry out a 90-day sprint to study and counter threats from Beijing and that the department will form a task force to examine how to integrate artificial intelligence into its work.

In a speech Friday that accompanied the release of the Third Quadrennial Homeland Security Review, a statutorily required strategic document that assesses how threats to the United States have changed, Mayorkas said that the department’s examination of the threat posed by China will take a close look at how to defend U.S. critical infrastructure against Chinese cyberattacks.

“As threats of the past have changed in form, complexity and magnitude, so too have new threats emerged. This is perhaps nowhere more acute than in cyberspace,” Mayorkas said. “Today, malicious cyber actors are capable of disrupting gasoline supplies across an entire region of our country, preventing hospitals from delivering critical care and causing disruption in some school systems around our country.”

Friday’s announcements are the latest in a string of Washington initiatives to counter the influence of China, the most recent of which is a workshop to be held Friday that aims to prevent the United States from falling behind China in the deployment of 6G telecommunications infrastructure.

DHS’s 90-day examination of the threat posed by China will focus on six areas: defending against attacks on critical infrastructure; disrupting the fentanyl supply chain; screening travelers who are exploiting the immigration system to collect intelligence, steal intellectual property or harass dissidents; mitigating China’s influence on the supply chain, including safe navigation and resource development in the Arctic and Indo-Pacific; and international information sharing on the counterintelligence threats posed by China.

The intelligence community’s annual threat assessment recently concluded that China “probably currently represents the broadest, most active, and persistent cyberespionage threat to U.S. Government and private-sector networks.” That threat is diverse in nature: earlier this week, U.S. prosecutors accused 44 people of working for the Chinese government with the aim of suppressing dissidents within the Chinese diaspora in the United States.

Additionally, DHS is creating an Artificial Intelligence Task Force aimed at using AI to “advance our critical homeland security missions,” including by integrating AI into supply chain monitoring and using AI to screen cargo. The task force will examine how to better detect fentanyl shipments, apply AI to digital forensic tools to help authorities with child sexual exploitation and abuse and assess the impact of AI on critical infrastructure.

With AI applications widely proliferating and machine learning making rapid advances in recent years, Mayorkas said that progress marks “the dawn of a new age.”

Cyberspace Solarium Commission says space systems should be considered critical infrastructure https://cyberscoop.com/solarium-commission-space-systems-critical-infrastructure/ Fri, 14 Apr 2023 10:00:00 +0000 https://cyberscoop.com/?p=73122 The influential Cyberspace Solarium Commission is calling for space systems to be the 17th critical infrastructure sector.

The post Cyberspace Solarium Commission says space systems should be considered critical infrastructure appeared first on CyberScoop.

The Cyberspace Solarium Commission wants space systems to be considered critical infrastructure sector number 17, a move the influential group says will compel a growing industry of satellite operators to take action to better protect their networks from malicious hackers.

In a new report released Friday, the commission said that the official critical infrastructure designation would close cybersecurity gaps in the industry such as “uneven” defenses and an approach to safeguarding hardware that is often more focused on harsh weather conditions than cyberattacks.

“Major portions of American space systems are still not designated as critical infrastructure and do not receive the attention or resources such a designation would entail,” according to the commission, which Congress established in 2019 to develop a strategic approach to defending U.S. cyberspace. “The majority of today’s space systems were developed under the premise that space was a sanctuary from conflict, but this is no longer the case.”

Over the past several years, at least 18 of the commission’s 82 recommendations are set to be implemented, according to its 2021 annual report.

Space technology is far from immune to cybersecurity threats. For instance, at the start of the Ukraine war, Russian hackers targeted U.S.-based satellite company Viasat in an attempt to disrupt communications, in one of the more significant cyberattacks so far during the war. Additionally, last year the Cybersecurity and Infrastructure Security Agency found the notorious Russian hackers Fancy Bear snooping inside U.S. satellite networks.

Other critical infrastructure sectors, such as energy and water, rely heavily on space technology for services such as controlling remote facilities, timing for grid monitoring and other industrial control system uses.

The report also attempts to avoid “conceptual debates” around whether space should be considered infrastructure or simply a domain by using “space systems” — a term taken from the Trump administration’s memorandum on space cybersecurity policy — which includes “ground systems, sensor networks, and space vehicles.”

“Quite simply, space is an indispensable critical infrastructure, and it’s time it should be treated as such. Labels are important to show it’s a priority,” said Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security, who was one of the more than 30 experts consulted on the report.

“It’s infrastructure on which the United States depends and relies. The disruption or destruction of space assets and access would have a debilitating effect on national and economic security that would ripple across the globe,” Harrell said in a statement. “The technologies and capabilities in the space sector are unique and not replicated in other sectors of the economy, so they should be better protected.”

The commission recommends that the National Aeronautics and Space Administration should be the sector risk management agency for space systems. However, the report also notes that even though NASA undoubtedly has the industry expertise and private partnerships needed, the agency “has yet to demonstrate interest in becoming an SRMA” and would have to “scale up” to better protect those systems.

Additionally, the commission does not recommend giving the space agency a regulatory role as “space systems are already regulated through other rule sets.”

The report calls for two subgroups within the new designation, similar to the energy sector, which includes both electricity and oil and natural gas. The Defense Department would continue its role as the SRMA for defense and intelligence systems, and the Federal Communications Commission would do the same for space-based communications systems.

The commission recommends that Congress give NASA an initial investment of $15 million per year with 25 full-time employees to take on any added SRMA responsibilities. The Congressional Research Service should also conduct a legislative review to identify gaps in existing laws, the report notes.

Industry, meanwhile, should organize the commercial space sectors to “play an instrumental role in governance” and establish a Space Systems Sector Coordinating Council similar to the influential Electric Sector Coordinating Council, which is made up of CEOs and executives.

Additionally, the sector should begin working to reduce risks to and increase the resilience of commercial space technology, the report notes. The industry is maturing in cyberspace: the Space Information Sharing and Analysis Center announced in March the launch of a 10-person analysis team, a first for the relatively young ISAC, which was founded in 2019.

This isn’t the first call for space as critical infrastructure, or even the second. There have been plenty of op-eds over the years calling for the designation. Additionally, lawmakers have also introduced legislation to make space critical infrastructure.

CISA also suggested that space should be considered critical infrastructure in a report to President Biden that assessed the framework for protecting critical infrastructure.

Marking space systems as critical would “stimulate policy and stakeholder attention and resources needed to secure the space systems that support the (national critical functions) which is a current gap for the United States,” Brandon Bailey, a senior project leader for the Cyber Assessments and Research Department at Aerospace Corporation, told Congress last July.

“Without this designation, space technology will be diluted and subordinate to the other sector specific protection,” Bailey said at the time. “Without a critical mass of focus on space technology, there is not likely sufficient focus to protect the critical space-based capabilities.”

However, there have also been roadblocks. Chris Inglis, then-National Cyber Director, said last year that “we’re going to walk, not so much away from the critical sectors, but towards this idea that what we’re really interested in is the threats that cut across those.”

Rural hospitals need help from feds to fight ransomware, witnesses tell lawmakers https://cyberscoop.com/rural-hospital-ransomware/ Thu, 16 Mar 2023 18:27:41 +0000 https://cyberscoop.com/?p=72324 Experts told Senators on Thursday that rural hospitals don't have the necessary resources to fend off an increasing number of cyberattacks.

The post Rural hospitals need help from feds to fight ransomware, witnesses tell lawmakers appeared first on CyberScoop.

As ransomware attacks continue to pummel the U.S. health care sector, costing hospitals millions of dollars and exposing patients’ sensitive medical records, rural hospitals are in dire need of assistance from the federal government, experts said Thursday during a Senate hearing.

Witnesses at the Senate Homeland Security and Governmental Affairs Committee told lawmakers that while there is a plethora of information doled out by private industry groups and federal government agencies such as the Cybersecurity and Infrastructure Security Agency, the challenge for smaller hospitals is finding resources, such as cybersecurity-focused employees, to apply that guidance in an actionable way.

Ransomware attacks against U.S. hospitals and health care organizations are becoming increasingly common, making headlines seemingly every day alongside stories about hackers selling health records on the dark web. In 2022, at least 25 ransomware attacks against health care providers impacted up to 290 hospitals, according to cybersecurity firm Emsisoft.

On Monday, a Pennsylvania cancer patient sued her health care provider for negligence after the criminal ransomware gang AlphV/BlackCat posted her nude photos online, an aggressive tactic that signals ransomware operators are becoming more brazen in their efforts to convince victims to pay up. And many are. U.S. and South Korean officials warned in February that North Korea is using profits from ransomware attacks against hospitals to fund its own cyber operations.

“In recent years, increasingly sophisticated cyberattacks in the healthcare and public health sectors posed alarming threats to people in Michigan, as well as across the country,” said Chairman Gary Peters, D-Mich.

Last year saw the passage of both a cyber breach notification law, which requires critical infrastructure operators, including the health care sector, to notify CISA of significant incidents, and a law requiring the Food and Drug Administration to oversee cybersecurity for medical devices.

Kate Pierce, senior virtual information security officer at cybersecurity firm Fortified Health Security, advocated for establishing minimum cybersecurity laws for the health care sector that are “reasonable, achievable, and continually evolving” alongside more funding for rural hospitals that have little in terms of resources to defend themselves against hackers.

“We also saw cybercriminals shift their focus to small and rural hospitals with this group lagging behind in strengthening their defenses,” said Pierce. “Our rural hospitals are facing unprecedented budget constraints with up to 30% or more in the red, with the public health emergency scheduled to end in May.”

Greg Garcia, executive director for cybersecurity at the Healthcare and Public Health Sector Coordinating Council, noted that the health care sector is also undergoing a long list of changes that complicate hospitals’ efforts to safeguard their networks. “Consider that health care innovation is going direct to the consumer to wearable and home medical technology and tele-medicine,” said Garcia. “This expands the so-called attack surface for connected technology outside the clinical environment which is harder for hospitals to secure remotely with patients.”

An increasing number of mergers and acquisitions in the health care sector means that organizations are trying to integrate incompatible systems from different suppliers, which increases the complexity of protecting those systems, Garcia said. Additionally, the health care industry is moving to cloud service providers that outsource clinical data management and software, which also increases the overall impact of a single cyberattack, he noted.

During a ransomware attack, hospitals often can’t schedule appointments or perform procedures or surgeries. Additionally, they must switch to a paper-based environment that slows down the delivery of care, Garcia said. While there’s a “glut of information security best practices out there, we need to pick one because there is a lot of confusion,” he noted, stressing that everyone who works in a hospital now needs to think about cybersecurity as a key part of their job.
