Security News in 4 Minutes: US Cyber Security Strategy
Security news in four minutes is back this week! Last week was busy and thought-provoking. These days, every week gets me more excited for the future of the industry.
U.S. Government’s Cyber Security Strategy Gets Serious
I grew up with the hacker mindset: figure out how everything works and how to repurpose technology for new uses, with an ethos of technology for people and of protecting digital rights.
With this hacker mindset as a lens, I’m optimistic about the new cyber security strategy from the U.S. federal government. The strategy shows that protecting internet-connected infrastructure and privacy is being taken more seriously. Although it took 25 years to go from hacker discussions on BBSs and in ’zines to policy in the White House, privacy rights and security are reaching all levels.
Execution on the new strategy will bring further industry growth, healthy debate on how we should handle and regulate data, and, if the current administration is successful, it will shape the future of cyber security. Anything at a national level takes time, and that’s a good thing. It will take time to listen and consider the full impact of proposed changes. While this memo only sets a strategic direction, it’s the beginning of a more serious stance than we have previously seen.
Here are my takeaways:
- It will be interesting to see how legislation will operationalize the idea of making technology and software companies more liable for the security of what they ship. Will this take the form of penalties for being the root cause of a breach, or will it dictate specific controls?
- Grants for cybersecurity research will likely come. This could fuel growth in the private sector and at universities.
- A national privacy law is likely coming sooner rather than later! While the currently proposed legislation may be stalling, it may still be signed into law this year. See “Lawmakers continue push for federal data privacy law.”
Attackers Stealing Cloud Data
Switching gears to commentary on recent attacks: the LastPass breach has been well covered, but I want to note the parallels between the attacker TTPs (Tactics, Techniques, and Procedures) in that breach and those in the attack in the news last week, “SCARLETEEL.”
In both attacks, threat actors obtained credentials and used them to steal data from the cloud. Initial access differed considerably between the two; nonetheless, the result was the same: data theft from cloud resources (MITRE ATT&CK Collection, TA0009: T1530 Data from Cloud Storage and T1213 Data from Information Repositories).
While organizations are getting better at cloud security, these incidents show we still have a long way to go as an industry. We need better answers for security that works with people rather than against them. Access controls are the most common failure point for initial access; we miss malicious use because monitoring programs fatigue the analysts who run them; and our disaster recovery programs and backups are architected for legacy technology challenges, not modern cloud ones.
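As an added example (not code from the original post, LastPass, or the SCARLETEEL write-up), here is a small detection for the T1530 pattern above: a valid access key suddenly pulling many objects from cloud storage in a short window. It runs over constructed CloudTrail-style S3 data events embedded inline; the field names (eventTime, eventName, userIdentity.accessKeyId, sourceIPAddress, requestParameters.bucketName) are real CloudTrail fields, but the access key IDs, bucket, IPs, timestamps, and the five-requests-in-ten-minutes threshold are assumptions chosen for illustration.

```python
"""Flag bulk object retrieval per access key (ATT&CK T1530) over
CloudTrail-style S3 data events. Added example; thresholds and sample
records are assumptions, not values from any real incident."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per line in the shape of CloudTrail
# S3 data events. Key IDs, IPs, bucket and object names are made up.
# AKIAEXAMPLE0001 fetches six objects in 30 seconds from two IPs (suspicious);
# AKIAEXAMPLE0002 shows ordinary spread-out activity (benign).
SAMPLE_LOG = """
{"eventTime":"2023-03-06T09:30:00Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0002"},"sourceIPAddress":"192.0.2.25","requestParameters":{"bucketName":"corp-backups","key":"reports/jan.csv"}}
{"eventTime":"2023-03-06T09:45:00Z","eventName":"PutObject","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0002"},"sourceIPAddress":"192.0.2.25","requestParameters":{"bucketName":"corp-backups","key":"reports/feb.csv"}}
{"eventTime":"2023-03-06T10:00:01Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0001"},"sourceIPAddress":"203.0.113.10","requestParameters":{"bucketName":"corp-backups","key":"db/2023-03-01.sql.gz"}}
{"eventTime":"2023-03-06T10:00:05Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0001"},"sourceIPAddress":"203.0.113.10","requestParameters":{"bucketName":"corp-backups","key":"db/2023-03-02.sql.gz"}}
{"eventTime":"2023-03-06T10:00:09Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0001"},"sourceIPAddress":"203.0.113.10","requestParameters":{"bucketName":"corp-backups","key":"db/2023-03-03.sql.gz"}}
{"eventTime":"2023-03-06T10:00:14Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0001"},"sourceIPAddress":"203.0.113.10","requestParameters":{"bucketName":"corp-backups","key":"db/2023-03-04.sql.gz"}}
{"eventTime":"2023-03-06T10:00:20Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0001"},"sourceIPAddress":"198.51.100.7","requestParameters":{"bucketName":"corp-backups","key":"db/2023-03-05.sql.gz"}}
{"eventTime":"2023-03-06T10:00:31Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0001"},"sourceIPAddress":"198.51.100.7","requestParameters":{"bucketName":"corp-backups","key":"db/2023-03-06.sql.gz"}}
{"eventTime":"2023-03-06T10:30:00Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0002"},"sourceIPAddress":"192.0.2.25","requestParameters":{"bucketName":"corp-backups","key":"reports/mar.csv"}}
"""


def parse_cloudtrail_lines(text):
    """Parse newline-delimited JSON records into flat dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        params = rec.get("requestParameters") or {}
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": rec["eventName"],
            "key_id": rec.get("userIdentity", {}).get("accessKeyId", "<none>"),
            "ip": rec.get("sourceIPAddress", "<none>"),
            "bucket": params.get("bucketName"),
            "object": params.get("key"),
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_bulk_download(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per access key whose GetObject count inside any
    sliding window of length `window` reaches `threshold` (assumed values)."""
    recent = defaultdict(deque)   # access key -> GetObject events in window
    alerts = {}
    for e in events:
        if e["event"] != "GetObject":
            continue
        q = recent[e["key_id"]]
        q.append(e)
        while q and e["time"] - q[0]["time"] > window:
            q.popleft()          # drop events that fell out of the window
        if len(q) >= threshold:
            a = alerts.setdefault(e["key_id"], {
                "technique": "T1530",
                "access_key": e["key_id"],
                "count": 0,
                "first": q[0]["time"].isoformat(),
                "source_ips": set(),
                "buckets": set(),
            })
            a["count"] = max(a["count"], len(q))
            a["last"] = e["time"].isoformat()
            a["source_ips"].update(x["ip"] for x in q)
            a["buckets"].update(x["bucket"] for x in q)
    # Make the output stable and JSON-friendly.
    out = []
    for a in alerts.values():
        a["source_ips"] = sorted(a["source_ips"])
        a["buckets"] = sorted(a["buckets"])
        out.append(a)
    return out


if __name__ == "__main__":
    for alert in detect_bulk_download(parse_cloudtrail_lines(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The rule is deliberately narrow: it only looks at GetObject volume per key, so a leaked key that reads a few high-value objects slowly will not trip it. In practice you would pair it with a baseline of which keys and source IPs normally touch each bucket, and tune the threshold per bucket rather than globally.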
To wrap up, here are a few articles worth your time:
- Ransomware Attacks: The Cyberwar Is Here | National Review
This article will not surprise those of us who live this day to day, but it is getting attention in national security circles that look at warfare more holistically.
- The lobbying ghost in the machine | Corporate Europe Observatory
This article was published about a week and a half ago, so I’m a little late to the party. It’s interesting to read both sides of the AI Act debate; this piece details the lobbying against the AI Act. Tangential to security, but still relevant.
- BIPA damages accrue per transaction | Data Protection Report
This is important for CISOs and leaders. When designing for security, we weigh the cost of managing a risk against the cost of that risk being realized. The Illinois Supreme Court decision outlined here, under which damages accrue per transaction rather than per person, makes a BIPA violation very expensive for any organization that commits one.