Clumio announces $75M Series D and 4X YoY growth in ARR

// 06 Mar 2023

Security News in 4 Minutes: US Cyber Security Strategy

Jacob Berry, Field CISO

Security news in four minutes is back this week! Last week was busy and thought-provoking. These days, every week gets me more excited for the future of the industry.

U.S. Government's Cyber Security Strategy Gets Serious

I grew up with the hacker mindset: Figure out how everything works and how to repurpose technology for new uses, with an ethos of technology for people and protecting digital rights.

With this hacker mindset as a lens, I’m optimistic about the new cyber security strategy from the U.S. federal government. This strategy illustrates that the ideas of protecting internet connected infrastructure and privacy are being taken more seriously. Although it took 25 years to go from hacker discussions on BBSs and in ’zines, to policy in the White House, privacy rights and security are reaching all levels.

Execution on the new strategy will bring further industry growth, healthy debate on how we should handle and regulate data, and, if the current administration is successful, it will shape the future of cyber security. Anything at a national level takes time, and that’s a good thing. It will take time to listen and consider the full impact of proposed changes. While this memo only sets a strategic direction, it’s the beginning of a more serious stance than we have previously seen.

Here are my takeaways:

  • It will be interesting to see how legislation will operationalize the idea of making tech and software companies more liable for cybersecurity. Will this be in the form of penalties for being a root cause of a breach, or will it dictate controls?
  • Grants for cybersecurity research will likely come. This could fuel growth in the private sector and at universities.
  • A national privacy law is likely coming sooner than later! While the current proposed legislation may be stalling, it may still be signed into law this year. See “Lawmakers continue push for federal data privacy law.”

Attackers Stealing Cloud Data

Switching gears to commentary on recent attacks, the LastPass breach has been well covered but I want to note the parallels between the attack TTPs (Tactics, Techniques, and Procedures) in that breach and the attack in the news last week, “SCARLETEEL.”

In both of these attacks we see threat actors gaining access to credentials to steal data from the cloud. Initial access in each attack was very different; nonetheless, the result was the same: data theft from cloud resources (MITRE ATT&CK TA0009,T1530,T1213).

While organizations are getting better at cloud security, it shows we have a long way to go as an industry. We still need to find better answers to security that works with humans. Access controls are the most common failure point for initial access, we miss malicious use due to fatiguing monitoring programs, and our disaster recovery programs and backups are architected for legacy technology challenges, not modern cloud challenges.

Recommended Reading

To wrap up, here are a few articles worth your time:

About the author

Jacob's background is in Cyber Security and Technology, focused on helping customers build secure cloud operating environments. He has extensive experience in offense and defense security, security operations, and working across multiple verticals in both private and public sectors.