TechCrunch reports on how the UK plans to implement the EU's NIS Directive for operators of essential services:
In the UK, the government has announced that organizations working in critical services like energy, transport, water and health can be fined up to £17 million ($24 million) as a “last resort” if they fail to demonstrate that their cyber security systems are equipped adequately against attacks.
Major requirements for organizations will include having the right people and organization in place to handle a cyber attack; having the right software in place to protect against attacks; having the right capabilities in place to detect if an attack has taken place anyway; and having the right systems in place to minimize the impact of an attack if a system is breached (despite the other three being in place).
More detailed guidance includes how to secure other aspects of your network, such as your supply chain, and how to secure your data in the cloud.
The UK is well ahead of most of the global cyber powers in overseeing how critical infrastructure operators actually implement cyber security. This is a good set of lessons learned for Japan to consider investigating, to determine whether a similar oversight and penalty regime would be viable here.
The changes and refinements reflect feedback and comments from public and private sector stakeholders to an earlier draft update to the Cybersecurity Framework that NIST released in January 2017.
“NIST is hoping Framework version 1.1 will lead to a greater consideration of supply chain risk management [SCRM], cybersecurity within SCRM, and application of [the] Framework for that cybersecurity,” says Matt Barrett, NIST’s lead on the framework.
Firstly, Section 4.0, previously entitled Measuring and Demonstrating Cybersecurity, has been reframed as Self-Assessing Cybersecurity Risk with the Framework to better emphasize how organizations might use the Framework to measure their risk.
NIST clarified the use of the Framework to manage cybersecurity within supply chains by refining Section 3.3 Communicating Cybersecurity Requirements with Stakeholders.
NIST issued a draft report, NIST Interagency Report (NISTIR) 8170, to support agency heads and senior cybersecurity leadership in planning Framework implementation.
The certification will provide outside assurance to covered entities, but also be a plus for vendor partners, according to Ray Biondo, chief information security officer at HCSC, the largest customer-owned health insurance company in the United States.
“I want to make sure as an industry we don’t all go out and try to get minimum security requirements from each of these vendors and do it separately because it drives up costs for all of us, it’s inconsistent and it’s getting the vendors themselves bent out of shape,” he said. “Every time they try to sell their product or implement their solution to us or anybody else, they have to go through the same process over and over again. It’s very cumbersome.”
Adding some standardization to the process as an industry “will guarantee me that you’re at least meeting a minimum level of maturity with these common controls to protect your organization from a security breach,” he said. “These controls will not stop a hacker if they really want to get in, but if you can demonstrate you’re at least taking the necessary steps to increase your maturity level, our comfort level with doing business with you will greatly improve.”
Without such standards, he said, his company has to audit them individually.
“We’re in an awkward position. A lot of the companies that give us these solutions are as open to attack as anybody else, so it’s not just health care, it’s even the security suppliers. As an industry, we have to rally together to protect ourselves. I think this is the fastest, most efficient way to move that forward,” he said.
Even amid the growing prevalence of health care breaches, however, he said business associates are pushing back on making the certification mandatory.
Managing the security practices of business associates is a lot like herding cats. Add in a few offshore outsourcers who handle tasks such as medical transcription, coding and billing, and the scenario becomes even more complicated. Tennessee-based Cogent Healthcare learned that the hard way in 2013 when information was exposed on 32,000 patients when the firewall was down at an India-based transcription service.
A new document drafted by the National Institute of Standards and Technology proposes four broad objectives for the government’s pursuit of international standards in cyberspace: improve national and economic security; ensure standards are technically sound; support standards that promote international trade; and develop standards in tandem with industry to boost innovation.
The draft guidance will be the basis of a report the administration owes Congress by December outlining how agencies will collaboratively come up with global cybersecurity standards.
If fully implemented, the guidance will “enable a comprehensive United States cybersecurity standardization strategy,” the document said. It is the latest federal contribution to the still-maturing field of global cyber standards. The State Department has been lobbying at the United Nations for a set of peacetime norms.
The actual draft guidance can be found here (PDF).
The Defense Information Systems Agency has issued three new documents targeting cloud security, including two new requirements guides and a new concept of operations, according to a report in C4ISR & Networks.
The three new documents more thoroughly define cloud security and the steps to achieving it, outlining the responsibilities of the organizations and managers increasingly capitalizing on commercial cloud offerings. The release underscores the Defense Department’s growing adoption of commercial cloud offerings.
The cloud access point (CAP) functional requirements document (FRD) prescribes a barrier of protection between the Department of Defense Information Network (DoDIN) and Internet-based public cloud service offerings, directing defense agencies to implement protections for the connection points linking the two. The first DISA-established CAP is a modified NIPRNet federated gateway, according to the documents.
This is long overdue but a very welcome addition to the already very comprehensive catalog of Security Requirements Guides (SRGs) and Security Technical Implementation Guides (STIGs) that DISA manages.
The Internet, said Mundie, is something like the Wild West, where “people feel rightly or wrongly that they can act with impunity,” adding that this state of affairs will continue until law enforcement and government step in. All the panelists agreed that it is the role of law enforcement and the government to patrol the Internet’s byways and not something businesses can address on their own. In any case, laws prohibit cyber vigilantism.
As the severity of attacks rises, the government will have to establish a set of threat levels and responses, said panelists. The devastating attack on Sony's corporate infrastructure over The Interview, a film that offended the North Korean government, created a new environment, Harris said.
But the limits and expectations of what kind of response is called for remain undeclared and apparently undecided. “What are the levels of aggression that are necessary before the U.S. attacks a country for cyber attacks?” Harris asked. “If the U.S. banking system is taken down? When a few key sites are?”
“Does Congress have to declare war for the U.S. to attack a country, a rogue state, or individuals, as it must do now before U.S. troops can be involved?” Mundie said.
Because militarization of the Net is so new, no scale of threat levels has yet been created, and it is up to each victim how to respond. How many bits and bytes would an attacker have to wipe out for someone to feel compelled to respond?