The U.S. Navy has released its first cybersecurity strategy as the service tries to modernize its efforts in the space after years of staffing and preparedness issues.
The blueprint devised by Chris Cleary, the Navy’s principal cyber advisor, and its CIO, features the following seven lines of effort:
- Improve and Support the Cyber Workforce
- Shift from Compliance to Cyber Readiness
- Defend Enterprise IT, Data, and Networks
- Secure Defense Critical Infrastructure and Weapon Systems
- Conduct and Facilitate Cyber Operations
- Partner to Secure the Defense Industrial Base
- Foster Cooperation and Collaboration
Troy Batterberry, CEO and founder of EchoMark, had this comment:
“In order for the USA to achieve and maintain information superiority, we must adopt new forms of insider risk management. Nearly all major government agencies have experienced highly damaging leaks in part because the leaker (insider) felt they would never be caught. An entirely new approach is required to help change human behavior. Information watermarking is one such technology that can help keep private information private.”
Stephen Gates, Principal Security SME, Horizon3.ai follows with this:
“In the context of the Department of the Navy Cyber Strategy 2023, one line of effort stands out among the others: 2.0 Shift from Compliance to Cyber Readiness. As recent cyber events have repetitively proven, a purely defensive cyber strategy is not working and must be augmented by “adversarial assessments” of your own environments.
“These adversarial assessments are not the run-of-the-mill vulnerability scans. These assessments are cyber red team exercises whereby organizations attack themselves using the same tools, tactics, and procedures (TTPs) attackers use. The reason for this is simple. If you cannot find that hidden chink in your armor, that crack in your layered walls of defense, that blind spot you didn’t even know existed, you will never be able to adequately defend yourself against a purposeful attacker with nothing but time on their side – and disruption on their mind.
“Today, autonomous assessment solutions that let you see your environments through the eyes of an attacker are readily available. Having these solutions in the hands of highly skilled red teams allows them to force-multiply, meaning they can do expansive cyber readiness exercises simultaneously, while using these solutions to accelerate their assessment analysis. Furthermore, these solutions also meet the objective of prioritizing mitigations and reassessment tracking to ensure issues have been remediated and readiness is confirmed.”
At least the Navy realizes that it has issues, and is moving to address them. That’s good. But everyone will be watching to see if the Navy “walks the walk” as opposed to just “talks the talk”.
EU Adopts New Rules To Protect Devices Connected To The Internet
Posted in Commentary with tags Security on December 1, 2023 by itnerd
EU countries and EU lawmakers on Thursday agreed to rules to protect laptops, fridges, mobile apps and smart devices connected to the internet from cyber threats following a spate of such attacks and ransom demands in recent years around the world:
The European Commission, the European Union’s executive arm, proposed the new law last year in a bid to tackle the increasing risk from cyber threats to any smart devices, including a growing number of household goods as products become more connected.
The commission hopes the rules could save companies affected by such cyber incidents between 180 and 290 billion euros ($196-305 billion) every year.
The law will affect any product that is connected either directly or indirectly to another device or to a network.
The new rules introduce EU-wide cybersecurity requirements for the design, development and production of hardware and software products.
Manufacturers will also be forced to assess the cybersecurity risks of their products, and the rules demand greater transparency on the security of hardware and software products for consumers and business users.
Alongside CISA’s push for “secure by design” and the White House mandate for security nutrition labels on consumer devices by December 2024, this is a significant moment in the security of network-embedded devices. Pia McSharry, Security Strategist at Beyond Identity, shared the following commentary:
Device health is of the utmost importance to an organization’s overall cybersecurity posture. Putting the onus back on the manufacturer to produce devices that are “secure by design” eases the responsibility on the end user. Between this move by the EU and CISA/White House push for consumer security labels on devices by December 2024, IoT manufacturers will have to change their current practices to meet these new requirements and change up software and production practices.
The importance of upholding specific security hardening guidelines which are monitored and maintained by manufacturers is extremely important for organizations to minimize their attack surface. The management of the security posture of any connected device should be a shared responsibility between the manufacturer and the consumer. The manufacturer should always communicate the security standards used to harden the device, and the consumer should be aware of any potential security gaps to assure they are mitigating the risks effectively. This is a step forward to making security a priority for all.
Given that everything from lightbulbs to cars is on the Internet, this is a great move by the EU. Hopefully this forms the basis for devices that can be assumed to be secure, rather than devices whose security you have to question.
UPDATE: George McGregor, VP, Approov Mobile Security had this to say:
“Despite a lot of pushback, particularly on the 24 hour breach reporting requirements, the EU Cyber Resiliency Act (CRA) is now on its way to being in force in 2024. Companies will have a 21-month grace period before they must conform with the reporting obligation of manufacturers for incidents and vulnerabilities.
“Any companies who operate in the EU would do well to make it a priority to study this legislation: it provides a cybersecurity framework and rules governing the planning, design, development and maintenance of any products, with obligations to be met at every stage of the value chain. The breach reporting requirements are particularly demanding.
“This is another sign that pressure is being put on all companies and organizations around the world to invest in their cybersecurity resilience and response. The SEC is also active, proposing new guidelines with a four business day reporting rule.
“This trend will continue and it is inevitable that all companies will have to increase their focus and investment on cybersecurity governance, protection and response.”
David Ratner, CEO, HYAS Infosec follows with this:
“The Cyber Resiliency Act is a great start and will certainly help to increase transparency and responsibility. However, organizations should not let attestations and compliance drive their overall operational resiliency and business continuity strategy. They still require solutions capable of giving them the visibility and observability required to move business forward with confidence in the face of a constant onslaught of new and innovative cyber attacks.”