
Cybersecurity chief advocates for simplified cybersecurity laws

Harry Coker Jr. emphasized the importance of established standards for critical infrastructure and private sector partners, but simultaneously stressed the importance of easing unnecessary burdens from excessive compliance requirements.



In a bid to address the escalating cybersecurity threats, the Biden administration has announced a series of strategies aimed at harmonizing cybersecurity compliance demands and promoting secure by design practices. These strategies were outlined by National Cyber Director Harry Coker Jr. during a speech at Columbia University's Conference on Cyber Regulation and Harmonization in New York City.

1. **Harmonization of Cyber Incident Reporting**

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 requires covered entities to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). The Cyber Incident Reporting Council (CIRC) has been established to coordinate federal incident reporting efforts, ensuring that requirements are streamlined and consistent.

2. **Regulatory Frameworks**

Key regulations such as HIPAA, CCPA, and GDPR influence cybersecurity compliance in the U.S., especially for businesses handling personal data. The Office of the Comptroller of the Currency (OCC) collaborates with industry groups and federal agencies to promote sector-wide cyber exercises and share best practices.

3. **Secure by Design Practices**

To raise the baseline for consumer IoT devices, the Federal Communications Commission (FCC) is introducing the U.S. Cyber Trust Mark, a voluntary labeling program built on the consumer IoT criteria developed by the National Institute of Standards and Technology (NIST). Manufacturers are adopting practices such as unique, randomly generated per-device credentials (rather than one factory default shared across a product line) and QR-code-based setup flows, so that attackers can no longer log in to a device with a published default password.

4. **Cloud Adoption and Security**

The U.S. Treasury Department has developed a Shared Cloud Lexicon and Terminology to standardize cloud technology adoption across financial institutions. The Treasury Department also established a Public-Private Executive Steering Group to address cloud technology challenges and opportunities, promoting secure cloud adoption.

### Implementing Secure by Design Practices

To implement secure by design practices effectively, businesses should incorporate security early in development, use secure defaults, provide transparency, and regularly update and patch devices. By aligning compliance efforts with business objectives and embracing secure by design principles, organizations can improve their cybersecurity posture while building trust with stakeholders.
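The two secure-by-design practices named above for IoT devices, per-device credentials and a QR-based setup flow, are worth seeing in code. The following is an added example written for this page, not code from any vendor, the FCC or NIST: a factory provisioning step that gives each unit its own CSPRNG password, stores only a salted hash on the device, puts the plaintext only in the label's QR payload, and forces the owner to set a new password on first login. Function names, the JSON field names and the PBKDF2 round count are assumptions chosen for the example.

```python
"""Per-device credentials plus a QR provisioning payload (illustrative example).

Contrasts the weak pattern (one factory default shared by every unit) with a
secure default: each device gets a unique random password at manufacture, the
device keeps only a salted hash, and first login forces a password change.
All names here are hypothetical; this is not any vendor's firmware code.
"""
import hashlib
import hmac
import json
import os
import secrets
import string
from dataclasses import dataclass

# The anti-pattern: the same credential baked into every unit in the product line.
SHARED_FACTORY_DEFAULT = ("admin", "admin")

PW_ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 200_000  # assumption: tune to the device's CPU budget


def generate_password(length: int = 16) -> str:
    """CSPRNG password: 62^16 is roughly 95 bits, beyond online guessing and
    beyond offline cracking of a leaked hash."""
    return "".join(secrets.choice(PW_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class DeviceAccount:
    serial: str
    username: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = True  # secure default: rotation forced on first login
    failed_attempts: int = 0


def provision(serial: str) -> tuple[DeviceAccount, str]:
    """Factory step. Returns the record to write into device storage and the
    JSON string to encode in the label's QR code (the only place the plaintext lives)."""
    password = generate_password()
    salt = os.urandom(16)
    account = DeviceAccount(serial, f"dev-{serial.lower()}", salt, hash_password(password, salt))
    qr_payload = json.dumps({"sn": serial, "u": account.username, "p": password},
                            separators=(",", ":"))
    return account, qr_payload


def credentials_from_qr(qr_payload: str) -> tuple[str, str]:
    """What the setup app reads when the owner scans the label."""
    data = json.loads(qr_payload)
    return data["u"], data["p"]


def login(account: DeviceAccount, username: str, password: str) -> str:
    """Returns 'ok', 'setup_required' (correct credential, but rotation still
    pending) or 'denied'. Constant-time comparisons avoid a timing oracle."""
    candidate = hash_password(password, account.salt)
    user_ok = hmac.compare_digest(username.encode(), account.username.encode())
    pw_ok = hmac.compare_digest(candidate, account.pw_hash)
    if not (user_ok and pw_ok):
        account.failed_attempts += 1
        return "denied"
    account.failed_attempts = 0
    return "setup_required" if account.must_change_password else "ok"


def set_owner_password(account: DeviceAccount, current_password: str, new_password: str) -> bool:
    """Completes first-time setup: requires the label credential, rejects weak or
    unchanged passwords, re-salts, and clears the rotation flag."""
    if login(account, account.username, current_password) == "denied":
        return False
    if len(new_password) < 12 or new_password == current_password:
        return False
    account.salt = os.urandom(16)
    account.pw_hash = hash_password(new_password, account.salt)
    account.must_change_password = False
    return True


if __name__ == "__main__":
    acct, qr = provision("SN000123")  # constructed serial number
    print("label QR payload:", qr)
    print("factory default:", login(acct, *SHARED_FACTORY_DEFAULT))
    user, pw = credentials_from_qr(qr)
    print("label credential:", login(acct, user, pw))
    print("owner setup:", set_owner_password(acct, pw, "correct-horse-battery-staple"))
    print("owner login:", login(acct, user, "correct-horse-battery-staple"))
```

The point of the design is that nothing an attacker can learn from one device (or from a product manual) logs them into another: the shared default is never valid, the per-unit secret exists in plaintext only on the physical label, and even that secret stops working once the owner completes setup.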

The focus is on improving the security of the code tech manufacturers ship, so that future attacks on critical systems are prevented at the source. Coker emphasized the need for federal authorities to work together with critical infrastructure providers, private sector companies, and other stakeholders. Sector-specific regulations are being rolled out by federal agencies to set minimum security standards, with the goal of shifting the security burden away from under-resourced end users and onto the vendors best placed to carry it.

The regulations being implemented are intended to address the security vulnerabilities that have been exploited in recent attacks. The measures are part of a broader effort to improve the overall cybersecurity posture of critical systems. Coker stressed that none of these measures are meant to imply malice on the part of critical infrastructure owners and operators.

The Biden administration is concerned about a major threat to critical infrastructure, with sophisticated state-linked hackers targeting the telecom industry recently. The government aims to use its IT spending power to ensure widely used tools have security built into their product design. Federal authorities are encouraging tech manufacturers to implement secure by design practices.

Other sectors, such as energy and water utilities, face a combination of threats from nation-states and criminal ransomware groups. Under Coker's strategy, more investment is required to build long-term cyber resilience. State-linked threat actors such as China's Volt Typhoon pose unacceptable risks to the U.S., according to Coker.

By implementing these strategies, the U.S. hopes to create a more secure digital landscape, protecting critical infrastructure and fostering trust among stakeholders.

  1. Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, covered entities are required to report cyber incidents, including ransomware payments, to the Cybersecurity and Infrastructure Security Agency (CISA), and federal reporting requirements are being streamlined so that they are consistent across regulators.
  2. The Biden administration, in an effort to strengthen the U.S.'s cybersecurity posture, is encouraging tech manufacturers to build secure by design practices into the development of devices and systems, so that vulnerabilities are not left for threats such as ransomware to exploit.
  3. To bolster the resilience of critical infrastructure, the U.S. is implementing sector-specific regulations that set minimum security standards across industries, addressing the unacceptable risks posed by cybercriminals and state-linked actors such as the China-linked Volt Typhoon.
