EXCLUSIVE: What’s in the new zero-trust strategy – Politico

Editor's Note: Weekly Cybersecurity is a weekly version of POLITICO Pro's daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day's biggest stories. Act on the news with POLITICO Pro.

MC has your first look at the Biden administration's new plan for protecting the government with zero-trust networking.

Two Senate committees will have to iron out their differences on cyber incident reporting soon if they want to hitch a ride on a must-pass bill.

The Biden administration and the European Union are making plans to tackle challenges posed by encryption.

HAPPY TUESDAY, and welcome back to Morning Cybersecurity! If you're reading this message, it means that we got through the long Labor Day weekend without any devastating cyberattacks. Maybe everyone really listened to Anne Neuberger after all. Sam will be back tomorrow, so send your thoughts, feedback and especially tips to [emailprotected]. Follow @POLITICOPro and @MorningCybersec. Full team contact info below.

FIRST IN MC: DON'T TRUST, VERIFY The White House this morning is releasing for public comment a draft version of its strategy for implementing zero-trust principles across federal networks. The Biden administration sees zero-trust networking, in which a system is designed on the assumption that attackers are already inside and every request must be continuously authenticated, authorized and constrained, as key to its security overhaul of decades-old networks. Its new strategy will require a raft of actions to lock down software applications, limit users' access to data and protect network traffic from prying eyes.

Among the 18 steps required by the end of fiscal 2024: Every agency will have to use a single sign-on service to let employees access all of its applications; ditch phishable multi-factor authentication methods, such as one-time codes delivered by text message, which an attacker can simply relay; and eliminate archaic password policies that require special characters and regular password changes. They'll also have to encrypt all internal traffic and develop plans to segment their networks so that attackers who compromise one application can't easily move laterally to another. And they'll have to make at least one internal system securely accessible from the internet, to reduce reliance on VPNs.
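The strategy's distinction between phishable and phishing-resistant MFA comes down to what the second factor is bound to. The following is an added illustration, not code from the draft strategy, OMB or CISA: a relay phish against a bearer SMS code succeeds because the code is valid wherever it is typed, while an assertion that is signed over the origin the browser is actually on (the WebAuthn model) fails because the lookalike origin does not match the relying party's. The origins, user name and the HMAC "device secret" standing in for an authenticator's private key are assumptions made to keep the demo dependency-free; the point is what gets signed, not the signature algorithm.

```python
"""Constructed demo: why an SMS one-time code is phishable and an
origin-bound assertion is not. The 'device secret' is an HMAC key standing
in for a WebAuthn authenticator's private key (a simplification made so the
example runs without third-party libraries); what matters is that the
assertion covers the origin the browser saw."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.agency.example"     # hypothetical agency SSO origin
PHISH_ORIGIN = "https://login-agency.example"    # hypothetical lookalike origin


def sign(secret: bytes, challenge: str, origin: str) -> str:
    """The assertion binds both the server's challenge and the browser origin."""
    return hmac.new(secret, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """The agency login service."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.device_secret = secrets.token_bytes(32)  # enrolled authenticator key
        self.pending: dict[str, str] = {}

    def send_sms_code(self, user: str) -> str:
        """Bearer code: whoever presents it is accepted, wherever they got it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code  # 'delivered by SMS'

    def verify_sms_code(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self.pending.pop(user, ""), code)

    def start_assertion(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def verify_assertion(self, user: str, assertion: str) -> bool:
        """Recompute over OUR origin; an assertion made for any other origin fails."""
        challenge = self.pending.pop(user, "")
        expected = sign(self.device_secret, challenge, self.origin)
        return hmac.compare_digest(expected, assertion)


class Authenticator:
    """The user's device. It only ever sees the origin its browser is on."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def make_assertion(self, challenge: str, browser_origin: str) -> str:
        return sign(self.secret, challenge, browser_origin)


def relay_phish_sms(rp: RelyingParty, user: str) -> bool:
    """Attacker proxies the real login: the victim receives the genuine SMS
    code, types it into the lookalike page, and the attacker replays it."""
    code_seen_by_victim = rp.send_sms_code(user)
    code_typed_into_phish_page = code_seen_by_victim
    return rp.verify_sms_code(user, code_typed_into_phish_page)  # True: attacker is in


def relay_phish_assertion(rp: RelyingParty, device: Authenticator, user: str) -> bool:
    """Same relay, but the authenticator signs over the origin the victim's
    browser is actually on (the lookalike), so the relying party rejects it."""
    challenge = rp.start_assertion(user)
    assertion = device.make_assertion(challenge, PHISH_ORIGIN)
    return rp.verify_assertion(user, assertion)  # False: origin mismatch


def legitimate_assertion(rp: RelyingParty, device: Authenticator, user: str) -> bool:
    challenge = rp.start_assertion(user)
    return rp.verify_assertion(user, device.make_assertion(challenge, rp.origin))


def run_demo() -> dict[str, bool]:
    rp = RelyingParty(REAL_ORIGIN)
    device = Authenticator(rp.device_secret)
    user = "alice"  # hypothetical user
    return {
        "sms_relay_phish_succeeds": relay_phish_sms(rp, user),
        "assertion_relay_phish_succeeds": relay_phish_assertion(rp, device, user),
        "legitimate_assertion_succeeds": legitimate_assertion(rp, device, user),
    }


if __name__ == "__main__":
    print(run_demo())
```

Note that the SMS relay is defeated neither by longer codes nor by shorter validity windows: the attacker forwards the code within seconds. Only binding the factor to the origin (or, for smart cards, to a channel the phishing page cannot reach) closes the relay.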

Along with the draft zero-trust strategy, CISA is also releasing a maturity model that provides a roadmap for agencies' implementation of zero-trust policies, as well as a guidance document to help agencies securely migrate their applications to the cloud.

The zero-trust plan is part of President Joe Biden's cyber executive order, which also launched several other initiatives with impending due dates. By Thursday, for example, agencies must submit progress reports on their rollout of multi-factor authentication and encryption. CISA has until Thursday to develop a cyber incident response playbook that every agency can use. And DHS and OMB have until Thursday to set up procedures to ensure that contractors report cyber incidents to the appropriate agencies.

SENATE SHOWDOWN As Congress's summer recess nears its end, lawmakers face a big question: How will they reach agreement on the best way to require companies to report hacks? And more specifically, what will happen to the Senate Intelligence Committee's cyber incident reporting bill now that the Senate and House homeland security panels have teamed up on more industry-friendly legislation?

Senate Intelligence's bill differs widely from the Senate Homeland measure that yours truly scooped last week, especially in terms of its minimum reporting timeframe, the types of companies covered and the punishments for noncompliant companies. In letters to Congress and at last week's hearing, industry groups criticized the Intelligence bill's provisions.

There is strong industry support for the House and Senate Homeland bills' approach, said Ron Bushar, an executive at the cyber firm FireEye who testified on the House bill last week. And Senate Homeland has another advantage over Senate Intelligence: it has jurisdiction over any reporting bill, so it will play a significant role in shaping whatever legislation emerges. FireEye CEO Kevin Mandia will meet with Senate Homeland Security Chair Gary Peters (D-Mich.) on Wednesday, according to Stacy O'Mara, the company's director of government affairs.

But the Senate Intelligence bill has powerful sponsors, including perennial swing vote Susan Collins (R-Maine) and committee chair Mark Warner (D-Va.), an influential voice on national security. Warner and his colleagues are still revising their bill, and his office says its having productive meetings with interested parties.

The homeland-security panels are collaborating closely on their bills, according to an aide for the House panel. And Senate Homeland Security ranking member Rob Portman (R-Ohio) has been talking to the Senate Intelligence bills sponsors, a Senate aide said. Both aides requested anonymity to discuss legislative negotiations.

It's critical for Congress to listen to industry stakeholders and ensure what's written into law in Washington makes sense practically when implemented in the real world, House Homeland Security ranking member Andrew Garbarino (R-N.Y.) told MC.

Homeland and Intelligence face a tight deadline to resolve their differences. Multiple people tracking the process said the best hope for incident reporting legislation was to attach it to the fiscal 2022 defense policy bill, which is being marked up now. Senate Homeland's outreach to industry included a request for feedback by Sept. 14.

Another reason to hurry is that implementation will take a while. You're looking at a minimum of half a year anyway between passage of a bill and standup of a reporting platform, Bushar said. The longer you delay the bill, the more time it takes before you can have a regime in place that can actually start to have an impact.

BOTH FORMS OF CRYPTO The Biden administration and the European Union have recommitted to collaboratively seeking a solution to the encryption debate, a top EU official told MC, suggesting that while this policy challenge has simmered under the surface for several years, its still top of mind for policymakers behind closed doors.

Encryption is important, but we have to always avoid a black-or-white discussion, EU Home Affairs Commissioner Ylva Johansson said in an interview after meetings in Washington with DHS Secretary Alejandro Mayorkas and Attorney General Merrick Garland. It's not like we should protect privacy or protect vulnerable children. We need to do both.

Johansson, who discussed encryption with Garland, said that while the attorney general didn't reveal the Biden administration's agenda for resolving the long-running crypto wars, the EU and the U.S. are very much close to each other on these issues. Both leaders, she said, agreed that tech companies need to take their responsibility to develop proper technical solutions for this.

Apple has received withering criticism from security experts over a proposal to scan for child sexual abuse imagery on its customers' phones. On Friday, the company said it was pausing the rollout of that feature to collect input and make improvements. Speaking before that news broke, Johansson applauded the company's effort. Apple's solution might not be the perfect one, she said, but I welcome a company that really tries to find a balanced approach protecting both privacy and children.

Johansson and her U.S. counterparts also agreed on the scope for a common working group on ransomware, she said. The new group will focus on investigative cooperation, tracing ransom payments (which Johansson identified as a particular priority) and building digital resilience against hackers. The group will present its initial report at the next EU-U.S. Ministerial Meeting on Justice and Home Affairs later this year.

STILL EVADING The U.S. government continues to brush off suggestions that it was involved in firewall maker Juniper Networks' use of a random-number generator (Dual_EC_DRBG) backdoored by the NSA, despite a Bloomberg story saying the Pentagon leaned on the company to adopt the code. Asked about Bloomberg's reporting during Thursday's White House press briefing, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, described the Juniper/NSA saga as an old story that's been reported, and I think we've continuously noted that there isn't substantiation for it.

Security experts first proposed a link between the NSA and the backdoored Juniper code in 2015, within days of the company announcing that sophisticated hackers had breached its systems by modifying that code. But until last week's Bloomberg story, it remained unclear why Juniper had used the widely criticized generator in the first place. NIST told companies to stop using it in 2014, one year after leaked documents revealed that the NSA had secretly tampered with it and paid a leading vendor $10 million to make it the default in its products.

During MC's break, yours truly conducted the first in-depth interview with inaugural National Cyber Director Chris Inglis. Pros can read the story about his priorities and the full Q&A. He also revealed that the Biden administration is pushing Microsoft to make full log data free for all customers.

University of California, Berkeley computer science professor Nicholas Weaver with some real talk: The Ivermectin of Computer Science is Blockchain

How Kuwait punished a security expert for revealing a major bank's embarrassing hack. (CyberScoop)

Nextgov interviewed Allan Friedman, the man behind the government's software bill of materials campaign, as he moves from NTIA to CISA to bring SBOMs to life.

The Justice Department launched a cyber fellowship program for prosecutors.

NIST wants feedback on its proposed criteria for an internet of things security labeling program.

Chat soon.

Stay in touch with the whole team: Eric Geller ([emailprotected]); Bob King ([emailprotected]); Sam Sabin ([emailprotected]); and Heidi Vogt ([emailprotected]).
