Latest in CISA
A new proposal improving the Cybersecurity and Infrastructure Security Agency’s ability to identify and issue notifications regarding vulnerabilities connected to the public Internet would help the agency improve American critical infrastructure cybersecurity.
The FTC’s cybersecurity enforcement program has faced increasing judicial scrutiny because of the inherent vagueness of the "reasonable" cybersecurity it seeks to require. Meanwhile, the Cybersecurity and Infrastructure Security Agency has struggled to achieve robust private sector engagement. Linking these agencies’ programs and enforcement practices will help each solve the other’s problem.
Recent stories in Cyberscoop and TechCrunch indicate that the Department of Homeland Security is asking Congress to grant the Cybersecurity and Infrastructure Security Agency (CISA) the power to issue administrative subpoenas to internet service providers (ISPs).
How do we quantify safety and security? That fundamental question underlies almost all modern national security questions (and, naturally, most commercial questions about risk as well). The cost-benefit analysis inherent in measuring safety and security drives decisions on, to cite just a few examples, new car safety devices, airplane maintenance schedules and the deployment of border security systems. In a world where resources are not infinite, some assessment of risk and risk mitigation necessarily attends any decision—whether it is implicit in the consideration or explicit.
When CISA passed the Senate back in October, many commentators warned of the panoply of ways in which a hypothetical DHS information-sharing portal would function to allow companies to collect and then funnel citizens’ private information directly into the hands of the most fearsome elements of the federal government:
We’re back from hiatus with a boatload of news and a cautiously libertarian technologist guest in Nick Weaver of the International Computer Science Institute in Berkeley.
What good is CISA, anyway?
Now that both the House and Senate have passed information sharing bills that are strikingly similar but not identical, the prospects for a change in the law are good. But what are those changes, and how much difference will they make to network defenders?
Are Russian hacker-spies a bunch of lethargic government drones more interested in smash-and-grabs than stealth? That’s one of the questions we pose to Mikko Hypponen in episode 86 (right after we ask about how to pronounce his name; turns out, that’s harder than you think). Mikko is the Chief Research Officer at F-Secure and a long-time expert in computer security who has spoken and consulted around the world for over 20 years.
Our guest for episode 77 is Bruce Andrews, the deputy secretary of the Commerce Department. Alan Cohn and I pepper Bruce with questions about export controls on cybersecurity technology, stopping commercial cyberespionage, the future of the NIST cybersecurity framework, and how we can get on future cybersecurity trade missions, among other things.
In the news roundup, Alan and I puzzle over the administration’s reluctance to blame China for its hacks of US agencies.
Privacy advocates are embracing a recent report recommending that the government require bulk data retention by carriers and perhaps web service providers, exercise extraterritorial jurisdiction over data stored abroad, and expand reliance on classified judicial warrants. In what alternative universe is this true, you ask? No need to look far. That’s the state of the debate in our closest ally. The recommendations were given to the United Kingdom by an independent reviewer, David Anderson.