Governments need to understand cyber security before legislating on cyber security

Governments have a significant role to play in cyber security. At least 160 governments have developed national cyber security defence strategies to combat the cyber security risks that their citizens, businesses, and critical infrastructure face.

These are the five elements of successful national cyber security strategies:

  • a dedicated national cybersecurity agency
  • a National Critical Infrastructure Protection program
  • a national incident response and recovery plan
  • defined laws pertaining to all cyber crimes
  • a vibrant cyber security ecosystem

The National Cyber Security Index (NCSI) rates the cyber security preparedness of more than three-quarters of the world’s countries. The ten countries best prepared against cyber attacks are Greece, Czech Republic, Estonia, Lithuania, Spain, Croatia, France, Finland, Denmark and Netherlands. To date, the NCSI includes cyber security data on 160 countries.

The US is often hailed by those in the US as one of the governments that understands cyber security better than most, but most of the time the US bureaucracy in place doesn’t allow for thought or deliberate risk-taking. The US legislature fails to engage with its cyber security ecosystem and ends up passing laws whose consequences cause problems that could and should have been avoided.

Lawmakers in July approved the $839 billion National Defense Authorization Act — $37 billion more than the Biden administration sought in military spending. It included the creation of a new programme where government agencies and industry can submit cyber threat information and additional digital protections for certain critical infrastructure.


The underlying House bill already contained another top Solarium legislative priority to establish a “Cyber Threat Environment Collaboration Program,” a portal intended to increase data sharing among members of the Cybersecurity and Infrastructure Security Agency’s new Joint Cyber Defense Collaborative.

This should all be great news, except that hidden in the detail is a clause stating that the Department of Defense cannot buy any software with any known CVEs in it. Again, this is something that should be welcomed, as the principle is that it will harden security.

Yet the problem is that with elongated supply chains, it is almost impossible for suppliers to ensure there are no known CVEs. CVE, or Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. A vulnerability is a weakness that can be exploited in a cyberattack to gain unauthorised access to, or perform unauthorised actions on, a computer system. Vulnerabilities can allow attackers to run code, access system memory, install different types of malware and steal, destroy or modify sensitive data.

Organisations need to protect themselves and their networks by fixing all potential vulnerabilities and exposures while an attacker only needs to find a single vulnerability and exploit it to gain unauthorised access. This is why a list of known vulnerabilities is so valuable and an important part of network security.

The list of known vulnerabilities works. For example, this week Apple released iOS 15.6.1, along with a warning to update now, because it fixes two security holes already being used to attack iPhones.


The first issue fixed in iOS 15.6.1 is a vulnerability in the iPhone Kernel tracked as CVE-2022-32894 that could allow an application to execute code with kernel privileges. “Apple is aware of a report that this issue may have been actively exploited,” the iPhone maker says on its support page.

The other issue patched in iOS 15.6.1 is a flaw in WebKit, the browser engine that powers Safari, CVE-2022-32893, that could allow arbitrary code execution. Apple says it believes attackers have used it in real-life scenarios.

The iOS 15.6.1 upgrade “provides important security updates and is recommended for all users,” Apple says in its release.

Apple’s iOS 15.6.1 comes just weeks after iOS 15.6 and is the latest of multiple iOS fixes for already exploited issues this year.

I do not know if Apple has contracts with the Department of Defense, but if it does, it can no longer sell the Department of Defense any software that uses the impacted kernel (which would be most of its stock).

The law as written will create two problems. The first is that hackers, especially those working for foreign governments, can now perpetually tie up sales deals to the Department of Defense by finding any bugs in a system and timing their disclosures so that there is always at least one open CVE.

The second and more important problem is that companies such as Apple will no longer list CVEs if doing so puts them in danger of losing billions of dollars of Department of Defense business, and that will affect all of us detrimentally.

If the US legislature had engaged with the cyber security community, it would have understood that the way to protect us is not to ban CVEs, which cannot be done, but to impose huge fines for failing to list CVEs, whilst requiring the Department of Defense to conduct true cyber security due diligence on each supplier and its supply chain.
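To make the difference between the two rules concrete, here is an added example (not from the article, and not any government's or vendor's code) that evaluates a constructed product record against a "zero known CVEs" procurement rule and against a due-diligence rule that only rejects software whose purchased version still carries an unremediated flaw. The product records and fix versions are constructed from the iOS 15.6.1 details quoted above; the `Cve`, `Product` and policy function names are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Cve:
    cve_id: str
    fixed_in: Optional[str]          # version that remediates it; None if no fix exists yet
    actively_exploited: bool = False


@dataclass
class Product:
    name: str
    version: str                     # the exact version the buyer would deploy
    cves: List[Cve] = field(default_factory=list)


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version to a comparable tuple: '15.6' < '15.6.1'."""
    return tuple(int(part) for part in v.split("."))


def is_remediated(product: Product, cve: Cve) -> bool:
    """A CVE is remediated when a fix exists and the deployed version includes it."""
    return cve.fixed_in is not None and parse_version(product.version) >= parse_version(cve.fixed_in)


def zero_known_cve_policy(product: Product) -> bool:
    """The rule as the article describes the NDAA clause: any known CVE disqualifies the product."""
    return len(product.cves) == 0


def due_diligence_policy(product: Product) -> bool:
    """Risk-based alternative: accept only if every known CVE is fixed in the purchased version."""
    return all(is_remediated(product, c) for c in product.cves)


def unremediated(product: Product) -> List[str]:
    """CVE ids a buyer's due diligence would still have to flag for this version."""
    return [c.cve_id for c in product.cves if not is_remediated(product, c)]


# Constructed sample records based on the two fixes the article cites for iOS 15.6.1.
IOS_CVES = [
    Cve("CVE-2022-32894", fixed_in="15.6.1", actively_exploited=True),   # kernel
    Cve("CVE-2022-32893", fixed_in="15.6.1", actively_exploited=True),   # WebKit
]
IOS_15_6_1 = Product("iOS", "15.6.1", IOS_CVES)   # patched release
IOS_15_6 = Product("iOS", "15.6", IOS_CVES)       # release before the fix
```

Run against the patched release, the zero-CVE rule rejects it purely because the CVEs exist, while the due-diligence rule accepts it and instead rejects the unpatched 15.6 build.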

Until governments like the US truly understand cyber security, they will always be behind, and this will always be to the detriment of us all.
