
The SEC vs. CISA

Protocol Enterprise

Hello and welcome to Protocol Enterprise! Today: The SEC and CISA push new rules for cyberattack reporting, Micron’s revenue warning is a bad sign for the chip business, and VMware releases its latest incident report.

The Easterly effect

Two federal agencies are simultaneously pursuing new rules for reporting major cyberattacks, but the difference in their approaches couldn't be starker.

An SEC proposal that would cover public companies has been met with fierce criticism from the industry. Separate rules that CISA is implementing for critical infrastructure operators seem on a less-confrontational track.

  • CISA is focused on "not overly burdening the private sector" around incident reporting, agency director Jen Easterly said during a panel at the RSA Conference in June.
  • Easterly has won praise from many in the cybersecurity community for her engagement efforts.
  • Cybersecurity executives have said that the launch of the Joint Cyber Defense Collaborative, for instance, has been instrumental in improving relations between the public and private sectors.
  • Easterly has also done an "amazing" job at expanding information sharing between the government and the private sector, said William MacMillan, a senior vice president at Salesforce and former CISO for the CIA.

While CISA's rulemaking work is just getting underway, the SEC has been receiving comments on its proposal for months.

  • While the opposition isn't unanimous, "I've seen plenty of calls for [the SEC's] whole proposal to simply be set on fire and never discussed again," said Harley Geiger, senior director of public policy at Rapid7.
  • By requiring public disclosure of major cyber incidents within four business days, the proposed SEC rules require companies to "make very important decisions with very little information," Juniper Networks CISO Drew Simonis told me.
  • Ultimately, the proposed SEC regulations "will likely assist attackers more than investors," the Internet Security Alliance contended in its comments.

The fate of the two regulatory proposals is not yet clear.

  • And even with the public-private cybersecurity partnership seemingly at an all-time high in the U.S., CISA will "have to walk a tough line" as the agency transitions from just being a partner with private industry to being a regulator of it, said Ben Miller, vice president of services at Dragos.
  • That agency will still have to address industry concerns, and "the only way that that's going to happen is with an extended rulemaking period where both parties sit down and talk," said Marc Rogers, executive director of cybersecurity at Okta. Proposed rules are not due until March 2024, with the final regulations due by September 2025.
  • Still, while the government has been saying for years that it wants to work more closely with industry around security, "CISA seems to be able to bring that collaborative spirit to life in a way that other agencies didn't quite accomplish," Simonis said.


— Kyle Alspach



Chip boom shows signs of flagging

Up until this week, the server chip business was looking pretty good. Booming, in fact. But back-to-back revenue warnings from graphics processor designer Nvidia and memory producer Micron suggest that things are not as rosy as everyone thought.

Tuesday, Micron warned Wall Street that it was likely going to generate much less revenue than executives had expected at the end of June because of a weakening market across most of its business, including memory for the cloud. At an investor conference, CFO Mark Murphy delivered his own unflattering assessment that the cloud customers are looking at the economy and, concerned, pulling back on their orders.

“We do see some isolated supply chain disruptions affecting cloud as well, but it's principally macro and market conditions, inventory adjustment,” Murphy said, according to a transcript from Sentieo. The weakness stretched across Micron’s whole business, which includes chips in smartphones, PCs and memory for vehicle and industrial uses.

The memory Micron makes has long been the most prone to the booms and busts that have defined the chip industry for decades, and it doesn’t bode well for the broader industry.

Nvidia’s warning Monday is another solid data point that tracks with what Micron said. Sales of its graphics chips for video games are expected to drop by roughly a third. Nvidia noted that its data center chip sales were short of its expectations, but blamed supply chain disruptions.

“The significant charges incurred in the quarter reflect previous long-term purchase commitments we made during a time of severe component shortages and our current expectation of ongoing macroeconomic uncertainty,” Nvidia CFO Colette Kress said in a statement.

— Max A. Cherney

'Zero-days' are ruining more days

The disclosure of a previously unknown "zero-day" vulnerability is never a fun time for cybersecurity and IT teams. Unfortunately, the use of zero-days by attackers is only continuing to get worse, a growing number of security researchers warn. This week, VMware released a new survey of incident response professionals, which found that 62% had encountered a zero-day over the previous 12 months — a sizable jump from 51% a year ago.

The report follows other findings along the same lines, such as the reports by CrowdStrike and Unit 42 (a part of Palo Alto Networks) that each showed attackers are moving ever faster to exploit new vulnerabilities once they're disclosed. Tom Hegel, a senior threat researcher at SentinelOne, recently told me that hackers working for the Chinese government are especially adept at this. They’re now scanning for zero-day vulnerabilities "the second they pop up online," he said.

The bottom line, as the Unit 42 researchers point out in their report, is that the "time to patch is getting shorter." While organizations may have been accustomed to having more time for patching in the past, now they "need to ramp up patch management and orchestration to try to close these known holes as soon as possible."

— Kyle Alspach

Around the enterprise

President Joe Biden signed the Chips Act into law at a White House ceremony attended by a number of semiconductor industry executives.

Cloudflare disclosed that it seems to have been hit by the same phishing attack as Twilio, though the web security provider says it thwarted the attack.

Avaya has “substantial doubt” about its ability to continue operating, after the cloud communications provider took out $600 million in debt and slashed earnings by more than 60%.



Thanks for reading — see you tomorrow!
