At a glance.

  • US HHS called to establish a data breach reporting feedback mechanism.
  • A look at the UK’s innovation strategy for cyber-physical infrastructure.
  • UK NCSC chief exec calls for clarity in international governance of cybersecurity. 
  • US HASC calls on the Navy to create dedicated cyber designator.

US HHS called to establish a data breach reporting feedback mechanism.

The US Government Accountability Office (GAO) completed its audit of the Department of Health and Human Services (HHS) on Monday, and as Nextgov.com explains, the GAO recommends that HHS create a feedback mechanism for its data breach reporting process. Stats from the HHS Office of Civil Rights (OCR) show that HHS has experienced a surge in data breaches, with 3,200 incidents impacting the agency in the past seven years, an increase of 843 percent since 2015. However, the GAO notes, OCR currently has no method for entities to supply feedback about breach reporting. “Without a clear mechanism to provide feedback to OCR, covered entities and business associates can face challenges during the breach reporting process. Further, soliciting feedback on the breach reporting process could help OCR improve aspects of the process,” the auditors state.

A look at the UK’s innovation strategy for cyber-physical infrastructure.

As the British government pushes for stronger regulatory oversight of critical infrastructure, the Department for Business, Energy, and Industrial Strategy has presented ‘Enabling a National Cyber-Physical Infrastructure to Catalyse Innovation,’ its recommendations for how cyber-physical systems can advance innovation in the country. The government, however, recognizes that increasingly connected cyber-physical infrastructure comes with added risk, and acknowledges that steps must be taken to proactively secure these systems. Charly Davis, Head of Industrials at NCC Group, spoke with JDSupra about suggestions for optimizing the process. Davis suggests that the government’s definition of ‘cyber-physical systems’ should be narrowed to allow a more targeted approach, and also recommends that the government collaborate with sectoral regulators, centres of excellence, and international partners to allow for a more holistic approach to risk management. Davis highlights the need to invest in training in the fields of AI and machine learning in order to make the UK a leader in security frameworks that might be adopted by other nations and decrease the UK’s reliance on other countries for such technology.

UK NCSC chief exec calls for clarity in international governance of cybersecurity. 

During a speech at Tel Aviv University’s Cyber Week yesterday, UK National Cyber Security Centre (NCSC) chief executive Lindy Cameron emphasized the importance of a clear definition and enforcement of the international rules overseeing activity in cyberspace. “It is really important that every actor, from the developer to the end-user of these types of technology and capabilities acts responsibly, with appropriate safeguards to protect against misuse,” Cameron stated. Infosecurity Magazine reports that while she applauded the work of Ukrainian cyber defenders in combating Russian cyberattacks, she noted that China continues to present a large challenge. “The Chinese government’s use of technology is about coercion and control. The country’s technological and economic power means they can export this vision very widely,” Cameron stated. Computer Weekly adds that Cameron urged tech companies to take responsibility for ensuring their sophisticated cyber capabilities are not employed by malicious actors. “If we’re going to maintain a cyber space which is a safe and prosperous place for everyone, it is vital that such capabilities are produced and used in a way that is legal, responsible and proportionate,” Cameron stated. 

US HASC calls on the Navy to create dedicated cyber designator.

In a provision of the 2023 National Defense Authorization Act, the US House Armed Services Committee (HASC) tasks the Navy with creating a dedicated role focused on cyberspace, arguing that such a position is necessary to ensure institutional expertise, both in operations and in leadership. The Navy is currently the only service lacking a dedicated designator for cyber, instead relying on its cryptologic warfare community, as well as information specialists and cyber warfare engineers. (In contrast, the US Army has established a dedicated cyber branch.) 

HASC’s provision in the NDAA directs the secretary of the Navy to create a cyber warfare operations designator distinct from the cryptologic warfare officer, as well as a cyber warfare rating for enlisted personnel. To ensure the Navy acts accordingly, the provision prevents the service from assigning a member of the Navy to a billet within the core work roles of the Cyber Mission Force if a member has a rating in cryptologic warfare or associated areas. Rep. Jim Langevin, D-R.I., chairman of the HASC subcommittee on Cyber, Innovative Technologies, and Information Systems, told FedScoop, “Across several recent NDAAs, we charged the Navy to review and evaluate potential remedies. However, the Navy has not progressed as directed, and considering a continued decline of its readiness, it became apparent that if the Navy was not going to help itself, Congress would have to step in.” A Navy spokesperson responded, “The Navy remains committed to delivering exceptional and qualified cyber teams trained, ready and certified to support the Navy and the Nation.”