At a glance.

  • NIST’s draft zero-trust architecture guide is out for comment.
  • US DOJ’s strategic plan highlights ransomware.
  • Preparing quantum-resistant encryption.
  • Federal Rotational Cyber Workforce Program Act and Industrial Control Systems Cybersecurity Training Act.
  • Cybersecurity measures in the US annual defense policy bill.
  • Virginia’s incident reporting bill takes effect. 

NIST Cybersecurity Practice Guide SP 1800-35 Vol B, Implementing a Zero Trust Architecture is out in draft and open for comment.

The National Cybersecurity Center of Excellence has released preliminary draft NIST Cybersecurity Practice Guide SP 1800-35 Vol B, Implementing a Zero Trust Architecture, for public comment. The comment period closes on August 8th, 2022. NIST says it’s taking an “agile” approach to publication, releasing elements of the Guide as they’re available. The agency describes its approach as follows:

“NCCoE is collaborating with ZTA technology providers to build several example ZTA solutions and demonstrate their ability to meet the tenets of ZTA. The solutions will enforce corporate security policy dynamically and in near-real-time to restrict access to authenticated, authorized users and devices while flexibly supporting a complex set of diverse business use cases involving a remote workforce, use of the cloud, partner collaboration, and support for contractors. The example solutions are designed to demonstrate the ability to protect against and detect attacks and malicious insiders. They showcase the ability of ZTA products to interoperate with existing enterprise and cloud technologies with only minimal impact on end-user experience.”

We received some comment from Wade Ellery, VP of Solutions Architects and project lead at Radiant Logic, one of the organizations collaborating with NIST on the project:

“The journey towards Zero Trust starts with understanding the transformative nature of this new IT security architecture. At its core, Zero Trust enhances the knowledge available to make authentication or authorization decisions in a more secure and granular way. The evolution of existing environments to a Zero Trust architecture can start today with existing infrastructure and the incremental addition of functionality with an eye on business continuity and end user experience.

“Today’s preliminary practice guide outlines several vetted scenarios across a number of off-the-shelf technologies.

“NIST has done an excellent job in ensuring companies have the information they need in a timely manner. Not only is the speed of delivery exceptional, the collaboration with their partners and use of commercially available products provides deep insights for successful Zero Trust architecture implementations. 

“We are so excited to be included in this momentous project and look forward to working closely with NIST and our fellow collaborators to make Zero Trust achievable in the private sector.”

The US Department of Justice’s ransomware strategy.

The US Department of Justice (DOJ) on Friday released its FYs 2022-2026 Strategic Plan, and one of the key objectives is fighting ransomware attacks. “The Department will bring to justice those who commit cyberattacks, whether they are lone actors, elements of transnational organized crime groups, or acting on behalf of nation states or terrorist groups. In parallel, the Department will work to disrupt and dismantle the online infrastructure that facilitates cyberattacks and to seize the criminal proceeds of such crimes,” the DOJ said. As FedScoop explains, the DOJ aims to enhance its technological capabilities in order to increase the percentage of ransomware incidents it investigates. To accomplish this, the DOJ outlined four main areas of focus:

  • “deterring, disrupting, and prosecuting cyber threats, 
  • “strengthening intergovernmental, international, and private-sector partnerships to fight cybercrime,
  • “safeguarding Justice Department data and information, [and]
  • “enhancing cyber resilience within the private sector and other government agencies.

Tim Helming, security evangelist at DomainTools, finds the Department’s focus on ransomware encouraging: “It is heartening to see the DOJ calling out the fight against cybercrime as a major priority for the administration. While there is much that the private sector can do to combat ransomware, BEC, and other kinds of crime and fraud, they can’t effectively do so alone. By providing specific KPIs on improvements they intend to make, they can show progress in the fight. Of course, many observers would like to see more than the modest increases that were announced, but it’s an important step.”

Preparing quantum-resistant encryption.

The US National Institute of Standards and Technology (NIST), at the end of a six-year competitive search, has announced the four winners in its program to develop “quantum-resistant encryption algorithms.” This represents a milestone en route to NIST’s publication of standards for post-quantum cryptography, expected in 2024. The algorithms are:

“For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation.

“For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+ (read as “Sphincs plus”). Reviewers noted the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: It is based on a different math approach than all three of NIST’s other selections.”

Taking note of NIST’s announcement, the US Cybersecurity and Infrastructure Security Agency (CISA) outlines some steps organizations can take now, as they prepare for developments over the next two years:

“Although NIST will not publish the new post-quantum cryptographic standard for use by commercial products until 2024, CISA and NIST strongly recommend organizations start preparing for the transition now by following the Post-Quantum Cryptography Roadmap, which includes:

  • “Inventorying your organization’s systems for applications that use public-key cryptography.
  • “Testing the new post-quantum cryptographic standard in a lab environment; however, organizations should wait until the official release to implement the new standard in a production environment.
  • “Creating a plan for transitioning your organization’s systems to the new cryptographic standard that includes:
      • “Performing an interdependence analysis, which should reveal issues that may impact the order of systems transition;
      • “Decommissioning old technology that will become unsupported upon publication of the new standard; and
      • “Ensuring validation and testing of products that incorporate the new standard.
  • “Creating acquisition policies regarding post-quantum cryptography. This process should include:
      • “Setting new service levels for the transition.
      • “Surveying vendors to determine possible integration into your organization’s roadmap and to identify needed foundational technologies.
  • “Alerting your organization’s IT departments and vendors about the upcoming transition.
  • “Educating your organization’s workforce about the upcoming transition and providing any applicable training.”
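The roadmap’s first step, an inventory of where public-key cryptography is in use, is the one that can start today. The script below is an added illustration of that step and is not part of CISA’s guidance or this article: it parses OpenSSH public keys in authorized_keys format using only the standard library, records the key family and size for each, marks every key as a migration item (RSA, ECDSA and EdDSA are all public-key schemes that a large quantum computer would break), and flags keys that are already weak by today’s standards. The sample keys, host names and comments are constructed for the example.

```python
import base64
import struct

def ssh_fields(blob):
    """Split an SSH wire-format public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def classify(line):
    """Return (family, bits, comment) for one authorized_keys-style line."""
    ktype, b64, *rest = line.split()
    fields = ssh_fields(base64.b64decode(b64))
    if ktype == "ssh-rsa":                      # fields: type, e, n (mpints)
        family, bits = "RSA", int.from_bytes(fields[2], "big").bit_length()
    elif ktype.startswith("ecdsa-sha2-nistp"):  # fields: type, curve name, point
        family, bits = "ECDSA", int(fields[1].decode()[5:])
    elif ktype == "ssh-ed25519":                # fields: type, 32-byte point
        family, bits = "EdDSA", 8 * len(fields[1])
    else:
        family, bits = "unknown", 0
    return family, bits, " ".join(rest)

def inventory(lines):
    """One record per key; all known families are quantum-vulnerable, and RSA < 2048
    or ECDSA < 256 bits is flagged as weak already (migrate those first)."""
    records = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        family, bits, comment = classify(line)
        weak = bits < {"RSA": 2048, "ECDSA": 256}.get(family, 0)
        records.append({"family": family, "bits": bits, "comment": comment,
                        "quantum_vulnerable": family != "unknown", "weak_today": weak})
    return records

def mpint(v):  # SSH mpint: big-endian, a leading zero byte keeps it non-negative
    return v.to_bytes((v.bit_length() + 8) // 8, "big")
def sample_line(ktype, comment, *fields):  # builds "type base64(blob) comment"
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (ktype.encode(), *fields))
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"

SAMPLE_KEYS = [  # constructed sample: the wire layout is faithful, the values are not real keys
    sample_line("ssh-rsa", "deploy@build01", mpint(65537), mpint((1 << 2047) | 1)),
    sample_line("ssh-rsa", "legacy@nas", mpint(65537), mpint((1 << 1023) | 1)),
    sample_line("ecdsa-sha2-nistp256", "ops@jump", b"nistp256", b"\x04" + b"\x11" * 64),
    sample_line("ssh-ed25519", "ci@runner", b"\x22" * 32),
]
```

Running `inventory` over real authorized_keys and known_hosts files gives the per-host backlog the roadmap’s interdependence analysis needs; X.509 certificates and TLS configurations would need their own parsers.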

Tim Callan, chief compliance officer at Sectigo, sees the selections as important progress toward preparing for post-quantum security: “The announcement of NIST’s third round selections for post-quantum encryption algorithms is a major milestone in the journey to quantum-safe computing systems. But while this announcement marks the end of one chapter, another is only beginning. Now standards bodies, hardware and software manufacturers, and ultimately businesses across the globe will have to implement new cryptography across all aspects of their computing systems. Until we have upgraded cryptography everywhere, our digital operations remain insecure.”

Trellix Chief Standards and Technology Policy Officer Kent Landfield also applauds NIST’s work: 

“NIST’s announcement of the selection of four quantum resistant cryptographic algorithm candidates to be standardized, with four additional candidates advancing to the fourth round, is a critically important step in the process of developing U.S. post quantum cryptography capabilities. But it is just one step down the path we must travel. The next five years are critical as the U.S. risks losing its ability to protect our most sensitive data and communications from geopolitical rivals.

“The U.S. and its allies securely send tremendous amounts of encrypted diplomatic, intelligence, military, intellectual property and business confidential information across public networks. Without quantum resistant cryptographic algorithms, these highly sensitive informational assets within the government and private sector would be exposed to any geopolitical adversaries with the quantum computing capacity to break today’s commonly used vulnerable encryption mechanisms. 

“Winning this quantum technology race requires victories in three areas: the development of quantum computing technologies themselves, the development of quantum resistance algorithms such as those announced today, and the ability to rapidly and effectively deploy the selected quantum resistance encryption algorithms and supporting key management across the nation’s digital infrastructure.

“NIST’s announcement of these initial algorithms today to be standardized is an important development in one prong in this three-pronged effort. However, we need to implement processes that allow us to quickly replace weaker algorithms with stronger ones as we develop and validate them.

“The most unnerving aspect of the post quantum cryptography race is we really don’t know how far ahead or behind we are, and when we do find out, it could be too late for us to catch up. The evidence could be history altering events, such as catastrophic military defeats, or more subtle history-altering trends such as persistent election interference, the inability of our government to conduct foreign policy or the inability of businesses to compete with foreign rivals. Ultimately, this technology race is about whether the people of the U.S. and its allies can maintain the technical capacity to determine their own destiny. We cannot afford to lose.” 

Federal Rotational Cyber Workforce Program Act and Industrial Control Systems Cybersecurity Training Act.

The recently signed US Federal Rotational Cyber Workforce Program Act and the Industrial Control Systems Cybersecurity Training Act have attracted some favorable industry comment. Dan Lanir, SVP of Customer Success at OPSWAT, sees the bills as an important contribution to the US cybersecurity posture:

“We should consider these bills as a crucial step toward improving the cybersecurity workforce supply. However, the supply and demand gap is huge and can only be fulfilled by a partnership between the public and private sectors, especially since ICS/OT cybersecurity demands more attention because the nation relies on it, and the skill shortage is severely affecting this industry.

“Rotating and taking advantage of a skilled workforce when needed is an effective approach, but temporary. In the end, we need people with specialized skills to take control of critical jobs; for instance, industrial system cybersecurity, and for that, we need specialized training and certification providers. Attackers often breach the most secured system by using social engineering; it is no different for ICS/OT systems. Thus, critical industries should focus on training people about the specific threats to these ICS/OT environments, the attack vectors, and how to mitigate them.

“Though these recent developments show that the Government is proactively taking measures to solve the most prominent problem, it still needs the private corporations’ attention. Solving the cybersecurity workforce gap is the need of the hour, and we should utilize both online/offline training/education to develop a skilled workforce.”

Cybersecurity measures in the US annual defense policy bill.

The Record by Recorded Future offers an overview of the nearly two dozen cyber-related proposals US House lawmakers included in the annual defense policy bill. Highlights include two amendments aimed at ensuring that policy recommendations made by the Cyberspace Solarium Commission are enacted. An “Office of Cybersecurity Statistics” will be established within the Cybersecurity and Infrastructure Security Agency (CISA) to analyze and report on stats related to cyberincidents. The meaning of “systemically important entities” will also be codified to ensure that critical infrastructure operators receive federal support to enact strong digital security standards. Other measures include a proposal to extend the CISA director’s tenure to five years, and an amendment calling for a CISA postmortem on the SolarWinds breach.

Virginia’s incident reporting bill takes effect. 

Last week in the US State of Virginia, Senate Bill 764 took effect, requiring state agencies and local governments to report all cybersecurity incidents to the Virginia Fusion Intelligence Center within twenty-four hours of detection. As StateScoop explains, the law also tasks a working group of state and local officials to further refine incident-reporting practices and produce revised guidelines by November 15. The bill, which passed in the Virginia General Assembly in March with nearly unanimous support, adds Virginia to the increasing number of states that have passed reporting rules in the last two years. Aliscia Andrews, Virginia Governor Glenn Youngkin’s deputy secretary of cybersecurity, stated, “Cybersecurity is a priority of critical importance for the Commonwealth of Virginia, as is focused coordination of government of all levels and entities.”