At a glance.

  • Cybersecurity for US energy infrastructure.
  • Caution on early vulnerability disclosure mandates.
  • White House summit on cyber workforce issues.

Think tank releases report on securing US energy infrastructure.

As the US’s energy sector becomes ever more reliant on digitization, think tank the Atlantic Council’s Task Force on Cybersecurity and the Energy Transition has released its recommendations for defending the nation’s energy infrastructure against cyberattacks. The report reads, “Increasingly sophisticated systems at the point of generation depend on the Internet of Things, as do energy storage, grid balancing, demand response, and other features of an advanced grid. Each one of these new connections represents a new vulnerability within the energy sector. This makes cybersecurity essential to critical energy infrastructure, and by extension, to national security.” The task force’s recommendations include investing in training on cyberhygiene, infrastructure investment, system monitoring and information sharing, vulnerability assessment, and incident reporting protocols. The group, co-chaired by former Secretary of the US Department of Homeland Security Michael Chertoff and former General Wesley Clark, also recommends collaboration with federal authorities to establish regulatory frameworks that ensure the public sector is properly monitored and supported.

Cybersecurity expert warns against early vulnerability disclosure mandates.

As we noted last week, the US Homeland Security Department’s Cyber Safety Review Board released a report on the Cybersecurity and Infrastructure Security Agency’s response to the Log4j vulnerability that threatened the security of networking systems across the nation. After reviewing the report, cybersecurity firm Luta Security’s chief executive is urging the US government to avoid issuing reporting mandates regarding early vulnerability disclosure. The report states, “The requirement for network product providers to report vulnerabilities in their products to MIIT within two days of discovery could give the [Chinese] government early knowledge of vulnerabilities before vendor fixes are made available to the community.” But, Security Week reports, Luta chief executive and vulnerability disclosure expert Katie Moussouris says such reporting mandates could “meaningfully and dramatically increase the risk” of enemies learning of zero-day bugs by creating “a government-run treasure trove of unpatched vulnerabilities” that would be targeted by threat actors. Instead, Moussouris suggests, “What we do need are more organizations around the world who are prepared with asset lists, SBOMs, and well-oiled vulnerability response capabilities that are ready, able, and willing to help collectively defend the Internet that we all share.”

White House hosts summit on boosting cyber workforce.

As the White House announced yesterday, the National Cyber Workforce and Education Summit will be convening today. National Cyber Director Chris Inglis will host experts from academia and the cyber community, private sector companies, and federal agencies to discuss the urgent need for cybersecurity talent to fill the hundreds of thousands of vacant cybersecurity positions across the country. The meeting will concentrate on three core challenges: more effectively utilizing trade schools and other non-traditional educational institutions for cybersecurity training; making the field more welcoming to underrepresented communities like women and people of color; and investing in training to ensure all American workers, in cybersecurity and otherwise, are prepared for a digital economy. As SC Media notes, increasing the flow of national cyber talent has been a goal for both the Biden administration and the Trump administration, and there’s an ongoing debate about whether putting less trained workers into cyber roles could be the answer. Jake Williams, former hacker at the National Security Agency and current executive director of threat intelligence at Scythe, states, “Those trying to break into the cybersecurity field, often lament that employers need to ‘be realistic about skills’ and ‘take a chance on someone with passion to learn.’ The unfortunate reality is that [small and medium-sized businesses], many of which are making their first security hire, simply cannot afford to hire people without a broader cross section of security knowledge and/or experience.”