Lessons from FTX. The latest ESF guidance on supply chain security indicates that SBOMs are essential. DoD and DOJ Offensive Cyber Operations.

In one look.

  • Lessons from FTX.
  • The latest ESF guidance on supply chain security indicates that SBOMs are essential.
  • DoD and DOJ Offensive Cyber Operations.

Lessons from FTX.

The collapse of cryptocurrency exchange FTX, the third largest such exchange in the world, has amplified the debate over how to regulate the cumbersome beast that is the crypto market. The Atlantic Council offers their recommendations to prevent an implosion similar to that of FTX in the future. The first step is to ask financial regulators and industry leaders to implement “proof of reserves,” requiring large centralized exchanges and custodians to prove and document their assets and liabilities, preventing them from secretly using client funds in risky investments. Some industry players have already moved to voluntarily adopt this measure, and lawmakers could throw their weight behind making it more universal.

Second, the crypto market could self-police, much like the self-regulatory bodies that implement and enforce industry standards in the traditional financial sector. And third, some big crypto companies (Binance, anyone?) are relying on the “everywhere but nowhere” argument to evade established principles regarding the jurisdiction of regulators. Some experts say regulators have a responsibility to reinforce that US regulations still apply to products and services that are regularly sold in the US – which would include crypto – to prevent fraud or other illicit behavior.

The latest ESF guidance on supply chain security indicates that SBOMs are essential.

Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) published the third and final installment in a series of guidelines on securing the software supply chain. As CISA explains, the series is an output of the Enduring Security Framework (ESF), a cross-industry public-private working group. The first two installments in the series were aimed at developers and vendors, while the third offers best practices for software customers to ensure the integrity of the software they use throughout acquisition, deployment and operation.

The Federal Information Network remarks that the guidelines stress the importance of software bills of materials (SBOMs) in order to properly assess software content during the procurement process. “This verification should include attributes such as geolocation, vendor ownership or control, Universal Data Numbering System (DUNS) verification, and past performance,” the guide says. The inclusion of SBOMs in the guidelines is significant, as the tech industry has pushed back against legislation that would make SBOMs a requirement for federal contractors.

The Office of Management and Budget also recently recommended that government agencies require software vendors to verify that they meet security standards from the National Institute of Standards and Technology, which also recommends SBOMs, and some federal organizations, including the military, are already pursuing SBOM adoption. Natalie Pittore, head of the Enduring Security Framework (ESF), a public-private cross-industry working group led by the NSA and CISA, said, “ESF plans to release additional software security products. Our next releases will provide useful information on SBOM consumption and extended guidance for developers.”

DoD and DOJ Offensive Cyber Operations.

The US Departments of Defense (DoD) and State have been engaged in a tussle over which branch has the authority to conduct cyber operations, and sources say the DoD has won. According to CyberScoop, sources familiar with the matter say the DoD will retain the majority of the powers granted to it by the Trump administration in 2018. An unnamed senior administration official said the State Department won certain concessions as part of the revised policy document, and that the final version of the policy memorandum will require the DoD to share details of cyber operations with the White House well in advance. The new policy also stipulates a dispute resolution process in which agencies will have the opportunity to flag operations they find concerning. According to the source, President Biden will review these authorities in a revised Trump-era National Security Policy Memorandum-13, which was intended to streamline the approval process for cyber operations. The State Department has long believed that NSPM-13 gives the DoD too much authority by prioritizing military interests in cyberspace over those of civilian agencies. The source explained: “The debate was: ‘How much authority should State give over the railways?’ This has been the debate for the past few months, and it has moved in the direction of the DoD.” The Pentagon, State Department and US Cyber Command did not respond to requests for comment.

Meanwhile, while testifying at a Senate Homeland Security Committee hearing yesterday, Federal Bureau of Investigation Director Christopher Wray said his agency is conducting offensive cyber operations against state and non-state cyber actors. “… fend off cyber adversaries,” Wray said. As FOX 4 Kansas City WDAF-TV reports, Wray was responding to a question from Utah Senator Mitt Romney regarding the FBI’s offensive moves in cyberspace. Wray did not go into detail about the bureau’s offensive cyber operations, but he said the department engages in counter-intelligence operations to shut down adversaries’ infrastructure, obstruct malicious cryptocurrency schemes and charge cybercriminals.
