IT suppliers are what?
Too bad for them. They can go piss up a rope.
Organizations that sell IT services to Uncle Sam are peeved at proposed changes to procurement rules that would require them to allow US government agencies full access to their systems in the event of a security incident. The rules were unveiled in a draft update to the Federal Acquisition Regulation (FAR) that refreshes …
Well, yeah. Arguably the proposed US regulation isn't quite as bad as India's 2022 fumble:
* It applies only to contracts with the Feds.
* The reporting requirement is 8 hours, rather than India's 6 hours. That's a 33% improvement!
* The language from CISA is arguably a bit more specific. According to the Reg, India's requirement was extremely vague and broad ("Unauthorized access of IT systems/data"), while CISA's at least qualifies it a bit more:
Any event or series of events, which pose(s) actual or imminent jeopardy, without lawful authority, to the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies
Plus some additional more-specific cases around malware and data labeling. See here.
India (via CERT-In) also apparently sprang the rules on businesses with a 60-day deadline for compliance, while the US had a longer comment period and still hasn't made these regulations in force. And I'm hoping that unlike CERT-In, CISA isn't going to allow faxed reports.
But I agree. This approach backfired on India, and as the article says, having various Federal agencies attempting to impose different requirements is a mess.
The government's IT security failures do not excuse security failures in the private sector.
You are correct; they do not. I believe you misunderstood the point I was trying to make.
The U.S. government does have some highly-skilled, intelligent, knowledgeable, and motivated computer security people. I've met a few. They also have at least one incompetent computer security person. I've met one. But that government organisation being what it is, and processing things in the way that it does, and prioritising things in the way that it does, virtually guarantees that the competent and effective people will not be the ones responding to a government contractor's computer security incident(s).
I know the thought behind the post is in a different direction, but I had a thought too reading the headline.
Contractor reports intrusion, the submitted report gets intercepted by "bad guys", and instead of the authorities showing up demanding full access to their physical systems, it is just more hackers who now have actual physical access.
"bad guys"
You mean the 3-letter agency that engineered the intrusion to be able to "legally" come to the contractor office (let us say Microsoft, although it may be better labelled as a cyber-criminal organization), and get access to all the data of foreign companies because buying it from data-brokers becomes too expensive?
I think it's more that this is the government agency hamstrung by Reaganomics. Under the Reagan WH and the Repubs, the mantra was Off The Shelf and downsizing government. The US gov has outsourced a lot of IT. Also a lot of oversight has been cut back as interference, because all businesses are honest brokers.
The stringency of these requirements does not accord well with the recent proposal for software developers to self-attest. What's really needed is a coherent overarching set of standards coupled with impartial formal review of performance, not this fragmentary scatter-gun approach.
Furthermore, considering that local time to detection is still typically measured in months, reducing 72 hours to eight will almost certainly make zero improvement in incident management, but result in cascades of erroneous reports as it inevitably takes longer than this on average to work out what's going wrong.
Consequently, these proposals look a lot like politically motivated "control theatre", but that's no surprise given the number of 'national cybersecurity initiatives' over the last couple of decades that have made absolutely no difference.
As I recall, the Equifax hack went on for months (some say years) before the "exfiltration" was discovered!
So... notification "within eight hours of discovery" is a sick joke!
Someone should remind Uncle Sam about the story about horses and stable doors!
... and perhaps jail time for the C-level executives responsible at the time of "discovery" might speed up the security process, too!
Yeah, I liked this part:
"The CSP-AB took particular umbrage with the FAR update's SBOM requirements, arguing cloud service providers shouldn't be required to submit them since they're so frequently subject to change – sometimes "up to hundreds of times" per day."
Maybe, if these cloud vendors stopped making hundreds of changes per day, they could focus more on writing secure code! Yeah, I thought not!
And, frankly, if your CI/CD mechanism can push a change to production, it can push a change to the SBOM. They're machine-readable, after all — typically something like CycloneDX. Updating the SBOM should take much less time than testing an update to an external component. I have zero sympathy for this particular complaint.
(Yes, one dependency may have a whole host of transitive dependencies, necessitating a fairly large and complex SBOM update. But that also means it needs fairly extensive testing. And perhaps using components that bring in hundreds of transitive dependencies wasn't such a great idea in the first place. Sympathy not incremented.)
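As an added illustration of the point made in the comment above (this is example code written for this page, not code from the original thread, from any cloud provider, or from the CycloneDX project), the script below shows how small the "update the SBOM" step in a pipeline really is: it parses a pinned lockfile, emits a CycloneDX 1.5 JSON document, and diffs the SBOM from the previous deploy against the new one so the CI job can log exactly which components were added, removed or bumped. The lockfile contents, the application name and the package names are constructed sample data, not real deployments.

```python
"""
Added example: generate a CycloneDX 1.5 SBOM from a pinned lockfile and diff
two SBOMs, as a CI job would on every deploy. All inputs are constructed.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample lockfiles: pins before and after a deploy.
LOCK_BEFORE = """\
requests==2.31.0
urllib3==2.0.7
certifi==2023.7.22
"""
LOCK_AFTER = """\
requests==2.32.3
urllib3==2.2.2
certifi==2023.7.22
idna==3.7   # newly pulled in transitively
"""


def parse_lock(text):
    """Parse 'name==version' lines into {name: version}; reject unpinned entries."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned or malformed line: {raw!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def build_sbom(pins, app_name, app_version):
    """Return a minimal CycloneDX 1.5 BOM (as a dict) for the pinned set."""
    app_ref = f"pkg:pypi/{app_name}@{app_version}"
    components = []
    for name, version in sorted(pins.items()):
        purl = f"pkg:pypi/{name}@{version}"      # package URL doubles as bom-ref
        components.append({
            "type": "library",
            "bom-ref": purl,
            "name": name,
            "version": version,
            "purl": purl,
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {
                "type": "application",
                "bom-ref": app_ref,
                "name": app_name,
                "version": app_version,
            },
        },
        "components": components,
        # Flat dependency graph: the application depends directly on every pin.
        "dependencies": [{"ref": app_ref, "dependsOn": [c["bom-ref"] for c in components]}],
    }


def _index(sbom):
    """Map component name -> version for one BOM."""
    return {c["name"]: c["version"] for c in sbom.get("components", [])}


def diff_sboms(old, new):
    """Report added, removed and version-changed components between two BOMs."""
    before, after = _index(old), _index(new)
    return {
        "added": {n: v for n, v in after.items() if n not in before},
        "removed": {n: v for n, v in before.items() if n not in after},
        "changed": {n: (before[n], after[n]) for n in before
                    if n in after and before[n] != after[n]},
    }


if __name__ == "__main__":
    prev = build_sbom(parse_lock(LOCK_BEFORE), "example-svc", "1.0.0")
    curr = build_sbom(parse_lock(LOCK_AFTER), "example-svc", "1.1.0")
    print(json.dumps(curr, indent=2))
    print("SBOM delta:", json.dumps(diff_sboms(prev, curr)))
```

In a real pipeline the lockfile parser would be replaced by the ecosystem's own SBOM generator and the previous BOM would be fetched from wherever the last deploy stored it; the delta is the useful part, since a bumped or newly added component is exactly what a reviewer (or a regulator) wants to see alongside the deploy record.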
Now, living on the opposite side of the Atlantic, I may well not get all the nuances of what is being proposed, and I'm sure that if so then our American colleagues will take the time to explain, but it strikes me that there are some enormous assumptions being made here, although I very much doubt that the situation is that much different on this side!
Consider a supplier to the US government. The bosses would rather not lose the contract, but the terms of the legislation? 'Within 72 hours of discovery'. Surely the temptation here is to, well, just not discover. So how about we just don't have a network security team/person checking for this, or if we must (for compliance reasons), give him or her other responsibilities: cleaning the C-Suite executives' cars, replacing the toilet rolls, making sure that every printer on site has at least a full ream of paper in it AT ALL TIMES!
Law of unintended consequences - anyone?
Goodhart's Law does apply, of course. People will try to game the system.
But that said, discovery may itself be discoverable. At some point an organization will discover the incident, and covering that sort of thing up for all time is risky. It gets progressively riskier as more incidents occur. I think many organizations will realize that the lowest cost will be to comply as best they can, should these go into force.
You should never rely on a government as a client. It is a toxic business model. They will screw you over as if you were the electorate at the drop of a hat. Now that they are moving to the Chinese model of state control and universal surveillance, best to keep clear blue water between yourself and governments. Lots of corporate and private buyers to sell to out there. Politely decline to sell direct under these terms. Governments can buy from third parties and play dictator with them.
One of our suppliers had a ransomware attack about a year ago. They had robust backups and a good disaster recovery plan, and were back up and running in about two hours. Or at least they were, until they reported the attack to the feds.
A few hours later, the FBI showed up and demanded that they take down their servers for forensic investigation. They were down for 10 days while the feds rummaged through their systems.
We discussed this a while back during a meeting with senior management where we discussed what path we would take...
Government Agent: "Freeze everything! Allow no changes! Maintain a solid and incontrovertible chain-of-evidence we can use to prosecute and jail the perpetrators!" versus ...
IT Guy: "Our Help Desk rebooted our firewall, so no joy there. We did RAM- and register-dumps of our physical and virtual machines, and snapshots of our file systems. We also ran fiber out to the loading dock. Back up the artic lorry with your computers in it to the dock and we'll hook you up. I hope you brought a lot of blank tapes."
Well, for one thing, they do.
But for those things they buy (or lease, or contract out, or whatever), why should they? They have money. They offer vendors money in exchange for goods and services. They're free to slap burdensome contract terms on; vendors can take those or leave them. So far, the money has been an effective inducement. I don't see why the Feds have any reason to change how they do things — it's working for them.
If you're in charge of approving a sale, and you don't like their terms, then fine, turn the business down. Someone else will take it.
Well yes... This is EXACTLY why anything the government is involved with is so ridiculously expensive. You literally have to charge them 3-4x what you would charge anybody else as a paperwork tax... and since so few vendors can even get certified, it's not like 'open bids' have competition a great deal of the time; you, the vendor, having achieved the activation energy to deal with the government, can in fact name your price and they have to pay it. Not that they care, it's not like it's the government's money anyway...
1. Government uses a proxy to launch a wimpy script-kiddie attack on Vendor X.
2. Vendor X reports the incident, as now required.
3. Government agents swoop down on Vendor X, access their systems, and plant back-door access(es).
4. Government agents peruse Vendor X's computers at-will, with no warrant needed.
5. Pwned!
There are ways around this:
* separate division specifically to handle government contracts
* separate hardware
* separate staff, or at least a very large amount of slack in staff numbers
* eyebleedingly expensive cost and contract terms for this that would make even Herod say 'wait, that's a bit severe'