Cybersecurity

Full Title or Meme

The increase in cyber-attacks and ransom-ware payments is increasing the demand for "experts" beyond the supply.

Context

• It seems that a snake-oil industry is in development to provider service for high costs beyond the capacity of the talent to respond.
• Cybernetics was described by Norbert Weiner before computers were anything more than a curiosity. It was not the source many terms in English before very suspect activities like Bitcoin.

Problems

• New companies like Sentinel One start advertising on national television with no known track record. (2021-10-13 on NBC)
• Finding and fixing Cybersecurity breaches seems like an endless game of "Whack-a-Mole" where the more you whack them down, the faster that keep popping up.
• In most countries, like UK and EU, Cybersecurity is not required by law.

DoD

• December 2017 DFARS 48 CFR § 252.204 - 7012 (Safeguarding covered defense information and cyber incident reporting) has been a requirement of DoD. Requiring defense contractors and subcontractors through flow - down to implement 110 NIST (SP) 800 – 171 cybersecurity practices.
• November 2020, the DoD introduced DFARS 48 CFR § 252.204 – 7019, 7020 and 7021.
  • DFARS clause 252.204 – 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) -
  • Contractors and subcontractors must submit a basic NIST SP 800 - 171 compliance score to the DoD
  • Supplier Performance Risk System (SPRS) to be considered for contract award.
  • DFARS clause 252.204 – 7020 (NIST SP 800-171 DoD Assessment Requirements) Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
  • Contractors shall not award contracts to subcontractors unless a NIST SP 800-171 score is held in SPRS.
• November 4, 2021 DFARS clause 252.204 – 7021 (CMMC 2.0).
  • 3 levels
  • Based on FAR & NIST 800-171
  • Self-attestation/3rd Party Audit
• None of that seems to apply to COTS (commercial off-the-shelf) software.
• Legal precedence across the DoJ, DoT and SEC for prosecutions for failing to meet cybersecurity standards is documented.

Executive Order 14028

• Definitions of Critical Software
• NIST presentation on enhancing the software supply chain. (2021-22-19)
• Guidelines for Enhancing Software Supply Chain Security (Section 4)

Solutions

"The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive Cybersecurity research. This movement away from boundary protection and after-attack analysis, to proactive automonic systems has opened the door to new investigations and opportunities that are vital to future R&D."^[1]

References

1. ↑ Terry Benzel, Cybersecurity Research of the Future CACM 64 no. 1 (2021-01)

Other Material

• NIST web site on Cyber security.