U.S. agencies have been making headlines recently for a lot of their new cyber-related regulations. The following are several noteworthy examples of what they have been up to.
The Federal Communications Commission (FCC) and Robocalls
The FCC expects phone carriers to block illegal robocalls from providers not yet registered with the Robocall Mitigation Database. The order requires blocking “voice service providers that have neither certified to implementation of STIR/SHAKEN caller ID authentication standards nor filed a detailed robocall mitigation plan with the FCC.” More can be read on the STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted Information Using toKENs) protocols here. Voice providers have had ample time to comply since the creation of the Robocall Mitigation Database back in April 2021. The FCC smartly points out that this measure isn’t an end-all solution to robocalls, and urges consumers to “remain vigilant against robocall scammers.”
The FCC also proposed rules to prevent illegal foreign-originated robocalls. It would require “these companies to apply STIR/SHAKEN caller ID authentication to, and perform robocall mitigation on, all foreign-originated calls with U.S. numbers.”
The Federal Communications Commission and SIM Swapping
SIM Swapping and port-out fraud are two types of attacks that US mobile carriers have failed to meaningfully address.
FCC SIM swapping definition: “…when a bad actor convinces a victim’s wireless carrier to transfer the victim’s service from the victim’s cell phone to a cell phone in the bad actor’s possession”
FCC port-out fraud definition: “…when the bad actor, posing as the victim, opens an account with a carrier other than the victim’s current carrier. The bad actor then arranges for the victim’s phone number to be transferred to (or “ported out”) to the account with the new carrier controlled by the bad actor.”
The FCC has taken notice and begun drafting rules to minimize these attacks. One would put further onus on carriers to improve their customer authentication mechanisms. The rules would also standardize notifications to customers when a phone number moves to a new device or carrier, when a SIM card changes, or when a port request is made.
The Department of Justice (DOJ) Civil Cyber-Fraud Initiative
The DOJ intends to pursue government contractors who fail to notify the government of cybersecurity related breaches. The Civil Cyber-Fraud Initiative will “utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.”
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Monaco. This will certainly help those who have found themselves in a legal gray area over whether to disclose a breach. It especially makes the choice easier for employees asked to keep mum about a breach, as they can now point to the consequences of defying the DOJ’s clear-cut expectations.
The Department of Justice and the new National Cryptocurrency Enforcement Team
The DOJ created the National Cryptocurrency Enforcement Team (NCET) to “tackle complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors.” It will also focus on extortion payments, which are often made to ransomware groups in cryptocurrency. The NCET “will foster the development of expertise in cryptocurrency and blockchain technologies,” which will certainly go a long way for the DOJ, which is likely playing catch-up with evolving cryptocurrency systems.
The Cybersecurity and Infrastructure Security Agency (CISA) and State Coordinators
CISA intends to have a coordinator in each state by the end of the year, according to an interview The Record had with Matt Hartman, Deputy Executive Assistant Director for Cybersecurity at CISA. The Cybersecurity State Coordinator Act of 2020 includes Bill S.3207 that “requires the Department of Homeland Security to appoint a Cybersecurity State Coordinator in each state”.
Positional duties include:
- “advising on developing and maintaining secure and resilient infrastructure”
- “serving as a federal cybersecurity risk advisor”
- “facilitating the sharing of cyberthreat information between federal and nonfederal entities.”
Building local relationships and relaying security objectives from headquarters will certainly improve CISA’s efforts to protect against ransomware and nation-state attacks. Hartman states that they want to achieve “better operational visibility”.
The Transportation Safety Administration (TSA) and Rail and Aviation Operators
Homeland Security Secretary Alejandro Mayorkas spoke at the Billington Cybersecurity Summit on the department’s intention to improve security for aviation and rail operators considered high risk. The directive (not yet issued) will require operators to have a head cybersecurity official, report cyber-related incidents, and provide disaster recovery plans.
The Senate Homeland Security Committee and Cybersecurity Legislation
The Senate Homeland Security Committee approved the Cyber Incident Reporting Act of 2021 and the Federal Information Security Modernization Act (FISMA) of 2021. The Cyber Incident Reporting Act will require critical infrastructure organizations and civilian federal agencies to report cyber-attacks to CISA within 72 hours, and ransomware payments within 24 hours. The FISMA bill updates the previous Federal Information Security Modernization Act of 2014 to improve coordination between federal agencies, with CISA acting as the lead agency. Both bills still require a vote on the Senate floor, where they should have a good chance of passing given the bipartisan effort put into them.