Changes in Cybersecurity are Coming in 2022
In 2021, SEC Commissioner Elad L. Roisman gave a speech on cybersecurity to the Los Angeles County Bar Association. The speech sent signals that the SEC cannot lead registrants through the world of cybersecurity. While the SEC provides cybersecurity guidance and uses cyber-related enforcement actions to protect investors, it sees registrants as targets and victims that will more than likely be attacked.
The commissioner spoke of the mission of the SEC, its history in rulemaking, and his concern for the complexity of introducing new regulations. A surprise for me was his profound statement on the importance of the work done in 1934, before cyber needed security.
“Companies should pay particular attention to the obligations imposed by Section 13(b)(2)(B) of the Securities Exchange Act of 1934 to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from fraud.”
Roisman went on to point out that in 2017 the SEC established a Cyber Unit, which had a small victory this year:
“In 2021 Enforcement has brought a number of cases in the cybersecurity area. On the disclosure front, Enforcement has brought two notable settled actions this summer involving public companies’ disclosures regarding cybersecurity incidents.”
The commissioner also said he was proud of a report written by the Examinations Division (“EXAMS”).
“EXAMS has made cybersecurity a priority in its examinations for a number of years now. This has allowed them not only to encourage compliance, but also to learn a great deal about best practices—the ways that registered entities are addressing cybersecurity. Last year, EXAMS synthesized their observations regarding cybersecurity and resiliency into a useful report that I believe is helpful for all registered entities. Since the report, the staff has continued to share the perspectives they gain in their examinations in a number of cybersecurity-related Risk Alerts.”
In his conclusion, he said:
“It would be great if we could achieve a cross-federal government solution to the coordination needed among regulators.”
So in 1934 there was clear-cut direction, except there was no cyber. Today, the SEC would like to function like a guide on the path to their three-part mission to:
“protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation.”
This could be disconcerting if we are expecting him to provide the same SEC leadership we know, but it is the first part, protecting investors, where cybersecurity enforcement will focus.
Saying this in Los Angeles, the home of the early western where cowboys and bandits fought over land, cattle, and other folks’ money, was a stroke of inspiration. The cyber landscape needs a redesign, a new story for today’s cowboys, bandits, and bankers.
Agencies like the SEC are struggling with building new regulations because the lines have blurred.
For the SEC alone, there are seven other government agencies also publishing regulations. Roisman admits it is hard to write new regulations that don’t conflict with those agencies.
We live in a time of context and targets. The role of the bandit is evolving. That means our role must evolve too. Today’s cybercriminal becomes a cyberterrorist as soon as he disrupts a utility, financial, or healthcare system. When our clients are at risk, we are on point to stop the spread.
To separate our fear of cyber terror and warfare, we need to understand when it is terror and when it is warfare. Context and targets help us see the faces of the new bandits. Once we can see them, we can evolve as the new cowboy.
Dr. Tafoya, a retired FBI special agent, defines cyber terror as:
“the intimidation of civilian enterprise through the use of high technology to bring about political, religious, or ideological aims, actions that result in disabling or deleting critical infrastructure data or information.”
When an individual affects society it is cyber terror. Hacking into power systems, trading platforms, and healthcare systems impacts the lives of thousands. We all remember the WannaCry ransomware attack of 2017 and its effect on many hospital systems.
This distinction is important because in financial services and healthcare we are vulnerable to cyber-terror attacks, and that does not mean the attack comes from a foreign power or that it is even a large, organized threat.
Terror may come disguised as a crime of ransomware, extortion, or malicious fraud and it can be the act of a lone wolf hacker. The FBI can be the victim of a lone wolf as easily as it can be attacked by a foreign power.
A case in point is British teenager Kane Gamble, who targeted the CIA, FBI, and Department of Justice databases. In 2017, Gamble impersonated a CIA chief to get confidential information.
After obtaining sensitive documents on American military and intelligence operations in Iraq and Afghanistan, Gamble leaked some of the information on the internet for terrorist organizations to access, including details of 20,000 FBI employees. He was convicted of engaging in cyberterrorism against the U.S.
So where do we go from here?
It is our responsibility to take the lessons learned from the SEC and others and figure out how to help our communities protect our clients and employees. 2022 is our next evolution.
2022 is the year of Executive Order 14028. Made up of forty-six tasks inside nine sections of responsibility, it has teeth and is moving forward to change the landscape so we can become the aggressor against the cyber bandit.
On May 12th, President Biden signed Executive Order 14028 on Improving the Nation’s Cybersecurity. It has the depth of direction to grant Roisman’s wish.
This executive order (EO) is not the first attempt at wrangling cybersecurity, but it is the first one signed after the nation experienced the SolarWinds and Microsoft Exchange supply chain hacks and the Colonial Pipeline ransomware attack. Together, these events created the perfect storm – our opportunity to stand up and show our American spirit.
Our government expects the National Institute of Standards and Technology (NIST) to:
- create a zero-trust architecture,
- define what critical software is and
- explain how to evaluate it.
The Executive Order on Cybersecurity requires the NIST to work with the Department of Homeland Security (DHS), the Defense Department (DOD), the National Security Agency (NSA), the Commerce Department, the Director of National Intelligence, the Attorney General, the Federal Acquisition Regulatory (FAR) Council, and the Office of Management and Budget (OMB). This is the land mine the SEC fears in drafting new regulations.
The NIST must align critical components to a product safety program and include well-defined criteria to use the program. Biden expects the creation of new contract language regarding information sharing – currently, an area of confusion. We can expect that language to close back-doors to bad actors.
For example, the order recognizes the growth of IoT as both an opportunity for advancement and a challenge to secure. Both healthcare and finance depend on IoT. Today, IoT remains the wild card of technologies, abandoning many cybersecurity standards used by non-edge technologies. EO 14028 makes the NIST mandate worth our involvement.
And it is getting the traction it needs. Already twenty of the challenges of EO 14028 have been met and some very smart folks are endorsing it.
Karen Evans, former CIO of the Department of Homeland Security, sees the new software bill of materials as a key to bringing the cyber bandit out where we can see him.
She believes that this executive order is applying the lessons learned from the SolarWinds attack. She knows it’s going to be hard for vendors to respond fast enough, but they will have clear definitions of critical software. If they hope to sell their products, they will need to go through the scrutiny that will come with a required certification status.
Tony Scott, former CIO of Microsoft and former US CIO, believes the real power of EO 14028 is the creation of the review board. He knows that our security has matured to the point where we require a board so we can scale up, recommend, and investigate – just as the NTSB (National Transportation Safety Board) has done since 1926. He is glad to see a directive for a structure that includes both government and civilian members. For him, this helps us see the true scale of our cybersecurity needs.
Both Evans and Scott agree that EO 14028 is a prescriptive order for agencies so that the country can bring their guidelines and frameworks together. It especially ties together the new roles and responsibilities for a CISO.
They believe that, for government agencies, it reduces the opt-out option. Issues will be reported to the special assistant, who will share those excuses directly with the President. Agency leaders will need to defend the decisions they make.
Finally, for software companies, EO 14028 will bring software applications into the sphere of product liability. Software creators will need to consider whether their product creates a liability for the company, just as car manufacturers do.
Our next steps?
We need to know the results of each of the forty-six tasks in EO 14028. At Agio we closely follow results and inform our clients of its progress as it unfolds.
Until the new NIST framework is developed, Agio offers a full suite of services to keep you compliant with the SEC, and more importantly, aware of your exposure to new cybersecurity events.
- Deploy systems against appropriate governance frameworks we continually adapt as your landscape evolves.
- Complete regular security risk assessments measuring the likelihood of your exposure to an attack.
- Engage our team of highly skilled penetration testers to identify exploitable vulnerabilities and outline the steps to prevent cyber bandits from achieving their goals.
- Review and recommend updates to your security policies based on the continually changing landscape and in compliance with SEC priorities as they evolve. We never recommend action and leave you with questions. We prefer to make sure your reviews are an active part of your strategy to defend your systems.
- Test your incident responses with you in real-time. We have several cyber exercises from live tabletop sessions to detailed discussions and white board sessions to make sure that when a bandit comes calling, you are prepared to prevent him from hurting business.
- Train each member of your staff to know how to lead and live cybersecurity values every day so that it becomes as common as showing up for work. We know when someone is living their values because we live ours too. Until you breathe easy, we keep raising the bar.
- Comb through your security architecture and never leave a hair out of place. As corporate cyber cowboys, you want to wear your hat well.
- Show up every time the SEC comes for an audit and cyber examination. By the time you’re an Agio pro, we are your best partner with every regulator interested in your responsibility “to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation.”
- Monitor every security detail about you, from your domain name through your DNS services, and networks, to your cyber relationships with all your partners and vendors.
- Act as your vCISO and help you prioritize the cyber threats most likely to come calling so you can overcome the information overload you face just by doing business safely.
How to become the hero of this story
You want to be as secure as or more secure than your competition, to be the hero of this story: that aggressive cowboy who goes full John Wayne in this new western reality show. There was only one John Wayne, despite the hundreds of cowboys in the movies. We’re here to protect your stagecoach and make sure the gold gets to your destination securely.
Contact us. We’re ready for you.