      EPA Won’t Force Water Utilities to Audit Their Cybersecurity

      news.movim.eu / Schneier · Monday, 23 October, 2023 - 08:52

    The industry pushed back:

    Despite the EPA’s willingness to provide training and technical support to help states and public water system organizations implement cybersecurity surveys, the move garnered opposition from both GOP state attorneys and trade groups.

    Republican state attorneys who were against the new proposed policies said that the call for new inspections could overwhelm state regulators. The attorneys general of Arkansas, Iowa and Missouri all sued the EPA, claiming the agency had no authority to set these requirements. This led to the EPA’s proposal being temporarily blocked back in June.

    So now we have a piece of our critical infrastructure with substandard cybersecurity. This seems like a really bad outcome.

      On the Cybersecurity Jobs Shortage

      news.movim.eu / Schneier · Wednesday, 20 September, 2023 - 15:05

    In April, Cybersecurity Ventures reported on the extreme cybersecurity job shortage:

    Global cybersecurity job vacancies grew by 350 percent, from one million openings in 2013 to 3.5 million in 2021, according to Cybersecurity Ventures. The number of unfilled jobs leveled off in 2022, and remains at 3.5 million in 2023, with more than 750,000 of those positions in the U.S. Industry efforts to source new talent and tackle burnout continue, but we predict that the disparity between demand and supply will remain through at least 2025.

    The numbers never made sense to me, and Ben Rothke has dug in and explained the reality:

    …there is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp.

    […]

    Most entry-level roles tend to be quite specific, focused on one part of the profession, and are not generalist roles. For example, hiring managers will want a network security engineer with knowledge of networks or an identity management analyst with experience in identity systems. They are not looking for someone interested in security.

    In fact, security roles are often not considered entry-level at all. Hiring managers assume you have some other background, usually technical, before you are ready for an entry-level security job. Without those specific skills, it is difficult for a candidate to break into the profession. Job seekers learn that entry-level often means at least two to three years of work experience in a related field.

    That makes a lot more sense, and matches what I experience.

      Our health care system may soon receive a much-needed cybersecurity boost

      news.movim.eu / ArsTechnica · Friday, 18 August, 2023 - 12:00

    The Advanced Research Projects Agency for Health (Arpa-H), a research support agency within the United States Department of Health and Human Services, said today that it is launching an initiative to find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care. Dubbed the Digital Health Security project, also known as Digiheals, the effort will allow researchers and technologists to submit proposals beginning today through September 7 for cybersecurity tools geared specifically to health care systems, hospitals and clinics, and health-related devices.

    For more than a decade, health care providers in the United States and around the world have been plagued by criminal cyberattacks, particularly ransomware attacks, that take advantage of medical facilities’ high-stakes work to attempt to extort big payouts. Efforts in recent years to crack down on and deter cybercriminal actors have made some limited progress, but health care attacks still occur regularly, disrupting vital services and endangering patients.

    Health and Human Services’ research agency Arpa-H doesn’t specifically focus on cybersecurity innovation. The agency has programs running, for example, to spur advances in osteoarthritis treatment and medical imaging for cancer removal. But Digiheals program manager and longtime security researcher Andrew Carney says there is a dire need to make progress on digital defense tools for health care that are both effective and usable for medical facilities in practice.

      White House Announces AI Cybersecurity Challenge

      news.movim.eu / Schneier · Tuesday, 15 August, 2023 - 16:49

    At Black Hat last week, the White House announced an AI Cyber Challenge. Gizmodo reports:

    The new AI cyber challenge (which is being abbreviated “AIxCC”) will have a number of different phases. Interested would-be competitors can now submit their proposals to the Small Business Innovation Research program for evaluation and, eventually, selected teams will participate in a 2024 “qualifying event.” During that event, the top 20 teams will be invited to a semifinal competition at that year’s DEF CON, another large cybersecurity conference, where the field will be further whittled down.

    […]

    To secure the top spot in DARPA’s new competition, participants will have to develop security solutions that do some seriously novel stuff. “To win first-place, and a top prize of $4 million, finalists must build a system that can rapidly defend critical infrastructure code from attack,” said Perri Adams, program manager for DARPA’s Information Innovation Office, during a Zoom call with reporters Tuesday. In other words: the government wants software that is capable of identifying and mitigating risks by itself.

    This is a great idea. I was a big fan of DARPA’s AI capture-the-flag event in 2016, and am happy to see that DARPA is again inciting research in this area. (China has been doing this every year since 2017.)

      IRS vows to digitize all taxpayer documents by 2025

      news.movim.eu / ArsTechnica · Wednesday, 2 August, 2023 - 16:12

    Today, the US Treasury Department announced that taxpayers will have the choice to go paperless for all Internal Revenue Service (IRS) correspondence in the upcoming 2024 filing season.

    By 2025, the IRS plans to achieve paperless processing for all tax returns, still accepting paper documents but immediately digitizing them, to "cut processing times in half" and "expedite refunds by several weeks," the Treasury Department said.

    "The IRS receives about 76 million paper tax returns and forms and 125 million pieces of correspondence, notice responses, and non-tax forms each year, and its limited capability to accept these forms digitally or digitize paper it receives has prevented the IRS from delivering the world-class service taxpayers deserve," the Treasury Department said.

      The Cyber Trust Mark is a voluntary IoT label coming in 2024. What does it mean?

      news.movim.eu / ArsTechnica · Wednesday, 19 July, 2023 - 18:56

    [Figure: The U.S. Cyber Trust Mark logos, which may or may not have an assigned order at the moment. Which one most says "secure" to you? (credit: Federal Communications Commission)]

    The goal of the new US Cyber Trust Mark, coming voluntarily to Internet of Things (IoT) devices by the end of 2024, is to keep people from having to do deep research before buying a thermostat, sprinkler controller, or baby monitor.

    If you see a shield with a microchip in it that's a certain color, you'll know something by comparing it to other shields. What exactly that shield will mean is not yet decided. The related National Institute of Standards and Technology report suggests it will involve encrypted transmission and storage, software updates, and how much control a buyer has over passwords and data retention. But the only things really new since the initiative's October 2022 announcement are the look of the label, a slightly firmer timeline, and more input and discussion meetings to follow.

    At the moment, the Mark exists as a Notice of Proposed Rulemaking (NPRM) at the Federal Communications Commission. The FCC wants to hear from stakeholders about the scope of devices that can be labeled and which entity should oversee the program, verify the standards, and handle consumer education.

      Pornhub cuts off more US users in ongoing protest over age-verification laws

      news.movim.eu / ArsTechnica · Monday, 3 July, 2023 - 16:56

    On July 1, laws requiring adult websites to verify user ages took effect in Mississippi and Virginia, despite efforts by Pornhub to push back against the legislation. Those efforts include Pornhub blocking access to users in these states and rallying users to help persuade lawmakers that requiring ID to access adult content will only create more harms for users in their states.

    Pornhub posted a long statement on Twitter, explaining that the company thinks US officials acting to prevent children from accessing adult content is "great." However, "the way many elected officials have chosen to implement these laws is haphazard and dangerous."

    Pornhub isn't the only one protesting these laws. Last month, the Free Speech Coalition (FSC) sued Louisiana over its age-verification law, with FSC Executive Director Alison Boden alleging that these kinds of laws now passed in seven states are unconstitutional.

      Feds tell automakers not to comply with Mass. “right to repair” law

      news.movim.eu / ArsTechnica · Wednesday, 14 June, 2023 - 12:28

    In 2020, voters in Massachusetts chose to extend that state's automotive "right to repair" law to include telematics and connected car services. But this week the National Highway Traffic Safety Administration told automakers that some of the law's requirements create a real safety problem and that they should be ignored, since federal law preempts state law when the two conflict.

    Almost all new cars in 2023 contain embedded modems and offer some form of telematics or connected car services. And the ballot language that passed in Massachusetts requires "manufacturers that sell vehicles with telematics systems in Massachusetts to equip them with a standardized open data platform beginning with model year 2022 that vehicle owners and independent repair facilities may access to retrieve mechanical data and run diagnostics through a mobile-based application."

    At this point, some of our more security-minded readers might need to have a lie down because, yes, that language does essentially mean there would be no proper security controls preventing someone from remotely connecting into a car.

      The Software-Defined Car

      news.movim.eu / Schneier · Monday, 5 June, 2023 - 04:17

    Developers are starting to talk about the software-defined car.

    For decades, features have accumulated like cruft in new vehicles: a box here to control the antilock brakes, a module there to run the cruise control radar, and so on. Now engineers and designers are rationalizing the way they go about building new models, taking advantage of much more powerful hardware to consolidate all those discrete functions into a small number of domain controllers.

    The behavior of new cars is increasingly defined by software, too. This is merely the progression of a trend that began at the end of the 1970s with the introduction of the first electronic engine control units; today, code controls a car’s engine and transmission (or its electric motors and battery pack), the steering, brakes, suspension, interior and exterior lighting, and more, depending on how new (and how expensive) it is. And those systems are being leveraged for convenience or safety features like adaptive cruise control, lane keeping, remote parking, and so on.

    And security?

    Another advantage of the move away from legacy designs is that digital security can be baked in from the start rather than patched onto components (like a car’s central area network) that were never designed with the Internet in mind. “If you design it from scratch, it’s security by design, everything is in by design; you have it there. But keep in mind that, of course, the more software there is in the car, the more risk is there for vulnerabilities, no question about this,” Anhalt said.

    “At the same time, they’re a great software system. They’re highly secure. They’re much more secure than a hardware system with a little bit of software. It depends how the whole thing has been designed. And there are so many regulations and EU standards that have been released in the last year, year and a half, that force OEMs to comply with these standards and get security inside,” she said.

    I suppose it could end up that way. It could also be a much bigger attack surface, with a lot more hacking possibilities.