3 Weeks of Intense Cyber Activity
Few believed Dr. Michael Burry when he predicted the 2007 mortgage crises that eventually crippled the U.S. economy and destroyed a Wall Street investment bank. Despite evidence of his research and basic deductive reasoning, he was continuously ignored. Fifteen years later, the world may learn a similar lesson about the dangers of ignoring unbiased empirical details.
Within the last 3 weeks, the United States Government, including the top office, amplified its efforts to promote cybersecurity awareness, impose regulations to force cyber assurance, and increase cybersecurity funding on a national and state-wide scale.
On March 21, 2022, the President of the United States issued a statement about the Nation’s Cybersecurity, imploring privately-owned critical infrastructure entities to “harden your cyber defenses immediately.” According to Politico, President Biden also reached out to state governors seeking information about cyber resiliency of utility systems (big hint….?).
On March 22, 2022, the Cybersecurity and Infrastructure Security Agency collaborated with the Federal Bureau of Investigation to host a nationwide, unclassified call, to warn states, local entities, and private organizations about the increased intelligence gathered by the U.S. and its allies of the Russian government’s plans to execute targeted cyber attacks against critical infrastructure in retaliation for economic sanctions. Two days later, CISA issued an advisory warning of continuing threats against the U.S. Energy Sector Networks by Russia’s cyber operatives.
POTUS’ and CISA's actions are contemporaneous with the release of the FBI’s Internet Crime Complaint Center (IC3)’s report, which detailed cyber-crime activity in 2021, including the total cost of cyber-crime in 2021 calculated at $6.9 Billion. As with almost every category of any “thing,” the state of California led the nation in the number of cyber-crime victims and cyber-crime losses. Unsurprisingly, business email compromises and targeted phishing remained the most effective and lucrative types of crime.
On March 9, 2022, the Securities and Exchange Commission (SEC) announced amendments to the required disclosures of publicly traded companies that will require additional reporting on cybersecurity risk, management, strategy, and governance. The new SEC Rules, which will remain open for public comment for 60 days, require public companies to report cybersecurity incidents to the SEC within four (4) days and disclose the company’s policies, governance, and procedures for identifying and mitigating cyber risks. Indeed, the SEC is further mandating companies to disclose the cybersecurity expertise of its staff.
On March 11, 2022, President Biden signed the American Rescue Plan, containing $1.9 Trillion to both improve the U.S. agriculture industry and U.S. cyber resiliency. Now officially referred to as Public Law 117-2, the American Rescue Plan allots an additional $650,000,000 to CISA, $1,000,000,000 to the Technology Modernization Fund, and federal grants to improve technology infrastructure within the healthcare field. According to FedScoop.com, the Biden administration is even more recently seeking an additional $300 million in funding for the Technology Modernization fund for 2023.
And, on March 25, 2022, the Federal Communications Commission announced its addition of Kaspersky Labs to its list of banned products; a Russian company that markets popular information security products and services alongside several Chinese-based telecommunications services.
Underfunded, under-staffed, and generally disregarded by the “intelligentsia” as “dooms day preppers,” the cyber community may be nearing its “I told you so” moment but without the gratification that comes along with correctness. The efforts by the U.S. Government to broadcast the threats, available resources, and data will hopefully make an impact in a timely manner to avoid disaster and loss of life.