Saturday, December 2, 2023

Why Is The US Behind The ROW For Cyber??? Find Out Here

I have written quite a bit about the EU's best-known data privacy law, the GDPR.  While it protects the personal data of end users, keeping up with it has become a nightmare for business owners.  To make matters even more confusing for organizations trying to reach compliance, the individual member states are now passing their own security and privacy laws on top of it.

One such country is Germany.  Its IT Security Act 2.0, known as IT-SiG 2.0, is a cybersecurity law rather than a privacy law: it amends the BSI Act, and its obligations fall chiefly on operators of critical infrastructure (KRITIS) and certain other companies of special public interest rather than on every business.  Here are some of the key provisions of this legislation:

1)     Monitor in real time:

This provision requires the covered German businesses, including international businesses that fall under the law through their German operations, to monitor the threat vectors in their environment in real time and to counter them as they occur.  It also takes the realistic view that not all cyber threats can be mitigated.  It mandates systems for attack detection, which in practice means deploying security technologies such as:

- Intrusion Detection Systems (IDS)

- Security Information and Event Management (SIEM) systems

- Security Orchestration, Automation, and Response (SOAR) systems


2)     Keep up the visibility

The German law also requires covered businesses to keep constant vigilance over their cyber threat landscape and to make a best effort to anticipate what the future will hold.  As above, the following are required of covered businesses regardless of their size:

- Regular risk assessments

- Penetration testing and vulnerability scans

CISA has something similar, Binding Operational Directive (BOD) 23-01.  The caveat is that it applies only to Federal civilian executive branch agencies, not to the private sector.  More details on this directive can be found at this link:

https://www.cisa.gov/news-events/directives/bod-23-01-improving-asset-visibility-and-vulnerability-detection-federal-networks

This is Germany's first step toward implementing a national cyber strategy that the regulated businesses must follow.  Here in the US, the Biden Administration has come up with something similar, the National Cybersecurity Strategy, but once again its main focus is on critical infrastructure (which is good) and the Federal Government.

As far as I know, there has not been much emphasis placed on the private sector.  The other good provision it does contain is that it strongly recommends close collaboration between the Federal Government, Corporate America, and academia.

More information about this can be seen at the link below:

https://www.darkreading.com/vulnerabilities-threats/white-house-releases-implementation-plan-for-cybersecurity-strategy

Another key facet of this mandate is that it strongly emphasizes less reliance on adopting new technologies and more strategic use of what is already in place.  In other words, less is better than more, and this is where the risk assessment comes into play.

In response to this, CISA came out with yet another plan, the Cybersecurity Strategic Plan, which covers fiscal years 2024 through 2026.  Once again, more details can be found here:

https://www.cisa.gov/news-events/news/cisa-cybersecurity-strategic-plan-shifting-arc-national-risk-create-safer-future

My Thoughts On This:

So as far as I can tell, the German cyber law focuses on the following:

- Combat the immediate threats.

- Beef up the lines of defense by constantly watching your threat environment.

- Try to get a look into the future (AI would be a great tool to use here).

There has now been some clamor that the United States must follow Germany's lead.  But here is the key difference: while here in the United States we have all of the cyber provisions that we need, they have not been enforced uniformly across all 50 states.

So now the question comes: if other countries can make their provinces abide by a national strategy, how come the US can't?  That is a tough one to answer.  I have always advocated Federal legislation for cybersecurity that flows down to all of the states, rather than having each state come up with its own version of the CCPA.

Another difference is that other countries, even those in Africa and the Middle East, are much more proactive than the US.  We are still reactive, and only react when something bad actually happens.  Even then, we still don't always learn our lesson well.
