Standardizing data shared on software components is vital for identifying cyber vulnerabilities and will have an impact across industries, stakeholders told NTIA during a virtual meeting on the multistakeholder process on software component transparency Thursday. NTIA’s goal is to standardize software component data sharing so entities and users can better understand networks, which will help identify risks and affected components. NTIA plans to issue guidance for a software bill of materials. SBOMs list software components. “The NTIA SBOM initiative is driven by stakeholders, and they are ultimately responsible for setting timetables, defining deliverables and reaching consensus,” a spokesperson emailed. NTIA Director-Cybersecurity Initiatives Allan Friedman highlighted the importance of guidance. He cited a recent Snyk survey, in which 60 percent of respondents say they lack a “good view into the full dependency trees of their software.” This means it’s difficult to identify newly discovered vulnerabilities, Friedman said. Survey participants included officials in software development, security and infrastructure/operations. Progress on the initiative has been “subtle” but “impactful,” said FDA Cyber Policy Adviser Jessica Wilkerson. Lack of clarity can make it difficult to map “component to vulnerability data, license data, or other data,” wrote working group co-chairs Michelle Jump, MedSec's global regulatory adviser-medical device cybersecurity, and Art Manion, a senior member of the vulnerability analysis team at Carnegie Mellon University's Software Engineering Institute. It makes it difficult for entities potentially hit in a cyberattack to determine if they are affected and where the affected software is used, Jump said.
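The two problems the item describes, seeing the full dependency tree and mapping each component to vulnerability data, are what an SBOM consumer's tooling has to solve. The following is an added illustration, not code from NTIA or the working group: it walks a small CycloneDX-style SBOM (a constructed sample, with placeholder package names and placeholder advisory IDs rather than real vulnerabilities), resolves the transitive dependency graph from the root application, and reports every component whose version is below an advisory's fixed version together with the path through which it is pulled in, which is the "where is the affected software used" question Jump raises. The field names mirror CycloneDX's `components`, `bom-ref` and `dependencies`/`dependsOn` shape; the version comparison is a deliberately simple dotted-integer compare and is an assumption of this example, not a general version-ordering scheme.

```python
"""Walk a CycloneDX-style SBOM dependency graph and map components to
advisories, reporting the dependency path of each affected component.
All data below is constructed sample data: no real packages, no real CVEs."""
from collections import deque

# Constructed SBOM (subset of CycloneDX fields). The root is the application itself.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:pypi/webapp@1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webapp@1.0.0", "name": "webapp", "version": "1.0.0"},
        {"bom-ref": "pkg:pypi/httpclient@2.3.1", "name": "httpclient", "version": "2.3.1"},
        {"bom-ref": "pkg:pypi/urlparse-lib@0.9.0", "name": "urlparse-lib", "version": "0.9.0"},
        {"bom-ref": "pkg:pypi/yamlparser@5.1.0", "name": "yamlparser", "version": "5.1.0"},
        {"bom-ref": "pkg:pypi/logfmt@1.2.0", "name": "logfmt", "version": "1.2.0"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/webapp@1.0.0",
         "dependsOn": ["pkg:pypi/httpclient@2.3.1", "pkg:pypi/yamlparser@5.1.0"]},
        {"ref": "pkg:pypi/httpclient@2.3.1",
         "dependsOn": ["pkg:pypi/urlparse-lib@0.9.0", "pkg:pypi/logfmt@1.2.0"]},
        {"ref": "pkg:pypi/yamlparser@5.1.0", "dependsOn": ["pkg:pypi/logfmt@1.2.0"]},
    ],
}

# Constructed advisories: versions strictly below "fixed_in" are affected.
# The IDs are placeholders, not real advisory or CVE identifiers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "urlparse-lib", "fixed_in": "1.0.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "logfmt", "fixed_in": "1.2.0"},   # shipped version is already fixed
    {"id": "ADV-EXAMPLE-0003", "name": "yamlparser", "fixed_in": "5.2.0"},
]


def parse_version(v):
    """Simple dotted-integer ordering (assumption of this example; real tools use
    ecosystem-specific version schemes)."""
    return tuple(int(p) for p in v.split("."))


def build_graph(sbom):
    """Index components by bom-ref and dependency edges by source ref."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return comps, edges


def dependency_paths(sbom):
    """Return {bom-ref: [path from root]} for every reachable component.
    Breadth-first, so the recorded path is a shortest one; visited set guards
    against diamonds (logfmt above) and cycles."""
    comps, edges = build_graph(sbom)
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for dep in edges.get(cur, []):
            if dep not in paths:
                paths[dep] = paths[cur] + [dep]
                queue.append(dep)
    return paths


def find_affected(sbom, advisories):
    """Match reachable components against advisories by name and version.
    Each finding carries the dependency path, i.e. where the component is used."""
    comps, _ = build_graph(sbom)
    paths = dependency_paths(sbom)
    by_name = {}
    for ref in paths:
        comp = comps.get(ref)
        if comp is None:
            continue  # dangling ref: dependency listed but no component entry, an SBOM data-quality gap
        by_name.setdefault(comp["name"], []).append(ref)
    findings = []
    for adv in advisories:
        for ref in by_name.get(adv["name"], []):
            if parse_version(comps[ref]["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"advisory": adv["id"], "component": ref, "path": paths[ref]})
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f["advisory"], "affects", f["component"], "via", " -> ".join(f["path"]))
```

Run as a script it reports two findings: the first advisory reaches the application only through `httpclient`, a transitive dependency a flat package list would not show, while the second advisory produces no finding because the shipped `logfmt` version is at the fixed version. A dependency entry with no matching component is skipped rather than crashing, since that is exactly the kind of incomplete SBOM data the co-chairs describe.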
The Chinese shot back at FBI Director Christopher Wray for accusing China of waging a "massive" cybersecurity war against the U.S. “We regret that U.S. foreign policies are kidnapped by FBI officials like Wray and other anti-China forces,” said a Foreign Affairs Ministry spokesperson Wednesday. “The words of some U.S. officials are full of political lies in negligence of basic facts, exposing their deep-seated Cold War mindset and ideological bias.” Americans are the “victims of what amounts to Chinese theft on a scale so massive that it represents one of the largest transfers of wealth in human history,” Wray told the Hudson Institute Tuesday. “If you’re an American adult, it is more likely than not that China has stolen your personal data.”
NTIA launched the communications supply chain risk information partnership (C-SCRIP), as required by 2019's Secure and Trusted Communications Network Act and effective Wednesday, says that day's Federal Register. The Office of the Director of National Intelligence, Department of Homeland Security, FBI and the FCC are working with NTIA. “This program is aimed primarily at trusted small and rural communications providers and equipment suppliers, with the goal of improving their access to risk information about key elements in their supply chain,” NTIA said: “C-SCRIP will allow for regularly scheduled informational briefings, with a goal of providing more targeted information for C-SCRIP participants as the program matures.”
Sens. Ed Markey, Mass., and Richard Blumenthal, Conn., criticized the National Highway Traffic Safety Administration Thursday for its “dangerously reactive approach to cybersecurity" in internet-connected cars. NHTSA “has taken a hands-off approach to the growing threats to public safety from vulnerabilities in internet-connected cars,” the Democrats wrote acting Administrator James Owens. “We also believe that NHTSA is neglecting to oversee and keep the public informed about over-the-air (OTA) software updates designed to fix safety defects in cars without a physical recall.” The senators “are deeply troubled by NHTSA’s deafening silence in response to the repeated reports of vulnerabilities and risks of hacking of internet-connected cars. In your reply to our initial letter, you stated that ‘NHTSA is not aware of any malicious hacking attempts that have created safety concerns for the motoring public.’ However, this statement sets aside the many examples of demonstrated vulnerabilities in cars on the road that have been publicly reported in recent years, and relies on the goodwill of those who have reported these risks.” NHTSA needs to “develop processes that will ensure automakers are publicly accountable for all safety-related defects no matter how they are fixed,” the senators said. The lawmakers sought a response by July 2. NHTSA didn’t comment.
The need for “holistic digital protection” is a business opportunity for players in the connected home security space, blogged Parks Associates Monday, saying 79% of U.S. broadband households are concerned about data security or privacy issues. Service providers could use digital protection services as a value-add for a broadband subscription, or they could be added as part of a premium service tier for a freemium business model, said analyst Brad Russell. Parks is holding a webinar Tuesday at 2 p.m. EDT with F-Secure on cybersecurity solutions.
Zoom should release an independent review of cybersecurity and privacy practices (see 2004080051), Sens. Elizabeth Warren, D-Mass., and Ed Markey, D-Mass., wrote Thursday: CEO Eric Yuan should “take all possible actions to protect” the security of users and students and to prevent “disturbing intrusions.” Report data on the “frequency and nature of Zoom classroom intrusions,” the lawmakers asked. The company appreciates "the outreach we have received from various elected officials and look forward to engaging with them," a spokesperson emailed. "Zoom is working around-the-clock to ensure that universities, schools, and other businesses around the world can stay connected and operational during this pandemic, and we take user privacy, security, and trust extremely seriously.”
The National Cybersecurity Center of Excellence is collecting comment on its draft zero trust architecture for cybersecurity through April 14. The National Institute of Standards and Technology’s NCCOE is exploring a zero trust architecture concept, which treats “all users as potential threats and prevents access to data” to ensure device security.
The Public Safety Bureau seeks comment through March 27 in docket 19-351 on how the recently enacted Secure and Trusted Communications Networks Act (HR-4998) will affect FCC proceedings under new supply chain rules designating Chinese telecom equipment makers Huawei and ZTE as posing a national security threat. The companies dispute the initial designation (see 2003040030). HR-4998, which President Donald Trump signed last week (see 2003120061), allocates $1 billion to help small U.S. communications providers remove from their networks Chinese equipment determined to threaten national security. It bars federal funds buying communications equipment or services from any company that's a national security risk to U.S. telecom networks. The FCC wants feedback on “whether and how [HR-4998] should inform our consideration of the designations of Huawei and ZTE.”
President Donald Trump signed the Secure and Trusted Communications Networks Act (HR-4998) Thursday, as expected (see 2003040056). The law, which the Senate passed in February (see 2002270070), allocates $1 billion to help U.S. communications providers remove from their networks Chinese equipment determined to threaten national security (see 1912160052). The White House tied Trump’s signing of HR-4998 to a broader commitment “to safeguard America’s vital communications networks and securing technology.” Trump “is committed to the development of reliable 5G and ensuring the United States remains the global leader in technology and innovation,” the White House said. The administration “is working with allies and partners” on telecom security principles “that will foster reliable 5G networks” and “is working to ensure America’s private sector has access to spectrum, including critical mid-band spectrum, to fuel the growth of our wireless industry.” Trump is “committed to ensure” that rural Americans “have access to safe and reliable high-speed broadband,” the White House said. Trump told reporters before a meeting with Irish Prime Minister Leo Varadkar he believes if countries like Ireland use equipment from Chinese telecom equipment maker Huawei, “there's a real problem with intelligence and intelligence security. And we'll see what happens. We'll be discussing that point also.” HR-4998’s enactment drew praise from FCC Chairman Ajit Pai, U.S. lawmakers and communications sector officials. “Securing our networks from malicious foreign interference is critical to America’s wireless future, especially as some communications providers rely on equipment from companies like Huawei that pose an immense threat,” said HR-4998 lead sponsors House Commerce Committee Chairman Frank Pallone, D-N.J.; ranking member Greg Walden, R-Ore.; House Communications Subcommittee Vice Chair Doris Matsui, D-Calif.; and Rep. Brett Guthrie, R-Ky. 
Now “we can take steps to protect our communications networks from bad actors, while helping small and rural providers remove and replace suspect network equipment.” The law “lays the foundation to help U.S. firms strip out vulnerable equipment and replace it,” said Senate Commerce Committee Chairman Roger Wicker, R-Miss. "I hope Congress will build on this success and move forward quickly to appropriate the necessary funding to reimburse carriers for replacing any network equipment or services found to be a national security threat," Pai said. "This funding is essential to successfully transition communications networks—especially those of small and rural carriers—to infrastructure provided by more trusted vendors." Telecommunications Industry Association CEO David Stehlin called HR-4998 “an important step forward in the United States’ efforts to safeguard the integrity of our communications networks by supporting efforts to replace at-risk equipment with equipment from trusted suppliers.” The Rural Wireless Association said that “now we must push ahead in Congress to quickly appropriate the authorized funding." Mavenir considers HR-4998 “an important step,” said CEO Pardeep Kohli. Trump is "providing another policy tool to prevent China and others from interfering in our communications networks," said 5G Action Now Chairman Mike Rogers. He praised "banning the use of federal funds to buy equipment from Huawei, ZTE, and other companies deemed to be national security threats, while providing funds to allow small businesses to remove this equipment."
The U.S. Cyberspace Solarium Commission urged the federal government Wednesday to make major changes to its cybersecurity approach, including creating a Senate-confirmed national cyber director and a Bureau of Cyber Statistics. CSC urged the government to establish a special fund for cyberattack response and recovery efforts and said Congress should create stand-alone House and Senate cybersecurity committees, which has been sought for years (see 1403270046). “For over 20 years, nation-states and non-state actors have used cyberspace to subvert American power,” the commission reported. “Despite numerous criminal indictments, economic sanctions, and the development of robust cyber and non-cyber military capabilities, the attacks against the United States have continued.” CSC didn’t seek a unified federal cybersecurity agency, saying the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the State Department, Election Assistance Commission and other federal agencies with cyber responsibilities should partly restructure. “We want working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top-level talent (and wins)," the CSC said. It recommended that the Commerce Department establish a National Cybersecurity Certification and Labeling Authority and that State have an assistant secretary focused on cybersecurity issues. CSC Commissioner and House Armed Services Emerging Threats Subcommittee Chairman Jim Langevin, D-R.I., said "our strategy of layered cyber deterrence will provide solid guidance for transformational reforms.” House Homeland Security Committee ranking member Mike Rogers, R-Ala., and Cybersecurity Subcommittee ranking member John Katko, R-N.Y., hailed the report. It represents “thoughtful and actionable ideas,” Rogers said.
The "serious, forward-leaning recommendations" can help ensure critical infrastructure can "better defend against advanced cyber threats," said BSA|The Software Alliance Senior Director-Policy Tommy Ross. "Not everyone will like every recommendation the Commission produced, but our hope is that the report will create a sense of urgency for Congress to take meaningful, bipartisan action.”