American Cyber Defenses Must Meet the Moment to Defend Against Cyber Attack Surge

Cyber-attacks targeting the U.S. government have reached an unprecedented peak. These attacks, ranging from targeted ransomware attacks to sophisticated state-sponsored cyber campaigns, pose a serious threat to critical infrastructure and sensitive national security data. This surge underscores the need for comprehensive cyber defenses to safeguard U.S. national security.

The newest report from the Cyber Safety Review Board (CSRB) – a public-private advisory body established in February 2022 to improve U.S. cybersecurity resilience – should raise alarm about the state of our country’s cyber defenses. The March 2024 report, which the Department of Homeland Security (DHS) released to the public in April, dissects how Chinese state-sponsored cyber attackers accessed critically important national security data in a breach targeting Microsoft’s cloud environment. Among other things, the malicious cyber actors “accessed the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China.” The CSRB called this “the espionage equivalent of gold.”

Notably, this breach occurred only months after this warning issued in the National Cybersecurity Strategy: “The People’s Republic of China (PRC) now presents the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”

The CSRB report is a reminder of the national security stakes involved in strong cybersecurity processes. Without innovation and proactive measures designed to boost cybersecurity capabilities, online defense measures become stagnant and out of date, providing attackers with the time they need to breach our defenses. Ultimately, those responsible for defending our national security—both government agencies and private industry across the critical infrastructure—have a responsibility to build ever-stronger capabilities to prevent and detect the ever-evolving cyberattacks they face.

The report also notes that a “cascade” of “avoidable errors” led to and magnified the impact of the Microsoft attack. And while some cyber attackers are capable of breaching sophisticated defenses, we must be wary of settling into an acceptance that some breaches are simply the cost of doing business. That’s where a robust system of competition for these types of federal contracts can play a role. An overreliance on any one vendor is bound to create problems for government customers, and as has been argued many times over in the ongoing debate about competition in the tech sector, competition is often the best driver for a better product and in the best interest of consumers – which in this case, is the federal government.

Put simply, our government needs the best, most efficacious and most proactive technological solutions to meet its unique needs for the highest quality of service. It must do better than keep pace with malicious actors, who are intent on making use of the latest available technology to exploit vulnerabilities. As the President declared in the May 12, 2021 Executive Order on cybersecurity, “Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”

Additionally, what happens in the aftermath of a cyber-attack is just as important as the preventative measures designed to stop it. Incidents are bound to happen no matter the policies and procedures that a company has in place. Careless mistakes, however, raise the risk. Transparency and accountability in the wake of a cyber-attack are critical. A quick response can minimize the damage of a cyber-attack, and incident and vulnerability disclosure practices are essential to stop similar attacks in the future.

As cyber-attacks against the U.S. continue to surge, it is critical that our cybersecurity strategy evolves to safeguard American national security. Proactive measures are paramount, and transparency and accountability are essential. Together, these measures can prevent cybersecurity pitfalls.

Tim Childress Joins SIIA as Chief Financial Officer

Washington D.C., May 1, 2024 – The Software & Information Industry Association (SIIA) today announces the appointment of Tim Childress as Chief Financial Officer. He is responsible for overseeing and implementing the Association’s financial strategy and has extensive expertise in financial, risk and information technology management for non-profit organizations.

Childress has more than 20 years of experience directing strategic and operational financial management for non-profit research, policy, global public health, environmental conservation & microfinance organizations. He joins SIIA from The German Marshall Fund where he was Executive Vice President and Chief Financial Officer. Previously he was Chief Financial Officer for RARE, Global Controller for Population Services International and Director and Controller for FINCA International.

“Tim has served as our interim CFO for the past few months and we are pleased he is joining the team,” said Christopher Mohr, President, SIIA. “He is a talented financial professional with a proven track record in designing and implementing finance transformation programs that align to organizational strategic priorities. Tim will be an integral member of our executive leadership team and will have a key role in guiding SIIA’s growth.”

SIIA’s Response to OMB’s Call for Responsible AI Procurement in Government

The Software & Information Industry Association (SIIA) submitted comments in response to the Office of Management and Budget’s (OMB) Request for Information on the responsible procurement of artificial intelligence (AI) in government. SIIA praised the Administration’s efforts to promote AI innovation and stressed the importance of responsible procurement practices by government agencies.

SIIA commended efforts to integrate AI ethics into the OMB AI memo, emphasizing risk-based frameworks, transparency, and responsible governance. SIIA advocated for the continued encouragement of risk-based AI governance practices and suggested leveraging existing standards such as the NIST AI Risk Management Framework and ISO standards for responsible AI procurement.

Regarding vendor and agency responsibilities, SIIA proposed a clear distinction between the roles, with vendors providing information about their AI services while government agencies ensure proper deployment and risk assessments. SIIA highlighted the importance of transparent documentation, such as AI service cards, to enable informed decision-making by agencies.

SIIA recommended that OMB provide guidance on standard terms, conditions, and intellectual property protections to safeguard sensitive information while promoting transparency in the procurement process. SIIA also suggested that agencies prioritize products aligned with responsible AI deployment guidelines.

To mitigate risks and equity concerns, SIIA urged agencies to engage with diverse stakeholder groups and consider AI principles and guidance developed by companies. SIIA emphasized the need for agencies to incorporate equity considerations into their due diligence process when identifying and procuring AI technologies.

SIIA Comments on Proposed Regulations Addressing Malicious Cyber-Enabled Activities

The Software & Information Industry Association (SIIA) provided comments in response to the Bureau of Industry and Security’s (BIS) request for comment on the Notice of Proposed Rulemaking (NPRM) regarding two executive orders: the IaaS EO and the AI EO. The NPRM aims to address malicious cyber-enabled activities by requiring U.S. Infrastructure as a Service (IaaS) providers to implement customer identification programs, prevent misuse of IaaS products, and safeguard national security.

SIIA supports efforts to combat cyber threats but raises concerns about the NPRM’s potential negative impacts. SIIA argues that the proposed regulations suffer from legal inconsistencies, overly broad definitions, and burdensome compliance requirements. We believe that the proposed Customer Identification Program (CIP) may not effectively deter malicious actors and could lead to evasion, increased costs, and privacy concerns, particularly for small and medium-sized businesses.

SIIA suggests that instead of a CIP, BIS should focus on an Abuse Deterrence Program (ADP) centered on cybersecurity best practices, fostering collaboration between government, industry, and international partners. We propose separating the rulemaking processes for the two executive orders and urge further stakeholder engagement to better understand the implications of the proposed regulations.

SIIA Comments on FTC’s Proposed Rule for Impersonation Regulation of Government and Businesses

The Software & Information Industry Association (SIIA) has submitted comments in response to the Federal Trade Commission’s (FTC) supplemental notice of proposed rulemaking regarding the trade regulation rule on impersonation of government and businesses.

SIIA supports the extension of the impersonation rule to individuals but expresses concerns about the proposed liability scheme for “means and instrumentalities.” SIIA argues that this approach could lead to unintended consequences and suggests adjustments to the rule to address these concerns.

1. Extension of the Impersonation Rule to Individuals: SIIA supports the Commission’s proposal to extend the prohibition to individuals, citing it as filling a gap in the existing rule.
2. Concerns About Means and Instrumentalities Liability: SIIA expresses concerns about the broad application of means and instrumentalities liability, suggesting that it could deter legitimate commercial activity, create compliance challenges, and stifle online speech. They propose adjustments to the rule to mitigate these risks.
3. Proposed Adjustments to the Rule: SIIA suggests modifications to the proposed rule text to limit liability to goods and services designed to defraud and to ensure consistency with statutory and constitutional authority.
4. Request for Additional Process: SIIA requests further analysis and public feedback on the proposed means and instrumentalities liability rule, suggesting renewing the preliminary regulatory analysis and holding an informal hearing to address disputed issues.