
Latest news with #CybersecurityInformationSharingAct

Exclusive: House cyber lawmakers plan Silicon Valley hearing

Axios

20-05-2025



The House Homeland Security Committee is planning a field hearing on cybersecurity issues in Silicon Valley during the congressional recess next week, Axios has learned.

Why it matters: Tensions between Washington and the cybersecurity industry have been high amid DOGE-led cuts at the nation's top cyber agency and growing concerns about nation-state cyber threats against critical infrastructure, particularly during a global trade war.

Driving the news: Congress is also weighing the reauthorization of the Cybersecurity Information Sharing Act, which expires at the end of the year. Without it, industry argues it will no longer have the legal safeguards needed to trade vital cyber threat information with the government or with each other.

Zoom in: The House Homeland Security Committee will hold a hearing at Stanford University next Wednesday focused on the U.S. cybersecurity posture, a spokesperson shared exclusively with Axios. Chair Mark Green (R-Tenn.), ranking member Rep. Bennie Thompson (D-Miss.) and cyber subcommittee leaders Rep. Andrew Garbarino (R-N.Y.) and Eric Swalwell (D-Calif.) will travel for the hearing. Witnesses include H.R. McMaster, former national security adviser in the first Trump White House and a fellow at Stanford's Hoover Institution; Wendi Whitmore, senior vice president of Palo Alto Networks' Unit 42 threat intelligence team; and Jeanette Manfra, global director for security and compliance in Google Cloud's Office of the CISO. The committee will also hold private breakout discussions with lawmakers, cybersecurity stakeholders and researchers that same day, per the spokesperson.

What they're saying: Green said in a statement to Axios that the committee is heading to Silicon Valley to hear directly from "innovators, job creators and academics" about the best ways to shore up the country's cyber defenses.
"We must work together to flip the economic models of cybersecurity, deter malicious actors, bolster and better equip our cyber defenders, and find ways to harmonize the federal government's burdensome cyber regulatory regime," Green said. Thompson said he was "looking forward to hearing from companies on their turf to talk about how the government can promote and benefit from tech innovation." Swalwell said the trip was an opportunity to discuss "innovative cybersecurity solutions," and described Silicon Valley as the "epicenter of cybersecurity research and innovation."

Cyber bipartisanship on the brink

Axios

15-04-2025



The resilient bipartisanship that has long protected cybersecurity issues in Washington is facing its biggest test in the second Trump administration.

Why it matters: Without guaranteed bipartisanship, the country's whole-of-government approach to both preventing hacks and fighting back is in jeopardy, experts say.

Driving the news: A long list of controversial moves in D.C. in the last few weeks is making it harder for Republicans and Democrats to publicly work together on cybersecurity issues.

  • President Trump ordered a Department of Justice investigation into Chris Krebs, the Cybersecurity and Infrastructure Security Agency director during Trump's first term, and revoked any of his remaining security clearances. Employees at SentinelOne, where Krebs currently works, also had their clearances suspended.
  • CISA plans to make widespread staff cuts in the coming weeks after sending voluntary exit options to employees last week.
  • Sen. Ron Wyden (D-Ore.) placed a hold on Sean Plankey's nomination to run CISA until the agency releases a highly sought-after 2022 report detailing security weaknesses in the telecom industry.
  • The Trump administration fired Gen. Timothy Haugh as head of the National Security Agency and Cyber Command with no explanation, spurring outrage and confusion on Capitol Hill.

The big picture: Rarely have partisan battles in cybersecurity clouded Washington's ability to pass new laws, get political nominees in office, or authorize budget requests. A big reason is that every lawmaker has a constituent who has likely faced a significant cyberattack in their community, whether it's at the local hospital, university or water plant. But since 2020 — when the question of whether the election was secure became a political minefield for Republicans — that's slowly been changing, Liana Keesing, a policy manager at bipartisan political reform group Issue One, told Axios. Since then, separating CISA's cybersecurity work from its efforts to fight foreign-backed election disinformation has been a tough needle to thread.

Between the lines: "There are a lot of Republicans who disagree vehemently with the actions the administration is taking on cyber," Keesing said. "But no one wants to be the first one to take up the mantle to say that."

Yes, but: Rep. Mark Green (R-Tenn.), chair of the House Homeland Security Committee, told The Record in an interview that the era of bipartisanship isn't over. "It's not an issue of an absence of bipartisanship," Green said, "it's no one wants to talk about it because they find it a political tool to say there isn't bipartisanship." Rep. Andrew Garbarino (R-N.Y.), chair of the House Homeland Security cyber subcommittee, also said at an event this month that he was "not thrilled" about earlier firings at CISA.

What to watch: How lawmakers pursue reauthorization of the Cybersecurity Information Sharing Act, a key law that expires this year and enables information sharing, will be the test of how resilient cyber's bipartisanship actually is.

Regulatory Compliance: The Importance Of Proactive Cyber Strategies

Forbes

04-04-2025



As Simeio's CEO, Nick Rowe is responsible for driving the overall vision and strategy.

Identity and access management (IAM) cybersecurity measures have transformed beyond a technical checkbox to an important part of business operations. Yet many organizations continue to view these protocols as something that can be kicked down the road until it's needed—a decision that can lead to major financial and reputational consequences.

Consider Equifax, whose 2017 data breach exposed the personal information of more than 147 million Americans. When all was said and done, the financial toll the company paid was staggering: $575 million in settlements and immeasurable damage to its brand and reputation with customers.

Data from 2019 reveals that nearly three-quarters of all data breaches involve access to privileged accounts, highlighting the direct correlation between IAM effectiveness and organizational security. And that was more than five years ago—that number has likely grown, especially as organizations have moved more of their operations online since employees began working from home during the pandemic. But even if the locations have changed, the cost of these breaches can still extend far beyond immediate financial penalties.

With more information becoming available online, regulatory bodies have stepped up their enforcement on the safety of access management, with substantial penalties for non-compliance. In the United States, HIPAA violations can result in penalties ranging from $141 to $71,162 per violation in Tiers 1 through 3, with annual caps of over $2 million and potential imprisonment of up to 10 years for severe cases. Another example comes from the U.K., where TikTok was fined $15.9 million in 2023 for failing to protect the privacy of children and for collecting personal data from more than one million U.K. children under 13 without proper parental consent. And in the Netherlands, Haga Hospital was fined $516,000 under GDPR for failing to implement proper access controls, resulting in unauthorized access to a popular patient's medical records.

These examples show the potential negative consequences of mismanaging cybersecurity and IAM. But how do we change this and take the steps to make it better? Based on my experiences as CEO of an IAM services organization, here are some further insights into regulatory expectations and how you can safeguard your company.

Understanding The Expectations

The cybersecurity industry as a whole—especially now, with the introduction of advanced AI—is constantly changing. People make new threats, and cybersecurity teams respond and act accordingly. As a result, U.S. regulators have specific cybersecurity requirements for companies, and sometimes they can change quickly if you're not paying attention. Here are just a few examples of regulations companies currently must follow:

  • Cybersecurity Information Sharing Act (CISA): CISA is overseen by the Department of Homeland Security (DHS) and facilitates the sharing of threat information between private companies and the government.
  • Gramm-Leach-Bliley Act (GLBA): Overseen by the Federal Trade Commission (FTC), the GLBA helps regulate the collection and handling of financial information.
  • Securities And Exchange Commission (SEC): As of 2025, the SEC requires publicly traded companies to report cybersecurity incidents within four business days.

It's very important that your leadership, including CISOs, team managers and engineers, all understand where these regulations currently stand and what could change in the coming years, so you can stay in line with what agencies expect.

Best Practices For Maintaining Compliance

When looking to bring your company into compliance, here are a few simple steps I have found to be effective:

  • Use multifactor authentication (MFA). Deploy MFA across all systems and applications, including a single sign-on (SSO) system.
  • Stay informed on evolving regulations. Track updates from regulatory bodies like NIST, ENISA and FFIEC. This can help you anticipate future regulations, such as stricter breach notification requirements or supply chain security mandates.
  • Implement comprehensive IAM strategies. For example, I recommend adopting zero trust architecture by applying "never trust, always verify" principles; in my experience, this can significantly cut down the potential for breaches.
  • Implement data loss prevention (DLP) strategies. By classifying sensitive data and applying appropriate controls based on its importance, you can prevent unauthorized access from users who shouldn't be able to see it in the first place.
  • Conduct regular red team exercises. Preparedness is key, and I have found that conducting simulations of real-world attacks is a reliable way to test your organization and employees' defenses and response capabilities and to address gaps that come up in the process.
  • Demonstrate compliance leadership. One great way to do this is by pursuing certifications such as ISO 27001 or SOC 2 to validate your security posture publicly. This can show customers you're taking extra steps to meet compliance, increasing their trust and loyalty.

Final Thoughts

In my experience, robust IAM protocols can greatly reduce access-related security incidents, mitigating risks and potential damages. From an operational standpoint, companies can also experience a significant decrease in administrative overhead, freeing up valuable resources and streamlining processes. And by creating a security posture with areas like regulatory compliance in mind, you can shield your organization from reputational damage and fines associated with data breaches or compliance failures.
