New legislation calls for penetration testing of federal systems to strengthen proactive cybersecurity measures


A new bill introduced in the U.S. House of Representatives would invest in cybersecurity measures that fix vulnerabilities before adversaries can exploit them. The measures proposed in the legislation include penetration testing and other proactive cyber defense actions across federal agency networks.


Introduced by Rep. Eric Swalwell, a Democrat from California and a member of the House Select Committee on Intelligence, the House Judiciary Committee, and the House Homeland Security Committee, the new bill is titled the ‘Proactive Cyber Initiatives Act of 2022.’ It mandates penetration testing for moderate- to high-risk government systems, along with agency recommendations on the authorities and resources needed. It also requires agencies to report on proactive cyber methods such as deception technologies, continuous monitoring, and proportional actions taken in response to an unlawful breach.

Swalwell’s legislation also grants the National Cyber Director authority to clear up risk conflicts between agencies with overlapping cyber jurisdiction. Additionally, it requires experts to study and recommend mitigation of risks to strengthen cyber infrastructures. 

The bill has been referred to the Committee on Oversight and Reform and the Committee on Armed Services for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.

“Cybercrime is increasingly putting American families, businesses, and government agencies at serious risk. For too long, we have been addressing vulnerabilities only after a breach occurs,” Swalwell said in a media statement. “My bill shifts the focus to one that is more proactive and innovative to protect our most critical infrastructures.”

Penetration testing is not a new concept. It determines susceptibility to a real-world attack by attempting to infiltrate the target environment using current tactics, techniques, and procedures. Specific types of testing and assessments include network, web application, wireless, war dialing, and social engineering in the form of an email phishing campaign. The simulated attack identifies weak spots in a system’s defenses that real attackers could take advantage of.

The U.S. is hopelessly losing the cybersecurity battle against other nations. In 2018, FBI cybercrime agents estimated that every American should expect that criminals have already stolen their personal information and that it is on the dark web, Swalwell said. This is mainly because existing cybersecurity practices are defensive, usually patching vulnerabilities only after they are exploited.

According to Swalwell, more resources and new initiatives are needed to strengthen cyber posture. “This includes increasing federal government penetration testing to internally fix vulnerabilities, utilizing deception techniques to trap bad actors and study their behaviors, and engaging in continuous monitoring to test our systems against millions of distinct inputs,” he added.

Swalwell previously introduced the ‘Industrial Control Systems Cybersecurity Training Act’ to help strengthen the nation’s cybersecurity protections in light of increased Russian cyber threats. That bill seeks to amend the Homeland Security Act of 2002 to authorize the Cybersecurity and Infrastructure Security Agency (CISA) to establish an industrial control systems cybersecurity training initiative, and for other purposes. The bill has since been cleared.

Last week, an Atlantic Council report delivered recommendations that would enable the Task Force to strengthen American cybersecurity readiness in the energy sector. It called for a focus on government actions that support private-sector cybersecurity efforts. These include recognizing standards organizations that will develop clear guidelines for product and supply-chain security, and providing penetration testing assistance to certain critical infrastructure assets.
