SEC and CISA reports on cyberattacks

Hello and welcome to Protocol Enterprise! Today: The SEC and CISA impose new rules for reporting cyberattacks, Micron’s revenue warning is a bad sign for the chip industry, and VMware releases its latest incident report.

The Easterly effect

Two federal agencies are simultaneously pursuing new rules for reporting major cyberattacks, but the difference in their approaches couldn’t be more stark.

An SEC proposal that would cover public companies has come under heavy criticism from the industry. The separate rules CISA is implementing for critical infrastructure operators seem to be on a less divisive path.

  • CISA is focused on “not overburdening the private sector” when it comes to incident reporting, agency director Jen Easterly said during a panel at the RSA conference in June.
  • Easterly has received praise from many in the cybersecurity community for her engagement efforts.
  • Cybersecurity officials said the launch of the Joint Cyber Defense Collaborative, for example, has been instrumental in improving relations between the public and private sectors.
  • Easterly has also done an “incredible” job of expanding information sharing between government and the private sector, said William MacMillan, senior vice president of Salesforce and former CIA CISO.

While CISA’s regulatory work has just begun, the SEC has been receiving comments on its proposal for months.

  • While the opposition is not unanimous, “I have seen a lot of calls for [the SEC’s] whole proposal to just be burned down and never discussed again,” said Harley Geiger, senior director of public policy at Rapid7.
  • By requiring public disclosure of major cyber incidents within four business days, the SEC’s proposed rules would force companies to “make very important decisions with very little information,” Juniper Networks CISO Drew Simonis told me.
  • Ultimately, the SEC’s proposed regulations “will likely help attackers more than investors,” the Internet Security Alliance asserted in its comments.

It is not yet clear what the fate of the two regulatory proposals will be.

  • And even with public-private partnership in cybersecurity seemingly at an all-time high in the United States, CISA “will have to take a hard line” as the agency transitions from being just a partner of the private sector to being its regulator, said Ben Miller, vice president of services at Dragos.
  • This agency will still have to address industry concerns, and “the only way to get there is with an extended rule-making period where both sides sit down and talk,” said Marc Rogers, executive director of cybersecurity at Okta. The proposed rules are not due until March 2024, with final regulations expected in September 2025.
  • Yet while the government has said for years that it wants to work more closely with industry around security, “CISA seems to be able to bring that spirit of collaboration to life in a way that other agencies haven’t quite accomplished,” Simonis said.

Read the full report here.

—Kyle Alspach (E-mail | Twitter)


Shortage of microchips could harm national security: The global shortage of semiconductors has hampered production of everything from pickup trucks to PlayStations. But there are more serious implications than a shortage of consumer goods. If the United States does not ensure continued domestic access to advanced semiconductor manufacturing, experts say our national security could suffer.

Learn more about Micron

Chip boom shows signs of weakening

Until this week, the server chip sector was doing quite well. Booming, in fact. But back-to-back revenue warnings from graphics processor designer Nvidia and memory producer Micron suggest things aren’t as rosy as everyone thought.

On Tuesday, Micron warned Wall Street that it was likely to generate significantly less revenue than executives had expected in late June due to a weaker market in most of its businesses, including memory for the cloud. At an investor conference, CFO Mark Murphy delivered his own unflattering assessment that cloud customers are watching the economy and, worried, withdrawing their orders.

“We are also seeing isolated supply chain disruptions affecting the cloud, but these are mostly macroeconomic and market conditions, inventory adjustment,” Murphy said, according to a Sentieo transcript. The weakness extended across Micron’s business, which includes chips in smartphones, PCs and memory for vehicles and industrial uses.

Micron-made memory has long been the most prone to the ups and downs that have defined the chip industry for decades, and that doesn’t bode well for the industry at large.

Nvidia’s warning on Monday is another strong data point that follows what Micron said. Sales of its graphics chips for video games are expected to fall by about a third. Nvidia noted that its data center chip sales fell short of expectations, but blamed supply chain disruptions.

“The significant charges incurred during the quarter reflect previous long-term purchase commitments we made during a period of severe component shortages and our current expectations of continued macroeconomic uncertainty,” said Nvidia chief financial officer Colette Kress in a statement.

— Max A. Cherney (E-mail | Twitter)

Zero days waste more days

Disclosure of a previously unknown zero-day vulnerability is never a fun time for cybersecurity and IT teams. Unfortunately, attackers’ use of zero-days is only getting worse, warn a growing number of security researchers. This week, VMware released a new survey of incident response professionals, which found that 62% had experienced a zero-day in the past 12 months, a huge jump from 51% a year ago.

The report follows other similar findings, such as reports from CrowdStrike and Unit 42 (part of Palo Alto Networks) that show attackers are moving faster and faster to exploit new vulnerabilities once they are disclosed. Tom Hegel, senior threat researcher at SentinelOne, recently told me that hackers working for the Chinese government are particularly good at this. They are now looking for zero-day vulnerabilities “the second they appear online,” he said.

The bottom line, as the Unit 42 researchers point out in their report, is that “patch time is getting shorter and shorter.” While organizations may have been used to having more time for patches in the past, they “must now accelerate patch management and orchestration to try to close these known gaps as soon as possible.”

—Kyle Alspach (E-mail | Twitter)

Around the company

President Joe Biden signed the CHIPS Act into law at a White House ceremony attended by a number of semiconductor industry executives.

Cloudflare disclosed that it appears to have been hit by the same phishing attack as Twilio, although the web security provider says it thwarted the attack.

Avaya has “substantial doubt” about its ability to continue operating, after the cloud communications provider took on $600 million in debt and cut profits by more than 60%.


Shortage of microchips could harm national security: To ensure America’s security, prosperity, and technological leadership, industry leaders say the United States must encourage domestic chip manufacturing to reduce our reliance on chipmakers in East Asia for critical electronic components.

Learn more about Micron

Thanks for reading – see you tomorrow!