The EU and Open-Source Community Introduce New Cybersecurity Measures [Weekly Cybersecurity Brief]

In the face of mounting concern over increased cyber threats, two initiatives were introduced last week that each aim to protect the varying entities and industries impacted by this trend. One comes from the EU where lawmakers came to an agreement on Friday that will strengthen rules for both private and public sectors. The other was launched by the Linux Foundation and Open-Source Security Foundation (OpenSSF) to address the rising cybersecurity issues challenging the open source and supply chain communities. Let us dive in.

After proposing additional rules to be added to the NIS Directive two years ago, EU countries and lawmakers have now approved the version known as the NIS 2 Directive. The expansion outlines requirements “on the cybersecurity of network and information systems,” as described by Reuters. In response to the growing targeting of infrastructure, the directive is dedicated to enhancing security practices for organizations within fields including energy, transport, banking, financial market infrastructure, health, vaccines and medical devices, drinking water, wastewater, digital infrastructure, and public administration. Other sectors, such as postal services, food manufacturing, online marketplaces, and social networking platforms, are also covered by the initiative.

Under the regulations, these organizations have been instructed to conduct cybersecurity risk assessments and notify authorities of any suspicious findings within a 24-hour window. They must also patch any vulnerabilities uncovered and implement risk management plans to avoid them in the future. If organizations fail to take these steps, they may be forced to pay fines. While some have raised concerns that this legislation could undercut end-to-end encryption (E2EE) protections, The Hacker News reported that the directive “stressed that ‘Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime.’” The directive also leaves out a number of sectors, such as defense, national security, law enforcement, and central banks.

As part of the NIS 2 Directive, EU countries and the EU cybersecurity agency, ENISA, have also been granted permission to review the risks associated with critical supply chains, which relates to another mission discussed at a recent convening of executives and other leaders. Held as a follow-up to the White House summit in January, which took place as the Log4j vulnerability’s widespread impact was being exposed, the meeting was hosted by the Linux Foundation and OpenSSF to announce the release of a 10-point plan designed to improve open source and supply chain security. According to Cybersecurity Dive’s coverage, around 90 industry figures attended and agreed to collectively contribute more than $150 million over the course of two years to fix and shield against the recurrence of such detrimental exploits. Among the companies taking part in the pledge are Amazon, Ericsson, Google, Intel, and Microsoft. Although the amount is significant, an OpenSSF representative noted that it is minor compared to what the costs could be if action in this field of security is not taken.

Key Takeaways:

“EU governments, lawmakers agree on tougher cybersecurity rules for key sectors” – Foo Yun Chee, Reuters

https://www.reuters.com/technology/eu-governments-lawmakers-agree-tougher-cybersecurity-rules-key-sectors-2022-05-13/

  • After proposing additional rules to be added to the NIS Directive two years ago, EU countries and lawmakers have now approved the version known as the NIS 2 Directive.
  • The expansion outlines requirements “on the cybersecurity of network and information systems,” as described by Reuters.
  • The directive is dedicated to enhancing security practices for organizations within fields including energy, transport, banking, financial market infrastructure, health, vaccines and medical devices, drinking water, wastewater, digital infrastructure, public administration, and more.

“Europe Agrees to Adopt New NIS2 Directive Aimed at Hardening Cybersecurity” – Ravie Lakshmanan, The Hacker News

https://thehackernews.com/2022/05/europe-agrees-to-adopt-new-nis2.html

  • Under the NIS 2 Directive, organizations have been instructed to conduct cybersecurity risk assessments and notify authorities of any suspicious findings within a 24-hour window.
  • They must also patch such vulnerabilities uncovered and implement risk management plans to avoid them in the future.
  • If organizations fail to take these steps, they may be forced to pay fines.

“Tech giants pledge multimillion down payment to secure open source” – David Jones, Cybersecurity Dive

https://www.cybersecuritydive.com/news/open-source-security-Washington/623731/

  • The Linux Foundation and OpenSSF held a convening to announce the release of a 10-point plan designed to improve open source and supply chain security.
  • Around ninety industry figures attended and agreed to collectively contribute more than $150 million over the course of two years to fix and shield against the recurrence of detrimental exploits like Log4j.
  • Among the companies taking part in the pledge are Amazon, Ericsson, Google, Intel, and Microsoft.