Tumgik
#CIRCIA
nationallawreview · 4 months
Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses
A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Starting in 2024, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity Infrastructure and Security Agency (CISA) issuing a Notice of Proposed…
0 notes
goldenrdkin · 2 years
Little Otherkin Update
It's been a little while, so might as well push out an update.
I finally figured out one thing; I'm Hobgobbler-hearted! I see a lot of myself in them, but I don't really feel like one myself.
I'm also still considering if I'm conceptkin or not. I'm on and off with feeling connected or integral to my written world, Circias, so it might take a while to unravel this.
I've been slowly getting into quadrobics (slower than I want, stupid toe infections-). What little I can do, I'm still really happy with it! I can only walk right now, hopefully I can try trotting soon.
4 notes · View notes
mariacallous · 2 months
To protect America’s vital infrastructure from hackers without relying on a moribund Congress, the Biden administration bet big on creative uses of existing laws. But the Supreme Court probably blew up that approach.
President Joe Biden’s strategy relied on agencies interpreting the laws that give them regulatory powers to include cybersecurity, with the expectation that courts would defer to their interpretations of those laws under a decades-old legal doctrine known as Chevron deference.
But in a landmark case decided in late June, Loper Bright Enterprises v. Raimondo, the United States Supreme Court’s conservative supermajority eliminated Chevron deference and ordered courts to determine for themselves what ambiguous laws say—without assigning nearly as much weight to agencies’ interpretations.
Now, that controversial ruling could completely upend multiple agencies’ plans to require better cybersecurity from critical infrastructure entities like hospitals, water systems, and power plants. It could even help corporate America overturn existing rules aimed at keeping hackers off cloud platforms, securing pipelines and airports, and improving disclosures of major breaches.
“There’s the possibility of lawsuits to test the waters in a lot of regulations,” says Harley Geiger, counsel with the Center for Cybersecurity Policy and Law. “It definitely becomes much more difficult to regulate on critical infrastructure cybersecurity in areas where there is not sound or clear statutory backing.”
Landmark Cyber Program Under Threat
Biden’s marquee cyber regulation may also be his most endangered: a pending requirement for critical infrastructure organizations to report cyberattacks within 72 hours and ransomware payments within 24 hours.
The regulation, authorized by the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), is meant to close massive gaps in the government’s awareness of the cyberattacks plaguing US companies every day. But when the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released the proposed rule in April, the business community slammed it for going further than lawmakers intended. By the time the public comment period closed earlier this month, many companies and trade groups had urged CISA to pare back the rule—with some of them even citing the Loper Bright ruling.
The criticism mostly focused on three aspects of the rule that could represent its biggest vulnerabilities in a future lawsuit: the definition of a “covered entity” subject to the reporting requirements, the definition of a “covered incident” that needs to be disclosed, and the list of information that needs to be reported. Businesses say CISA used much broader language for these three provisions than Congress intended.
“They have gone well beyond the text,” says one cybersecurity-focused attorney, who requested anonymity because they represent clients in disputes with federal agencies. “There's a lot of vulnerable aspects to it.”
Senate Homeland Security Committee chair Gary Peters, whose panel led the drafting of CIRCIA, added to the regulation’s legal peril when he filed a public comment saying that “the proposed rule is overbroad and needs additional clarity,” including on the definitions of covered incidents and covered entities. Peters’ objections are significant, because courts analyzing unclear laws will likely lean heavily on congressional intent.
It’s unclear if CISA will back down in the face of these headwinds. A spokesperson says the agency is “still assessing” the Loper Bright ruling “and any potential impacts that this may have on the agency’s rulemaking actions.” The spokesperson says the final regulation will be “consistent with authorities given to us by Congress.”
CISA officials “seem quite committed to the scope that they're aiming for, because they really seem to view it as important to their mission,” says Stephen Lilley, a partner at the law firm Mayer Brown who focuses on cyber matters. Even so, he added, “CISA now has to be thinking, have we pushed too far in light of these recent decisions, and do we need to be a bit more modest in our ambitions?”
The consequences of a government retreat are hard to predict but potentially serious. Scaled-back CIRCIA requirements could exempt more companies from reporting or reduce the amount of information they have to report, easing the burden on those organizations but weakening the government’s understanding of digital threats.
Most experts predict only modest changes. “I would expect them to try to make as limited a reaction as their lawyers say they need to make,” Lilley says.
Still, it’s clear that the officials behind the government’s biggest-ever cyber regulation—due to be finalized by October 2025—are on notice.
“There's no way that CISA takes the next [14] months to develop this rule without considering the effect of Loper Bright and the loss of Chevron deference,” Geiger says.
Planes, Trains, and Cloud Services
While CISA’s incident reporting mandate has attracted the lion’s share of post–Loper Bright attention, the ruling threatens a host of other existing and pending cyber regulations.
The Department of Health and Human Services is working on a rule that would condition hospitals’ receipt of federal Medicare and Medicaid funding on their compliance with cyber requirements. The closely watched HHS rule represents the Biden administration’s attempt to stem a massive tide of ransomware attacks on hospitals and the rest of the health care sector. But the powerful hospital industry has objected to new mandates, saying they will overly burden already struggling facilities. Few details are known about the rule—including its exact legal basis—so it’s unclear whether HHS has been rewriting it to address Loper Bright.
Corporate America’s most-loathed cyber regulation is the Securities and Exchange Commission’s 2023 rule requiring publicly traded companies to announce cyber incidents with a “material” impact within four business days. That rule may be safe from new lawsuits, given the SEC’s clear legal authority to require the disclosure of information that materially affects stock prices. But Geiger says companies might instead challenge the SEC’s authority to penalize companies for hacks, since the underlying law and regulation don’t mention cybersecurity. (The SEC declined to comment for this story.)
Lawsuits could also hit the Transportation Security Administration over its cyber requirements for pipeline, rail, and aviation operators. The TSA significantly modified its emergency directives to address industry criticism, but as the agency codifies those directives in more formal rules, disgruntled companies could seize the chance to sue. “There’s not a history of that agency doing cyber, and there’s not a great statutory hook to point to,” says the cyber attorney, who cited “a lot of frustration” with the TSA’s “perpetual invocation of an ongoing but undescribed emergency” to justify the requirements. (The TSA declined to comment.)
The Commerce Department could hit a legal snag with its proposal to require cloud companies to verify their customers’ identities and report on their activities. The pending rule, part of an effort to clamp down on hackers’ misuse of cloud services, has drawn industry criticism for alleged overreach. A major tech trade group warned Commerce that its “proposed regulations risk exceeding the rulemaking authority granted by Congress.” (Commerce declined to comment.)
Lawsuits could also target other regulations—including data breach reporting requirements from the Federal Trade Commission, the Federal Communications Commission, and financial regulators—that rely on laws written long before policymakers were thinking about cybersecurity.
“A lot of the challenges where the agencies are going to be most nervous [are] when they’ve been interpreting something for 20 years or they newly have interpreted something that’s 30 years old,” says the cyber attorney.
The White House has already faced one major setback. Last October, the Environmental Protection Agency withdrew cyber requirements for water systems that industry groups and Republican-led states had challenged in court. Opponents said the EPA had exceeded its authority in interpreting a 1974 law to require states to add cybersecurity to their water-facility inspections, a strategy that a top White House cyber official had previously praised as “a creative approach.”
All Eyes on Congress
The government’s cyber regulation push is likely to run headlong into a judicial morass.
Federal judges could reach different conclusions about the same regulations, setting up appeals to regional circuit courts that have very different track records. “The judiciary itself is not a monolith,” says Geiger, of the Center for Cybersecurity Policy and Law. In addition, agencies understand cutting-edge tech issues much better than judges, who may struggle to parse the intricacies of cyber regulations.
There is only one real solution to this problem, according to experts: If Congress wants agencies to be able to mandate cyber improvements, it will have to pass new laws empowering them to do so.
“There is greater onus now on Congress to act decisively to help ensure protection of the critical services on which society relies,” Geiger says.
Clarity will be key, says Jamil Jaffer, the executive director of George Mason University’s National Security Institute and a former clerk to Supreme Court Justice Neil Gorsuch. “The more specific Congress gets, the more likely I think a court is to see it the same way an agency does.”
Congress rarely passes major legislation, especially with new regulatory powers, but cybersecurity has consistently been an exception.
“Congress moves very, very slowly, but it’s not completely passive [on] this front,” Lilley says. “There's a possibility that you will see meaningful cyber legislation in particular sectors if regulators are not able to move forward.”
One major question is whether this progress will continue if Republicans seize unified control of the government in November’s elections. Lilley is optimistic, pointing to the GOP platform’s invocation of securing critical infrastructure with heightened standards as “a national priority.”
“There's a sense across both sides of the aisle at this point that, certainly in some of the sectors, there has been some measure of market failure,” Lilley says, “and that some measure of government action will be appropriate.”
Regardless of who controls Capitol Hill next January, the Supreme Court just handed lawmakers a massive amount of responsibility in the fight against hackers.
“It's not going to be easy,” Geiger says, “but it's time for Congress to act.”
27 notes · View notes
I Think I Broke Something
Thanks @flashfictionfridayofficial for the prompt! I decided to do some TCIO for this one, and one of my favorite superhero genre tropes, hiding an injury with Nickelle because she's my little idiot that thinks she has to do everything on her own XD.
Wordcount: 867
Warnings: descriptions of bone fractures, mild medical stuff
The City is Ours, Draft 0, circa Book 2 or 3 - Character, Plot, and Dynamic Exploration, Nickelle's POV
As the fight slowed to a stop and goons were knocked out or tied up, Nickelle tugged the sleeve of her jacket over her arm. Her ice receded or started to melt as pain spiked in her arm. She desperately tried to hide how much her arm and a leg was shaking from the hit and fall she’d taken- given the crunching sound she’d heard, she assumed that she’d broken something.
She was fine, she could handle it, and the rest of the team and a bunch of civilians needed more urgent attention from Bryson anyways, she didn’t want to take up too much of that. She didn’t really need Bryson to look at her anyways, she could just be careful and wait for her injuries to heal on their own.
On the way back to the base (what they were calling their base anyway), Asher noticed her hand shaking and asked if she was ok.
Nickelle shrugged it off, giving him an icy glare to let him know to back off the subject, “I’m fine, ok? Just a little tired…”
When they got back to base and the others’ injuries had been treated, Bryson noticed Nickelle’s shaking hand. He said a little sternly with that team medic ‘don’t lie to me’ tone, “Nickelle…”
She huffed, attempting to subtly hide her arm behind her back, “I’m fine, Bryson. Just tired.”
Bryson studied her carefully, then said, “You better not be lying to me. You might be the team leader, but I’m the medic.”
Nickelle tried her best to appear fine, “I’m fine, Bryson. Go get some rest, that’s an order.”
Bryson reluctantly nodded, and Nickelle quickly disappeared into the half constructed base to find a way to wrap up her arm and leg. The pain shot through her lower leg and up her forearm, and it certainly felt like what Nickelle guessed a broken bone was, since she’d never actually experienced it.
She found a room no one was using, swiping some bandages from Bryson’s medical kit, and painstakingly peeled off the sleeve of her suit for her arm first. Her forearm was definitely swollen, and when she gently prodded the area with one arm the pain got worse. She looked up what minor bone fractures looked like on her phone, and the results did say there would be a lot of swelling.
So she had broken something.
Gritting her teeth and biting back a scream, Nickelle straightened out her arm as best she could, then started wrapping the bandages around her arm.
Once that was done, she torturously peeled off the next part of her suit for her leg. Then she repeated the process, gritting her teeth and biting back a yell of pain as she straightened her calf and carefully wrapped it in the bandages.
When finished, she gingerly pulled her suit back on over the injuries to hide them, tugging her jacket sleeve over her wrist to hopefully hide how much the injuries screamed in pain with each movement.
After a minute, she got used enough to the pain she could move around without wincing or biting back screams of pain.
The team gathered in what they’d deemed the ‘living room’ or ‘meeting room’ of the base, wolfing down the pizza that Asher had gotten from down the street. It was a good thing he’d gotten several boxes, because each of them were starving after that fight and ate at least four or five slices each.
Jason had already skipped out because he apparently thought he was above pizza and other ‘peasantry’ things, and went home to (in Chase’s words) ‘be pampered like a baby in his castle and eat rich people things’.
The rest of the team relaxed on the cots that were serving as temporary furniture for the ‘living room’ laughing and chatting as they ate the pizza.
Nickelle and Kylee reached for the next slices at the same time, and Kylee’s arm accidentally bumped Nickelle’s.
A cry of pain escaped Nickelle as she couldn’t stop herself from jerking her arm back, instinctively shielding it to her chest and hissing in pain.
The others’ heads snapped to her as she tried to pretend she was fine.
Bryson narrowed his eyes. “Nickelle…”
“I’m fine,” she insisted.
“Did you lie to your team medic?”
Nickelle shot him an icy glare that didn’t deter him. “I said I’m fine, it’s nothing-”
“You can’t hide injuries from me,” Bryson said sternly, “What if it’s serious?”
“It’s not!”
“I don’t buy it,” he said, getting up and walking over to where she was sitting, “Chase, get my kit please.”
Chase wolfed down their last few bites of pizza, and got up to go fetch the team medic’s kit. Nickelle tried to pull away, but the movement of her arm made her wince as Bryson sat down next to her, holding out his hand.
Asher said, “He treated all of us, Nickelle. Your turn.”
Nickelle huffed, and let Bryson take her arm and start examining it, carefully peeling back the sleeve of her supersuit. Bryson said, “So, you stole my bandages, huh? Must not be nothing.”
Nickelle avoided his scolding look as Chase returned with Bryson’s med kit.
TCIO Taglist: @friendlyneighborhood-writer @jessica-writes22 @rose-bookblood @yejidoesthings 
@space-writes @cljordan-imperium (send me a message to be +/- from the taglist <3)
General Taglist: @enchanted-lightning-aes @thatprolificauthor @wip-nook @writeblrsupport 
@outpost51 @dustylovelyrun @thelaughingstag @jacqueswriteblrlibrary (send me a message to be +/- from the taglist <3)
8 notes · View notes
playedbetter · 10 months
hc + ✂️ for a hair-themed headcanon / for hox !
Meme / Accepting!
When he was a kid he had no control over what hairstyle he had and absolutely hated the preppy cuts he was given.
As such after moving out he immediately started growing it out, eventually into his iconic short ponytail cut. Which he likes a lot and does take good care of.
Unfortunately prison cut his hair short again. Which was one of the smaller traumas that they put him through.
After getting out he grew it out again and is fiercely protective of his hair. Don't come at him with scissors unless you want him to beat the everliving shit out of you.
Also he absolutely did not give himself an undercut, nope, I refuse to acknowledge that. He has his ponytail circa 2023 and it is going nowhere.
2 notes · View notes
b2bcybersecurity · 2 months
NIS2, DORA and CIRCIA Force Transparency
800 postponed operations, closed town halls, video services down: all of these are direct consequences of the most recent ransomware attacks in just 2 weeks. Transparency is necessary. The ransomware pandemic is raging unchecked and policymakers are discussing stricter rules. In the UK, there is debate over whether companies should be forced to report attacks and ransom payments. The EU has already defined strict reporting obligations with NIS2 and DORA. The Synnovis case reveals how even critical infrastructure remains vulnerable and how complexly interwoven companies are today. This creates uncertain outage risks. Synnovis, as a pathology laboratory, is closely interlinked with several hospitals through its services such as blood tests. The ransomware attack on the laboratory forced the hospitals to postpone a total of around 800 operations. Mark Dollar, CEO of Synnovis, a UK healthcare provider hacked on June 4, said: “Attacks of this kind can happen to anyone at any time and, worryingly, the people behind them have no scruples about who their actions might affect.”
Ransomware attack forces operations to be postponed
The newspapers reported further attacks against municipal institutions such as Traverse City, Michigan, and Newburgh, New York, in the USA; the video service provider Niconico is also offline. These are four examples of successful attacks within 2 weeks; the number of unreported cases is probably many times higher. And this is where politicians in Great Britain want to start, forcing companies to be more transparent. Initial ideas under discussion include whether all victims should be obliged to report incidents to the government. Victims would also have to obtain a licence before making extortion payments. Also to be proposed is a complete ban on ransom payments for organizations involved in critical national infrastructure.
The ban is intended to remove hackers’ incentive to disrupt these critical services by preventing them from monetizing attacks. In the USA, the Biden administration already clearly stipulated in March 2022, with its “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)”, that operators of critical infrastructure must report a cyber incident within 72 hours. Ransomware payments even have to be communicated 24 hours after the payment.
Global standards for transparency
The regulations and laws with which governments want to shed more light on cyber threats and risks are increasingly oriented toward strict deadlines for mandatory reporting. 72 hours is the global standard that now appears to be establishing itself. With the Digital Operational Resilience Act (DORA), which focuses on the financial industry, and the NIS-2 Directive, 72 hours is likewise the measure of all things. With both sets of rules, the EU wants to push companies in Europe toward greater operational cyber resilience. The mandatory reporting obligations for data breaches are demanding and set clear requirements:
- Within 24 hours, the organization must issue an early warning if there is a suspicion that a serious incident was caused by unlawful or malicious acts or could have cross-border effects.
- Within 72 hours of becoming aware of a serious incident, the early warning must be updated with an initial assessment, including its severity and impact. The organization should also share with the national CERT all indicators of compromise related to the attack.
- At the request of a national CERT or a supervisory authority, the organization must provide interim status updates.
- Within one month of submitting the incident report, the organization must submit a final report.
Creating more transparency
The risk that successful cyberattacks pose to the well-being and lives of citizens will continue to drive policymakers to enact new rules and regulations with the aim of strengthening the level of security and cyber resilience. So there will probably be more to come. Companies should respond accordingly and create more internal transparency and control over their data and services. The following steps are fundamental.
- Understand data precisely: Companies must know exactly what data they hold and what value it has. Only then can they report to the authorities which data was corrupted in a successful attack. In this area, AI solutions such as Cohesity Gaia can help massively and defuse one of the most complex problems by automatically classifying companies’ data. Business owners can, for example, ask direct questions about specific data and automatically receive a corresponding answer from Gaia with a list of all affected documents.
- Regulate access: Those who have correctly categorized and classified their data can automatically enforce rules and rights that govern access to it. Data management platforms such as Cohesity’s handle this automatically and reduce the risk of human error. A company can enforce that certain data may never be passed on to external storage locations or AI modules.
- Survive attacks: For a company to be able to produce the reports for the authorities at all, it must remain able to act. With ransomware or a wiper attack, however, in the worst case nothing works any more. The IT teams of the CIOs and CISOs will not even be able to respond to this attack, because all security tools are offline and evidence in logs and on the systems is encrypted. Companies should therefore by all means implement clean-room concepts, where an emergency set of tools and system and production data is kept in order to establish emergency operation of the overall IT. It contains all essential tools for the security teams so that they can begin the essential incident response process. This process is essential for generating correct and meaningful reports for NIS-2, DORA and GDPR violations.
0 notes
distilinfo · 3 months
Healthcare Sector Advocates for Streamlined Cyber Reporting
The healthcare industry is raising significant concerns about the Cybersecurity and Infrastructure Security Agency’s (CISA) proposed cyber incident reporting rule, part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The rule mandates detailed and rapid reporting of cyber incidents, targeting hospitals, medical manufacturers, and IT entities within the sector. Healthcare groups, including the American Hospital Association (AHA) and College of Healthcare Information Management Executives (CHIME), argue the rule is burdensome and redundant, overlapping with existing regulations like HIPAA and HITECH. They also highlight issues with the 72-hour reporting timeline, data preservation requirements, and security risks associated with reporting sensitive information. The industry suggests harmonizing the rule with existing regulations, simplifying reporting requirements, and ensuring data security. For more insights, visit DistilInfo HealthPlan.
Read more: https://distilinfo.com/healthplan/cignas-express-scripts-tricare-care/
0 notes
lowkey-tunes · 4 months
Cryptic Fog - October Ghost
Cryptic Fog said;
"This song is about alcoholism."
The drunken crowd roared with approval.
Cryptic Fog said;
"No, not that kind."
And we all listened.
-Backyard Barbecue circa roughly 2008ish?
1 note · View note
ciolookleaders · 4 months
Dell Portal Breach Exposes Customer Data Cybersecurity Concerns Rise
Dell, the renowned IT giant, has confirmed a significant customer data breach from one of its portals. Although the exact number of affected individuals remains undisclosed, the thief behind the cyber intrusion claims to have acquired a staggering 49 million records. These compromised records, now available for sale on the dark web, contain personal information such as names, addresses, and details regarding Dell equipment purchases. Notably, Dell reassures customers that sensitive data like payment information has not been compromised. However, the Dell portal breach underscores concerns about cybersecurity vulnerabilities within the company’s infrastructure.
According to a spokesperson from Dell, the breach was identified recently, prompting immediate action from the company. While the breach primarily involved customer information such as names, physical addresses, and details of Dell hardware and orders, Dell’s spokesperson emphasized that highly sensitive data like financial information and contact details were not included in the stolen records. Despite these assurances, the breach raises questions about the security measures implemented by Dell to safeguard its customers’ data.
Response and Investigation
Following the discovery of the breach, Dell initiated a thorough investigation into the incident. Immediate steps were taken to contain the damage, including notifying law enforcement agencies and enlisting the expertise of a third-party forensic firm. Despite these efforts, concerns persist regarding the extent of the breach and the potential ramifications for affected customers. Dell asserts its commitment to monitoring the situation closely and implementing proactive measures to protect customer information.
In an email communication to customers, Dell sought to downplay the severity of the breach while acknowledging the incident involving the compromised Dell Portal. The company emphasized its dedication to safeguarding the privacy and confidentiality of customer data. Additionally, Dell warned customers to remain vigilant against potential scams or fraudulent activities leveraging the stolen information. This proactive approach aims to mitigate any further harm to customers and restore trust in Dell’s security measures.
Regulatory Implications and Future Measures
The Dell portal breach comes amid increasing regulatory scrutiny over data protection and cybersecurity practices. Recent regulatory developments, such as the expansion of data loss reporting requirements by the US Federal Communications Commission (FCC) and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), underscore the importance of prompt and transparent reporting of data intrusions. Dell’s breach highlights the urgent need for organizations to bolster their cybersecurity defenses and adhere to regulatory guidelines to prevent similar incidents in the future.
Notably, this is not the first instance of a cybersecurity breach at Dell, with a previous incident occurring in 2018. The recurrence of such breaches underscores the evolving nature of cyber threats and the persistent challenges faced by organizations in safeguarding sensitive data. As cybercriminals continue to target businesses across various sectors, organizations must prioritize cybersecurity measures to mitigate risks and protect customer information effectively. The aftermath of the Dell portal breach serves as a stark reminder of the ongoing battle against cyber threats and the critical importance of robust cybersecurity practices in today’s digital landscape.
0 notes
ericvanderburg · 5 months
CIRCIA Is a Turning Point in CISA’s Cyber Watchdog Role
http://i.securitythinkingcap.com/T6NRT8
0 notes
A generation has missed out on the sexual prowess of Dregen circa late 90s early 00s
Worra hunk
0 notes
nationallawreview · 2 years
Cyber Incident Reporting for Critical Infrastructure Act
On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input,…
0 notes
goldenrdkin · 2 years
Homesick for a new source?
Not sure what else to title this, but yeah. Fictionkin things. Expect to read a really long ramble post.
Okay, so for context, I made a universe with OCs, heavily inspired by a hyper-realistic dream I had (this was about 6-7 years ago). I named this universe Circias, and it was essentially an ethereal world separate from Earth where certain special souls would go after death.
It's been a long time since I have worked on Circias and its characters. When I decided to come back to it, I suddenly felt... homesick. It certainly wasn't nostalgia, since I know exactly what my nostalgia feels like.
Now that I'm thinking about it, ever since I had that initial dream that inspired Circias, I always felt a little weird thinking about it. It just feels like I belong there. I don't know what as, but the thought of Circias feels like... home, you know?
The only thing I can think of as a reason would be that Circias was meant to feel homey and welcoming. I just find it strange that I was hit with homesickness when I never really felt that before, even with my other sources.
I suppose, if this passes and doesn't return, it could've just been something like a cameo shift. And yet, I kinda don't want it to be that. I really do feel torn away from home, and having it be just a cameo shift feels... wrong? Almost like a tease to get me worked up.
Idk, not sure how to feel about this. If this really is a cameo shift, then I guess, so be it? I almost hope it isn't, though. I miss that dream. I just want to go back, even once.
hackernewsrobot · 6 months
CISA publishes 447 page draft of cyber incident reporting rule
https://therecord.media/cisa-publishes-circia-rule-cyber-incident-reporting
y2fear · 7 months
Sophos Guidance on CIRCIA – Sophos News
msclaritea · 9 months
A quiet cybersecurity revolution is touching every corner of the economy as U.S., allies ‘pull all the levers’ to face new threats | Fortune
On Dec. 15, the Securities and Exchange Commission’s (SEC’s) expanded cybersecurity rules came into effect, requiring public companies to disclose incidents within four business days. That means headline-grabbing breaches–such as the one that affected all Okta customer support system users or the 23andMe hack that included the information of nearly 7 million customers–will have even greater consequences than whatever data was compromised. And the SEC rules are only the tip of the iceberg of changes to regulatory compliance.
With little fanfare and largely unnoticed by the press, institutional investors, or anyone else, the federal government is quietly directing a seismic shift in the economy by mandating stringent cybersecurity compliance across all 16 critical infrastructure sectors.
These sectors include well-known and highly regulated markets such as the defense industrial base, financial services, and energy–regulated by the Department of Defense (DoD), SEC, and Department of Energy (DoE), respectively. However, often overlooked are the subsectors beneath those 16 sectors, which essentially combine to comprise nearly every company and component of our economy, making nearly every business in scope for the emerging cybersecurity compliance regulations flowing down across the federal government at an increasingly rapid pace. The commercial facilities sector, for instance, consists of eight subsectors, including real estate, retail, sports leagues, and entertainment venues. There is no place to hide from cybersecurity regulation and mandatory minimum cybersecurity requirements.
A boon for the industry
While some argue government overreach, it’s clear why these regulations are coming fast and furious. Russia poses a tremendous cyber threat–it even breached the DoE–and intelligence officials have warned of potential threats from China.
This heightened cybersecurity revolution began last year with the White House’s executive order and unfolds as a movement that transcends borders. A dozen nations have aligned with the U.S. cybersecurity efforts, reflecting a collective endeavor toward a fortified global digital economy.
We’re heading toward a burgeoning market for cybersecurity compliance, with the ripple effects resonating through legal corridors as fraudulent cybersecurity claims come under the judicial scanner. Proper security controls will no longer be a choice, but a legal and economic imperative, marking a new epoch of digital resilience and a reinforced economic structure.
This is already required for DoD contractors through the Defense Federal Acquisition Regulation Supplement (DFARS), and soon the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. Within a few years, it’s likely government contractors outside of defense efforts will also be required to meet mandatory minimum cybersecurity requirements as a condition of being awarded any federal contract.
The executive order calls for mandatory baseline standards for all federal contractors to replace the patchwork of inconsistent and unenforced agency-specific policies that exist today. Individual departments and agencies are not waiting for that day to come and are furiously issuing their own regulatory requirements.
We’ve already seen the Transportation Security Administration (TSA) issue new requirements for airport and aircraft operators, the Department of Homeland Security (DHS) act to protect controlled unclassified information (CUI), the Environmental Protection Agency (EPA) aim to safeguard the water sector, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
Pulling all the levers
The government is pulling every regulatory lever available to quietly define and enforce mandatory cybersecurity minimums on the entire economy in the same way it mandates seatbelts, airbags, and other safety features in automobiles.
This addressable market expansion doesn’t stop at the border: Canada recently adopted CMMC for its defense industrial base, and Japan will also require government contractors to meet U.S. cybersecurity rules.
The pressure to meet mandatory cybersecurity minimums isn’t just about winning federal contracts. The Department of Justice is actively looking for fraud by using the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. Cases have begun piling up as whistleblower employees come forward to collect large rewards.
Last October, Pennsylvania State University was sued by a former chief information officer (CIO) for allegedly failing to safeguard CUI and falsifying security compliance reports. The case is ongoing, but there’s already precedent. Last July, Aerojet Rocketdyne agreed to pay $9 million to resolve a similar case. More than $2.2 billion was paid out in settlements and judgments in False Claims Act cases last year–and over $1.7 billion was related to the healthcare industry.
To further cement the government’s resolve to put teeth to these regulations, it has begun suing individual companies and employees for defrauding investors by misleading them about cyber vulnerabilities as it did SolarWinds and its former vice president of security, Tim Brown.
Every sector of the economy is under a transformative directive to fortify its digital defenses. Security posture has evolved from a superlative to a crucial factor that affects the bottom line. This isn’t just a policy change–it’s a paradigm shift, making cybersecurity compliance a legal imperative because its implications are more far-reaching than ever before.