Salt Typhoon should still be in the news. US telecoms are likely still compromised and I still can't get a bank that'll do TOTP, they wanna SMS code me for every login. No VOIP allowed, either.
Their work with CISA didn't prevent the attack which took place, and didn't prepare them to handle it, and they had to do the mad scramble of fixing it, and Biden's CISA wouldn't have made any difference either.
CISA is like the TSA for the internet. Security Theater, now streaming to a screen near you.
CISA has been nothing more than a bureaucratic checklist tool, not a legitimate defensive organization capable of implementing meaningful deterrents. At its best, it provides a reasonable shared framework for bare minimum efforts by local IT teams. At worst, it's the usual big organization ass-covering mechanism that allows responsible parties to dodge accountability by waving around the checklists and saying "look! we did everything we were supposed to, but despite our best efforts, those evil Iranian hackers defaced our unsecured, sloppily put together web servers anyway."
We need less bureaucracy and more accountability, and for that we need legislation that brings consequences to bear. Minimum IT staffing and spending, an actual regulatory enforcement agency and not a corporate style cover your ass department.
Otherwise, the status quo will continue.
Narrator: Nothing ever happens.
* accountability for/from bureaucracies not staffed with loyalists.