France commits €20 million to strengthen cybersecurity of hospitals, healthcare establishments
France’s minister for digital transition and telecommunications, Jean-Noël Barrot, and François Braun, minister of health, announced an additional €20 million investment in the French national cyber agency ANSSI to strengthen the cybersecurity of the nation’s hospitals and healthcare establishments. This was in the wake of a significant ransomware attack against the Centre Hospitalier Sud Francilien (CHSF) on August 24. It is believed that Lockbit was the ransomware type involved in the attack, with a ransom demand of $10 million reportedly made by the attacker. Braun described the cyberattack as inadmissible, with Barrot stating that hospital cybersecurity is a government priority. The funds should make it possible to “strengthen its support for health establishments,” Barrot added.
Scotland offers cyber resilience training to hundreds of organizations
The Scottish government announced a £500,000 contract to extend cyber resilience training to more than 250 organizations across the country. Run by the Scottish Business Resilience Centre (SBRC), the training included online and in-person workshops for public services and third-sector health, housing, and social care bodies to ensure they are better prepared for and protected against cyberthreats. The move came in the wake of increasing numbers of disruptive, large-scale cyberattacks in Scotland. “The workshops provide practical guidance to mitigate or respond to hostile cyberattacks,” stated Justice Secretary Keith Brown. “I would urge eligible organizations to take up this opportunity to ensure they are protected. The Scottish government is committed to ensuring Scotland leads the way in cyber resilience and security.”
Belgium’s Council of Ministers implements legal framework for European cybersecurity certificates
Belgium’s Council of Ministers (the supreme executive organ of the Belgium federal government) designated the Centre for Cybersecurity Belgium (CCB) as the National Cyber Security Certification Authority (NCCA) for recognizing and publishing EU cybersecurity certificates in the country. Within a new legal framework, it was announced that the CCB would provide guidance and support to Belgian companies in the EU cybersecurity certification process. The move implemented European Regulation 2019/881 on the certification of information and communication technologies in the field of cybersecurity – the so-called Cybersecurity Act. “These certificates are based on cybersecurity certification schemes with one or more assurance levels [basic, substantial, or high],” the CCB wrote. “The aim is to improve the transparency of the cybersecurity security of information and communication technology products, services, and processes. This will increase trust in and the competitiveness of the digital single market.”
NSW state government pours $1 million AUD into cybersecurity accelerator
The New South Wales (NSW) state government in Australia selected the nation’s only dedicated cybersecurity accelerator, CyRise, to operate its $1-million Cyber Security Accelerator program, based within Sydney’s Tech Central district. The program includes three-day boot camps, a 14-week accelerator program for startups, and a new scale up program for later stage scaling businesses, all run by CyRise. “This program will help companies sharpen their products, fine-tune business models and boost their connections with international investors,” Minister for Enterprise, Investment and Trade Alister Henskens stated. “It will support businesses to ‘go global’ faster and attract cutting-edge talent to NSW, which will grow the economy and help secure a brighter future for our state.” CyRise CEO Scott Handsaker added that the innovative program aims to make NSW a beacon to the cybersecurity industry globally.
Finland plans cybersecurity funding scheme for companies amid rising security threats
Finland announced plans to help companies fund improvements to their cybersecurity through a new voucher scheme. The plan comes in response to the war in Ukraine and Finland’s bid to join NATO. The vouchers would provide up to €15,000 to small and medium-sized companies and non-profits. Larger companies could be eligible for vouchers worth as much as €100,000, according to the Wall Street Journal.
Teppo Halonen, VP, EMEA at Vectra AI, tells CSO the scale of the Finnish government’s proposed voucher scheme is beyond anything seen within the global security community to date. “Considering cybersecurity in the Nordics has been historically underfunded, this new program is a great step towards improving Finnish cyber resiliency,” he said. “With more freedom to advance their cybersecurity tools and training, these vouchers put Finnish companies in a significantly better position to defend against increased security threats and avoid collateral damage from nation-state campaigns, as well as attacks from cybercriminal groups.”
US releases cybersecurity guidance for software supply chain
The US government’s CISA and the US National Security Agency (NSA) published guidance advising developers how to better secure the software supply chain, with a significant focus on open-source software. The guidance outlined advice in line with industry best practices and principles which software developers are strongly encouraged to reference. These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure (e.g., environments, source code review, testing).
Speaking to CSO, Dave Stapleton, CISO at CyberGRX, said that while the initiative is spearheaded by the US, it will have a positive impact across the globe as supply chains cross city, state, country, and continent lines. “I am encouraged by the federal government’s efforts to aid organizations in securing the software supply chain. One important point brought up by the federal government is that many remediation and mitigation approaches will depend heavily on upstream and downstream stakeholders, evoking the shared responsibility model.”
Singapore calls on cybersecurity industry for innovation
The Singapore’s CSA launched the Cybersecurity Industry Call for Innovation 2022 (CyberCall 2022), inviting cybersecurity companies to participate in developing innovative solutions to address specific cybersecurity challenges. Its aim is to strengthen organizations’ cyber resilience and provide opportunities for cybersecurity companies to catalyze cutting-edge solutions in Singapore for commercial adoption. Singapore’s CSA said that year’s CyberCall was looking for solutions in the following areas:
- Artificial intelligence for cybersecurity
- Cloud security
- Operational technology (OT)/Internet of Things (IoT) security
- Privacy-enhancing technologies
Cybersecurity companies’ proposals that are shortlisted will be invited to discuss their proposals in greater depth with the participating end-users for potential co-innovation, adoption, and test bedding, the CSA added.
Canada commits $675,000 to raise awareness of, preparedness for quantum threats
The Canadian government announced that it was investing $675,000 CAD in support of Quantum-Safe Canada’s project Laying the Foundations for a Quantum-Safe Canada, which raises awareness and preparedness of quantum security threats. This funding was made available under the Cyber Security Cooperation Program and aims to help strengthen Canada’s ability to prepare for and respond to quantum risks, coordinating research, technology, tools, and training, the government stated in a posting on is website. The project also seeks to ensure that those charged with protecting the systems that Canadians rely on have knowledge and skills they need in the era of quantum computers, it added. “This project will help better protect Canadians against cyberthreats, in particular the growing risk posed by quantum threats,” said Marco Mendicino, minister of public safety.
September
US launches incident, ransomware reporting rulemaking RFI
The US government’s CISA released a request for information (RFI) on upcoming reporting requirements that will mandate organizations report significant cybersecurity incidents within 72 hours and ransomware payments 24 hours after payments are made. The RFI follows the March passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires CISA to pursue a regulatory rulemaking path for collecting incident and ransomware payment data. CISA also announced it would be hosting 11 in-person listening sessions to inform further how it develops its rules, with one session in each of CISA’s ten regions and another in Washington, DC. “The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a game changer for the whole cybersecurity community and everyone invested in protecting our nation’s critical infrastructure. It will allow us to better understand the threats we are facing, to spot adversary campaigns earlier, and to take more coordinated action with our public and private sector partners in response,” said CISA Director Jen Easterly in a press release.
European Commission unveils draft rules for EU Cyber Resilience Act
The European Commission unveiled draft rules for the Cyber Resilience Act (CRA) to set common cybersecurity standards for connected devices and services across the EU. First announced by EU President Ursula von der Leyen 12 months earlier, the Act seeks to establish cybersecurity rules for digital products and associated services that are placed on the market. It will also hand the European Commission the power to hit companies that fail to comply with penalties up to €15 million, or 2.5% of the previous year’s global turnover, along with granting the EU the ability to recall and ban products that are not compliant. The draft rules will need to be agreed with EU countries and EU lawmakers before they can become law.
Bob Kolasky, senior VP for Exiger and former assistant director at CISA, tells CSO that, for the EU CRA to be effective, the new regulations must have a strong approach to attestation to ensure technology providers meet the requirement. “The requirements under the Act must be risk-based and harmonized as much as possible with approaches taken by other Western countries, particularly the United States. If the implementation of the Act becomes more of a compliance burden rather than a positive action to incentivizing more investment into security practices, measures and protocols, then it could do more harm than good. Industry must be involved in implementing the Act to ensure it’s a success in reality and not just on paper.”