In the wake of the Salt Typhoon hacks, US government agencies have reversed course on encryption, urging the use of end-to-end encryption after decades of advocating against it. This is a major turnaround from their previous demands for law enforcement backdoors.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is proposing security measures to prevent adversary states from accessing Americans' personal data and government-related information. The measures are aimed at entities handling sensitive data exposed to 'countries of concern.'
Category | Requirements |
---|---|
Asset Inventory | Maintain and update monthly with IP addresses and hardware MAC addresses. |
Vulnerability Remediation | Remediate known exploited vulnerabilities within 14 days, critical vulnerabilities within 15 days, high-severity flaws within 30 days. |
Network Topology | Maintain an accurate network topology for incident identification and response. |
Authentication | Enforce MFA on all critical systems, require 16+ character passwords, revoke access immediately upon employment termination or role change. |
Unauthorized Hardware | Prevent unauthorized hardware (e.g., USB devices) from being connected to covered systems. |
Logging | Collect logs on access and security-related events (IDS/IPS, firewall, data loss prevention, VPN, login events). |
Data Management | Reduce or mask data to prevent unauthorized access or linkability, apply encryption to protect covered data during restricted transactions. |
Encryption Key Storage | Do not store encryption keys along with covered data or in countries of concern. |
Data Protection Techniques | Apply techniques such as homomorphic encryption or differential privacy to prevent reconstruction of sensitive data from processed data. |