Selected Government Security Information Issue 2 2017: UK and US attach importance to IoT security, vulnerability disclosure and security talent training

Abstract: US Senators proposed the "Internet of Things Cybersecurity Improvement Act"; the British government launched the "Cyber Schools Programme", investing 20 million pounds to cultivate cybersecurity talent; the US Department of Justice issued a framework to guide companies in establishing a "vulnerability disclosure program"; and a voting machine used in the US election and offered for sale on eBay contained the personal information of 650,000 voters.







【Global Policy Trends】





U.S. Senators proposed the "Internet of Things Cybersecurity Improvement Act" to raise the security bar for government equipment procurement.



Summary: Recently, several US Senators proposed the "Internet of Things Cybersecurity Improvement Act", seeking to legislate security standards for Internet of Things (hereinafter IoT) devices procured by the federal government. The bill requires IoT manufacturers to ensure that devices sold to the government can be patched, do not use fixed (hard-coded) passwords, and are free of known security vulnerabilities; it also requires departments that use IoT devices to inventory them and establish security requirements.



Comments: The Senators expressed the hope that the government, through its procurement, would "lead by example" to raise the security standards of the entire industry, remedy a "market failure", and encourage healthy competition in the security industry. A few days ago, China's Ministry of Industry and Information Technology also stated that this year it will focus on new businesses such as the Internet of Vehicles, the Internet of Things, and network security in the field of industrial integration, encourage enterprise innovation, and select pilot demonstration enterprises in this field. Suffice it to say that attention to IoT security requirements is a global trend. The domestic IoT industry is developing rapidly, and the number of end users has now reached 181 million. However, most IoT manufacturers focus on electronics manufacturing and lack network security awareness and capabilities. Therefore, at this early stage of development, a series of regulations and systems for IoT security monitoring, early warning, threat sharing, and rapid response needs to be built in parallel, so that IoT and its security develop together.





The British government launched the "Cyber Schools Programme", investing 20 million pounds to cultivate cybersecurity talent.



Summary: The programme is aimed at young people aged 14-18 and aims to train at least 5,700 young talents for the cybersecurity industry by 2021, with 1,000 students receiving £4,000 scholarships. The four-year programme is open to students from a range of educational and professional backgrounds. Teaching combines offline and online methods and covers programming, cryptography, digital forensics, and defence against web attacks. Students control the pace of the online courses themselves, at approximately four hours of class time per week.



Comments: The essence of security is the offensive and defensive confrontation between people. No matter how powerful a security system is, it needs professional management and monitoring. With the recent frequent occurrence of global network security incidents, the importance of security talent has become increasingly prominent. At present, China's security talent gap is as high as 700,000, and demand is increasing every year. The "National Cyberspace Security Strategy" and the "Cybersecurity Law" both set out requirements for the training of network talent, and the Ministry of Education has added cyberspace security as a first-level discipline. On this basis, it is necessary to further strengthen the construction of disciplines and specialties, and to secure investment in funds, teachers, and teaching equipment. Universities, scientific research institutions and security industry enterprises should jointly educate people to form a healthy ecosystem of talent training, technological innovation, and industrial development.





The U.S. Department of Justice issued a framework to guide companies in establishing a "vulnerability disclosure program."



Summary: Many US companies and institutions use "bug bounty programs" to find vulnerabilities in their own networks and applications. The Justice Department has released a detailed framework to help companies design vulnerability disclosure programs and reduce the likelihood of violating relevant laws and regulations. The framework outlines what a company should pay attention to when designing, managing, and implementing a program, such as specifying the form in which vulnerabilities are reported, the contact point for receiving vulnerability reports, and how to deal with accidental and intentional violations of the vulnerability policy.



Comments: The U.S. "vulnerability disclosure program" framework is also a useful reference for China. Necessary national security standards and norms need to be set for vulnerability discovery and disclosure, so as to foster a public testing mechanism with security norms and management. On the one hand, this gathers national network security experts to uncover potential vulnerability risks for the majority of governments, enterprises and institutions; on the other hand, it effectively manages the behavior of white hats, so that vulnerability discovery and disclosure can be managed in a coordinated manner, forming China's own soft power.





【Related security incidents】



US election voting machines for sale on eBay contain the personal information of 650,000 voters.



Summary: At the DefCon conference, a security researcher presented an ExpressPoll-5000 voting machine that had been auctioned off by the government after the US election. Voter data had allegedly not been deleted before the government auction, so the machine contained the personal information (name, birthday, home address, phone number, party affiliation, absentee voting status, etc.) of 650,000 voters in Tennessee. At present, a large number of similar voting machines that have not been audited are being auctioned on eBay, with the lowest price only a few hundred dollars.

Comments: One of the reasons for the use of "clunky" voting machines in US elections is to reduce the risk of mass hacking. However, some state governments lack proper management and basic security awareness of voting machines, which has brought serious hidden dangers to the security of voters' personal information. The public can still search for and buy these voting machines on eBay even after the news reports about them became public. For equipment containing personal information or sensitive data, especially government equipment, it is necessary to apply corresponding security standards across the whole life cycle, such as ensuring that relevant records are destroyed before disposal, or avoiding storing information in plain text in the first place to reduce the risk of data leakage.





Looking forward to hearing your feedback. The financial, government, and game security information collection will meet you every week through the Yunqi community column, Alibaba Cloud Security WeChat and Weibo. If you are an Alibaba Cloud user, you are also welcome to check this week's industry news through email and the DingTalk official account.












This article is original content of the Yunqi community and may not be reproduced without permission. If you need to reprint it, please send an email to [email protected]; if you find any content in this community suspected of plagiarism, please send an email to yqgroup@service.aliyun.com to report it and provide relevant evidence. Once verified, the community will immediately delete the allegedly infringing content.


Origin http://43.154.161.224:23101/article/api/json?id=326177171&siteId=291194637