It has been a bad 12 days for CrowdStrike. The trouble is, a bad 12 days for CrowdStrike is a bad 12 days for everybody. Whether you were trying to board an airplane or use public transport, bank online, access emergency services, or even just watch TV, people everywhere had their work and lives upended by what was likely the largest IT outage in history.

There has been a fair amount of post-mortem analysis of how we got to here. The prevailing take is that there was a logic flaw in Falcon sensor version 7.11 and above, resulting in its crash. The postmortem is essential — but looking at the past doesn’t mean jack if we’re not carrying those lessons into the future.

This has to be a wake-up call. Bugs, errors, and omissions like this turn into weapons faster than you can imagine. We just helped our adversaries learn a little bit more about how to take down our electric grid. One lousy engineer should not be able to sow chaos at this scale.

Two key things need to happen next:

1️⃣ ENFORCEMENT
Cyber Command needs to step up and take a more muscular approach. It’s not just about monitoring for cybersecurity; they need to ensure it. This is not a regulatory imperative -- it’s a national security imperative. After the 2008 collapse, Treasury was deputized to conduct stress tests on banks. I think it’s time that Cyber Command and related federal agencies be granted the oversight and authority to conduct cyber stress tests for companies like CrowdStrike.

2️⃣ CONSEQUENCES
When bank executives don’t pass Treasury’s stress tests, they get fined. When CrowdStrike deletes hundreds of billions of dollars of market value, we shrug our shoulders. This is a case of what economists call “moral hazard.” It’s a dangerous precedent if the entire world can be interrupted and a company’s only concern is that they’ll be dragged in front of some angry senators and have their hand slapped. There need to be real consequences that incentivize everybody to do better.

It could’ve been worse. It could’ve been nefarious. Collectively we need to take steps to ensure it doesn't happen again.
Effects on Government Cybersecurity
Summary
The effects on government cybersecurity refer to the way digital threats, data breaches, and system vulnerabilities impact the stability, trust, and operations of public agencies and critical infrastructure. Recent incidents around the world highlight how cyberattacks can disrupt essential services, compromise sensitive information, and create national security risks.
- Strengthen accountability: Governments should introduce clear consequences and oversight for cybersecurity failures to ensure agencies and vendors prioritize protection of critical systems.
- Promote security culture: Regular training and awareness programs for all staff members help prevent human errors and reinforce the importance of cybersecurity protocols.
- Implement proactive checks: Continuous system monitoring and periodic cyber stress tests help identify vulnerabilities before they can be exploited by attackers.
-
India’s public transportation network is among the largest globally, moving over 25 million passengers daily through Indian Railways, 70 million via buses, and millions more through metros, airlines, and water transport. The rapid adoption of digital technologies in transport—smart ticketing, digital payments, real-time GPS tracking, and AI-driven fleet management—has enhanced efficiency and accessibility. However, this shift has also expanded the attack surface for cybercriminals, posing serious threats to safety, national security, and economic stability.

With cyberattacks on critical infrastructure rising worldwide, India needs to proactively secure its transportation sector. A breach in railway control systems, airport networks, or traffic management could cause mass disruptions, financial losses, and compromised national security.

Case Study: Cyber Attack on Indian Railways’ Ticketing System

In 2022, a breach in Indian Railways exposed sensitive passenger data of over 30 million users. Hackers infiltrated the IRCTC database, extracting personal details and payment information, highlighting the need for advanced encryption and authentication.

Cyberattacks on public transport have a domino effect:

- Disruptions in Supply Chains: Freight transport breaches can delay essential goods, affecting healthcare, agriculture, and manufacturing.
- Financial Losses: A breach in Delhi Metro or Mumbai suburban rail network could result in losses exceeding $100 million due to ticketing fraud, data theft, and service disruptions.
- National Security Risks: Transportation is crucial for military and emergency services. A cyberattack on railway control systems could have catastrophic consequences during geopolitical tensions.

India’s Steps Towards Strengthening Cybersecurity in Transport

India has initiated several measures to enhance cybersecurity.

- National Cyber Security Policy 2020: Strengthens defense mechanisms for critical infrastructure, including transport.
- Cyber Swachhta Kendra: Monitors and neutralizes cyber threats in public infrastructure.
- CERT-In Guidelines for Transport Cybersecurity: Directives for metros, airlines, and logistics providers to enhance cybersecurity frameworks.
- Global Cybersecurity Collaborations: Indian Railways and major metro corporations partner with international agencies to secure digital systems.

The future of smart mobility—electric buses, bullet trains, and AI-driven metro systems—depends on robust cybersecurity frameworks. Government initiatives like Digital India and Make in India need to integrate cybersecurity-first approaches in transport planning to prevent disruptions. With India leading G20 discussions on cybersecurity and the digital economy, now is the time to take leap steps into implementing forward-thinking solutions, which will safeguard the nation’s transportation network from evolving cyber threats.

#publictransportation #cybersecurity #commuting #passengers
-
The recent inadvertent exposure of classified U.S. military plans by top defense and intelligence leaders serves as a stark reminder that even the most capable cybersecurity tools and well-defined policies can be rendered meaningless if ignored or misused. In this case, senior leaders relied on the Signal messaging app to communicate sensitive data but unintentionally exposed critical information to unauthorized parties. The leaked details—time-sensitive plans for a military operation—could have not only placed personnel in greater danger but also undermined the mission by alerting adversaries to an imminent attack.

While #Signal is a widely respected, consumer-grade, end-to-end encrypted communication tool, it does not provide the same level of security as classified government systems. National security organizations typically utilize Sensitive Compartmented Information Facilities (SCIFs) to safeguard classified data from leaks and eavesdropping. However, SCIFs and other highly-secure methods are not as convenient as less secure alternatives—such as personal smartphones.

In this instance, Signal's encryption was not the issue; rather, the exposure occurred when an unauthorized individual was mistakenly added to the chat. This human error resulted in sensitive information being disclosed to a reporter.

Lessons Learned: This incident highlights critical cybersecurity challenges that extend beyond the military and apply to organizations everywhere:

1. Human behavior can undermine even the most robust security technologies.
2. Convenience often conflicts with secure communication practices.
3. Untrained personnel—or those who disregard security protocols—pose a persistent risk.
4. Even with clear policies and secure tools, some individuals will attempt to bypass compliance.
5. When senior leaders ignore security policies, they set a dangerous precedent for the entire organization.

Best Practices for Organizations: To mitigate these risks, organizations should adopt the following best practices:

1. Educate leaders on security risks, policies, and consequences, empowering them to lead by example.
2. Ensure policies align with the organization’s evolving risk tolerance.
3. Reduce compliance friction by making secure behaviors as convenient as possible.
4. Recognize that even the strongest tools can be compromised by user mistakes.
5. Anticipate that adversaries will exploit behavioral, process, and technical vulnerabilities—never underestimate their persistence to exploit an opportunity.

#Cybersecurity is only as strong as the people who enforce and follow it. Ignoring best practices or prioritizing convenience over security will inevitably lead to information exposures. Organizations must instill a culture of cybersecurity vigilance, starting at the top, to ensure sensitive information remains protected.

#Datasecurity #SCIF #infosec
-
The recent news about DBKL systems allegedly being hacked with a ransom demand of RM236 million is deeply alarming. As someone who’s been in the IT and business development space, this incident is a wake-up call for all government agencies, GLCs, and even private corporations in Malaysia.

Cybersecurity is no longer just an IT department's responsibility. It is an organisation-wide priority. This kind of attack doesn’t just risk sensitive data. It shakes public trust, disrupts services, and drains financial resources that could have been used for development.

So how do we prevent this?

❗️1. Basic Cyber Hygiene Must Be Enforced
Strong passwords, multi-factor authentication (MFA), timely system updates, and regular patching are not optional anymore. Many breaches happen simply due to outdated software or poor access control.

❗️2. Educate Everyone
From top management to front liners, everyone needs cybersecurity awareness training. Social engineering, phishing, and impersonation attacks are getting smarter. A single unaware staff can become the weakest link.

❗️3. Conduct Regular Penetration Tests and Audits
We need to stop treating cybersecurity audits as a compliance checklist. Continuous monitoring, external penetration tests, and simulated phishing campaigns must be conducted regularly.

❗️4. Invest in Threat Detection and Response
By the time hackers ask for ransom, it is already too late. Organisations need to implement real-time threat detection, SIEM systems, and endpoint detection and response (EDR) tools to spot and neutralise threats early.

❗️5. Backup. Backup. Backup.
Critical systems and data must be backed up securely and regularly, both online and offline. In the event of an attack, recovery should be possible without paying a ransom.

❗️6. Appoint a CISO and Form an Incident Response Team (Male for corporate smartness, Female for detailed work)
Leadership matters. Cyber resilience must be driven from the top. An empowered Chief Information Security Officer (CISO) and a dedicated Cybersecurity Incident Response Team (CSIRT) should be standard in every major organisation.

This DBKL case is not just about one agency. It is a national issue. We must stop being reactive and start building cybersecurity into the DNA of how we operate.

#CyberSecurity #Malaysia #DBKL #DigitalResilience #ITGovernance #CyberAwareness #PublicSector #Infosec #Ransomware #CISO #PenTest #IncidentResponse #MFA #MalaysianGovTech #BusinessContinuity #CyberSecurityMalaysia
-
India’s Draft Telecom Cybersecurity Rules, 2025: A Strategic Legal Analysis 🇮🇳

As someone deeply engaged in the convergence of technology and law, I find this a pivotal moment for India’s cyber and telecom regulation. My #legaltech on the key takeaways:

1. Introduction of TIUEs (Telecom Identifier User Entities): This is a paradigm shift. Entities like fintechs, health-tech apps, and OTT platforms—who use telecom identifiers but aren’t licensees—are now explicitly regulated. The net of responsibility is rightly widening.
Legal Impact: TIUEs will now be accountable for data security, telecom identifier usage, and adherence to platform-based validation mechanisms. This brings clarity—and also new compliance burdens.

2. MNV Platform (Mobile Number Validation): The Central Government proposes to establish a centralised MNV platform to validate mobile numbers via licensee or authorised databases. This is akin to a KYC backbone for digital telecom identity.
Legal Impact: While this helps prevent fraud and identity misuse, it raises DPDPA-aligned questions around data minimisation, purpose limitation, and third-party data access. All TIUEs must now factor telecom-centric validation into their onboarding and service delivery.

3. Enforcement Power Without Prior Notice: Under certain public interest clauses, the government can direct suspension of telecom identifiers without prior notice to TIUEs or licensees.
Legal Impact: This strengthens national security posture, especially during cyber threats or fake SIM frauds. However, it must be constitutionally tested for due process, judicial review, and non-arbitrariness.

4. IMEI Compliance for Device Manufacturers & Second-hand Sellers: Manufacturers are now obliged to assist in cases of IMEI tampering, and maintain databases of restricted IMEIs. Even resale markets must check IMEIs against this central registry.
Legal Impact: This finally closes the loop in India’s battle against cloned and blacklisted mobile devices—a big win for national cyber hygiene.

5. Charging Model Introduced: A fee structure has been proposed—ranging from zero for government entities to ₹3 per request for private TIUEs.
Legal Impact: India is monetising verification while balancing it with access. This could lead to debates on affordability vs. security for start-ups and small players.

As a cyberlaw practitioner, I foresee intense jurisprudence evolving around:

• DPDPA and Telecom Rule harmonisation
• Fair usage of emergency powers
• Role of judicial oversight over identifier suspension
• Applicability of these rules to global platforms operating in India

Let’s all analyse these Draft Rules further.

#CyberLaw #Telecom #DPDPA #IndiaDigital #CyberSecurity #AI #PrashantMali #DigitalIndia #RegTech #MNV #IMEI #TelecomAct2023 #NCPCR #DPDPAct #LegalTech #SupremeCourt #publicpolicy #policy #UN
-
On Friday, the Supreme Court decided Loper v. Raimondo, essentially killing "Chevron Deference." See https://lnkd.in/e2kryVVb.

Chevron was the law for 40 years and was cited in more than 18,000 federal decisions. In short, Chevron said that when courts determine whether the regulations crafted by agencies are consistent with ambiguous federal legislation, they should generally defer to agencies' interpretation. In other words, the courts let agency experts fill in the legislative gaps using their subject matter expertise.

In Loper, the Supreme Court reversed course, overruling Chevron. For the first time in at least 40 years, the Supreme Court held that the Administrative Procedure Act requires courts to exercise their independent judgment in deciding whether an agency has acted within its statutory authority, and courts may not defer to an agency interpretation simply because a statute is ambiguous.

Given that the majority of federal cyber rules come from regulations (e.g., the new SEC cyber rules), rather than from legislation itself, the death of Chevron could have significant impacts on cyber:

1. INCREASED UNCERTAINTY: Organizations may expend significant resources to comply with federal cyber regulations, only to find such regulations invalidated or significantly modified by courts.

2. LESS UNIFORMITY: Increased uncertainty about federal regulations may lead to increased cyber and privacy regulations at the state level, making compliance more confusing and costly.

3. COMPLEX & INFLEXIBLE FEDERAL LEGISLATION: If agencies cannot effectively regulate around ambiguity in federal legislation, it may lead to federal legislation being more narrow, inflexible, and less helpful. Alternatively, legislatures may try to make laws more comprehensive, which could lead to laws becoming more complicated and harder to enact. While Congress might be able to solve some of these problems by specifically granting agencies the right to interpret ambiguity in each future bill, it may be hard to reach bipartisan consensus on this resolution.

4. LONGER LITIGATION: Organizations may: (a) attempt to relitigate some of the 18,000+ cases decided under Chevron; (b) challenge existing regulations that they thought could not be successfully challenged under Chevron; and/or (c) be more likely to challenge each future regulation. With the potential for thousands of new cases flooding the courts, all litigation, including breach litigation, may be delayed in the morass.

5. UNHELPFUL INTERPRETATIONS: The Courts generally have less cyber expertise than the experts at CISA, DHS, and other agencies, which may lead to interpretations that make us less secure.

6. CEDING REGULATORY POWER TO THE EU: These new challenges likely faced by Congress and the courts may further exacerbate the lead the European Union (EU) seems to have over the U.S. when it comes to implementing comprehensive technology regulations.

OR . . . it might have minimal impact. Stay tuned!
-
Apple’s ‘Dangerous’ iPhone Update Could Weaken Encryption Worldwide

A secret UK government order is reportedly forcing Apple to weaken its encryption, marking one of the most serious cybersecurity threats in years. The so-called “technical capability notice” (TCN) demands that Apple introduce a backdoor into fully encrypted iCloud accounts, a move that could undermine global data security.

Key Concerns About the UK’s Encryption Mandate

• Apple Cannot Disclose the Notice: Under the UK’s Investigatory Powers Act, Apple is barred from telling users that their encryption has been weakened or even confirming the order’s existence.
• Security Backdoor Risks: Any backdoor for intelligence agencies also creates vulnerabilities for hackers, making personal and corporate data less secure.
• Global Impact: If Apple complies, it sets a precedent that other governments could follow, leading to worldwide erosion of encryption protections.

Why This Matters

• No Real Oversight: Apple can appeal the order, but must comply before any ruling is made, meaning security changes could take effect before legal challenges are heard.
• Potential for Mass Surveillance: Security advocates warn this move endangers journalists, activists, and ordinary users, making private data accessible to governments and bad actors alike.
• Apple’s Past Encryption Stance: The company has previously refused similar requests from the FBI and other governments, insisting that backdoors compromise security for all users.

What’s Next?

• Apple’s Response Remains Unclear: The company has yet to officially confirm if or how it will comply with the UK’s demand.
• Potential Legal Challenges: Privacy organizations and tech companies may contest the legality of forced decryption, possibly bringing international legal action.
• Global Ramifications: If Apple weakens encryption in the UK, other countries—including the U.S., EU, and China—could demand similar access, permanently jeopardizing data privacy worldwide.

This secret UK mandate represents a major threat to personal cybersecurity, potentially forcing Apple to compromise user privacy globally. If implemented, there may be no turning back from widespread surveillance and weakened encryption protections.
-
NIST CSRC quietly posted a banner across its website: “Due to a lapse in federal funding, this website is not being updated”. A similar banner appeared on the CISA website. I can't help but see this as yet another crack in the foundation of global cyber collaboration.

Recent budget changes amplify this. Congress approved a $135 million cut to CISA's budget. Buyouts, early retirements and layoffs drove roughly 1,000 employees out of CISA, leaving its workforce around 2,200; divisions that defend federal networks lost hundreds of specialists. Even the MITRE contract for the CVE program nearly lapsed earlier this year.

NIST, which underpins global cybersecurity, faces similar headwinds. The WH budget would cut $325 million from NIST’s $1.2 billion budget and eliminate 556 positions, reducing funding for cyber research. Apparently the division already lost more than 20% of its federal staff and a number of leaders. Before this shutdown.

NIST’s frameworks, cryptographic standards and post‑quantum algorithms are adopted worldwide, and CISA’s advisories are used by governments and companies everywhere. When funding lapses halt updates, the world loses a trusted source of guidance.

If this trend continues, the knock‑on effects could include:

· (Further) fragmentation of standards: governments and private consortia may develop competing frameworks. Global companies will be forced to comply with multiple, potentially conflicting, local standards.
· Increased digital sovereignty: regions will increasingly insist on local cryptographic modules and cyber policies rather than relying on U.S.‑based standards.
· Slower certification and vulnerability disclosure: backlogs in FIPS 140 and the National Vulnerability Database delay products and patching, creating windows of opportunity for adversaries.

It saddens me deeply to see the decline of what was once the backbone of global cybersecurity cooperation. NIST and CISA weren’t just defending the U.S.; they defended the shared cyber commons.

Yet in this moment, my only pragmatic advice is that regions must cultivate their own resilience. EU (and others) should build their own vulnerability databases, cryptographic validation infrastructures, secure information sharing frameworks, and interoperability standards. Start local. Then federate.

Fragmentation is painful. It weakens trust. It duplicates effort. It slows progress. But redundancy is necessary, if the U.S. can no longer reliably play its previous role.

Some of my colleagues argue that “the U.S. shouldn’t be funding cyber for others.” But the truth is: the U.S. profited immensely from being the world’s cyber facilitator, standards setter, and clearinghouse. As this global role erodes, the U.S. will suffer too. The loss of this leadership doesn’t just weaken "others". It weakens all.

#NIST #CISA #Cyber #Cybersecurity
-
The lead U.S. agency for protecting the electric grid, water supply and other critical services from hacking has furloughed most of its already trimmed-down staff in the government shutdown, just as a decade-old law giving companies leeway to collaborate on cyberdefense expired.

The twin impacts leave employees at the Cybersecurity and Infrastructure Security Agency and outside professionals unsettled as they try to fend off a surge in sophisticated hacks from China as well as continued ransomware threats.

CISA is set to keep 889 employees, or 35 percent of the workforce it had in May, according to a planning document released by its parent department, the Department of Homeland Security. More will be available for emergencies, DHS said.

“CISA remains fully committed to safeguarding the nation’s critical infrastructure,” agency spokeswoman Marci McCarthy wrote in an emailed statement. “While a government shutdown can disrupt federal operations, CISA will sustain essential functions and provide timely guidance to minimize disruptions.”

The shutdown comes at a precarious time, however, and not only because China-backed hacking groups have been emboldened to target more entities, in some cases without the prior approval of the Beijing government. By unhappy coincidence, the main law that shields companies from antitrust and other liabilities for sharing what they see about cyberattacks with other companies and the government expired Tuesday at midnight.

Both parties and the White House enthusiastically supported renewing that information-sharing law, known as CISA 2015. The continuing resolution that passed the House and would have kept the government open included a reauthorization. But it was collateral damage in the spending standoff that led to it failing to pass the Senate. As a result, some corporate legal departments are urging companies to pull back from industry security information clearinghouses until further notice.

“The lapse of CISA 2015 could effectively turn the lights out on U.S. cyber intelligence from companies that have been, or are being, attacked,” Hugh Thompson, executive chairman of the RSA security conference, said in an email Tuesday. “This breakdown of ‘collective defense’ would weaken domestic cybersecurity but could also have a global impact given that the U.S. shares cyberthreat intelligence with other nations.”

In another coincidence, Wednesday marked the beginning of Cybersecurity Awareness Month, when public and private entities strive to educate more people about online risks and how to mitigate them.

https://wapo.st/46Nk53R
-
Kristi Noem’s decision to streamline CISA is a bold move, but one that also requires a clear-eyed assessment of both risks and opportunities. By narrowing its focus to critical infrastructure, the aim is efficiency—but at what cost? Election security and local cybersecurity funding may be caught in the crossfire, leaving state and local agencies in uncharted waters.

🔹 Election Security: If CISA steps back, local agencies will need to step up. The reality? We need election officials trained in cybersecurity fundamentals—not just compliance checkboxes.

🔹 Cybersecurity Grants: The potential reduction of CISA funding initiatives, such as the State and Local Cybersecurity Grant Program, puts local agencies at a crossroads. Those who rely on federal dollars may need to rethink their strategies. Partnering with the private sector and adopting shared security models will be key to survival, should the grants go away.

🔹 Impact on Local Agencies: Budget cuts at the federal level don’t erase the agency threats—they amplify them. Agencies struggle to attract and retain talent and will need to rely on developing internal expertise, leveraging regional partnerships, and lobbying for dedicated state funding.

Regardless of where all this lands, state and local governments should no longer wait for federal lifelines; they need to integrate security into their own budgets, seek alternative funding, and drive a culture of cybersecurity awareness from the ground up. Cyber threats aren’t slowing down, and neither should we.

Read more at: https://lnkd.in/eAju7hBk