CISA Advises FCC Covered List For Risk Management

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to incorporate the Covered List created by the Federal Communications Commission (FCC) into their risk management plans.

This list includes many telecommunications equipment and service providers that the U.S. government has determined pose a potential national security risk, pursuant to the Secure and Reliable Communications Networks Act of 2019.

“Organizations bound by CISA directives must comply with the CISA directives and take necessary actions, but for private sector organizations, the CISA directives are merely recommendations,” said Mike Parkin, senior technical engineer at Vulcan Cyber, by email. “But from a cybersecurity perspective, it’s a historically sound recommendation and well worth following.”

Companies on the list include Huawei, ZTE, Dahua and China Unicom.

More information on the China Unicom ban can be found here: US Revokes China Unicom License

“In the case of Chinese telecom equipment, the concerns are largely due to general mistrust of the kit and concerns that the Chinese government has required manufacturers to include backdoors that can be used for their own purposes,” Parkin said.

At the same time, security experts added that some organizations may find compliance difficult because removing and replacing telecommunications equipment can be prohibitively expensive.

CISA has also asked all critical infrastructure organizations to enroll in a free vulnerability scanning service to identify vulnerable and high-risk devices such as those on the FCC’s Covered List.

“It helps that CISA provides a persistent vulnerability scanning service,” said Timothy Morris, Chief Security Advisor for Tanium.

“This provides targeted discovery and vulnerability scanning of devices with internet access. It is equally important to scan internal networks that are not accessible via the internet to get a complete picture of what devices are being used.”

In related news, CISA announced its Ransomware Vulnerability Warning Pilot (RVWP) program last month.
