At a glance.
- EU Cyber Resilience Act one step closer to adoption.
- Reading, writing, and artificial intelligence.
- US Government advances two new cybersecurity workforce efforts.
EU Cyber Resilience Act one step closer to adoption.
At the close of November the European Union reached a provisional agreement on the Cyber Resilience Act (CRA), a set of regulations aimed at ensuring all tech products on the EU market are cybersecure. The European Commission describes the legislation as a global first, with the goal of increasing the “level of cybersecurity of digital products to the benefit of consumers and businesses across the EU, as it introduces proportionate mandatory cybersecurity requirements for all hardware and software.” Building on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, the CRA covers everything from baby monitors to computer routers, assigning different products with different security requirements based on levels of risk. As the European Commission explains, “Through these measures, the new Act will empower users to make better informed and more secure choices, as manufacturers will have to become more transparent and responsible about the security of their products.”
The requirements will cover the entire life cycle of each product, and in order to maintain compliance, manufacturers will be obligated to provide consumers with security updates even after purchase. As Productwise notes, the length of time these updates will be required after purchase has not yet been specified, though it has been indicated that it will likely be at least five years, depending on the expected period of use of the product. The CRA also includes cyberincident reporting rules, which were a source of debate during the negotiations. The Commission proposed that actively exploited vulnerabilities and incidents must be reported to the European Union Agency for Cybersecurity (ENISA) within twenty-four hours of detection, but the provisional agreement states that reports will primarily go to the national computer security incident response teams (CSIRTs) of EU member states, with ENISA having access to reported intel on a restricted basis.
The CRA must now be approved by the European Parliament and Council, with additional revisions anticipated before approval, and a final version is expected between the first and second quarters of next year. That said, the incident reporting rules would not apply until the end of 2025 at earliest, with the rest of the requirements going into effect in 2027.
George McGregor, VP, Approov Mobile Security, commented on what companies that do business in the EU should expect from the CRA:
“Despite a lot of pushback, particularly on the 24-hour breach reporting requirements, the EU Cyber Resiliency Act (CRA) is now on its way to being in force in 2024. Companies will have a 21-month grace period before they must conform with the reporting obligation of manufacturers for incidents and vulnerabilities.
“Any companies who operate in the EU would do well to make it a priority to study this legislation: it provides a cybersecurity framework and rules governing the planning, design, development, and maintenance of any products, with obligations to be met at every stage of the value chain. The breach reporting requirements are particularly demanding.
“This is another sign that pressure is being put on all companies and organizations around the world to invest in their cybersecurity resilience and response. The SEC is also active, proposing new guidelines with a four business day reporting rule.
“This trend will continue and it is inevitable that all companies will have to increase their focus and investment on cybersecurity governance, protection, and response."
David Ratner, CEO, cautions against the temptation organizations will feel to cede their decisions about resilience to the regulations. "The Cyber Resiliency Act is a great start and will certainly help to increase transparency and responsibility. However, organizations should not let attestations and compliance drive their overall operational resiliency and business continuity strategy. They still require solutions capable of giving them the visibility and observability required to move business forward with confidence in the face of a constant onslaught of new and innovative cyber attacks."
Reading, writing, and artificial intelligence.
Back in October US President Joe Biden issued an executive order on the safe use of artificial intelligence, and while much has already been said about its impact on companies and government, JDSupra offers a closer look at what the EO means for schools. Executive Order No. 14110 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence is actually the first federal directive to address the use of AI in education, and it applies to all learning institutions, whether private or public. The EO’s fact sheet explains that while AI has the “potential to transform education by creating resources to support educators deploying AI-enabled educational tools, such as personalized tutoring in schools," the order recognizes that precautions must be taken to protect users from the inherent risks of AI tech.
Biden calls on the Department of Education and other regulatory agencies to use their rulemaking authority to deter potential AI issues like fraud, discrimination, and threats to privacy. The order specifically directs the Secretary of Education to create a toolkit incorporating elements from the Department’s report “AI and the Future of Teaching and Learning.” This report emphasizes the need for humans to review any AI outputs for errors or signs of discrimination or bias, and to ensure that evaluative processes are never left solely to AI. It also recommends that a “shared vision” for education remain at the center of AI systems, and that educators stay informed about both best practices and the potential pitfalls of AI use. Schools are also encouraged to add an AI policy to their student and faculty handbooks that outlines appropriate and inappropriate uses of AI in completing schoolwork and designing curricula.
US Government advances two new cybersecurity workforce efforts.
Like many nations, the US is experiencing a shortage when it comes to its cybersecurity workforce. According to a government report released in October, there are only seventy-two workers for every one hundred cybersecurity jobs nationwide. Salary gaps and complicated hiring processes make it particularly difficult to attract cyber talent to the government, and two federal initiatives are being launched to address this issue.
A bipartisan pair of House legislators have introduced the Federal Cybersecurity Workforce Expansion Act, which is focused on supporting veterans and service members with an interest in taking on government cyber positions. Backed by Representatives Mike Gallagher, a Republican from Wisconsin, and Chrissy Houlahan, a Democrat from Pennsylvania, the bill would create an apprenticeship program at the Cybersecurity and Infrastructure Security Agency, as well as a training program under the Department of Veterans Affairs. There are also provisions calling for partnerships with private sector organizations to increase job opportunities, and collaboration with local, state, and tribal communities and governments to help connect job hopefuls with available cyber positions. In July Senators Maggie Hassan (Democrat, New Hampshire) and John Cornyn (Republican, Texas) introduced a companion measure, and while similar bills have been introduced in the past, none have yet passed Congress. As Nextgov.com explains, lawmakers hope the ever-increasing cyber threat will make this bid more successful. Gallagher stated, “There is a crippling shortage of cybersecurity workers that is leaving private companies and the federal government increasingly vulnerable to cyber threats. By creating programs that provide veterans with the skills they need to help protect this country in the cyber domain, this bill is an innovative way to bolster our nation’s cyber defenses and strengthen the federal cyber workforce while giving veterans an opportunity to continue serving their country.”
As part of the Federal Rotational Cyber Workforce Program, the Office of Personnel Management (OPM) has also established a new listing of cyber job opportunities to make it easier for federal cybersecurity employees to apply for details at other agencies. There are currently over fifty positions listed, representing sixty-five rotation opportunities across twelve agencies, with more being added regularly. The thinking behind the rotational program is that, by spending time at other agencies, federal cyber staffers can pick up new skills and best practices that they can then share with their home offices. Applicants must be given the go-ahead by their current agencies and hold the security clearance level required for the sought position, and the details last from six months to a year. Jason Barke, OPM's deputy associate director for strategic workforce planning, told Nextgov.com, “At the end of the day, if [participants] can go out and they can learn new skills and bring those back to their agency, and the host agency got somebody that brought some new techniques and new understandings...I think it's a win-win for both agencies and the employee.”