At a glance.
- Proposed state data protection law: Indiana.
- Evolution of California's Consumer Privacy Act.
- DHS IG's recommendations to CBP.
- Russia calls for cyberspace confidence-building measures.
- NIST Special Publication 800-53, Revision 5, is out.
- Comment on the IoT Cybersecurity Improvement Act of 2020.
- Reconsidering Section 230.
- Prosecution for computer destruction.
Proposed Indiana data privacy law.
Curtis Hill, the Attorney General of the US state of Indiana, has proposed a state rule to safeguard consumer data against cyberattacks, reports the Center Square. If passed, the safe harbor rule would be the first state-level regulation protecting consumers against data breaches by compelling companies to utilize appropriate protections. The hope is that the rule would not only protect Indiana residents from attacks but also “incentivize businesses that take steps to prevent them from happening in the first place,” Hill states.
Updates on the CCPA.
As the CyberWire noted earlier this week, the proposal of an amendment to the California Consumer Privacy Act of 2018 (CCPA) has privacy experts split. This debate is an example of how the constantly evolving state of data privacy law at the state level, with little guidance from the federal level, has businesses struggling to keep up with an ever-changing set of rules, reports the National Law Review. Without comprehensive national privacy regulations, individual states are left to make these decisions for themselves, with resolutions often driven by ballot initiatives funded by wealthy advocates who might or might not have information security expertise. Although there is a bipartisan consensus that federal law is needed, there is little agreement when it comes to the details.
Homeland Security IG recommends cybersecurity changes to Customs and Border Protection.
The Department of Homeland Security's Inspector General has finished its report on the 2019 data breach at Customs and Border Protection's (CBP) biometric pilot program. The IG made three recommendations, all of which CBP has accepted.
"Recommendation 1: We recommend CBP’s Assistant Commissioner for the Office of Information and Technology implement all mitigation and policy recommendations to resolve the 2019 data breach identified in CBP’s Security Threat Assessments, including implementing USB device restrictions and applying enhanced encryption methods."
"Recommendation 2: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations coordinate with the CBP Office of Information and Technology to ensure that all additional security controls are implemented on relevant devices at all existing Biometric Entry-Exit program pilot locations."
"Recommendation 3: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations establish a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection to ensure partners’ compliance with Department security and privacy standards."
Russia calls for confidence-building measures in cyberspace.
According to Reuters, Russian President Putin today said that the US and Russia should agree not to meddle in one another’s elections. He called for a comprehensive treaty that would amount to a non-aggression pact in cyberspace, or at least a confidence-building treaty similar to Cold War era agreements designed to reduce the possibility of accidents at sea and in international airspace.
President Putin said in part, “One of the main strategic challenges of our time is the risk of a large-scale confrontation in the digital sphere. We would like to once again appeal to the United States with a proposal to approve a comprehensive program of practical measures to reset our relations in the use of information and communication technologies (ICT).” The proposal is of a piece with continuing Russian aspirations to return to a bipolar world order in which it enjoyed parity of esteem and influence with the United States.
NIST Special Publication 800-53, Revision 5, is out.
The long-anticipated Revision 5 of the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, is out. NIST summarizes the changes as follows:
- "Consolidating the control catalog: Information security and privacy controls are now integrated into a seamless, consolidated control catalog for information systems and organizations.
- "Integrating supply chain risk management: Rev. 5 establishes a new supply chain risk management (SCRM) control family and integrates SCRM aspects throughout the catalog.
- "Adding new state-of-the-practice controls: These are based on the latest threat intelligence and cyber-attack data (e.g., controls to support cyber resiliency, secure systems design, security and privacy governance, and accountability).
- "Making controls outcome-based: Rev. 5 accomplishes this by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement.
- "Improving descriptions of content relationships: Rev. 5 clarifies the relationship between requirements and controls as well as the relationship between security and privacy controls.
- "Separating the control selection processes from the controls: This allows the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners.
- "Transferring control baselines and tailoring guidance to NIST SP 800-53B: This content has moved to the new (draft) Control Baselines for Information Systems and Organizations."
Jayant Shukla, CTO and Co-Founder of K2 Cyber Security, commented on the new standards document:
"In addition to privacy controls, the new NIST SP 800-53 includes two major updates that boost the importance of application security. The new framework includes requirements for both Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST). These important additions reflect an increased need for better application security in the light of growing data breaches and cyber attacks.
"Unlike perimeter security solutions such as WAFs, a RASP solution sits on the same server as the application, and provides continuous security for the application during runtime to protect vulnerabilities in the application from being exploited by attacks. By residing on the server, a RASP solution has complete visibility into the application, can analyze the application’s execution for better validation, and can understand the context of the application’s interactions. RASP solutions benefit by being close to the application in a way that network perimeter security solutions cannot.
"With the update to require IAST, application security gets a new focus in development as part of the mainstream NIST framework and should help developers catch security flaws before an application is launched.
"While NIST frameworks are requirements for Federal governmental agencies and the organizations that work with them, these new requirements around RASP and IAST should encourage all organizations to take a fresh look at their application security and the tools they use in their own infrastructure."
Comment on the IoT Cybersecurity Improvement Act of 2020.
The US House's version of the IoT Cybersecurity Improvement Act of 2020 passed on September 14th. The bill would require that any Internet of Things (IoT) devices the US Government purchases meet security requirements established by the US National Institute of Standards and Technology.
Ellen Boehm, senior director of IoT product management at Keyfactor, sent us comments on the probable effects of the bill, should it eventually become law:
“Any time there is an initiative around improving cybersecurity for IoT devices, independent of industry, it helps the collective market challenge the current state and think deeper about best practices around encryption and authentication for this growing population of connected things. We frequently hear about hackers who take advantage of weaknesses in IoT security, maliciously taking control of smart home devices for DDoS attacks or changing functionality of medical devices. The only way to improve our security posture is to design a robust security architecture around our entire IoT systems. Guidelines provided by NIST or other standards groups can really make an impact in how we design security into IoT devices from inception and provide a method to manage authentication and encryption around the IoT device data and functionality over time.”
Reconsidering Section 230.
As Politico reports, the US Senate Commerce Committee has invited the CEOs of Facebook, Google, and Twitter to testify at an October 1st hearing about amending the Communications Decency Act (the relevant portion of which is Section 230), but if the tech execs do not RSVP by Thursday night, the committee will vote on whether to issue official subpoenas. Section 230, established in 1996 to protect tech platforms from legal action over user content, has received criticism from both sides of the aisle, as Democrats feel these platforms need to be held accountable for spreading misinformation, and Republicans believe there is a bias against conservative-leaning content. Pressuring the heads of these Silicon Valley giants to speak at the hearing is viewed by some Democrats as a power play by the Republicans ahead of the November presidential elections.
Prosecution for destruction of a computer network.
A press release from the United States Department of Justice announces that Shannon Stafford of Maryland will serve jail time for hacking into and destroying data on his former employer’s computer network. As a member of the company’s IT support staff, Stafford was given access to sensitive company data, including employee login information, and had the ability to disable employees’ network access. After being fired, Stafford used his company-issued laptop and a fellow employee’s login to access the company network, delete storage files, and block the company from restoring the data. Stafford was sentenced to twelve months and one day in federal prison.