More Signal. Less Noise.

V2 | Issue 187 | 9.25.20

US state and Federal data protection, privacy, and cyber responsibility rules. NIST's revised standards. Confidence-building

Summary

By the CyberWire staff

At a glance.

Proposed state data protection law: Indiana.
Evolution of California's Consumer Privacy Act.
DHS IG's recommendations to CBP.
Russia calls for cyberspace confidence-building measures.
NIST Special Publication 800-53, Revision 5, is out.
Comment on the IoT Cybersecurity Improvement Act of 2020.
Reconsidering Section 230.
Prosecution for computer destruction.

Proposed Indiana data privacy law.

Curtis Hill, the Attorney General of the US state of Indiana, has proposed a state rule to safeguard consumer data against cyberattacks, reports the Center Square. If passed, the safe harbor rule would be the first state-level regulation protecting consumers against data breaches by compelling companies to utilize appropriate protections. The hope is that the rule would not only protect Indiana residents from attacks but also “incentivize businesses that take steps to prevent them from happening in the first place,” Hill states.

Updates on the CCPA.

As the CyberWire noted earlier this week, the proposal of an amendment to the California Consumer Privacy Act of 2018 (CCPA) has privacy experts split. This debate is an example of how the constantly evolving state of data privacy law at the state level, with little guidance from the federal level, has businesses struggling to keep up with an ever-changing set of rules, reports the National Law Review. Without comprehensive national privacy regulations, individual states are left to make these decisions for themselves, with resolutions often driven by ballot initiatives funded by wealthy advocates who might or might not have information security expertise. Although there is a bipartisan consensus that federal law is needed, there is little agreement when it comes to the details.

Homeland Security IG recommends cybersecurity changes to Customs and Border Protection,

The Department of Homeland Security's Inspector General has finished its report on the 2019 data breach at Customs and Border Protection's (CBP) biometric pilot program. The IG made three recommendations, all of which CBP has accepted.

"Recommendation 1: We recommend CBP’s Assistant Commissioner for the Office of Information and Technology implement all mitigation and policy recommendations to resolve the 2019 data breach identified in CBP’s Security Threat Assessments, including implementing USB device restrictions and applying enhanced encryption methods."

"Recommendation 2: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations coordinate with the CBP Office of Information and Technology to ensure that all additional security controls are implemented on relevant devices at all existing Biometric Entry-Exit program pilot locations."

"Recommendation 3: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations establish a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection to ensure partners’ compliance with Department security and privacy standards."

Russia calls for confidence-building measures in cyberspace.

According to Reuters, Russian President Putin today said that the US and Russia should agree not to meddle in one another’s elections. He called for a comprehensive treaty that would amount to a non-aggression pact in cyberspace, or at least a confidence-building treaty similar to Cold War era agreements designed to reduce the possibility of accidents at sea and in international airspace.

President Putin said in part, “One of the main strategic challenges of our time is the risk of a large-scale confrontation in the digital sphere. We would like to once again appeal to the United States with a proposal to approve a comprehensive program of practical measures to reset our relations in the use of information and communication technologies (ICT).” The proposal is of a piece with continuing Russian aspirations to return to a bipolar world order in which it enjoyed parity of esteem and influence with the United States

NIST Special Publication 800-53, Revision 5, is out.

The long-anticipated Revision 5, to the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, is out. NIST summarizes the changes as follows:

"Consolidating the control catalog: Information security and privacy controls are now integrated into a seamless, consolidated control catalog for information systems and organizations.
'Integrating supply chain risk management: Rev. 5 establishes a new supply chain risk management (SCRM) control family and integrates SCRM aspects throughout the catalog.
"Adding new state-of-the-practice controls: These are based on the latest threat intelligence and cyber-attack data (e.g., controls to support cyber resiliency, secure systems design, security and privacy governance, and accountability).
"Making controls outcome-based: Rev. 5 accomplishes this by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement.
"Improving descriptions of content relationships: Rev. 5 clarifies the relationship between requirements and controls as well as the relationship between security and privacy controls.
"Separating the control selection processes from the controls: This allows the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners.
"Transferring control baselines and tailoring guidance to NIST SP 800-53B: This content has moved to the new (draft) Control Baselines for Information Systems and Organizations."

Jayant Shukla, CTO and Co-Founder of K2 Cyber Security, commented on the new standards document:

"In addition to privacy controls, the new NIST SP 800-53 includes two major updates that boost the importance of application security. The new framework includes requirements for both Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST). These important additions reflect an increased need for better application security in the light of growing data breaches and cyber attacks.

"Unlike perimeter security solutions such as WAFs, a RASP solution sits on the same server as the application,and provides continuous security for the application during runtime to protect vulnerabilities in the application from being exploited by attacks. By residing on the server, a RASP solution has complete visibility into the application, can analyze the application’s execution for better validation, and can understand the context of the application’s interactions. RASP solutions benefit by being close to the application in a way that network perimeter security solutions can not.

"With the update to require IAST, application security gets a new focus in development as part of the mainstream NIST framework and should help developers catch security flaws before an application is launched.

"While NIST frameworks are requirements for Federal governmental agencies and the organizations that work with them, these new requirements around RASP and IAST should encourage all organizations to take a fresh look at their application security and the tools they use in their own infrastructure."

Comment on the IoT Cybersecurity Improvement Act of 2020.

The US House's version of the IoT Cybersecurity Improvement Act of 2020 passed on September 14th. The bill would require that any Internet of Things (IoT) devices the US Government purchased to meet security requirements established by the US National Institute of Standards and Technology.

Ellen Boehm, senior director of IoT product management at Keyfactor, sent us comments on the probable effects of the bill, should it eventually become law:

“Any time there is an initiative around improving cybersecurity for IoT devices, independent of industry, it helps the collective market challenge the current state and think deeper about best practices around encryption and authentication for this growing population of connected things. We frequently hear about hackers who take advantage of weaknesses in IoT security, maliciously taking control of smart home devices for DDoS attacks or changing functionality of medical devices. The only way to improve our security posture is to design a robust security architecture around our entire IoT systems. Guidelines provided by NIST or other standards groups can really make an impact in how we design security into IoT devices from inception and provide a method to manage authentication and encryption around the IoT device data and functionality over time.”

Reconsidering Section 230.

As Politico reports, the US Senate Commerce Committee has invited the CEOs of Facebook, Google, and Twitter to testify at an October 1st hearing about amending the Communications Decency Act (the relevant portion of which is Section 230), but if the tech execs do not RSVP by Thursday night, the committee will vote on whether to issue official subpoenas. Section 230, established in 1996 to protect tech platforms from legal action over user content, has received criticism from both sides of the aisle, as Democrats feel these platforms need to be held accountable for spreading misinformation, and Republicans believe there is a bias against conservative-leaning content. Pressuring the heads of these Silicon Valley giants to speak at the hearing is viewed by some Democrats as a powerplay by the Republicans ahead of the November presidential elections.

Prosecution for destruction of a computer network.

A press release from the United States Department of Justice announces that Shannon Stafford of Maryland will serve jail time for hacking into and destroying data on his former employer’s computer network. As a member of the company’s IT support staff, Stafford was given access to sensitive company data, including employee login information, and had the ability to disable employees’ network access. After being fired, Stafford used his company-issued laptop and a fellow employee’s login to access the company network, delete storage files, and block the company from restoring the data. Shannon was sentenced to twelve months and one day in federal prison.

Selected Reading

Dutton pushes trusted 5G suppliers to stop espionage (Australian Financial Review) Peter Dutton has ramped up calls for countries to decouple their technology networks from suppliers that could be forced to facilitate espionage and foreign interference, such as Huawei.

Brits unleash crack squad to save telecom from Huawei, Ericsson and Nokia (Light Reading) UK authorities have named the elite troops whose mission (impossible?) will be to find and nurture alternatives to the big three.

UAE cyber head: Israeli intel. sharing helps deter hacking attempts (The Jerusalem Post) 1st public appearance of Israel, UAE cyber officials together

UAE, Israeli cyber chiefs discuss joining forces to combat common threats (Reuters) The United Arab Emirates and Israel share threats to their national online networks, the Israeli cyber-security chief said on Thursday in a rare public discussion of potential cooperation with his counterpart following the normalisation of relations.

Putin says Russia and U.S. should agree not to meddle in each other's elections (Reuters) President Vladimir Putin called on Friday for an agreement between Russia and the United States to guarantee not to engage in cyber-meddling in each other's elections.

Secret Service consults with Cyber Command, private sector in updated approach to financial crime (CyberScoop) In an unprecedented step, the Secret Service has brought in outside expertise to overhaul investigative practices as it enhances its work with the Treasury.

FBI Director: Feeding DOD’s Cyber Offense Operations Is Crucial to New Strategy (Nextgov.com) Senator says legislation is moving forward to thwart intellectual property theft from China and defend federal networks from cyberattacks.

Senate panel to vote next week on subpoenas for Google, Facebook and Twitter CEOs (POLITICO) Republicans want the CEOs to testify about a 1996 law that has protected tech platforms from lawsuits over content their users post.

WSJ News Exclusive | DOJ to Seek Congressional Curbs on Immunity for Internet Companies (Wall Street Journal) The Justice Department submitted a proposal to Congress on Wednesday to curb longstanding legal protections for internet companies such as Facebook, Google and Twitter.

Microsoft supports commission calling for re-establishment of U.S. cyber czar (Reuters) Microsoft Corp said on Thursday it supports the Cyberspace Solarium Commission, which recommends the re-establishment of a cybersecurity czar.

Critical steps for securing cyberspace (Microsoft on the Issues) Cyberattacks are increasing every day, and the Cyberspace Solarium Commission has made some specific recommendations critical to cybersecurity. As we approach National Cybersecurity Awareness Month, we strongly recommend that Congress act on them.

Indiana attorney general wants regulation in place to protect against cyberattacks (The Center Square) Indiana would become the first state to use government regulations to protect consumers from cyberattacks if a rule proposed by Attorney General Curtis Hill gets implemented.

The Uncertain “State” of US Data Protection Law: California Leads the Way (The National Law Review) When it comes to US data protection law, all eyes are on California. The California Consumer Privacy Act of 2018 (CCPA), which took effect this year, introduced a complicated data protection framework

Former Fed. CISO Schneider Looks Back on Gov’t Past, Ahead to Future of Info. Security (Meritalk) The former Federal Chief Information Security Officer Grant Schneider drew on his nearly 28 years of government experience to explain how government information is secured now and offered his thoughts on where information security might be headed in the future.

Brussels Report: Governments’ Concerns Rise About Pandemic Cyberattacks on Health Care (Wall Street Journal) A surge in cyberattacks on medical facilities during the pandemic has alarmed national governments. The potential consequences were highlighted last week with the death of a woman after she was turned away from a German hospital that had been struck by ransomware.

Judge says U.S. must defend or delay TikTok app store ban by Friday (Reuters) A U.S. judge said Thursday the Trump administration must either delay a ban on U.S. app stores offering TikTok for download or file legal papers defending the decision by Friday.

How A High Court Textualist Could Help Limit Anti-Hack Law (Law360) Appointing a textualist to the U.S. Supreme Court could boost efforts to curb the scope of a 1986 computer crime law and change the legal reasoning the high court uses in Fourth Amendment cases, although past rulings show that privacy law does not fit neatly within ideological lines.