At a glance.
- Proposed norms for cyberstability.
- TikTok's temporary reprieve.
- Austria requires Facebook to take down comments that defame a politician.
- US will allow shipment of 4G chips to Huawei.
- US Defense Department Cybersecurity Maturity Model Certification (CMMC) takes effect in two weeks.
GCSC's proposed norms for cyberstability.
At recent meetings of the Paris Peace Forum, the Global Commission on the Stability of Cyberspace (GCSC) released its final report on advancing cyberstability, which Computing characterizes as a proposal for a Geneva Convention for cyberspace. The report advances four principles:
- “Responsibility: Everyone is responsible for ensuring the stability of cyberspace.
- “Restraint: No state or non-state actor should take actions that impair the stability of cyberspace.
- “Requirement to Act: State or non-state actors should take reasonable and appropriate steps to ensure the stability of cyberspace.
- “Respect for Human Rights: Efforts to ensure the stability of cyberspace must respect human rights and the rule of law.”
On the basis of those principles, the Commission proposes eight norms of conduct for cyberspace. They generally advance confidence-building among nations, including potential adversaries, and they seek to implement versions of the norms of discrimination and proportionality that have traditionally shaped the laws of armed conflict. They would also assign responsibility for cyber hygiene and for control of non-state actors, consistent with traditional principles of sovereignty:
- “State and non-state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.
- “State and non-state actors must not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.
- “State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace.
- “State and non-state actors should not commandeer the general public’s ICT resources for use as botnets or for similar purposes.
- “States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure.
- “Developers and producers of products and services on which the stability of cyberspace depends should (1) prioritize security and stability, (2) take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and (3) take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity.
- “States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene.
- “Non-state actors should not engage in offensive cyber operations and state actors should prevent such activities and respond if they occur.”
The Register points out that a lot of bilateral work will be required before the eight norms the GCSC proposes approach reality.
TikTok granted fifteen-day reprieve.
The US Committee on Foreign Investment pushed back TikTok’s divestment deal deadline to November 27, according to the Wall Street Journal. The social media platform, which members of Congress fear could funnel US data to Beijing, has appealed the divestment order. The ongoing legal battle could shape international internet relations for years to come.
But Facebook didn’t find Vienna quite so gemütlich: global takedown order for insulting content stands.
Austria’s Supreme Court directed Facebook to take down insulting content about a Green Party member worldwide, TechCrunch says, concluding a case that’s stretched nearly half a decade. Last year the EU Court of Justice ruled that compelling social media platforms to find and eliminate content that has been found illegal did not violate EU regulations against forcing platforms to perform comprehensive moderation. On one side lies the argument that the judgment prevents duplication later and elsewhere of illegal content; on the other are free speech advocates' and Facebook’s concerns that defining duplication is a sticky matter, better suited for courts than companies. Revamped regional liability rules are also in the works, with lawmakers hoping to hold social media giants more accountable for the content they profit from.
And Huawei gets a (small?) 4G reprieve.
The Verge reports the US is allowing Qualcomm to peddle 4G chips to Huawei in an exception to the 2019 executive order embargoing business with Chinese firms that pose national security risks. Three months ago Huawei admitted it was running low on chips due to US sanctions, which also impacted international producers.
CMMC deadline approaches.
In two weeks, Cybersecurity Maturity Model Certification comes into force, Breaking Defense reports. Homeland Security Today quotes NIST fellow Ron Ross as saying, “We literally are hemorrhaging critical information [to our adversaries],” explaining that “CMMC is aimed at stopping the bleeding.” Those seeking Pentagon contracts going forward (some fifteen-hundred vendors in 2021) will need to demonstrate compliance with NIST and Department of Defense standards, not merely pay lip service to progress towards compliance. Assistant Secretary of Defense for Acquisition CISO Katie Arrington said, “We mean it.”