International norms in cyberspace. Sanctions updates. CMMC implementation approaches.

Summary

By the CyberWire staff

At a glance.

Proposed norms for cyberstability.
TikTok's temporary reprieve.
Austria requires Facebook to take down comments that defame a politician.
US will allow shipment of 4G chips to Huawei.
US Defense Department Cybersecurity Maturity Model Certification (CMMC) takes effect in two weeks.

GCSC's proposed norms for cyberstability.

At recent meetings of the Paris Peace Forum, the Global Commission on the Stability of Cyberspace (GCSC) released its final report on advancing cyberstability, which Computing characterizes as a proposal for a Geneva Convention for cyberspace. The report advances four principles:

“Responsibility: Everyone is responsible for ensuring the stability of cyberspace.
“Restraint: No state or non-state actor should take actions that impair the stability of cyberspace.
“Requirement to Act: State or non-state actors should take reasonable and appropriate steps to ensure the stability of cyberspace.
“Respect for Human Rights: Efforts to ensure the stability of cyberspace must respect human rights and the rule of law.”

On the basis of those principles, the Commission proposes eight norms of conduct for cyberspace. They generally advance confidence-building among nations, including potential adversaries, and they seek to implement versions of the norms of discrimination and proportionality that have traditionally shaped the laws of armed conflict. They also would enjoin responsibility for cyber hygiene and control of non-state actors that would be consistent with traditional principles of sovereignty:

“State and non-state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.
“State and non-state actors must not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.
“State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace.
“State and non-state actors should not commandeer the general public’s ICT resources for use as botnets or for similar purposes.
“States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure.
“Developers and producers of products and services on which the stability of cyberspace depends should (1) prioritize security and stability, (2) take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and (3) take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity.
“States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene.
“Non-state actors should not engage in offensive cyber operations and state actors should prevent such activities and respond if they occur.”

The Register points out that a lot of bilateral work will be required before the eight norms the GCSC proposes approach reality.

TikTok granted fifteen-day reprieve.

The US Committee on Foreign Investment pushed back TikTok’s divestment deal deadline to November 27, according to the Wall Street Journal. The social media platform, which members of Congress fear could funnel US data to Beijing, has appealed the divestment order. The ongoing legal battle could shape international internet relations for years to come.

But Facebook didn’t find Vienna quite so gemütlich: global takedown order for insulting content stands.

Austria’s Supreme Court directed Facebook to take down insulting content about a Green Party member worldwide, TechCrunch says, concluding a case that’s stretched nearly half a decade. Last year the EU Court of Justice ruled that compelling social media platforms to find and eliminate content that has been found illegal did not violate EU regulations against forcing platforms to perform comprehensive moderation. On one side lies the argument that the judgment prevents duplication later and elsewhere of illegal content; on the other are free speech advocates' and Facebook’s concerns that defining duplication is a sticky matter, better suited for courts than companies. Revamped regional liability rules are also in the works, with lawmakers hoping to hold social media giants more accountable for the content they profit from.

And Huawei gets a (small?) 4G reprieve.

The Verge reports the US is allowing Qualcomm to peddle 4G chips to Huawei in an exception to the 2019 executive order embargoing business with Chinese firms that pose national security risks. Three months ago Huawei admitted it was running low on chips due to US sanctions, which also impacted international producers.

CMMC deadline approaches.

In two weeks, Cybersecurity Maturity Model Certification comes into force, Breaking Defense reports. Homeland Security Today quotes NIST fellow Ron Ross as saying, “We literally are hemorrhaging critical information [to our adversaries],” explaining that “CMMC is aimed at stopping the bleeding.” Those angling for Pentagon contracts moving forward—some fifteen-hundred vendors in 2021—need to demonstrate compliance with NIST and Department of Defense standards, not just pay lip service to progress towards compliance. Assistant Secretary of Defense for Acquisition CISO Katie Arrington said, “We mean it.”

Selected Reading

GCSC proposes rules to guide states towards responsible cyber behaviour (Computing) The proposed norms are similar to a cyber version of the Geneva Convention

International infosec rules delivered to make nations and non-state actors behave themselves online (Register) Don't hack, don't backdoor, don't hurt the internet … and don't expect rapid adoption because there's still a lot of multilateral work to be done

Microsoft President Calls for Global Crackdown on Cyberattacks (Wall Street Journal) Hacks of health-care facilities and Covid-19 research show an urgent need for more collaboration.

Why Is North Korea So Good at Cybercrime? (Diplomat) North Korea is committed to advancing its cyber capabilities, and it shows in the results.

Sweden halts 5G auction after court grants relief to Huawei (ETTelecom) Swedish telecoms regulator PTS on Monday halted 5G spectrum auctions after a court suspended parts of its decision that had excluded Chinese telecom e..

Huawei hopes Biden presidency brings a 'reset' to relations, says tech officer (CNBC) Paul Scanlan said whenever there "is a change in government, there is always the opportunity to reset the relationship."

Australia Hasn't Really Investigated Whether TikTok Is A National Security Risk As Far As We Know (Gizmodo Australia) According to the Department of Home Affairs, they've only done one brief review of TikTok in Australia and it wasn't a very thorough one.

Rwandan cyber chief: As challenges loom, Africa needs to build cyber resiliency (Israel Defense) The head of Rwanda's National Cyber Security Authority, in a speech at CybertechLive Africa, stresses that African nations must create opportunities for their growing populations of young people

Israeli cyber czar, addressing Africa, urges joint effort to repulse attacks (Israel Defense) Partnerships are essential as no single country can succeed in cybersecurity by itself, Yigal Unna says at the CybertechLive Africa conference

Taiwan is crucial to the global fight against cybercrime (MENAFN) Taiwan's national antipandemic and cybersecurity teams

US gives Qualcomm approval to sell 4G chips to Huawei despite sanctions (The Verge) The license only applies to 4G Huawei chips

EMS Not its Own Domain of Warfare, Strategy Implementer Says (Air Force Magazine) The Electromagnetic Spectrum isn't yet considered a full domain of warfare, but an aspect of every other domain, said Air Force Brig. Gen. Darrin P. Leleux.

The federal government’s chief information security officer is helping an outside effort to hunt for alleged voter fraud (Washington Post) The participation of administration officials in the Voter Integrity Fund shows the extent of the efforts by President Trump’s allies to justify his unfounded allegations of widespread ballot fraud.

DHS announces new Homeland Security Advisory Council members (Security Magazine) Acting Secretary of Homeland Security, Chad F. Wolf introduced two new members to the Homeland Security Advisory Council (HSAC): Tom Jenkins and Catherine Lotrionte. Created by President George W. Bush in 2002, the HSAC is a Department of Homeland Security federal advisory committee that provides the secretary with independent, informed recommendations, and advice on a variety of homeland security issues.

DHS boss Chad Wolf defies Trump order to fire cyber chief Chris Krebs (New York Post) Department of Homeland Security acting Secretary Chad Wolf is defying President Trump’s order to terminate election cybersecurity official Christopher Krebs, multiple sources tell The Post. T…

Calif. Privacy Law Resembles, Transcends EU Data Regulation (Law360) Companies preparing for future enforcement of the newly passed California Privacy Rights Act can look to the EU General Data Protection Regulation for guidance while understanding key differences, including the CPRA's incentive options for consumers and mandate that regulations be updated to reflect technological changes, say attorneys at Akin Gump.

Montana CISO Shares State Security Actions and Priorities (Government Technology) How does a leading state chief information security officer navigate the cyberattacks targeting his state during the pandemic and beyond? Montana CISO Andy Hanks shows us the way in this interview.

TikTok Gains Extension of Divestiture Deadline (Wall Street Journal) The Committee on Foreign Investment in the U.S. has set Nov. 27 as the new deadline for a deal to turn the social-media app into an American company.

Facebook loses final appeal in defamation takedown case, must remove same and similar hate posts globally (TechCrunch) Austria’s Supreme Court has dismissed Facebook’s appeal in a long running speech takedown case — ruling it must remove references to defamatory comments made about a local politician worldwide for as long as the injunction lasts. The Austrian Supreme Court has now delivered its fi…

Op protected childhood: 113 online child predators arrested (HackRead) The arrests took place as part of Operation protected childhood initiated by ICE, HSI, MJSP against child sexual abuse material (CSAM).

ICE, international partners arrest 113 child predators (US Immigration and Customs Enforcement) OPC VII simultaneously targeted the distributors and producers of child sexual abuse material throughout the Americas.