At a glance.
- Britain announces the existence of its National Cyber Force.
- Deterrence by denial?
- GAO takes a look at US Cyber Command.
- A possible new CISA boss.
- Private right of action under CCPA.
PM Johnson reveals the existence of Britain's National Cyber Force.
Prime Minister Johnson yesterday informed Britain’s Parliament of the existence of the National Cyber Force, a new joint command that’s been in operation since April. The National Cyber Force draws on elements from MI6 and GCHQ, serving members of the military, and personnel from the Defence Science and Technology Laboratory. The Force’s planned end strength is placed at some three thousand, a goal it is expected to reach by 2030. Its charter, according to the BBC, includes both disruption of hostile communications networks and the conduct of information operations.
The National Cyber Force is what in the US would be called a combat support organization. Its mission includes tactical support of kinetic military operations: it might, for example, be called upon to protect British combat aircraft by disrupting enemy air defense command and control. Thus it would play a tactical role analogous to that filled by traditional electronic warfare operations. ZDNet points out that the Secret Intelligence Service, also familiarly known as MI6, will contribute its "expertise in recruiting and running agents alongside its unique ability to deliver clandestine operational technology." Thus the National Cyber Force seems likely to have some multi-domain capabilities.
But the National Cyber Force also has an everyday mission. It may be called upon to interfere with hostile systems being used to conduct or prepare cyberattacks against the United Kingdom, and it may also be called upon to conduct influence and counter-influence operations against adversaries. It will operate separately from the longer established and better known National Cyber Security Centre.
How Tokyo can practice deterrence without offensive cyber capabilities.
An essay in the Diplomat argues Japan’s strategic stance against offensive measures leaves it vulnerable to Moscow, Beijing, and Pyongyang, but “deterrence by denial” remains an option, whereby the country can make the cost of doing cybercrime business prohibitively high. Specifically, Japan should set up a governmental zero-day vulnerability disclosure process to shape the battlespace in its favor. A private analogue is already in place, but a state-run program would facilitate tactical decisions about which discoveries to defang and which to exploit.
The GAO says Cyber Command could improve its focus.
A Government Accountability Office (GAO) audit initiated at Congress’ behest last year and released yesterday found US Cyber Command’s Joint Cyber Warfighting Architecture vision unfocused, according to C4ISRNET. GAO’s chief criticism was a deficiency of clear roles and goals, which could compromise interoperability. Cyber Command said it’s had a tough go lately, but it’s getting around to it. Cyber Command has had, as far as we can see, a good run lately, and this report should be taken in the familiar spirit of an after-action review.
Possible new CISA head.
CyberScoop reports Department of Energy (DOE) official Sean Plankey might be under consideration for CISA's acting directorship. Plankey was already en route to DHS; last month the Administration floated his name for Assistant Director for Infrastructure Security. An unknown problem with his security clearance could stymie the transition, however. Plankey’s resume spans cybersecurity work at the DOE, Coast Guard service, security work for oil company BP, and time at US Cyber Command.
Private right of action under the CCPA.
Under the California Consumer Privacy Act (CCPA), Golden State residents can sue companies for damages (and dozens have already), but it’s not yet clear how successfully, JD Supra says, because the law “contains numerous ambiguities.” Courts must determine the following:
- Who qualifies as a resident in edge cases.
- Whether consumers can file suit in the absence of a breach, e.g. whether third-party data swapping counts as unauthorized disclosure.
- What can be construed as “personal information.”
- What “reasonable security procedures” entail.
JD Supra concludes that plaintiffs are trying to enlarge the law’s purview, and the battle is just beginning.