At a glance.
- COVID-19 tracking shows the tension between civil liberties and public health.
- US Federal Court clarifies CFAA (to the advantage of researchers).
- CISA modified list of essential critical infrastructure workers.
- NIST draft publication on "Integrating Cybersecurity and Enterprise Risk Management (ERM)" is out for comment.
COVID-19 tracking raised concerns about surveillance.
Many governments are advancing efforts to develop tracking apps that will help them track coronavirus carriers and thereby serve to contain the spread of the pandemic. Singapore's tracking policies and technology have found favor, the Telegraph reports, as a model for the UK, which, the newspaper adds, has relaxed its stringent data rules as part of its response to the emergency. Israel has moved forward with a comprehensive tracking system that uses data not only from mobile devices, but from domestic security service Shin Bet as well. According to Reuters, the Israeli government is also applying technology from the controversial lawful-intercept vendor NSO Group. In the US there's growing support for some technological adjunct to conventional epidemiological work, and a Wall Street Journal op-ed argues that this can be deployed without unacceptable violence to civil liberties. Still, concerns remain that surveillance regimes, once instituted, are difficult to dismantle. Edward Snowden makes that case in the New York Post. (If you have understandable reservations about Mr. Snowden, consider as an alternative the discussion in the CyberWire's forthcoming Quarterly Analysts' Briefing.)
Some clarification of the US Computer Fraud and Abuse Act.
The US District Court for the District of Columbia has ruled in a test case that violating a site's terms of service does not in itself constitute a crime under the Computer Fraud and Abuse Act. The test case was brought by researchers who wanted to use fictitious personae to sign up for some online services as they studied various aspects of the sites’ behavior. There was no question of fraud, but using a fictitious persona violated most of the sites’ terms of service, and so the researchers prudently sought clarity about the famously expansive CFAA before proceeding.
CISA modifies its list of "essential critical infrastructure workers."
On Saturday the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued a new edition of its "Guidance on the Essential Critical Infrastructure Workforce: Ensuring Community and National Resilience in COVID-19 Response," now in version 2.0. It added the private sector to such categories as “Law Enforcement, Public Safety, and other First Responders” that had hitherto concentrated fairly exclusively on the public sector. It added “Commercial Facilities” as a new heading, and it broadened the services listed under other industries (including electricity, finance, and communications and information technology). Among the additions, one that was particularly welcomed by industry comment quoted in Nextgov was the inclusion of "external affairs workers" in the communications sector.
"Integrating Cybersecurity and Enterprise Risk Management."
The US National Institute of Standards and Technology has a draft publication, "Integrating Cybersecurity and Enterprise Risk Management (ERM)," available for comment. Comments are requested by April 20th.