At a glance.
- Happy leather anniversary, GDPR.
- Updates on NSO Group investigations.
- Further comment on this week's US National Security Memorandum.
- Notes from the 2021 Annapolis Cybersecurity Summit.
A look at three years of GDPR.
Cooley outlines ten significant General Data Protection Regulation (GDPR) outcomes in honor of the legislation’s leather anniversary. Their conclusions are conveniently presented as a list:
- In the near term, a major overhaul is not likely.
- Enforcement action is ramping up.
- Other countries are following suit.
- Data transfers remain tricky, post-Schrems II.
- Brexit splintered the GDPR.
- Member states are tweaking rules.
- Standards for consent are raised.
- Directions from authorities tend to tighten the regulation.
- Arrangements between data controllers and processors have evolved.
- Additional legislation is in the works.
NSO Group investigation updates.
Le Monde says France’s National Agency for the Security of Information Systems found evidence of Pegasus on a high-ranking France 24 journalist’s phone and linked the hack to a Moroccan client of NSO Group—apparently the same client suspected of targeting a jailed Moroccan reporter, the wife of a jailed Western Sahara activist, and a French politician. The tool was active three times, in 2019, 2020, and 2021. Officials also confirmed the compromise of the devices of two other journalists flagged by Pegasus Project. France’s Finance Minister’s phone, Reuters reports, is now under examination.
The Washington Post says French President Macron convened an emergency discussion last week, while France’s Minister of the Armed Forces pressed Israel’s Defense Minister on Jerusalem’s supervision of and visibility into NSO customers’ doings. Meanwhile, senior officials in Washington have been in touch with representatives from the Israeli Government, and as we’ve seen, some US legislators are angling for regulatory action. According to an unnamed Israeli security official, Washington and Jerusalem view it as “irresponsible and premature” to draw conclusions until a thorough investigation wraps up.
Commerce, Homeland Security comment on new National Security Memorandum.
The US Department of Commerce released a joint statement from Homeland Security Secretary Mayorkas and Commerce Secretary Raimondo on the Biden Administration’s critical infrastructure memo. The secretaries called the changes “long overdue” and said the cybersecurity performance goals will “set a clear, easy-to-understand security baseline” for “responsible critical infrastructure owners and operators to follow.”
Toshihiro Koike, CEO of Cyber Security Cloud (CSC), offers additional perspective from the private sector:
“Implementing better cybersecurity guidelines within organizations, especially the ones managing critical infrastructure, is a necessity,” said Toshihiro Koike, CEO of Cyber Security Cloud Inc. (CSC), the world’s leading innovator in cyber threat intelligence and AI-driven web security. “It’s smart for President Biden to generate a sense of urgency around cybersecurity policies and order CISA and NIST to establish benchmarks. Every company is vulnerable to a cybersecurity attack; now is the time to take action.”
Towards a whole-of-nation approach to cybersecurity.
Yesterday the Governor of Maryland hosted the 2021 Annapolis Cybersecurity Summit, with participation from a broad range of Federal, state, and industry leaders. We have an account of the summit on our site. Among the points participants made: states have a significant role to play in fostering the development of the kind of healthy business ecosystem on which security depends; responsibility needs to be fixed (not only on threat actors, but on software vendors as well); and excessively prescriptive security standards can do more harm than good.