At a glance.
- Infrastructure bill clears US Senate.
- US OMB clarifies regulations surrounding "critical software."
- Privacy regulations compared.
- GDPR's standard contractual clauses.
An infrastructure bill with substantial funding for cybersecurity clears the US Senate.
The US Senate yesterday passed its version of the "Infrastructure Investment and Jobs Act" (all 2702 pages of it). It now goes back to the House of Representatives. The bill includes several cybersecurity provisions, both in its Title VI ("Cybersecurity") and in sections of other titles dealing with transportation, electrical power grids, public water systems, and so forth. The Hill's tally puts the bill's total allocations for cybersecurity at $1.9 billion.
Much comment on the legislation has concentrated on its provisions for sharing revenue and other resources with state and local governments. Erich Kron, security awareness advocate at KnowBe4, welcomed the bill's passage.
"This is a much-needed boost for state and local municipalities and the associated service providers, such as school districts and utility providers. These organizations are often scraping for funding and personnel, resulting in vulnerable systems and networks and exhausted staff. While they do the best they can, the resources available to them are often so limited that they must make hard decisions about what to secure and what risk to accept. This is made even more challenging when an incident occurs that requires the employees to work even longer hours and other budgets must be raided to pay for the remediation.
"By providing assistance and funds prior to and after a cyber attack, there is a much better chance that damage can be limited and recovery will be much faster, with less of a chance of losing staff who are overworked. Cyber crime is no longer an annoyance, but a very serious threat to our critical infrastructure and government, and this is a step in the right direction.
"While the assistance is welcome, it will take time to get it in place. Until then, these organizations should concentrate on shoring up against the biggest threats they face, including educating employees on how to spot phishing emails that spread malware and ransomware as well as scams, and securing remote access portals that cyber criminals target in an effort to gain access to the network with Multi-Factor Authentication (MFA) and strict account lockout processes for failed login attempts."
Purandar Das, co-founder and chief security evangelist at Sotero, also wrote to welcome the bill's advancement, but notes that state and local governments have not seen adequate cybersecurity budgets for decades:
"It is good to see this allocation of funds towards cybersecurity, especially for state and local governments. While the allocation sounds impressive, it should only be the beginning. State and local governments have underfunded cyber security for decades. They have been deprioritized and funds allocated to more pressing needs. As recent cyber-attacks have demonstrated, state and local governments are ripe targets due to their aging infrastructures that cannot protect data about their citizens. This data is used to ransom money from the governments. Any help that can prevent the loss of privacy of citizens and the prevention of their information falling into the hands of criminals is a welcome start."
Neil Jones, Cybersecurity Evangelist at Egnyte, liked the bipartisan support cybersecurity seems able to attract:
"It is reassuring to see that cybersecurity continues to garner bipartisan support on Capitol Hill, although the amount of funding approved by the US Senate was relatively modest compared to the overall size of the $1 trillion infrastructure bill. Local governments like the City of Baltimore, Maryland have been paralyzed by cyberattacks over the past several years. And, there are plenty of recent examples of remote hacking attacks on public utility providers and ransomware attacks on school systems. I am especially hopeful that the funding will help vulnerable rural communities that often face cybersecurity talent shortages to address potential attacks more effectively."
Ofer Gayer, group product management at Exabeam, thinks the funds the bill allocates to cyber, while welcome, amount to "table stakes":
"For anyone remotely paying attention to the rise in cyberattacks over the past year, particularly on critical infrastructure, this investment news should not come as a shock. I would even call it prudent if we compare this to the typical allocation of 10% for InfoSec from the total IT spend or 0.2% to 1% of the total budget. Allocating $1.9 billion out of a $1 trillion budget is essentially table stakes in our current threat landscape. We could probably even do with more."
The bill is not yet law. It must first pass the House of Representatives, where Speaker Pelosi has signaled that she has other legislative priorities to deal with first.
Office of Management and Budget clarifies “critical software” security mandate.
A memo out of the US Office of Management and Budget (OMB), FCW reports, clears up the scope of “critical software” under the Biden Administration’s May cybersecurity Executive Order (EO) and outlines compliance next steps for Federal agencies. Expanding on the National Institute of Standards and Technology’s (NIST) June definition, OMB directs attention to the privileges and functionality of any standalone, embedded, or cloud software.
Agencies have sixty days from the memo’s publication to itemize and report their critical software, and one year to enact NIST-specified security standards. Future NIST updates will launch additional implementation phases with one-year timelines. Phase one, Federal News Network explains, applies to twelve categories of on-premise, standalone software.
The EO’s software mandate was motivated, the memo says, by the insecure and “opaque” nature of commercial software development.
Privacy regulations compared: EU, California, Virginia, now Colorado.
The National Law Review contrasts the treatment of “sensitive” data (whether or not explicitly referred to as such) in the EU’s General Data Protection Regulation (GDPR), California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (VCDPA), and Colorado’s Privacy Act (CPA).
Some highlights: each law categorizes biometric and medical data (with some qualifications) as sensitive. Only California gives special consideration to social security, credit and debit card, and financial account numbers, and only the CPRA conveys special status to texts, emails, and mail. Virginia and Colorado consider "child-collected data" sensitive; immigration status is sensitive only in Virginia. Religious beliefs are specially protected under every law except the CCPA; political views only under the GDPR; and philosophical views only under the GDPR and CPRA.
GDPR’s standard contractual clauses.
Novinite sketches the main lines of the GDPR, which came into effect in May of 2018 and covers any website visited by EU residents regardless of the site's origin. The law contains data security, disclosure, erasure, and breach notification requirements, with stronger rules for controllers than for processors, and strict enforcement mechanisms. While the GDPR handed users more control over personal data, it's no privacy panacea. Novinite warns about enduring risks from insecure connections and apps, breaches, and platforms like Google Chrome.
The National Law Review unpacks the European Commission’s June Standard Contractual Clauses (SCC) update. One of the two new sets of SCCs pertains to exchanges between GDPR-subject controllers and processors, who remain at liberty to develop their own GDPR-compliant arrangements; the other, to extra-EU transfers (excluding the UK, which is writing its own SCCs). This second set will supplant previous SCCs at the end of next month, and incorporate additional obligations and liabilities as well as Schrems II considerations.
The EU’s privacy protections, the Review reminds Americans, are “some of the strictest…in the world,” on the level of “a fundamental human right.”