At a glance.
- Redmond on the future of cyber diplomacy.
- Reporting requirements for critical infrastructure under consideration by the US Congress.
- Update on US pipeline cybersecurity standards.
Microsoft weighs in on the future of cyber diplomacy.
Microsoft calls on UN member states to start enforcing this year’s spate of recommendations from the Group of Governmental Experts (GGE) on cybersecurity and Open-Ended Working Group (OEWG) on cybersecurity. The emergent “framework for responsible state behavior in cyberspace,” as we’ve seen, affirms the applicability of international law to cyberspace and outlines eleven norms while delineating off-limits critical infrastructure sectors and encouraging capacity-building.
Microsoft would like to see further progress on enacting the agreed-upon guidelines as well as hammering out how international law applies and involving non-state stakeholders. The tech giant envisions a large role for the private sector, as the primary owner and operator of the cyber domain, and suggests attention to the Paris Call for Trust and Security in Cyberspace and the Oxford Process. The UN assembled a solid foundation and now needs to consider “passing the torch,” Microsoft says, in the interest of speed. Moving forward, a multistakeholder model could take into account civil and economic concerns in addition to the current geostrategic priorities, and the body should assume a “permanent standing” form to address enduring challenges.
US Congress contemplates critical infrastructure reporting regime.
Data Protection Report breaks down the US House Homeland Security Committee’s draft “Cyber Incident Reporting for Critical Infrastructure Act of 2021.” The bill would set up a Cyber Incident Review Office housed in the Cybersecurity and Infrastructure Security Agency and responsible for collating incident reports, reviewing incidents, analyzing vulnerabilities, sharing information, reporting findings, and developing recommendations. Backed by subpoena and investigative authority, the Department of Homeland Security would lay out reporting requirements for critical infrastructure owners and operators, and liability protections would shield reporting entities.
Updated pipeline cybersecurity standards.
SecurityWeek describes the third edition of the American Petroleum Institute’s pipeline cybersecurity standard, “Pipeline Control Systems Cybersecurity,” released last month after four years of workshopping. The latest standard builds on the National Institute of Standards and Technology’s Cybersecurity Framework and the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards, incorporating guidance from seventy organizations. Changes include an expanded focus on all control systems along with anti-ransomware, risk assessment, and critical juncture protection tips.