At a glance.
- Cyber mercenaries and their clients.
- China's data protection legislation.
- US Federal CISO appointed.
- Notes on cybersecurity from the National Governors Association.
Cyber mercenaries, their government clients, and their activist opposition.
The Telegraph describes the market for hacking tools as a “shadowy $12 billion industry” and a threat to public and private interests, given that the tools can surveil crooks and ordinary citizens (the kind who go about their lives minding their own business, their noses kept clean and their hands kept to themselves) alike. There is a legitimate lawful intercept industry, but it's bedeviled with the dual-use issues that afflict any technology with police or military applications.
The head of Memento Labs, which sells governments phone cracking kits, says customers must agree not to use the gear for mass surveillance, but otherwise the company has no insight into intended targets. Certain countries are blacklisted from purchasing the tools, though they attempt to skirt the rules with bribes. Memento’s chief commented, “We prefer not to take money from them,” while comparing his products to guns, which can find their way into the wrong hands.
The University of Toronto’s Citizen Lab says it’s identified compromised devices belonging to activists, journalists, and their families, including targets in the US and the UK. Suppliers maintain that their “life-saving” services are invaluable to intelligence and law enforcement agencies, with one company claiming that Citizen Lab has refused to help them track down abuses. Some industry observers back the firms’ support of police in developing nations. Others, like Microsoft’s president, consider the tools “bad news.”
Legal (and illegal) challenges are mounting. WhatsApp is suing industry leader NSO Group for allegedly hacking nearly fifteen hundred users. (NSO responded that it did not do the hacking, and that such suits jeopardize “critical national security and foreign policy concerns of sovereign governments.”) Another firm faced a different sort of challenge a few years ago, as its internal files were hacked and leaked, revealing a client list of “repressive regimes,” according to the Guardian.
Beijing’s Personal Information Protection Law (PIPL).
The National Law Review summarizes China’s draft PIPL, which, as we’ve seen, will join the Cybersecurity Law and the Data Security Law as the country’s three pillars of data protection legislation. The law would prohibit “personal information handlers” from denying service to users who don’t consent to data collection (except where necessary), and would require consent to be explicit, voluntary, and well-informed. Compared to the GDPR, the PIPL’s demarcation of sensitive information is wider in some respects and slimmer in others: financial and location information are covered, while biometric and political information are not. Fines for violations would run up to ¥50 million, and “employees responsible for compliance” could also be penalized and publicly named.
Report: Chris DeRusha to be appointed US Federal CISO.
CyberScoop reports that Chris DeRusha, who directed cybersecurity for President Biden's campaign and worked on cybersecurity in the Department of Homeland Security during the Obama Administration, will be the new US Federal CISO.
US state governors talk cyber policy.
Last week the National Governors Association held its fourth biennial National Summit on State Cybersecurity. The themes were familiar: the importance of a cooperative approach to cybersecurity in which state governments work with local and Federal authorities, the growing threat of financial fraud, and the need for thoughtful legislative approaches to the challenges of online security. The CyberWire has an account of the conference. Among the more interesting aspects of the discussion was a recognition of the risk of excessive credentialism in developing a cyber workforce that meets the states' needs.