At a glance.
- Russia's place in organizing international norms for cyberspace?
- NIST offers its take on the implementation of US Executive Order 14028.
- The US FTC considers establishing its own set of online privacy rules, in advance of Congressional action.
- Considerations about an Australian equivalent of DARPA.
- Further comment on US mandatory reporting.
Russia’s role in international cybersecurity: a skeptical view.
POLYGRAPH details Russia’s long and storied record of disruptive cyber behavior, contrasting the Kremlin’s reckless digital activity with SVR director and President Putin favorite Sergey Naryshkin’s claims on state media that Moscow is leading the way towards a safer, more orderly cyber future. The SVR, in fact, hosts “one of the world’s most notorious team[s] of hackers,” POLYGRAPH says, and is responsible for “a majority of the biggest cyberattacks of the last decade.” Russian hacks have disrupted healthcare, food, energy, business, communications, legislative, and election systems from Estonia and Ukraine to Germany and the US, hitting fifteen-plus additional countries en route.
NIST on implementing EO 14028.
The US National Institute of Standards and Technology (NIST) scheduled a free webinar for October 14 titled, “Improving the Nation’s Cybersecurity: Progress and Next Steps in Carrying Out Executive Order 14028.” The event will address attendees’ inquiries and outline NIST’s headway towards fulfilling its duties under the Biden Administration’s May cybersecurity Executive Order (EO). Two topics of discussion will be software supply chain security and the forthcoming labeling regime.
Impatient for Congress to act, FTC considers new online privacy rules.
According to the Wall Street Journal, the US Federal Trade Commission (FTC) is weighing measures that could change how businesses process user data, with the goal of skipping legislative hurdles to stouter privacy protections. The FTC might chart one of four possible routes: prosecuting specific violations, revising Children’s Online Privacy Protection Act regulations, labeling undesired practices ‘deceptive,’ or targeting ‘unfair’ policies. Advocacy organization Accountable Tech is asking the department to take on surveillance advertising using the last method, referencing harms like social media’s effects on mental health.
What an Australian DARPA might look like.
The Strategist expands on its argument for an Australian analog to the US Defense Advanced Research Projects Agency (DARPA). While the Government has signaled support for a fresh approach to defense research, and AUKUS presents a new opportunity, bureaucratic and economic obstacles stand in the way of the sort of open-ended, risk-tolerant innovation required.
Nevertheless, the Strategist envisions an industry-partnered organization backed by public and private funding, led by term-limited business and technical experts (not politicians), and answerable to the Defense Ministry. Canberra’s DARPA would publish project invitations, assess pitches, and guide ventures’ progress.
“The geostrategic situation is deteriorating,” the Strategist concludes, and “Australia needs to be able to move quickly to address technological opportunities.”
Further comment on US moves toward mandatory reporting of cyber incidents.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, sees no downside to proposed mandatory reporting, whatever reflexive resistance to regulation it may prompt:
"This is great news. The mandated reporting requirements are an attempt by our government to get good metrics on how bad the problem is. Right now, with voluntary reporting, it is difficult to rely on any of the officially reported statistics, whether from the government or a vendor. The number of occurrences, values and averages vary so much that they cannot possibly be measuring the same thing. This mandate will give us more reliable data. Unfortunately, expect most businesses to push back on any mandates, even ones seemingly this useful with almost no downside. Also, reporting ransomware attacks to CISA has a side benefit in that CISA can help you determine if the ransomware gang you are involved with is one of those on the Treasury's official "do not pay list". All in all though, this is a good thing; long overdue."