At a glance.
- The Netherlands considers a military role against cybercrime.
- India releases power sector cybersecurity policies.
- Proposed US legislation to enhance CISA's authority.
- CISA doesn't want to be thought of as a "regulator."
- The US Department of Justice intends civil enforcement of cybersecurity standards.
- US OSTP wants input on an AI "bill of rights."
Netherlands military called to fight cybercriminals.
In response to an inquiry asking how the Netherlands plans to combat cybercrime, Dutch Minister of Foreign Affairs Ben Knapen explained that, in addition to intelligence agencies, it may use military services to fight cyber threats, GovInfoSecurity reports. Knapen explained that if an attack poses a threat to national security, Defense Cyber Command could opt to deploy a counterattack by the armed forces. Jake Williams, CTO of cybersecurity at BreachQuest, explains the decision's significance: "Most opposition to military response for ransomware and cybercrime is the issue that it's a response to a law enforcement problem...Effectively, this seemingly indicates that military use is a legal option because a failure to take action on ransomware actors operating from your borders is no different than actually sponsoring the action."
India releases new power sector cybersecurity policies.
The Hindu reports that the Indian government has issued guidelines to help entities in the power sector improve their cybersecurity posture. The policy, which takes into consideration guidance from CERT-In, NCIIPC, NSCS, and IIT Kanpur, requires that ICT (Information and Communication Technology)-based devices be procured only from "trusted" sources on a predetermined whitelist. The Register adds that, going beyond reliance on firewall technology, the policy also mandates that organizations ensure hard isolation of their operational technology systems from internet-facing systems.
New bills enhance CISA’s authority.
In reaction to the recent wave of crippling ransomware attacks on essential services like the Colonial Pipeline and JBS USA holdings, the US government is proposing two bipartisan bills, Homeland Security Today reports. Last week, the Senate Homeland Security and Governmental Affairs Committee advanced the Cyber Incident Reporting Act, which could require critical infrastructure entities like hospitals and fuel companies to report cyberattacks and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA) within seventy-two hours. The Federal Information Security Modernization Act of 2021 advises civilian agencies to report all attacks to CISA and Congress and makes CISA the first responder to incidents on federal civilian networks. "Our bipartisan legislation will help fight back against these serious threats by ensuring CISA is notified of any attack on critical infrastructure companies and civilian federal networks, as well as when most other entities make a ransomware payment," explained Senator Gary Peters.
Is “regulator” a dirty word? (If you're CISA, maybe it is.)
In an effort to improve data breach reporting, the Biden administration has given the US Cybersecurity and Infrastructure Security Agency (CISA) increased authority over how companies disclose and react to data breaches. But CISA says it wants to avoid being called a “regulator,” as some experts say the label could make firms less likely to voluntarily disclose security incidents. Robert Mayer, senior vice president for cybersecurity and innovation at USTelecom, told the Wall Street Journal, “You change the process more akin to a parent-child relationship, where you have the regulator and regulated entity.”
But if "regulator" is a dirty word, then the Justice Department seems downright potty-mouthed.
In a press release from the Office of Public Affairs, the US Department of Justice (DOJ) announced it's launching the Civil Cyber-Fraud Initiative, intended to deter private companies from employing sub-par cybersecurity measures, misrepresenting their security policies, or covering up security incidents. Deputy Attorney General Lisa O. Monaco stated, "we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk." Cooley explains that the initiative should push government contractors to make sure their products are secure and the data they collect are protected. JDSupra offers an overview of how the government has strengthened the rules governing how federal contractors handle cyber incidents, through the 2015 amendment to the Federal Acquisition Regulation Supplement, this year's Executive Order 14028 on Improving the Nation's Cybersecurity, and the Cyber Incident Notification Act of 2021.
US Office of Science and Technology Policy invites the public to help fight tech-driven discrimination.
The White House Office of Science and Technology Policy (OSTP) is aiming to develop a bill of rights to ensure that data-driven technologies treat all users fairly, Wired reports. Artificial intelligence has been observed to discriminate against marginalized populations, as the data sets used to train the AI are often unintentionally embedded with prejudices based on qualities like age, race, gender, and geographic location. In the hopes of better preventing such partiality, the OSTP will be collaborating with academia, civil society, and the private sector to create a bill of rights, and it's asking for input from the general public through a public request for information.