At a glance.
- Weapons of distraction.
- Evolving US breach notification requirements.
- Corruption under discussion at the Summit of Democracies.
Cyberattacks as a weapon of distraction.
Axios explores how state-backed threat actors could use a cyberattack as a distraction to interfere with the US government’s decision-making process. Using China as an example, former Cybersecurity and Infrastructure Security Agency Director Christopher Krebs referenced a report by the US Cybersecurity and Infrastructure Security Agency (CISA) that revealed that in 2013 Chinese-sponsored threat actors had their sights set on natural gas pipelines. Krebs explained, "If things get hot in Taiwan, there's a possibility that the Chinese government could use some sort of cyber capability to make us focus here rather than over there."
US continues to tighten data breach notification regulations.
Cooley reports that in November the US Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), and the Federal Deposit Insurance Corporation (FDIC) issued a new breach notification rule for banking organizations and their service providers. Set to come into effect in April 2022, the rule treats banking organizations in much the same way as data owners or controllers under current breach notification laws, and also covers “bank service providers,” defined as any entity that performs services subject to the Bank Service Company Act. The rule requires that organizations notify their primary regulator (the OCC, FDIC, or FRB) of a data breach as soon as possible and no more than thirty-six hours after the incident has been identified. That said, the clock doesn’t start ticking until the bank determines that the breach is in fact a “notification incident,” meaning the organization can take time to confirm “actual harm” before notifying.
The National Law Review notes that the new regulation is just the latest in a series of evolving reporting requirements in the US. New breach notification rules for critical pipeline owners and operators came into effect in May, stating that cybersecurity incidents must be reported to the Cybersecurity and Infrastructure Security Agency within twelve hours. Similar regulations for health apps and health-related devices were implemented in September, and regulations for covered freight railroads, passenger rail, and rail transit systems will come into effect on New Year’s Eve.
Global democracy summit will focus on corruption.
At this week’s Summit for Democracy, the Biden administration will be discussing The United States Strategy on Countering Corruption, considered by anti-corruption experts to be President Biden’s most impressive strategy so far. Called “exactly what we’ve been waiting for” by the Helsinki Committee’s senior policy advisor Paul Massaro, the document focuses on multilateralism, with the United States Treasury vowing to fight tax evasion and foreign government corruption at US financial institutions by cooperating with existing multilateral organizations. The Atlantic Council explains that the goal is to get buy-in from the EU and UK, which should collaborate with USAID’s new Global Accountability Program and the US State Department’s Democracies Against Safe Havens initiative. Ideally, the EU and UK will also develop their own strategies to coincide with US efforts and implement tighter regulations for the historically unregulated real estate, private investment, and legal services sectors.