At a glance.
- CISA directs all agencies to patch Microsoft Exchange vulnerabilities.
- Backdoor proponents square off, again, with pro-encryption advocates.
- New York privacy and security law evolution.
- Governor signs Virginia consumer data protection law.
- Florida prepares CCPA-like legislation.
CISA directs patching against Hafnium exploitation of Exchange Servers.
The US Cybersecurity and Infrastructure Security Agency (CISA) this afternoon issued Emergency Directive 21-02, "requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch released yesterday." CISA requires all agencies to report completion by noon Eastern Standard Time this Friday.
Crypto Wars: next round's opening bell.
Familiar adversaries are in their corners and ready for the bell in the next round of the Crypto Wars. The Washington Post reports that, in his testimony before the Senate Judiciary Committee, FBI Director Wray mentioned the difficulty of adequately tracking domestic extremists when they are able to avail themselves of end-to-end encryption. The opposing side says this misses the point, and that weakening encryption will only serve, ultimately, to weaken security generally.
The Internet Society, representing a countervailing point of view, was quick to respond. Ryan Polk, a Senior Policy Advisor with the Internet Society, commented as follows:
"FBI Director Wray’s statements regarding encryption yesterday show a fundamental lack of understanding of what an encryption backdoor is and the security risks it poses to both personal and national security. End-to-end encryption is our strongest digital security tool. Any method that gives third party access to encrypted data is a backdoor, a vulnerability that weakens the security and privacy millions of Americans rely on each day, including members of our armed forces. We recommend that Director Wray familiarize himself with the technical realities of what he’s asking for before testifying to Congress about breaking end-to-end encryption."
He closed with an irenic offer to educate the Director: "We have several factsheets available on encryption backdoors that we believe he’d find helpful."
It's interesting to see the way in which domestic extremists have succeeded terrorists and child exploiters as the bad actors whose mail the Bureau would like to read. They're all legitimate concerns, of course, but they carry more than a whiff of target-of-opportunity about them: there's an underlying unease that will fix on some threat, but which threat that is keeps shifting.
State privacy and security laws: New York State.
The New York Law Journal has a summary of recent developments in the state's privacy and security laws. The state has, with California, been a leader in US cybersecurity regulation. In New York's case, its legislative and regulatory activity has been most closely focused on the financial services industry, which is appropriate given the state's prominence in that sector.
State privacy and security laws: Virginia.
Virginia Governor Ralph Northam has signed the Commonwealth's Consumer Data Protection Act into law, Virginia Business reports. In many ways the omnibus bill follows the example set by the California Consumer Privacy Act. Its most immediate effect is expected to be giving consumers easier ways to opt out of corporate data collection.
State privacy and security laws: Florida.
JDSupra reports that Florida is considering data privacy legislation that's expected to "mirror" the California Consumer Privacy Act. Thus even absent Federal legislation, there appears to be a growing convergence of privacy law among some of the larger American states.