At a glance.
- Britain's Home Office speaks out against Facebook's plans for end-to-end encryption.
- US prepares legislation mandating breach reporting.
- The Biden Administration's cyber strategy, outlined by the Secretary of Homeland Security.
A shot in the Crypto Wars, fired from London.
The UK’s Home Office is speaking out against end-to-end encryption (E2EE) as Facebook prepares to expand encrypted messaging options, according to Wired. Secretary Priti Patel will call for tighter rules around the technology at a National Society for the Prevention of Cruelty to Children (NSPCC) roundtable next month, where the NSPCC will share a report claiming that “increased usage of end-to-end encryption would protect adults’ privacy at the expense of children’s safety.” Facebook officials have acknowledged that encrypted messaging expansions will limit visibility into child exploitation networks.
The report will recommend regulating E2EE and requiring platforms to disclose child exploitation data. The UK’s Digital Secretary has indicated that encryption will not be addressed in the forthcoming Online Safety Bill, leaving industry onlookers to worry that the Home Office will instead turn to Technical Capability Notices, or confidential decryption injunctions—though others see this option as unlikely.
US prepares breach reporting regulation.
The Biden Administration is “urgently trying to complete” an executive order that would bolster Federal cybersecurity and require Government contractors to rapidly disclose breaches, Bloomberg reports. The order will span almost a dozen actions, including, as we’ve seen, encryption and multi-factor authentication conditions (for both contractors and agencies), and provisions mandating that vendors air gap their build systems and provide software bills of materials. The Administration is reportedly working closely with industry on the order, and will leave the measures for securing disclosed information to “a designated task force of officials and experts.”
Congress is not far behind. Since companies have made little voluntary use of the 2015 Cybersecurity Information Sharing Act’s liability shield, the Wall Street Journal says a number of new bills are in the works. Representative Langevin (Democrat, Rhode Island 2nd) is preparing one law covering incident reporting, and another concerning critical infrastructure data-sharing. Questions remain about who should be required to share what.
Washington’s cybersecurity strategy.
Infosecurity Magazine sketches the Biden Administration’s cyber priorities, as explained by Homeland Security Secretary Mayorkas at the RSA Conference last week:
1. “Championing a free and secure cyberspace”
2. “A focus on cyber-resilience as well as defense”
3. “A risk-based approach, based on data”
4. “Shared responsibility”
5. “Integrating diversity, equity and inclusion”
Government Technology says the Government’s “cybersecurity recovery plan” will address ransomware, elections, water utilities’ industrial control systems, pipeline and transportation systems’ data security, workforce development, and global partnership. (On the subject of ransomware, Business Insurance reports Mayorkas’ comments that the Government will work to upend “the marketplaces that enable” attackers, an apparent reference to “underground forums.”)
Mayorkas announced a collaboration with the Girl Scouts, and an enhanced relationship between the Cybersecurity and Infrastructure Security Agency and state governments. He said the US “will improve in the areas of detection, information sharing, modernizing federal cybersecurity, federal procurement, and federal incident response.”
The Secretary’s remarks positioned CISA as the “most trusted interlocutor” between industry and Government, according to Insurance Journal, and highlighted a handful of additional “personal” priorities, like “securing the digital supply chain, ensuring democracy-related infrastructure remains resilient, and planning for…the adoption of new encryption algorithms as quantum computing advances.”