At a glance.
- Tension between antitrust and privacy enforcement?
- US seeks industry input on proposed software security rules.
- A British "right to disconnect"?
- Industry reaction to senior US cybersecurity appointments.
- An update on the Natanz incident.
Tension between antitrust and privacy laws.
Wired points out an apparent inconsistency in recent US legal actions against Big Tech. The Federal Trade Commission, along with a group of states, is suing Facebook for failing to safeguard users’ data as its market share expanded. Another group of US states is suing Google for exclusionary conduct in response to the company’s initiative to limit third-party browser cookies. Can monopolistic behavior both increase and decrease privacy protections?
While the plaintiffs seem to think so, the question picks up a thread from last month’s House hearings on social media, where participants discussed the possible disconnect between a national privacy bill, whose compliance burden could fall hardest on smaller firms, and Congress’ appetite for antitrust action.
Industry input sought on new US software security rules.
As we’ve seen, the Biden Administration intends to work closely with the private sector in shaping the pending cybersecurity executive order (EO). Nextgov says the National Institute of Standards and Technology will likely develop the new vendor standards in conjunction with a Federal Acquisition Regulation rulemaking, which will invite industry feedback.
The EO’s mandates will come with a delay, giving companies several months to adapt. National Security Council Acting Senior Director for Cybersecurity Jeff Greene explained the order’s overarching goal: “the Federal Government simply can’t bear the risk of buying insecure software anymore.” He also shared that additional cybersecurity wish list items may arrive via routes other than the legislative process.
A “right to disconnect” in the UK?
Computing reports bipartisan support for including a “right to disconnect” provision in Britain’s forthcoming Employment Bill that would set boundaries around employees’ time in the new era of remote work. A trade union survey found the majority of both Labour and Conservative members would back the move, while roughly thirty percent of work-from-homers said demands for uncompensated labor had increased with the transition out of office.
Dublin recently issued regulation reinforcing standard business hours and protecting workers’ right to ignore after-hours communications, and Ottawa is preparing comparable rules. (By the way, isn't the weekend the historical contribution of the Anglophone world to disconnection? Just asking.)
Industry reaction to senior US cybersecurity appointments.
We've received comment on recent appointments the US Administration has made as it fills senior cybersecurity positions. The nominees get good reviews.
Ryan Gillis, Vice President, Cybersecurity Strategy and Global Policy at Palo Alto Networks, wrote,
"Palo Alto Networks commends the nominations of Chris Inglis as National Cyber Director, Jen Easterly as Director of the Cybersecurity and Infrastructure Security Agency and Rob Silvers as Under Secretary for Strategy, Policy, and Plans at the Department of Homeland Security. Each would bring deep experience countering and responding to the nation’s cybersecurity threats and is uniquely capable of improving the nation's cyber posture. We hope the Senate will quickly confirm these well-qualified nominees so that they can join an already impressive team of cyber experts in top positions across the administration. We look forward to continued collaboration to help meet the government’s cyber mission."
Amit Yoran, Chairman and CEO of Tenable, also likes the appointments:
“President Biden today named a top-notch group of cyber professionals to fill critical cyber positions within the administration, including Chris Inglis as the new National Cyber Director, Jen Easterly as Director of CISA and Rob Silvers as Undersecretary for Policy at DHS. These roles will be vital as the nation continues to deal with the fallout of the SolarWinds breach and highlight that cybersecurity is a top priority for the administration. Jen Easterly’s combination of cyber expertise, private sector experience and interagency government knowledge put her in a solid position to effectively lead CISA and ensure it can work with the private sector and other federal agencies to best protect the federal network.
"As the Federal Reserve Chairman Jerome Powell highlighted just last night, cybersecurity is one of the most significant risks facing the country and the economy. He’s spot on – and it’s great to see the Biden administration take the threat so seriously by providing CISA with an additional $650M to advance its mission, prioritizing cyber and IT modernization and tapping these experts to join the administration. These appointments fill key roles with deeply experienced individuals who will be critical to securing the nation’s digital infrastructure from bad actors. I look forward to working with all of them, along with the rest of the administration’s leaders, like Secretary Mayorkas, Anne Neuberger, and Rob Joyce, to improve the nation’s cyber posture and protect against future attacks.”
And Wayne Lloyd, CTO of Federal at RedSeal, thinks the appointees will have their work cut out for them:
“As National Cyber Director, Inglis would be wise to assume things will get worse before they’ll get better, as the agencies compromised in the SolarWinds attack weren’t even aware their unintended access points existed. The hackers went after monitoring tools, essentially breaching the networks’ ‘eyes’, and it’s reasonable to assume that the ‘hands’ – the control systems – could be next. This, compounded by the complexity of agency networks, means the appointment of Inglis is only the first step in what should be a comprehensive strategy. The approach must prioritize determining what’s accessible and understanding the entire network environment so a compromise of this scale can’t happen again.”
Update on the Natanz incident.
The BBC points out that the cause of the explosion at the Natanz power distribution system remains unclear: Natanz has been the target of both cyber sabotage (with Stuxnet) and physical sabotage (the Homeland Tigers' bombing). Most coverage, like that in Slate, is treating the incident as a probable Israeli cyberattack, citing Israeli media reports in support of that conclusion. The Guardian notes that the incident shows how vulnerable industrial control systems like those in the centrifuge facility at Natanz are to sabotage.
Iran says it intends to retaliate, where, when, and how it chooses. "Iran's answer will be to take revenge against the Zionist regime at the right time and place," WION quotes a spokesman from the Iranian Foreign Ministry as saying. PressTV, Iran's English language news service, explains Tehran's policy more colorfully: "Israel awaits Iran’s response: terrifying days ahead for Zionist entity!"
The US Administration said that it had "of course" seen reports of the Natanz incident, that the US "was not involved in any manner," had nothing to add to public speculation, and that it expected this week's nuclear talks involving Iran to proceed as planned.