At a glance.
- Defining the borders of data.
- America’s battle against ransomware since the Colonial Pipeline incident.
- Thoughts on the fourth anniversary of GDPR.
Defining the borders of data.
The New York Times takes a look at the evolving world of data privacy regulation. The data users share when on the web has gone relatively unregulated for years, and Big Tech has enjoyed the freedom of using that data as it sees fit. Now nations all over the world are attempting to rein in that unchecked power by establishing “digital sovereignty,” regulations that limit how, when, and why tech companies can access data originating within the country’s borders. But it’s a race against time, as the world becomes more digitized and the pile of available data continues to grow at an exponential rate. Cloud computing further complicates matters, allowing a company in one country to store its data on a server in another. Federico Fabbrini, a professor of European law at Dublin City University, explains, “The amount of data has become so big over the last decade that it has created pressure to bring it under sovereign control.” Nations have taken differing approaches. The US supports allowing data to be transferred between democratic nations relatively unhindered, while China, Russia, and other nations prefer to keep their data within their borders in order to keep tabs on their citizens’ activities.
The EU is considered a pioneer in digital sovereignty with the establishment of its General Data Protection Regulation (GDPR), and Wired takes a look back at the first four years of its implementation. While the GDPR was a groundbreaking effort, regulators have struggled to keep up with the ever-changing landscape of data processing, and critics have argued that they’ve been too slow to penalize violators. “To say that GDPR is well enforced, I think it’s a mistake. It's not enforced as quickly as we thought,” says Romain Robert, a program director at the data rights nonprofit NOYB, which just settled a lawsuit regarding delays in its consent complaints. One challenge is that the GDPR takes a “one-stop shop” approach, dictating that complaints against a company operating in multiple EU countries are directed to the country where its main European headquarters are based. Ulrich Kelber, the head of the German federal data protection regulator, admits, “There is a lag, especially on Big Tech, enforcing the law on Big Tech—and Big Tech means cross-border cases, and that means the one-stop-shop and the cooperation among the data protection authorities.”
America’s battle against ransomware since the Colonial Pipeline incident.
It’s been one year since the massive attack on the Colonial Pipeline crippled the US’s fuel supply, and GovTech reflects on how the US’s approach to fighting ransomware has changed over the past twelve months. President Joe Biden responded by quickly issuing an executive order making cybersecurity a national priority, and the Ransomware Task Force, coordinated by the Institute for Security and Technology, released a comprehensive report of recommendations on preventing and responding to such attacks. Since then, the White House has coordinated international discussions on ransomware, created new collaborations like the Joint Ransomware Task Force, and carried out enforcement efforts resulting in several arrests of perpetrators. At a recent event, IST CEO Phil Reiner reported on the country’s progress. “We're excited to say that 88 percent of the recommendations that were in the report have seen some implementation,” Reiner stated. “We have also seen about 25 percent of significant progress on those recommendations…Despite these efforts, however, ransomware attacks continue to persist, and in some estimates have actually continued to increase in volume.” National Cyber Director Chris Inglis agrees that if the US wants to do more than “lose more slowly,” individual organizations must stop adhering to divisions of responsibility and instead work together across the public and private sectors.
The US Senate’s Committee on Homeland Security and Homeland Affairs has issued a report on the “Use of Cryptocurrency in Ransomware Attacks, Available Data, and National Security Concerns,” and the document acknowledges that attack volume is outpacing the government’s ability to understand and control it. Ransomware attacks increased by a staggering 435% in 2020, and in 2021 attacks impacted at least twenty-three hundred local US governments, schools, and healthcare providers. The Federal Bureau of Investigation says that these numbers are likely just a fraction of reality, as data reporting on ransomware attacks is incomplete. The report concludes, “This limited collective understanding of the ransomware landscape and the cryptocurrency payment system blunts the effectiveness of available tools to protect national security and limits private sector and federal government efforts to assist cybercrime victims.” The committee recommends that Congress supply the federal agencies processing attack data with the right resources, that these agencies find effective ways to share that data, and that the data be more effectively used to “track and circumvent ransomware attackers’ attempts to conduct increasingly sophisticated attacks.”
Thoughts on the fourth anniversary of GDPR.
On the fourth anniversary of GDPR, Chad McDonald, Chief of Staff and CISO at Radiant Logic, commented on the regulation:
“Due to the rise in digital transformation efforts, we are seeing an explosion in the number of digital identities businesses store, which makes controlling and managing identity data much more difficult. Unfortunately, when organizations struggle to manage identity data, they are at risk for breaking GDPR rules by failing to keep identity data accurate and minimized, not to mention being more vulnerable to cyber criminals.
“Organizations have been scattering their identity data across multiple sources, and this identity sprawl results in overlapping, conflicting or inaccessible sources of data. When identity data isn’t properly managed, it becomes impossible for IT teams to build accurate and complete user profiles.
“It can also result in siloed systems, which increases the likelihood of a failure in identity management and expands the attack surface of an organization. For example, Bocconi University was fined $214,000 after the Italian Data Protection Authority discovered that the same student information had been placed into multiple, fragmented documents, violating the GDPR principles of fairness, transparency and lawfulness when it comes to data processing. Poor identity management practices provide gaps for threat actors to exploit.
“In addition to minimal visibility across data sources, businesses also lack control. Without accurate user profiles, security teams and systems are unable to figure out what users should be accessing in order to fulfill their job. The most notorious GDPR fine was incurred by British Airways, which was over $50 million for failing to limit access to applications, data and tools. With some of the largest enterprises being found guilty of breaking GDPR rules, it is time organizations look to sanitize and streamline processes when it comes to Identity Access Management.
“Using an Identity Data Fabric, organizations can unify identity data into one easy-to-use global profile which can deliver identity data, on-prem or in the cloud, in real time from wherever and whenever needed. With accurate identity data, security teams have complete control over who has access to what, and they can feel more confident that they’re meeting all the GDPR regulations.”