At a glance.
- Franco-American talks on cyber cooperation.
- US DNI appoints election threats executive.
- India’s new data protection bill.
- Pakistan's national security policy.
- World Economic Forum releases its Global Cybersecurity Outlook.
US and France meet to discuss cyber relations.
The US Department of State notes that the fourth US-France Cyber Dialogue was held virtually last week to foster cooperation between the two nations in promoting cybersecurity and stability. With France currently acting as president of the Council of the European Union in the first half of 2022, the nation plans to call attention to cyber issues like ransomware and human rights online. The talks also focused on improving cyber resilience and promoting responsible state behavior in cyberspace. Representatives discussed how to support Ukraine in defending against potential malicious cyber activity. Michele Markoff, the Department of State’s Acting Coordinator for Cyber Issues, led the U.S. delegation, while France’s Ambassador for Digital Affairs Henri Verdier led the French interagency delegation.
US appoints new election threats executive.
Avril D. Haines, the US’s director of national intelligence, announced last week that her office has named Jeffrey Wichman as the new election threats executive. The New York Times reports that Wichman has over thirty years of experience with the Central Intelligence Agency and is currently the director of analysis for the agency’s counterintelligence mission center. His appointment signals that US intelligence will not neglect the fight against foreign election interference, as some on Capitol Hill had feared, after plans to create a foreign malign influence center to monitor efforts from abroad to influence US politics were stalled due to disagreements over funding and scope. “While we work with Congress to get funding for the center, the intelligence community remains focused on addressing foreign malign influence,” office spokesperson Nicole de Haay stated. One of the new executive’s first tasks will be to create a common view across agencies of what is considered malign election influence. This move is especially timely as recent concerns about Chinese efforts to influence lawmakers in Britain and Canada have brought election threats to the forefront.
Prepping for India’s new data protection bill.
ETCIO.com talked with several IT experts to get their advice on how businesses should prepare for India’s new data protection bill. Anirban Sengupta of Cyber Security & Data Privacy, PwC, says organizations should focus on consent. “Now, of course, it is easier said than done because, typically, if you look at consent, we have to take explicit consent, the consent has to be clear and concise, so we really have to look at how do we set out a system which is easy, easy for end-users to understand and to give consent, and then what are the business rules that I should set up,” he explains. He also recommends that businesses update their data governance practices and evaluate how data is being shared with third parties or data processors. Ayan De, CTO of Exide Life Insurance, says telecoms and companies in banking and finance will likely be better prepared for the bill, as data processing is already a top priority, but that the adoption of cloud architecture could pose new challenges. Prashant Deshpande, Vice President of IT at Shriram Value Services, noted that the pandemic and the resultant increased reliance on digital financial transactions could further complicate matters.
Pakistan approves National Security Policy.
Pakistan’s first-ever National Security Policy (NSP) was approved by the federal cabinet in December and released by Prime Minister Imran Khan last week, Overt Defense reports. In place until 2026, the NSP outlines the steps Pakistan will take over the coming years to “ensure economic security, human welfare, and strong defence capability.” In response, Express Tribune asks if Pakistan should invest in a cyber army to protect the nation against risks to and through cyberspace. Ayaz Hussain notes that terrorist organizations have been using the internet in general and social media in particular to support and publicize terrorist attacks, raise funds, recruit partners, and disseminate propaganda, and that Pakistan should establish policy to defend against these threats.
The World Economic Forum releases its Global Cybersecurity Outlook.
The World Economic Forum (WEF) has issued its Global Cybersecurity Outlook: 2022 Insight Report, January 2022. The report offers some grounds for optimism, notably the positive effect it's seen digital transformation exert on cyber resilience. It sees, unsurprisingly, that ransomware and supply chain attacks will continue to represent a growing risk. And it calls attention to "three main and critical perception gaps between security-focused executives (chief information security officers), and business executives (chief executive officers)." They have different perspectives, with the executive side generally having a rosier view of the cyber risks their organizations face than does the security side. The perception gap was most evident in three areas:
- "Prioritizing cyber in business decisions."
- "Gaining leadership support for cybersecurity."
- "Recruiting and retaining cybersecurity talent."
Illumio's Field CTO Raghu Nandakumara emailed some comments about the report. He's gratified by evidence of increasing understanding of resilience, but he's disappointed by the enduring perception gap between business and security:
"The WEF Global Cybersecurity Outlook reinforces two very specific items – both of which are essential to the continued improvement in risk posture overall.
"The first of these is that cyber resilience, despite being a relatively new concept, has seen focused investment and is seen as essential to reducing the amount of residual cyber risk. Furthermore, the importance of cyber resilience has grown as security executives identify their biggest fear to be the collapse of their infrastructure due to a cyber attack. This is a shift we have been encouraging for a while since security capabilities truly deliver value when they are harnessed together to not only provide protection but also ensure that the environment can react and recover from an incident – as it’s this benefit that truly reduces risk and makes possible the change from risk acceptance to risk mitigation.
"The second key takeaway, and this is more disappointing, is that cyber risks are still treated as technology risks by the majority of business leaders as opposed to enterprise risks that directly impact the business. This is a significant awareness hurdle we need to overcome if cybersecurity is to get the appropriate amount of C-level attention.
"Importantly, the attention should not come on the back of an incident – i.e., after the bottom line has been affected – but rather business leaders should understand the correlation between cyber risk and enterprise risk, and invest in reducing the former as a way of improving the latter. From this perspective, security should always be framed in the context of the business it is supporting – and being able to understand and articulate this context is the responsibility of both security and business leaders.”