At a glance.
- Canadian legislation aims to improve infrastructure cybersecurity.
- Lobbying against cyberflashing.
- EPA urged to focus on protecting water system.
- Update: US Federal privacy legislation.
Canadian legislation aims to improve cybersecurity of critical infrastructure.
Global News reports that Canada has introduced a new cybersecurity law aimed at companies in the finance, telecommunications, energy, and transportation sectors. The Act Respecting Cyber Security states that the governor-in-council may "direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system." CBC News explains that under the proposed legislation, companies in critical industries would be required to report cyberattacks to the government's Cyber Centre, and they would also need to take outlined steps to protect their networks from threats. Regulators would have the power to audit companies for compliance, and those found in violation could face administrative financial penalties (up to $1 million for individuals and $15 million for others) or even summary convictions. Legislators are still determining exactly which entities will be covered, but they mentioned telecommunications companies and the rail industry were among those that would fall under its purview. “There was a lot of thought given into identifying which sectors are vital to national security and public safety,” Public Safety Minister Marco Mendicino told Insurance Journal.
Dating app cracks down on cyberflashing.
The New York Times profiles dating app Bumble’s Payton Iheme and her quest to put an end to cyberflashing. Victims of cyberflashing, or the sending of unwanted explicit images via digital platforms, are typically women on dating apps or social media sites. According to a Pew Research Center survey, approximately one-third of US women under age 35 have experienced sexual harassment online, and a YouGov poll in Britain found that 40% of millennial women have received an unsolicited photo of male genitalia. Iheme, who serves as Bumble’s head of public policy for the Americas, is leading an effort to work with state legislators to pass laws that would punish cyberflashers. With her background as an Army intelligence officer and a science and tech advisor to the White House, Iheme is perfectly cut out for this mission. Iheme says her work represents victims “drawing a line in the sand, and being able to stand up and push back against all of the negativity and harassment.” Bumble began working for anti-cyberflashing legislation in Texas in 2019, helping to pass a bill making the act a class-C misdemeanor. State Senator Melissa Agard also worked with Bumble to introduce an anti-cyberflashing bill in Wisconsin in January. Iheme has also collaborated with lawmakers in California, New York, and Pennsylvania to draft bills against cyberflashing. Iheme says her vision is an internet “where people will have freedom and be able to exercise their own rights in a way that doesn’t harm someone else’s.”
EPA urged to focus on securing the US water sector.
Referring to US water and wastewater systems as the “weakest link” in the country’s critical infrastructure, water sector leaders on Wednesday urged the Environmental Protection Agency (EPA) to focus on better regulating the cybersecurity of these critical services. According to Mark Montgomery, executive director of the Cyberspace Solarium Commission and senior director of the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies, the EPA only has around $7 million in its annual budget dedicated to water sector cybersecurity, a far cry from the $45 million the Solarium Commission recommended the EPA earmark for the Office of Water. Nextgov.com explains that for the 2023 fiscal year, the EPA is requesting $4 billion for the water sector, and EPA Administrator Michael Regan told Congress that includes $50 million to support resiliency and sustainability initiatives, $25 million to improve cyber capabilities, and $35 million to provide technical assistance.
The Infrastructure Investment and Jobs Act also includes $48.4 billion over five years for drinking water and wastewater spending at the EPA, and Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, has said she will be introducing new directives for the water sector in accordance with that Act. At a recent Foundation for Defense of Democracies event, Montgomery spoke about the proposed "Water Risk and Resilience" organization, which would mirror the co-regulatory model of the Federal Electricity Regulatory Commission's electricity sector collaboration with the North American Electric Reliability Corporation. Noting the small number of people on the EPA's water cybersecurity team, Montgomery stated at a recent event, "Our vision here is a sector-led organization."
US Congress works toward privacy legislation.
The bills are still pending and under negotiation, but Congress continues to deliberate national privacy legislation. Axios has an account of their progress. Adam Marrè, CISO at Arctic Wolf, commented on the draft legislation:
"Although the potential bill doesn’t fully succeed in unifying the patchwork of individual state privacy laws under one cohesive structure and further specifies and protects the privacy rights of all citizens, this is a good start for common ground legislation that protects the privacy of all Americans.
"A few areas that seem ill-defined or seem to conflict with other definitions include the mentions of “Duty of Loyalty,” “Duty of Care,” “data holders,” “that use algorithms,” etc. For this type of proposed legislation, we must be specific and direct in order to ensure accountability from all parties.
"The preemption provision of state privacy laws also seems to be confusing and inconsistent. For example, federal law should not weaken privacy protections enacted into laws in individual states.
"In addition, using the size of companies as a guide for when provisions of the bill take effect is not a productive form of measurement. The sensitivity of private information does not change with the size of the company, nor does size or revenue reflect the type or sensitivity of data sets used by a company.
"Lastly, there are substantive issues with the enforcement provisions, including when and how someone can seek action against a data holder. Although the bill needs a lot of work, it is far better than continuing to do nothing at the federal level on privacy."