At a glance.
- The growing influence of the Cyberspace Administration of China.
- American think tank says US should rethink foreign policy for cyberspace.
- Looking back on the TSA’s handling of the Colonial Pipeline incident.
- CISA head urges FCC to rethink internet protocol measures.
The growing influence of the Cyberspace Administration of China.
Protocol recounts how the regulatory powers of the Cyberspace Administration of China (CAC), China’s central internet censorship agency, have grown to cover nearly every internet company in the country. When the CAC was established in 2013, China’s State Council mandated it to regulate online content, and it was tasked with drawing up China’s 2017 Cybersecurity Law. The CAC went on to draft China’s Data Security Law and the Personal Information Protection Law, which went into effect last year. The agency tested the limits of its power when it ordered a cybersecurity investigation of DiDi, a leading ride-hailing platform, after the launch of the company’s US IPO. The CAC followed this with a requirement that all companies handling the data of more than a million users undergo a security review before listing their shares overseas. Today the agency is more active than ever, publishing more than twice the releases, policies, and regulations it did before the pandemic. What’s more, the CAC represents China when meeting with international partners about international privacy and data governance, even though it’s technically not part of the State Council. Jamie Horsley, a senior fellow at Yale Law School’s Paul Tsai China Center, explains, “Its core functions expanded from content to now include data security and privacy. They permeate everything in a modern economy. It really gives them an arm in or a finger in every regulatory pie basically.”
American think tank says US should rethink foreign policy for cyberspace.
Looking back on the TSA’s handling of the Colonial Pipeline incident.
Last May was the one-year anniversary of the ransomware attack on US fuel provider Colonial Pipeline, and Security Intelligence reflects on how the unprecedented incident impacted the cybersecurity of operational technologies over the past year. The Transportation Security Administration (TSA) responded by hurriedly issuing two major cybersecurity directives for all American pipeline operators, making the once-voluntary rules mandatory. In its rush to safeguard against future attacks, the TSA did not allow for pipeline companies (or even Congress, for that matter) to collaborate on these directives, and a year later, pipeline operators say they are struggling to comply. The TSA has offered support for operators, allowing them to create their own paths to meet the rules’ objectives, but these plans must be approved first, and the understaffed and underfunded agency is ill-equipped for such oversight. As well, the rules are very specific, not taking into consideration the variability and complexity of operators’ systems, nor allowing enough time for compliance. Some experts say the TSA isn’t suited for such oversight, and the Biden Administration has suggested moving regulation to the Federal Energy Regulatory Commission (FERC), an independent agency within the Department of Energy responsible for cybersecurity regulation of the electric power sector.
CISA head urges FCC to rethink internet protocol measures.
Last week Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly submitted comments to the Federal Communications Commission (FCC) expressing internet providers’ concerns that the commission is allowing national security issues to too greatly impact measures addressing the internet’s routing protocol vulnerabilities. Easterly stated, “While the obstacles discussed are valid to various degrees, they must be viewed in the context of the national security risk posed by insecure [Border Gateway Protocol]. The Commission should keep a variety of tools available to respond to BGP threats. Including regulatory and non-regulatory responses.” Nextgov notes that although CISA is the risk management agency for the information technology and communications sectors, it is not a regulatory agency, and there’s much debate over which body should have regulatory authority over information and communications technology. Mark Montgomery, the former executive director of the Cyberspace Solarium Commission, explains, “It's not clear who would be setting the standards for this industry, and that's why CISA is going to have to have outreach with regulatory organizations like the FCC.”