At a glance.
- State-level cybersecurity regulations.
- Comment on NIST’s post-quantum cryptography standards.
State-level cybersecurity regulations.
The New York Department of Financial Services (DFS) has released Draft Amendments to its Part 500 Cybersecurity Rules, Gibson Dunn reports. The Draft Amendments show that the DFS continues to evolve its approach to strengthening cybersecurity practices. Highlights of the Draft Amendments include “increased expectations for senior leaders, heightened technology requirements, an expanded set of events covered under the mandatory 72-hour notification requirements, a new 24-hour reporting requirement for ransom payments and a 30-day submission of defenses, significant new requirements for business continuity and disaster recovery, and heightened annual certification and assessment requirements.”
Connecticut has also moved its policies forward, joining Colorado, California, Utah, and Virginia in passing a comprehensive consumer privacy law, the National Law Review reports. The legislation will take effect on July 1, 2023, but provisions about a task force created by the state legislature take effect immediately, with the task force focusing on issues including “information sharing among health care providers, algorithmic decision-making, and possible legislation regarding children’s privacy.” This legislation will add to Connecticut’s existing data protection laws, which include the Obligation to Safeguard Personal Information and SSNs, the Obligation to Destroy Personal Information, and the Data Breach Notification Law.
Comment on NIST’s post-quantum cryptography standards.
Schneier on Security has reported on NIST’s post-quantum cryptography standards, whose development has been in progress since 2016. NIST received 82 post-quantum algorithm submissions in 2017, with 69 progressing to Round 1, 27 progressing to Round 2, and seven (with eight alternates) progressing to Round 3. NIST was prepared to have final algorithm selections this year, and planned to have a draft standard available in 2023, but the competition was brutal. New cryptanalysis results emerged against four of the top contenders just moments before the final decision was to be made. One algorithm, Rainbow, was found to be completely broken, and three other algorithms were weakened.
Schneier says that we will face a double uncertainty in coming years, both with respect to quantum computing becoming a reality, and with respect to the algorithms themselves. Quantum computing architecture has the potential to change as we learn more about it, and with that may come changes in cryptanalytic techniques. When it comes to the algorithms, “More cryptanalytic results are coming, and more algorithms are going to be broken.”