At a glance.
- Update on EU cybersecurity legislation.
- CISA toolkit offers guidance for US election officials.
- EU responds to the claims of the Twitter whistleblower.
- Twitter whistleblower to testify before Congress.
Update on EU cybersecurity legislation.
Mondaq offers an overview of two recent developments in EU legislation aimed at improving operational resilience and cybersecurity. The Digital Operations Act, or DORA, aims to improve existing risk management requirements for information and communications technology ("ICT") used by financial entities including credit institutions, investment firms, and insurance undertakings. Under DORA, for the first time certain major ICT service providers will officially fall under the supervision of the European Supervisory Authorities. The directive on measures for a high common level of cybersecurity across the Union, commonly referred to as Network and Information Security Directive 2 or NIS2, increases the scope of NIS1 by moving away from the distinction between operators of essential services and digital service providers, instead distinguishing between "essential" entities, which include the banking, energy, transport, health, cloud computing, and space sectors, and "important" entities, which include providers of digital services and entities in the food, medical devices, pharmaceuticals, and motor vehicle sectors.
CISA toolkit offers guidance for US election officials.
In preparation for the 2022 midterm elections, the US Cybersecurity and Infrastructure Security Agency (CISA) has released “Protecting U.S. Elections: A CISA Cybersecurity Toolkit.” Described as a “one-stop catalog of free services and tools available for state and local election officials,” the toolkit was developed through CISA’s Joint Cyber Defense Collaborative, a partnership of public and private organizations intended to bolster collective action across sectors. American City and County explains that the resource offers guidance to election officials on how to assess their risk, protect voter data and platforms, and defend against various types of cyberattacks. As CISA director Jen Easterly stated, the toolkit aims “to help [election officials] in their ongoing efforts to ensure American elections remain secure and resilient.” The toolkit’s publication follows an advisory from the Federal Bureau of Investigation warning that election systems are at increased risk of cyberaggression.
EU responds to the claims of the Twitter whistleblower.
As we noted yesterday, Peiter “Mudge” Zatko, renowned hacker and Twitter’s former head of security, released a statement earlier this week claiming that the social media giant’s user data protections bear “extreme, egregious deficiencies.” ABPLive reports that Twitter CEO Parag Agrawal has distributed an internal email dismissing the whistleblower’s claims, stating, "What we've seen so far is a false narrative about Twitter and our privacy and data security practices that are riddled with inconsistencies and inaccuracies and lacks important context."
Mudge’s missive referenced EU regulators, alleging that the social media giant misled regional oversight bodies in Ireland and France about data-sets used to train the platform’s machine learning algorithms and improper separation of cookie functions, and the national data protection authorities are investigating these claims. Ireland is Twitter’s lead supervisor for the General Data Protection Regulation (GDPR), and data protection commissioner Graham Doyle told TechCrunch, “We became aware of the issues when we read the media stories [yesterday] and have engaged with Twitter on the matter.” A spokesperson for the French watchdog, the CNIL, also stated, “The CNIL is currently investigating the complaint filed in the US. For the moment we are not in a position to confirm or deny the accuracy of the alleged breaches. If the accusations are true, the CNIL could carry out checks that could lead to an order to comply or a sanction if breaches are found. In the absence of a breach, the procedure would be terminated.”
Twitter whistleblower to testify before Congress.
Meanwhile stateside, Twitter whistleblower Peiter “Mudge” Zatko is scheduled to testify before the US Senate Judiciary Committee about his claims that the social media powerhouse has been neglecting user data privacy. Scheduled for September 13, the hearing was announced yesterday, just one day after Mudge’s complaints came to light. As the Washington Post notes, the whistleblower’s allegations prompted concerns about privacy and national security from lawmakers on both sides of the aisle, and were especially timely given that legislators are working to pass legislation that would hold social media companies like Twitter accountable for their handling of American user data. According to his lawyer John Tye, Zatko has already had three meetings on Capitol Hill with Judiciary Committee staff. “We’re encouraged that the U.S. Congress is taking this so seriously,” Tye stated.
The Washington Post also offers an account of Zatko’s journey from amateur child hacker, breaking digital copyright locks on video games, to a member of the L0pht, considered by many to be the first US hackerspace, testifying before Congress in the 90s about security issues discovered on the young World Wide Web. Zatko was hired by Twitter founder Jack Dorsey after the platform experienced a data breach in 2020, but less than two years later he was fired by new CEO Parag Agrawal. Twitter claims Mudge was ousted for “poor performance and leadership,” but according to Zatko, he was let go because he tried to draw attention to the security issues detailed in his complaint.