At a glance.
- US DHS considers self-assessments for contractors.
- Sephora fined for sharing more than customers’ mascara reviews.
- CISA recommends companies prepare now for a post-quantum future.
US DHS considers self-assessments for contractors.
The US Department of Homeland Security (DHS) has been working on a plan for assessing its contractors’ cyber practices, and at a recent FCW event, chief information security officer Kenneth Bible offered a hint as to what might be on the horizon. Bible told FCW the DHS is considering relying on self-assessments, instead of using the third-party assessments adopted by the Department of Defense (DoD) as part of its Cybersecurity Maturity Model Certification (CMMC) program. Last year the DHS announced it was considering the DoD’s approach and has been conducting pathfinder assessments to suss out a strategy for evaluating its contractors’ cybersecurity prowess. Bible says early results gave the DHS confidence that self-assessment could be an efficient method. Bible also noted that a program similar to the CMMC would leave small businesses, which account for a sizable number of DHS contractors, at a disadvantage. He added, “The real question is, can we take that technique and extend it so that we’re able to…not use a self-attestation, but use a self-assessment, to gauge the cyber maturity of a vendor and make that a criteria by which we would select for an award.”
Sephora fined for sharing more than customers’ mascara reviews.
Last week California’s Attorney General Rob Bonta hit multinational makeup retailer Sephora with the state’s first fine for a violation of the California Consumer Privacy Act (CCPA). As cyber/data/privacy insights explains, the attorney general alleges that Sephora failed to disclose that it shared personal customer information by allowing third-party advertising and analytics providers to track users on Sephora’s website. The company also reportedly failed to provide an opt-out link for users who did not wish to be included in such tracking, and did not properly honor user-enabled global privacy controls through which customers requested that their data be kept hidden.
While announcing the $1.2 million penalty, Bonta said he’s already delivered notices to “a number of businesses” accused of non-compliance for making customers click on opt-out links each time they visit their website, instead of providing an easier, one-click method. He did not disclose which businesses are under fire, but said the companies will have thirty days to resolve the issue and avoid penalties. The Record by Recorded Future notes that as of next year, this thirty-day “right to cure” provision will no longer be offered. Consumer Reports head of tech policy Justin Brookman explains, “Starting in 2023, California regulators can just directly bring an action without telling a company to stop first, so companies are risking legal liability if they engage in the sort of behaviors Sephora was.”
CISA recommends companies prepare now for a post-quantum future.
Bleeping Computer offers a look at how the US government is preparing for the new age of quantum computing, and what it will mean for protecting data. The US Cybersecurity and Infrastructure Security Agency (CISA) published a paper last week urging leaders to prepare now for the transition to advanced cryptographic standards, before it’s too late. CISA explains, “When quantum computers reach higher levels of computing power and speed, they will be capable of breaking public key cryptography, threatening the security of business transactions, secure communications, digital signatures, and customer information…Do not wait until the quantum computers are in use by our adversaries to act. Early preparations will ensure a smooth migration to the post-quantum cryptography standard once it is available.”
While quantum computing is not yet commercially available, last week Chinese search engine Baidu introduced an industry-level quantum supercomputer called Qian Shi capable of achieving stable performance at 10 quantum bits of power. The company also announced it had completed the design of a 36-qubit superconducting quantum chip that could surpass the strength of the US’s most powerful quantum machine, IonQ Aria.
CISA advises that stakeholders follow its “post-quantum cryptography roadmap,” which, among other things, recommends that companies increase their engagement with post-quantum standards-developing organizations, inventory their most sensitive and critical datasets, and assess which systems use cryptographic technologies, identifying where public key cryptography is being used and labeling those systems as quantum vulnerable.
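The inventory step of that roadmap, as an added illustration that is not part of CISA’s guidance or the original article: the script below takes a constructed list of systems with the cipher suite or key type each one uses, pulls out the public-key algorithms (those a large quantum computer running Shor’s algorithm would break), and labels the system quantum vulnerable when any are present. It also handles TLS 1.3 suite names, which omit the key exchange even though TLS 1.3 always negotiates an (EC)DHE group. The record format and system names are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Public-key algorithms whose security rests on factoring or discrete logs,
# i.e. the ones Shor's algorithm on a large quantum computer would break.
SHOR_BREAKABLE = {"RSA", "DSA", "ECDSA", "DH", "DHE", "ECDH", "ECDHE",
                  "X25519", "X448", "ED25519", "ED448"}

# TLS 1.3 suite names do not spell out the key exchange, but TLS 1.3 always
# negotiates an (EC)DHE group, so these suites still depend on public-key crypto.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


@dataclass
class Finding:
    system: str
    dataset: str
    public_key_algs: list
    quantum_vulnerable: bool


def public_key_algorithms(spec: str) -> list:
    """Return the public-key algorithms named (or implied) by a cipher suite
    or key-type string, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ssh-ed25519."""
    upper = spec.upper()
    if upper.startswith(TLS13_PREFIXES):
        return ["ECDHE"]  # implied by TLS 1.3 rather than written in the name
    found = []
    for tok in re.split(r"[-_]", upper):
        if tok in SHOR_BREAKABLE and tok not in found:
            found.append(tok)
    return found


def inventory(records) -> list:
    """Label each system record quantum vulnerable if its crypto spec relies on
    any Shor-breakable public-key algorithm; symmetric-only specs are not labelled."""
    return [Finding(r["system"], r["dataset"], algs := public_key_algorithms(r["crypto"]),
                    bool(algs)) for r in records]


# Constructed sample inventory (hypothetical systems, not real ones).
SAMPLE_INVENTORY = [
    {"system": "customer-portal", "dataset": "customer PII",
     "crypto": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
    {"system": "api-gateway", "dataset": "payment tokens", "crypto": "TLS_AES_256_GCM_SHA384"},
    {"system": "bastion-ssh", "dataset": "admin credentials", "crypto": "ssh-ed25519"},
    {"system": "backup-vault", "dataset": "archived records", "crypto": "AES-256-GCM"},
]

if __name__ == "__main__":
    for f in inventory(SAMPLE_INVENTORY):
        label = "QUANTUM VULNERABLE" if f.quantum_vulnerable else "symmetric only"
        print(f"{f.system:16} {f.dataset:18} {','.join(f.public_key_algs) or '-':14} {label}")
```

Only the first three constructed systems get the quantum-vulnerable label; the symmetric-only backup vault does not, since Shor’s algorithm does not apply to it.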