At a glance.
- Australian legislators react to Optus data breach.
- Iran protests lead the US Treasury to relax sanctions.
- Senators introduce open source software security bill.
Australian legislators react to Optus data breach.
As we noted last week, Australian wireless carrier Optus is contending with a cyberattack that potentially exposed the data of its entire customer base – nearly 10 million individuals, or about 40% of the Australian population. ABC reports that Australian Home Affairs Minister Clare O’Neil met with the Australian Signals Directorate and the Cyber Security Centre on Saturday to discuss the repercussions of the attack. She is expected to announce several changes to the country’s data breach notification policies, including requiring breach victims like Optus to inform banks and other financial institutions about an attack first so they can immediately begin working to protect client accounts. O’Neil tweeted, “Australian companies must do all they can to protect their customers’ data. I will have much more to say in coming days about the Optus cyber attack and what steps need to be taken in the future.” CNA adds that Prime Minister Anthony Albanese commented on the impending policy changes, stating, “We want to make sure...that we change some of the privacy provisions there so that if people are caught up like this, the banks can know, so that they can protect their customers as well.” The Guardian notes that in the past, Optus has pushed back on laws that would give customers more say in how their data is handled. In a 2020 review of Australia’s Privacy Act, the attorney general asked whether customers should be given increased legal rights when it comes to breaches, including whether customers should be given the right to have their personal data erased. Optus opposed both changes, stating that such a change would lead to “significant technical hurdles” and “significant” compliance costs, and would “place a further drag on innovation and limit the benefits of digitisation.”
Iran protests lead the US Treasury to relax sanctions.
In light of the protests raging in Iran over the killing of Mahsa Amini, a woman who died in police custody after violating the country’s headscarf rules, the US Department of Treasury announced it is amending its sanctions on Iran, allowing exceptions for technology companies that provide the country’s citizens with internet access, the Record by Recorded Future reports. The sanctions were issued to make it difficult for American businesses to operate in the country, but with the Iranian government shutting off various mobile networks and blocking WhatsApp and Instagram to prevent protesters from communicating with the outside world, the Treasury issued a new license allowing tech companies to offer the Iranian people secure internet services and platforms. Deputy Secretary of the Treasury Wally Adeyemo stated on Friday, “With these changes, we are helping the Iranian people be better equipped to counter the government’s efforts to surveil and censor them. In the coming weeks, [the Office of Foreign Assets Control] will continue issuing guidance to support the Administration’s commitment to promoting the free flow of information, which the Iranian regime has consistently denied to its people.” As the Taipei Times reports, a Treasury official explained that the new license includes social media platforms and video conferencing, and will broaden access to virtual private networks (VPNs), which allow users anonymity online, and other anti-surveillance tools.
Senators introduce open source software security bill.
A bipartisan group of senators this week introduced the Securing Open Source Software Act, a new bill that would require the Cybersecurity and Infrastructure Security Agency (CISA) to create a “risk framework” around the use of open source code within the government and critical infrastructure agency. The bug found in the widely used Log4j open source software caused a surge of cyberattacks, and the new bill is intended to address the security risks of using open source software in government. If the bill is passed, CISA would be required to enlist the help of open source experts to find ways to reduce the risks posed by the use of such software, and the Office of Management and Budget (OMB) would be required to publish guidance for agencies on using open source software securely. The Record by Recorded Future notes that the repercussions of Log4j are still being felt, as just two weeks ago researchers from Cisco said they’d found several energy companies across multiple countries had been hacked this summer through exploitation of the bug. Senator Gary Peters, one of the sponsors of the bill, stated, “Open source software is the bedrock of the digital world and the Log4j vulnerability demonstrated just how much we rely on it. This incident presented a serious threat to federal systems and critical infrastructure companies – including banks, hospitals, and utilities – that Americans rely on each and every day for essential services. This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.”