Australian legislators react to Optus data breach. Iran protests lead the US Treasury to relax sanctions. Senators introduce open source software security bill

Summary

By the CyberWire staff

At a glance.

Australian legislators react to Optus data breach.
Iran protests lead the US Treasury to relax sanctions.
Senators introduce open source software security bill.

Australian legislators react to Optus data breach.

As we noted last week, Australian wireless carrier Optus is contending with a cyberattack that potentially exposed the data of its entire customer base – nearly 10 million individuals, or about 40% of the Australian population. ABC reports that Australian Home Affairs Minister Clare O'Neil met with the Australian Signals Directorate and the Cyber Security Centre on Saturday to discuss the repercussions of the attack. She is expected to announce several changes to the country’s data breach notification policies, including requiring breach victims like Optus to inform banks and other financial institutions about an attack first so they can immediately begin working to protect client accounts. O’Neil tweeted, “Australian companies must do all they can to protect their customers’ data. I will have much more to say in coming days about the Optus cyber attack and what steps need to be taken in the future.” CNA adds that Prime Minister Anthony Albanese commented on the impending policy changes, stating, "We want to make sure...that we change some of the privacy provisions there so that if people are caught up like this, the banks can know, so that they can protect their customers as well.” The Guardian notes that in the past, Optus has pushed back on laws that would give customers more say in how their data is handled. In a 2020 review of Australia’s Privacy Act the attorney general asked whether customers should be given increased legal rights when it comes to breaches, including whether customers should be given the right to have their personal data erased. Optus opposed both changes, stating that such a change would lead to “significant technical hurdles” and “significant” compliance costs, and would “place a further drag on innovation and limit the benefits of digitisation.”

Iran protests lead the US Treasury to relax sanctions.

In light of the protests raging in Iran over the killing of Mahsa Amini, a woman who died in police custody after violating the country’s headscarf rules, the US Department of Treasury announced it is amending its sanctions on Iran, allowing exceptions for technology companies that provide the country’s citizens with internet access, the Record by Recorded Future reports. The sanctions were issued to make it difficult for American businesses to operate in the country, but with the Iranian government shutting off various mobile networks and blocking WhatsApp and Instagram to prevent protesters from communicating with the outside world, the Treasury issued a new license allowing tech companies to offer the Iranian people secure internet services and platforms. Deputy Secretary of the Treasury Wally Adeyemo stated on Friday, “With these changes, we are helping the Iranian people be better equipped to counter the government’s efforts to surveil and censor them. In the coming weeks, [the Office of Foreign Assets Control] will continue issuing guidance to support the Administration’s commitment to promoting the free flow of information, which the Iranian regime has consistently denied to its people.” As the Taipei Times reports, a Treasury official explained that the new license includes social media platforms and video conferencing, and will broaden access to virtual private networks (VPNs), which allow users anonymity online, and other anti-surveillance tools.

Senators introduce open source software security bill.

A bipartisan group of senators this week introduced the Securing Open Source Software Act , a new bill that would require the Cybersecurity and Infrastructure Security Agency (CISA) to create a “risk framework” around the use of open source code within the government and critical infrastructure agency. The bug found in the widely used Log4j open source software caused a surge of cyberattacks, and the new bill is intended to address the security risks of using open source software in government. If passed, CISA would be required to enlist the help of open source experts to find ways to reduce the risks posed by the use of such software, and the Office of Management and Budget (OMB) would be required to publish guidance for agencies on using open source software securely. The Record by Recorded Future notes that the repercussions of Log4j are still being felt, as just two weeks ago researchers from Cisco said they’d found several energy companies across multiple countries had been hacked this summer through exploitation of the bug. Senator Gary Peters, one of the sponsors of the bill, stated, “Open source software is the bedrock of the digital world and the Log4j vulnerability demonstrated just how much we rely on it. This incident presented a serious threat to federal systems and critical infrastructure companies – including banks, hospitals, and utilities – that Americans rely on each and every day for essential services. This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.”

Selected Reading

Security in the billions: Toward a multinational strategy to better secure the IoT ecosystem (Atlantic Council) The explosion of Internet of Things (IoT) devices and services worldwide has amplified a range of cybersecurity risks to individuals’ data, company networks, critical infrastructure, and the internet ecosystem writ large. In light of this systemic risk, this report offers a multinational strategy to enhance the security of the IoT ecosystem. It provides a framework for a clearer understanding of the IoT security landscape and its needs, looks to reduce fragmentation between policy approaches, and seeks to better situate technical and process guidance into cybersecurity policy.

VPN Providers Flee India as a New Data Law Takes Hold (WIRED) Many companies have pulled physical servers from the country as a mandate to collect customer data goes into effect.

New security measures to be unveiled following massive Optus data breach (ABC) Under changes expected to be announced in coming days, banks and other institutions will be informed much faster when a data breach occurs at a company so personal data cannot be used to access accounts.

Australia plans privacy rule changes after Optus cyber attack (CNA) Australia plans to change privacy rules, allowing banks to be alerted faster to cyber attacks on companies, Prime Minister Anthony Albanese said on Monday (Sep 26), after hackers targeted the country's second-largest telecoms firm. Optus, owned by Singapore Telecommunications (Singtel), said last ...

Optus cyber-attack: company opposed changes to privacy laws to give customers more rights over their data (the Guardian) In its submission to Privacy Act review telco said giving people right to erase personal data would involve ‘significant’ hurdles and costs

Optus data breach: cybersecurity reforms expected to enable companies to rapidly inform financial institutions (the Guardian) Cybersecurity minister Clare O’Neil set to announce reforms in coming week after millions of telco customers’ data stolen

US Issues License to Expand Internet Access for Iranians (VOA) State Department says move will counter Iran government's cut in access

US Treasury carves out Iran sanctions exceptions for internet providers (The Record by Recorded Future) The U.S. Department of Treasury said it is carving out exceptions within its stifling sanctions on Iran for technology companies providing internet access during recent protests.

US to ease online sanctions during Iran protests (Taipei Times) Bringing Taiwan to the World and the World to Taiwan

Where Online Hate Speech Can Bring the Police to Your Door (New York Times) Battling far-right extremism, Germany has gone further than any other Western democracy to prosecute individuals for what they say online, testing the limits of free speech on the internet.

Log4j: Senators introduce bill centered on CISA open source security efforts (The Record by Recorded Future) A bipartisan group of senators introduced a new bill this week focused on a variety of efforts to secure open source software.