At a glance.
- US expected to proceed with cybersecurity labeling modeled on EnergyStar.
- Transatlantic data sharing agreement could face pushback.
- US restricts chip exports to China.
- CISA chooses not to share industry feedback on performance goals.
US expected to proceed with cybersecurity labeling modeled on EnergyStar.
Among the initiatives the White House ticked off in its factsheet on "Strengthening America's Cybersecurity" this week was a program to label Internet of Things devices for their security:
"Developing a new label to help Americans know their devices are secure. This month, we will bring together companies, associations and government partners to discuss the development of a label for Internet of Things (IoT) devices so that Americans can easily recognize which devices meet the highest cybersecurity standards to protect against hacking and other cyber vulnerabilities. By developing and rolling out a common label for products that meet U.S. Government standards and are tested by vetted and approved entities, we will help American consumers easily identify secure tech to bring into their homes. We are starting with some of the most common, and often most at-risk, technologies — routers and home cameras — to deliver the most impact, most quickly."
The initiative is a partial implementation of a recommendation the Cyberspace Solarium Commission made in its report: that the government establish a certification body that would operate "a voluntary cybersecurity certification and labeling program for information and communication technologies." CyberScoop reports that the program the White House envisions would be modeled on the familiar EnergyStar labeling system.
Suzanne Spaulding, Senior Advisor at CSIS and Advisor at Nozomi Networks, sees the policy as a solid incremental step toward improved cybersecurity:
"This is consistent with the recommendation from the Cyberspace Solarium Commission. This is not regulation. Instead, it's designed to make the market more effective by providing consumers, including business consumers, information they need to better compare security and risks in Internet of Things (IoT) devices. Not only will there be better labeling, this information should drive tech analysts to include a "security" element in their reviews. This helps consumers understand that security is a feature they should look for in considering purchases, which in turn should encourage the producers of IoT to see security as a potential market differentiator. We won't see an improvement in security until we take steps like this one to mitigate the "first to market" imperative that shortchanges investment--and time--in designing more secure and resilient devices."
Ms Spaulding, before moving to the private sector, was DHS undersecretary for cyber and infrastructure, where she led the NPPD, the ancestor organization of CISA.
Transatlantic data sharing agreement could face pushback.
As we noted previously, last week US President Joe Biden issued an executive order (EO) setting out rules for the Trans-Atlantic Data Privacy Framework, which will govern EU-US data transfers and replace Privacy Shield, the previous agreement, which the European Court of Justice struck down. Biden's EO establishes a Data Protection Review Court, which will give EU citizens a way to challenge how US intelligence agencies handle their data, and it places several restrictions on data collection by those agencies. However, as Computerworld notes, the new framework won't take effect until spring 2023, and experts say it has several hurdles to clear on the EU side before becoming official. First, the EU must assess the new rules set out in Biden's EO; the European Commission will then propose a draft adequacy decision. From there, the adoption procedure requires consultation with the European Data Protection Board and approval from a committee of EU member states.
Austrian activist and lawyer Max Schrems, whose complaints led to the fall of Privacy Shield, has already said he's considering challenging the new agreement. "At first sight it seems that the core issues were not solved and it will be back to the [European Court of Justice] sooner or later," Schrems stated. Jonathan Armstrong, a compliance and technology lawyer at UK-based compliance specialists Cordery, explains, "Both the White House and the European Commission might be saying that they are confident, but we've been down this road before, with both sides saying that Privacy Shield would stand up to judicial scrutiny. It didn't." Critics say the new deal doesn't properly address mass surveillance by US intelligence agencies. Also, as Schrems' organization noyb notes, Biden's EO is not a statute but an executive directive, and the Data Protection Review Court it creates will not be a true court, but a body within the executive branch of the US government. Ashley Gorski, senior staff attorney with the ACLU National Security Project, stated, "The problems with the U.S. surveillance regime cannot be cured by an executive order alone. To protect our privacy and to put transatlantic data transfers on a sound legal footing, Congress must enact meaningful surveillance reform. Until that happens, US businesses and individuals will continue to pay the price."
US restricts chip exports to China.
Last week, the US announced sweeping export restrictions that block the export of advanced chips, chipmaking equipment, and chip design software to China, in an effort to hamper China's development of artificial intelligence. "The United States is saying to China, 'AI technology is the future; we and our allies are going there—and you can't come,'" says Gregory Allen, director of the AI governance project at the Center for Strategic & International Studies, a Washington, DC think tank. The restrictions exploit China's dependence on US silicon, including chips designed by American firms like Nvidia. Their goal is to impede the progress of tech giants like Baidu, the leading Chinese web search provider and a key player in cloud AI services and autonomous driving, and TikTok parent company ByteDance, as well as military applications of AI. "The Biden administration believes that the hype around the transformative potential of AI in military applications is real," Allen told Wired. "The United States also has a pretty good understanding of which computer chips are going into Chinese military AI systems, and they are American, which is viewed as unacceptable."
CISA chooses not to share industry feedback on performance goals.
The US Cybersecurity and Infrastructure Security Agency (CISA) has requested stakeholder comments on proposed performance goals for how companies defend their industrial control systems and maintain essential services during a cyberattack. The comments are being gathered through the Critical Infrastructure Partnership Advisory Council, which, in order to encourage candid feedback from stakeholders, is exempt from the transparency rules that govern other federal advisory committees. However, CISA's decision not to share this feedback with the public has some questioning the agency's commitment to transparency. Suzanne Spaulding, a former chief of the Department of Homeland Security agency that would become CISA, told Nextgov, "It would be consistent with CISA's commitment to transparency to make the comments public. It could be tricky, however, if they didn't make clear at the outset that the comments would be public." CISA says that while it's considering stakeholder comments on the cybersecurity performance goals, the end product will not be an exercise of regulatory authority and is therefore not governed by the formal administrative procedures that would apply to a typical Request for Information. "Given that, it would be unusual to release the written comments, given both the voluntary nature of the [Cybersecurity Performance Goals] and our intent to continue requesting feedback even after the CPGs are released this month," a CISA spokesperson stated.