At a glance.
- The UN’s cybercrime treaty and the importance of intent.
- A primer on the EU’s Cyber Resilience Act.
- Supply chain security in the UK and the US.
The UN’s cybercrime treaty and the importance of intent.
After years of discussion, the United Nations is currently working on a global cybercrime treaty, and while the need for such an agreement is clear, Just Security examines some of the pitfalls. Negotiations thus far have demonstrated that there is a gray area when it comes to the definition of “cybercrime.” What’s more, not all UN members agree on how much a government should restrict citizens’ access to the internet, and competing treaty proposals make those differences all the more stark. Perhaps most importantly, some proposals call for the criminalization of all computer-enabled conduct, regardless of intent, which leaves white hat research out in the cold. If it is intended to bolster world cybersecurity, the treaty must strike a delicate balance: cracking down on cybercriminals without hampering the important work of white hat hackers. The UN could take a note from other treaties, like the Budapest Convention, in creating guidelines that clearly incorporate intent in determining what is considered a crime and what isn’t. Otherwise, the UN runs the risk of stymieing essential research that could lead to important advances in cybersecurity.
A primer on the EU’s Cyber Resilience Act.
Last month the European Commission released its proposal for the Cyber Resilience Act, or CRA. Data Protection Report offers an overview of what the CRA entails and how it could impact the EU supply chain. The main goals of the CRA are to improve the security of connected products and software available on the EU market, to hold manufacturers responsible for that security throughout a product’s life, and to keep consumers informed about the security of the products they buy. The CRA comes hand-in-hand with the new NIS2 Directive, which, in replacing the original NIS Directive, outlines the minimum technical, operational and organizational cybersecurity measures and streamlines incident reporting rules for an expanded scope of entities. In the EU, the European Union Agency for Cybersecurity (ENISA) will have oversight of the NIS2 Directive, while the CRA will be enforced by “market surveillance authorities” internationally. Once the CRA is adopted, organizations and EU member states will have up to two years to comply. It’s worth noting that the UK, no longer a member of the EU, will not fall under the Act’s purview and is instead in the process of passing its own similar legislation, the Product Security and Telecommunications Infrastructure Bill.
Supply chain security in the UK and the US.
As supply chain attacks continue to increase, securing the supply chain is at the forefront of lawmakers’ minds. US President Joe Biden issued an executive order earlier this year that directed the National Institute of Standards and Technology to create guidance “identifying practices that enhance the security of the software supply chain,” and the UK’s National Cyber Security Centre (NCSC) has issued guidance on how organizations can better assess their supply chain security. But securing the software supply chain is a complicated beast, as it requires companies to know exactly where their software is coming from and who had a part in creating it. As Infosecurity Magazine notes, some experts question whether the NCSC’s guidance is too narrow in focus, concentrating too heavily on supplier communication.
Steve Judd, senior solutions architect at Jetstack by Venafi, explains, “[Today’s guidance from NCSC] offers the security industry very little in the way of actionable, technical information as it mainly focuses on issues such as supplier and stakeholder communication and ‘identifying your crown jewels.’ With this information being aimed at security professionals – among others – it lacks a bit of depth and can only take organizations so far in the journey to securing software supply chains.”
Stateside, Bob Costello, Chief Information Officer of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, says self-attestation is important, but is only a starting point for determining risk. Costello told the Federal News Network, “Oftentimes, we, I think it’s just people, we’re not good at, you know, gauging true, true risk on things. And it’s really hard on the government side, but in some cases, there could be data that is low risk, it’s exposed and we should consider that maybe those companies that are handling that don’t need quite the level of vetting that we may want for a company handling, or designing software for national security systems or dependent systems or others. So I think there could be varying levels based on what the product is doing.”