At a glance.
- Australian regulatory changes after Optus data breach.
- Section 230 and its impact on internet user content.
- TSA says it will issue new aviation cybersecurity requirements.
- TSA announces railway cybersecurity directive.
Australian regulatory changes after Optus data breach.
In response to the massive breach of Australian telecom company Optus, the largest cyberincident in the country’s history, the Australian government decided earlier this month to temporarily suspend regulations preventing telcos from sharing customer data with third parties. The move is intended to allow breached companies to exchange information with banks and other financial institutions in order to better protect impacted customers from identity theft, but the suspension will only last one year, and the question remains: what will the government do to prevent such breaches in the long term? With many wondering why Optus had such a large trove of data, much of which belonged to former customers, CRN posits that lawmakers need to focus on limiting how much customer data a company can hold on to, and for how long. Australia’s Privacy Act has been undergoing a government review for nearly three years, and the Optus breach could be the catalyst the government needs to make the necessary amendments.
Section 230 and its impact on internet user content.
As we previously discussed, the US Supreme Court has agreed to hear a case that calls into question Section 230 of the Communications Decency Act, which shields web companies from legal liability for the content their users post. The lawsuit alleges that Google subsidiary YouTube violated the Anti-Terrorism Act by promoting videos supporting Islamic terrorist group ISIS, which in turn led to the murder of Nohemi Gonzalez in the 2015 ISIS shootings. “Google selected the users to whom it would recommend ISIS videos based on what Google knew about each of the millions of YouTube viewers, targeting users whose characteristics indicated that they would be interested in ISIS videos,” the plaintiffs wrote. While some argue the purpose of Section 230 was to allow websites like Facebook and Twitter to freely publish user content, when Section 230 was first established in 1996, the marketing algorithms and targeted content recommendations that drive such sites today were a thing of the future. Still, some experts argue the measure puts more responsibility on internet companies, not less, by giving them the reins when it comes to determining what content is safe and what’s not. Wired discusses why Section 230 was established in the first place, and why its future should be determined by Congress instead of the court.
TSA says it will issue new aviation cybersecurity requirements.
Last week several US airport websites suffered what appear to be coordinated denial-of-service attacks at the hands of pro-Russian threat actors. In response, Reuters reports, the US Transportation Security Administration (TSA) has announced plans to issue new cybersecurity requirements for critical aviation systems. In a 2020 report, the Government Accountability Office urged the Federal Aviation Administration (FAA) to tighten regulations for airport cybersecurity protocols, and the FAA last month sent a notice directing airports "to consider and address physical and cyber security risks relevant to the transportation mode and type and scale of the project," stating that "projects that have not appropriately considered and addressed physical and cyber security and resilience ... will be required to do so before receiving funds for construction." The TSA stated on Monday that it has already "updated its aviation security programs to require airport and airline operators designate a cybersecurity coordinator and report cybersecurity incidents, conduct a cybersecurity assessment, and develop remediation measures and incident response plans," and that it will "soon issue additional performance-based cybersecurity requirements for critical aviation systems."
TSA announces railway cybersecurity directive.
In related news, TSA has also issued a security directive addressing the cybersecurity of freight railway carriers. Titled “Rail Cybersecurity Mitigations and Testing,” the directive’s goal is to protect railway systems from the growing threat of cyberattacks that could disrupt railroad services, preventing the transport of essential goods and, in turn, threatening national security. Among the mitigation measures listed, railway owners and operators will be required to implement a TSA-approved Cybersecurity Implementation Plan to ensure operations can continue even in the event of an attack, and they will also be asked to establish a Cybersecurity Assessment Program to measure the effectiveness of their protocols.