At a glance.
- RUSI webinar speakers call for international cyber norms.
- Beijing responds to Tokyo’s cooperation with NATO.
- California’s data privacy regulation regime.
- Possible implications of midterm elections on US cybersecurity legislation.
RUSI webinar speakers call for international cyber norms.
At a webinar hosted by the Royal United Services Institute (RUSI) think tank in London, global leaders emphasized the need for international rules governing cyberspace, the National reports. Referencing the rise in cyberattacks in recent years, Nathalie Jaarsma, the Dutch security policy and cyber ambassador, stated, “I think a lot of countries have experienced a certain wake-up call,” adding that a plan for agreeing on “rules of the road in cyberspace” has been “inspiring enormous discussion internationally.” She noted the need not only to determine what rules are essential, but also how to enforce them. Germany's ambassador for cyber foreign policy Regine Grienberger underlined the need for countries to develop “resilience, deterrence, countermeasures and retaliation,” and Tanel Sepp, Estonia’s ambassador for cyber diplomacy, noted that attribution is key, calling out Russia for its cyberattacks on Ukraine. “This is clearly a violation of any single norm related to traditional international law or cyber norms,” Tanel stated.
Beijing responds to Tokyo’s cooperation with NATO.
As we noted earlier this week, on Friday Japan officially joined NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE). Telecoms Tech News explains that with the addition of South Korea, Canada, and Luxembourg in May, the CCDCOE now consists of thirty-two members: twenty-seven full NATO members, and five contributors, like Japan, that are not part of NATO’s wider defensive alliance. As South China Morning Post notes, the move comes as Tokyo more closely aligns with the Western military alliance to counter China, which NATO called a “challenge” to the alliance at a June summit also attended by Japan’s Asia-Pacific neighbors South Korea, Australia, and New Zealand. Beijing is less than pleased with the new partnership, and foreign ministry spokesman Zhao Lijian is urging Japan not to conduct activities that could bring an end to peace in the region. He went on to imply that Japan has joined the CCDCOE with the ulterior motive of preventing China from taking actions that could deter Japan from pursuing its own national interests. He also questioned NATO’s involvement in the Asia-Pacific, stating “The Asia-Pacific region is not the geographic domain of the North Atlantic, and there is no need to establish an ‘Asia-Pacific version of NATO.’”
California’s data privacy regulation regime.
California has been a pioneer when it comes to data privacy, and WRAL TechWire offers an overview of the US state’s arsenal of privacy legislation. In 2002 it became the first state to establish a data breach notification law, and in 2020 it made history by enacting the first state-level comprehensive data privacy law, the California Consumer Privacy Act (CCPA). Modeled after the EU’s General Data Protection Regulation (GDPR), it defines personal information to include any information that relates to or could be used to identify a natural person, including IP addresses, device data, and other online identifiers. Also like the GDPR, it requires detailed privacy notices about what data is collected and why, restrictive contracts for certain types of third parties with which the data is shared, and comprehensive employee training for all personnel handling personal data. That said, it differs from its European cousin in several important ways, including the exclusion of nonprofits or governmental organizations and exempted employees and business-to-business contacts, and the granting of private cause of action for damages from a data breach that results from the failure to provide adequate data security. In November 2020, California enacted the California Privacy Rights Act (CPRA), which will go into effect on January 1, 2023. It amends and expands the CCPA by increasing jurisdiction on the CCPA to companies that collect data on 100,000 consumers (rather than 50,000). It also adds a new category of personal information called “sensitive information” and expands the user’s Right of Opt-Out to include such data.
Possible implications of midterm elections on US cybersecurity legislation.
We received some industry comment on the possible effects of US midterm elections on cybersecurity legislation. Matthew Fulmer, Manager of Cyber Intelligence Engineering at Deep Instinct, hopes those effects include more Federal support for small businesses:
"I cannot emphasize how much federal support would help smaller businesses with increasing their cyber readiness and maturity stance! It's being found that small and medium sized businesses are more vulnerable and take a larger hit when impacted by cyber attacks like ransomware, and many just don't have the capability to secure the training needed due to budgetary constraints.
"The government can provide the funding stipulated in the bill, along with some suggested courses which are mandatory to obtain the funding, and once that is complete, the rest of the budget could be at the discretion of the businesses on where they feel they need more support so they can secure their businesses better.
"Pairing this with mentoring within the cyber world to help bring up new talent would serve to combat the shortage we have been seeing in the industry. Budget allocation, of which some of this grant money could be used, could help with just that and could allow companies to bring in more junior talent to develop, giving new security practitioners hands-on experience and a quicker path than just the route of traditional education in a university.
"From experience, hands-on experience trumps reading something on paper, and budgets bolstered with funding like this from federal support could allow companies to build labs for hands-on training accompanied with the courses they could also obtain."