At a glance.
- NSW government aims to protect white hat hackers.
- Attorneys advise critical infrastructure firms to prepare for cybersecurity regulation.
- White House expected to issue executive order on spyware.
- The future of crypto regulation in the US.
NSW government aims to protect white hat hackers.
In Australia, the New South Wales (NSW) government is considering making changes to criminal laws in order to promote “good faith” hacking. The revisions would protect cybersecurity researchers from being prosecuted for reporting potential bugs and vulnerabilities, including those found in government systems. InnovationAus.com explains that Cyber Security NSW is currently working on policy that would encourage more community feedback on the cybersecurity of these systems, and Customer Service and Digital Government minister Victor Dominello is pushing to protect such white hat hackers as lawmakers proceed toward the state’s first whole-of-government policy framework for cyber security vulnerability disclosure. While such disclosure is already happening in the region, it’s lacking standardization. “The vulnerability disclosure policy will provide clear expectations for all NSW government agencies and the public about how the government will handle reports of identified vulnerabilities,” a Cyber Security NSW spokesperson stated. In addition to revising legislation to allow for more vulnerability disclosure, at a recent ‘Cyber Insights’ roundtable, experts suggested a ‘cyber socket’ that would help organizations to easily create vulnerability disclosure programs. Lawmakers are also considering establishing a single ‘front door’ for disclosing vulnerabilities and adding vulnerability disclosure processes to the NSW Cyber Security Policy.
Attorneys advise critical infrastructure firms to prepare for cybersecurity regulation.
Stateside, it’s well known that the Biden administration has made improving the cybersecurity of critical infrastructure a priority, regularly releasing updated cybersecurity guidance and requirements geared toward better protecting the sector. While the majority of the guidance coming from the White House has been nonbinding, attorneys say they expect lawmakers to eventually implement regulations backed by enforcement actions for noncompliance. Marcus Christian, a partner at Mayer Brown LLP who practices in cybersecurity and compliance, told Bloomberg Law, “I’m sure the Biden administration would love to have certain legislation passed for some of the requirements or aspirations or goals, but in the interim it’s creating a climate where they can choose how to enforce, how much to enforce.”
While the non-binding goals issued so far (which target four critical infrastructure sectors, with plans to eventually address sixteen) allow operators the flexibility to focus on the changes they deem important, they also raise industry standards, creating a set of quasi-requirements that could prime the field for official regulations. Attorneys recommend that private infrastructure operators take a proactive approach, updating their cyberagreements now in order to minimize risk in the future. Lawrence “Chip” Muir, a partner at Dunlap Bennett & Ludwig PLLC who focuses on government regulation and contracting, advises, “Start getting proactive, start reviewing those documents, start thinking about what’s in the realm of possible that you can do to have a more responsible and compliant ecosystem for your clients.”
White House expected to issue executive order on spyware.
The White House is ramping up plans to implement policy restricting the use of commercial foreign spyware, the Washington Post reports. Biden officials last week submitted a letter to Representative Jim Himes of Connecticut and other members of the House Intelligence Committee explaining that an executive order would “prohibit US Government operational use of commercial spyware that poses counterintelligence or security risks to the United States or risks of being used improperly.” Plans for such an order have been in deliberations for some time, and an anonymous administration official says the order comes with the “recognition that there was no regulation within the US federal government on how to address these tools,” alluding to reports of spyware abuse abroad as well as spyware makers’ attempts to sell their products to the US government. That said, some lawmakers feel last week’s letter leaves too much wiggle room for spyware abuse. Representative Himes stated, “What they’re very clearly not saying is there should be an operational ban on the part of the US government with respect to any of this technology.”
The future of crypto regulation in the US.
In the wake of the collapse of the FTX cryptocurrency exchange, the New York Times offers an in-depth look at Gary Gensler, the chair of the US Securities and Exchange Commission (SEC), and his role in crypto regulation. Gensler has made it his mission to rein in the crypto industry by establishing the SEC as the primary overseer of the currently underregulated market. Under his leadership, the SEC has nearly doubled its enforcement team and in February levied a $100 million fine on the crypto lending company BlockFi, and many in the crypto industry look at Gensler as an adversary. (Crypto company LBRY once called him “a demon wearing human flesh.”) However, the implosion of FTX has some lawmakers asking whether Gensler is doing enough. Prior to FTX’s disintegration, Gensler was in talks with the exchange’s chief executive Sam Bankman-Fried. While those in the room say he was discussing his plans for regulating the sector, Tom Emmer, a Minnesota Republican who serves on the House Financial Services Committee, tweeted in November, “Reports to my office allege he was helping SBF and FTX work on legal loopholes. We’re looking into this.” In September, the Republicans on the Senate Banking Committee grilled Gensler about whether the SEC was offering insufficient legal guidance to crypto companies that wanted to follow federal law. When it comes to the future of US crypto regulation, much is riding on the ruling in the Ripple lawsuit, filed by the SEC in December 2020, as well as a slate of crypto-related bills introduced by Congress this year.