At a glance.
- US lawmakers urge President not to reduce Secretary of Defense’s cyber powers.
- SEC seeks to regulate crypto exchanges.
- US states consider local-level regulation of IT vendors.
- EU court rules that phone data cannot be indiscriminately retained.
US lawmakers urge President not to reduce Secretary of Defense’s cyber powers.
The White House is considering making changes to National Security Presidential Memorandum – 13 (NSPM-13), which gives the Secretary of Defense the ability to plan and conduct time-sensitive offensive cyber operations. The Co-Chairs of the US Cyberspace Solarium Commission (CSC), Representative Mike Gallagher and Senator Angus King, have submitted a letter to President Joe Biden asking him to keep the policy in place, citing their concern that changing the policy could undermine national security. “Any effort to alter and possibly weaken NSPM-13 signals to our adversaries a lack of credible willingness to use offensive cyber capabilities which undermines the credibility of our deterrent,” the letter reads.
The chairs go on to emphasize the need for a layered cyberdeterrence strategy supported by “three lines of effort: building a more resilient and defended cyber infrastructure, establishing an effective public-private collaboration, and ensuring we have a credible, capable deterrent, including offensive cyber capabilities,” and explain that any modification of NSPM-13 could put the nation’s critical infrastructure at risk.
SEC seeks to regulate crypto exchanges.
Securities and Exchange Commission (SEC) Chairman Gary Gensler says the SEC is urging cryptocurrency trading platforms to submit to the commission for oversight in order to properly safeguard their customers’ assets. “These crypto platforms play roles similar to those of traditional regulated exchanges,” Gensler said at an event on Monday. “Thus, investors should be protected in the same way.” The Wall Street Journal notes that Gensler has been encouraging crypto platforms to register with the SEC for months, but the firms (despite often being referred to as “exchanges”) say they do not fall under the SEC’s purview. Unlike traditional exchanges, these platforms interact directly with individual investors and regularly take the opposite side of a trade. The platforms also argue that crypto developers would be unable to meet the traditional exchange requirements, as they’re designed for publicly traded companies. Gensler says he’s willing to collaborate with industry leaders to determine how to tailor oversight to the sector.
US states consider local-level regulation of IT vendors.
At last week’s Cybersecurity Modernization Summit, state cyber leaders stressed the importance of cracking down on the security protocols of cloud IT vendors in order to ensure that their clients’ data are properly protected. StateScoop, which hosted the event, explains that while most vendors adhere to the review requirements of the Federal Risk and Authorization Management Program, some leaders are considering tightening up state-level standards. Jayson Cavendish, Michigan’s deputy chief security officer, stated, “It’s not good enough to say I’m in a FedRAMP environment like AWS or Google Cloud or Azure, but how do I configure my responsibilities in that environment to ensure I remain secure?” The newly established StateRAMP organization announced last month that its approval policies are currently being used by local agencies in ten states, and Texas recently launched its own program called TexRAMP.
EU court rules that phone data cannot be indiscriminately retained.
The Court of Justice of the EU (ECJ), the EU’s top court, has determined that national authorities are not allowed to retain phone data in a “general and indiscriminate” manner. Reuters reports that the ruling was connected to the appeal of a man, sentenced to life imprisonment in 2015, who says the Supreme Court in Ireland wrongly admitted cellphone traffic and location data as evidence. The ECJ ruled that it’s up to the national courts to decide whether such evidence is admissible, but that a country cannot allow the general retention of such data. However, exceptions could be permitted for specific data or investigations concerning especially serious crimes.