At a glance.
- Biden administration nominates new head for NSA and CyberComm.
- European Parliament questions Irish DPC on TikTok investigation.
- New Jersey passes tougher cyberincident reporting legislation.
President Biden nominates new head for NSA and CyberComm.
US Army General Paul Nakasone is expected to step down from his dual role as head of the US National Security Agency (NSA) and US Cyber Command later this summer, and yesterday US President Joe Biden announced his nominee to replace him: Lieutenant General Timothy Haugh. Haugh seems a smart choice as he currently serves as deputy of US Cyber Command, and as a member of the Air Force, Haugh has held senior cyber positions in the US military for years. Haugh has also been active in talks regarding election security, an issue that is top of mind as the US approaches the 2024 presidential elections. While policy makers are likely to be relieved that President Biden has selected a nominee (a step he has not yet taken for the still vacant role of National Cyber Director), CNN notes that the nomination could be slowed by the Senate, as Senator Tommy Tuberville (Republican of Alabama) has placed a hold on senior military nominations due to objections to the department’s abortion travel policy.
European Parliament questions Irish DPC on TikTok investigation.
As the EU continues its probe into the potential data security threats posed by Chinese-owned video streaming app TikTok, Ireland’s data protection commissioner Helen Dixon appeared before the European Parliament yesterday to address MEPs’ concerns that the investigation is taking too long. TechCrunch explains that two TikTok inquiries were opened by the Irish Data Protection Commission (DPC) in September 2021, one investigating how the company handles the data of minors, and the other focused on the transfer of European data to China. Addressing the European Parliament’s civil liberties committee (LIBE) yesterday, Dixon indicated that a decision on the children’s data investigation can be expected this year. Regarding the data transfers decision, she said that “a preliminary draft of the draft decision” is now with TikTok to make its “final submissions.” She went on to say that enforcement decisions connected to other tech companies can be expected this year. “2023 is going to be an even bigger year for GDPR enforcement on foot of DPC large scale investigations,” she stated, adding that a long-running inquiry focused on Yahoo should be completed in the coming months. The DPC has been criticized for the number of outstanding cases that still remain undecided, including investigations into Google’s advertising tech and location tracking, and experts have questioned what appears to be a lack of determination in holding Big Tech accountable for violations of the General Data Protection Regulation (GDPR). In her remarks, Dixon addressed such criticism, stating that the DPC’s findings are “generally accepted in all cases” by fellow regulators.
New Jersey passes tougher cyberincident reporting legislation.
State Tech reports that New Jersey has become the latest US state to tighten up its cyberincident reporting requirements. Earlier this month Governor Phil Murphy signed new legislation that requires state public agencies to report cyberattacks within seventy-two hours of detection to the New Jersey Office of Homeland Security and Preparedness. The law covers state agencies and their contractors, counties, K–12 schools, public higher ed institutions, and law enforcement agencies. A number of other states have taken similar measures in recent years, and while New Jersey already has data breach reporting measures in place, the new law requires reporting even if the incident in question does not involve a breach. As New Jersey CISO and director of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) Michael Geraghty explains, the measure isn't meant to be punishment, but rather to motivate entities to report incidents in a more timely, consistent fashion. “It’s not punitive in any way if you don’t report in 72 hours,” Geraghty stated. “We’re not going to hit you over the head with anything. It’s really that idea of a neighborhood watch. We want to share information with our cyber neighbors so they can protect themselves.”