Jordan's controversial cybercrime law. US agencies' joint guidance on quantum-readiness. Deadline for comment on US cybersecurity regulations extended.

Summary

By the CyberWire staff

At a glance.

Jordan passes controversial cybercrime bill.
US agencies issue joint guidance on quantum-readiness.
Deadline for comment on US cybersecurity regulations extended to October 31st.

Jordan passes controversial cybercrime bill.

In response to a recent six-fold increase in cybercrime in the country over the past three years, the Jordanian government has passed a new cybercrime bill that has some human rights advocates expressing concerns. The legislation defines various types of digital crimes and assigns punishments to each, with penalties ranging from fines to “temporary work” to prison time. Article 12, which states that anyone who "circumvents the protocol address" could face a financial penalty or prison time, has been the subject of controversy. Dark Reading explains that this could include the use of VPNs, anonymous proxies, and even the Tor browser – all ways users attempt to maintain anonymity while accessing the web – and human rights activists say this could prevent individuals from expressing their opinions online without fear of retribution.

Human Rights Watch, Access Now, Article 19, and eleven other organizations have issued a statement saying the new law threatens freedom of expression, the right to information, and the right to privacy and could allow heightened government control and censorship on the web. Liz Throssell, the United Nations' spokesperson for the UN High Commissioner for Human Rights, issued a statement saying that while countries must do their best to fight cybercrime, they must also maintain individual freedoms. She also noted that the law’s rapid ascent from draft to passage raises questions about transparency in the Jordanian legislature.

US agencies issue joint guidance on quantum-readiness.

On Monday the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and National Institute of Standards and Technology (NIST) issued a fact sheet urging organizations to prepare for the transition to post-quantum cryptographic (PQC) standards. “Quantum-Readiness: Migration to Post-Quantum Cryptography” describes the impacts of quantum capabilities and calls on organizations – especially critical infrastructure operators – to develop a Quantum-Readiness Roadmap. As well, organizations are encouraged to conduct inventories of quantum-vulnerable assets, apply risk assessments and analysis, and engage vendors in the migration process. NIST plans to publish the first set of post-quantum cryptographic (PQC) standards in 2024.

As Executive Gov notes, the agencies recommend organizations begin by prioritizing the most sensitive and critical assets. The fact sheet states, “Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation.” Rob Joyce, director of cybersecurity at NSA, stressed the importance of public-private partnerships as plans for testing and integration unfold. He stated, “The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry.”

(Added, 12:00 noon ET, August 24th, 2023.) Two experts from DigiCert commented on the guidelines. “Today’s public release of the draft standards is the most significant milestone in the seven-year NIST process for replacing existing asymmetric cryptographic algorithms with quantum-safe alternatives—and kicks off the internet’s largest security transition," Amit Sinha, CEO of DigiCert said. "Now is the time for organizations to build a centralized book of record of their cryptographic assets and be in a position to adopt these algorithms as they are made available for use.” Sinha added, “Data being stored and software being shipped right now is already at risk for future compromise by quantum computers, and companies need to prepare to adopt these changes into their most critical systems once the standards are finalized.”

Sinha's colleague at DigitCert, Industry and Standards Technical Strategist Tim Hollebeek, wrote, “The math behind the algorithms has been known for a while, but these new draft standards contain detailed information about exactly how these algorithms need to be used in practice. Companies that invest now in crypto-agility, discovery and automation will be well-prepared to rapidly deploy these changes as soon as they become available. This will allow them to hit the ground running when the final standards arrive early next year.” He added, “Industry experts, including those from DigiCert, have been collaborating at NIST and IETF to figure out how to update internet protocols with these new quantum-safe algorithms. The release of the draft standards provides a wealth of information which will assist everyone in finalizing their protocol standards and implementations.”

Keyfactor's Chris Hickman also offered some reflections on what post-quantum readiness entails. Among other things, it entails a change in how organizations look at supply chain security. “To truly be post quantum ready, therefore being protected against the threats of quantum computing as it relates to currently used cryptography, requires an end-to-end solution where all aspects of the organization are prepared and have adopted post quantum algorithms. This includes not only internal systems and assets but extends to all interconnected and co-dependent systems including an organization supply chain," Hickman wrote. "Today, supply chain vulnerabilities are increasingly used to attack organizations, whether it is from the introduction of malware via weak supply chain controls or direct attacks from 3rd party breached systems. As organizations prepare for the threat of quantum, they need to also consider the extent to which their supply chain presents risks and need to start including post quantum readiness into supply chain risk assessments. To do this, it is critical for businesses to understand the origin and authenticity of all the components that are in the supply chain (both hardware and software). This is especially true for IoT devices, which rely on systems and subsystems created by multiple partners and vendors bringing their solutions together to make a fully functioning connected product/system." He concluded, In short, if you have portions of your supply chain that do not have a plan to be ready for post quantum cryptography, it might be a good time to look for another supplier.”

Deadline for comment on US cybersecurity regulations extended to October 31st.

The US Office of the National Cyber Director (ONCD) has invited public comment "on opportunities for and obstacles to harmonizing cybersecurity regulations, per Strategic Objective 1.1 of the National Cybersecurity Strategy." The challenge involved in understanding the implications of regulatory overlap is complicated, and ONCD has extended the deadline for comments from September 15th to October 31st. Comments may be submitted through www.regulations.gov.

Selected Reading

Quantum Readiness: Migration to Post-Quantum Cryptography (CISA | NSA | NIST) The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) created this factsheet to inform organizations — especially those that support Critical Infrastructure — about the impacts of quantum capabilities, and to encourage the early planning for migration to postquantum cryptographic standards by developing a Quantum-Readiness Roadmap

Controversial Cybercrime Law Passes in Jordan (Dark Reading) The increase in cyberattacks against the Middle East in the last few years has pressured Jordan and other nations to better secure their infrastructures.

Changes to UK Surveillance Regime May Violate International Law (Just Security) Proposed changes to the UK Investigatory Powers Act 2016 may violate international human rights law.

Request for Information on Cyber Regulatory Harmonization; Request for Information: Opportunities for and Obstacles To Harmonizing Cybersecurity Regulations (Federal Register) The Office of the National Cyber Director (ONCD) invites public comments on opportunities for and obstacles to harmonizing cybersecurity regulations, per Strategic Objective 1.1 of the National Cybersecurity Strategy. ONCD seeks input from stakeholders to understand existing challenges with...

ONCD extends deadline for comments on new sector cybersecurity requirements (FedScoop) Industry, academics and nonprofits now have until Oct. 31 to respond to the call for evidence.

The Senate’s Defense-Policy Bill Looks for Threats in the Rear-View Mirror (Real Clear Defense) The upper house orders up an investigation of the 2020 SolarWinds hack while saying all but nothing about AI.

A Divorce Between the Navy and Cyber Command Would Be Dangerous (War on the Rocks) Frustrated by reports of the U.S. Navy’s underperformance in cyber operations, Congress has made an unusual request. The Fiscal Year 2023 National Defense

A Young Congressman Is Sounding Alarms About Election Security. We Should Listen to Him. (The Messenger) Chris Deluzio, a House Democrat from Pennsylvania, wants tougher oversight of election technology companies and a different approach to fighting social media lies

A win for Biden administration's cyber agenda in court (Washington Post) Judge rules favorably on Treasury sanctions of crypto service

A Pennsylvania court says state police can't hide how it monitors social media (AP News) Pennsylvania’s Supreme Court handed civil liberties advocates a victory, ruling that state police can't hide from the public its policy governing how it monitors social media.