At a glance.
- EU considers changes to product lifecycle and vulnerability disclosure rules.
- FBI works to gain the trust of ransomware victims.
- The impact of the impending Section 230 ruling on user-created content.
- The challenges of self-attestation.
- US and India launch tech research and development partnership.
EU considers changes to product lifecycle and vulnerability disclosure rules.
Euractiv reports that the EU is contemplating adjusting the definition of “product lifecycle” as it pertains to the Cyber Resilience Act, a legislative proposal to introduce baseline cybersecurity requirements for Internet of Things (IoT) products. While the original proposal mandated that manufacturers ensure the security of their IoT products throughout their lifecycle or for a maximum of five years, the Swedish government is circulating compromise text that would better account for the fact that different products have lifecycles of different lengths. The compromise reads, “Manufacturers shall ensure when placing a product with digital elements on the market and for a period of time after the placing on the market, appropriate to the type of product and its expected lifetime.” The changes are scheduled to be discussed today by the Horizontal Working Party on Cyber Issues. Another topic of discussion will be conformity assessment and the list of critical products that require a third-party assessment before being placed on the European market.
FBI works to gain the trust of ransomware victims.
Last week, after disclosing that the Federal Bureau of Investigation (FBI) had been engaged in a months-long operation to take down the Hive ransomware gang's digital operations, FBI director Christopher Wray revealed that only 20% of Hive's victims had reported potential issues to law enforcement during the course of the operation. As Adam Flatley, vice president of intelligence at cyber defense firm Redacted, told Axios, there’s a distrust about engaging agencies like the FBI or the Cybersecurity and Infrastructure Security Agency (CISA) in cyberattack investigations. According to a 2021 survey from cybersecurity firm Talion, about 45% of cyber professionals think calling in law enforcement would slow down data recovery and distract their companies' IT teams. Firms worry the Feds will muck up their own internal investigations, or that involving them will damage negotiations with the attackers. With the Hive sting, agents tried to demonstrate that this is not the case. The FBI quickly deployed Hive decryption keys to victims, demonstrating the value of having federal investigators involved when threat actors attack. As CISA prepares to enact forthcoming cyber incident reporting laws, experts wonder whether the new measures will help ransomware victims feel more confident about involving the government. Victims also fear that involving the FBI will draw unwelcome and intrusive regulatory attention. The Bureau has worked for years to dispel that concern, promising to treat victims as victims, and not to dime them out to regulatory bodies over any tangential issues an investigation might reveal.
The impact of the impending Section 230 ruling on user-created content.
As we’ve discussed previously, later this month the US Supreme Court is set to hear a case that could determine the future of Section 230, a provision in the Communications Decency Act that shields social media platforms from responsibility for user-created content. MIT Technology Review discusses why the case is such a big deal, and what it could mean for tech giants like Meta, Google, Twitter, and YouTube. If the court decides to repeal or reinterpret 230, these companies might have to drastically overhaul their content moderation processes and platform structures. User moderators might also suddenly become liable for their actions, which would be devastating for platforms like Reddit, where user upvotes determine what content is most visible, or Wikipedia, which depends almost entirely on user content.
Ben Lee, Reddit’s general counsel, asks, “Can we [users] be dragged into a lawsuit, even a well-meaning lawsuit, just because we put a two-star review for a restaurant, just because we clicked downvote or upvote on that one post, just because we decided to help volunteer for our community and start taking out posts or adding in posts?” As CNBC notes, states like Texas and Florida have further complicated matters by enacting state-level laws to prevent online platforms from discriminating on their services based on viewpoint. Experts worry that if Section 230 is degraded, the future of content moderation will be determined by a confusing, fragmented tangle of state laws. Google’s General Counsel Halimah DeLaine Prado wrote in a blog post, “Without Section 230, some websites would be forced to overblock, filtering content that could create any potential legal risk, and might shut down some services altogether.” Still, some experts hope such confusion could motivate Congress to enact federal legislation that better clarifies the ins and outs of moderation.
The challenges of self-attestation.
A cybersecurity rule will be enacted in the US later this year that requires agencies to acquire “self-attestation letters” from software vendors stating whether a product adheres to National Institute of Standards and Technology (NIST) guidelines. While Federal Acquisition Regulation officials are still considering the proposed rule, the General Services Administration (GSA) said it will start collecting attestations by mid-June and is already developing training on the coming system. As Bloomberg Government explains, some agency contractors and vendors are worried that with such a wide network of companies providing software, obtaining attestation will be an almost impossible task. Joanne Woytek, NASA program manager for the government-wide acquisition contract called SEWP, stated, “I don’t know how that can possibly work. But we’re going to work as best we can, working with GSA and [National Institute of Standards and Technology] and others to determine what this policy means and how it might actually operate in a world in which there [are not] 10 companies but many thousands of companies selling software.” The Information Technology Industry Council submitted a letter to the Office of Management and Budget in November outlining suggestions, like using a single standardized form for all agencies, that could make the process go more smoothly.
US and India launch tech research and development partnership.
US national security adviser Jake Sullivan met with his Indian counterpart Ajit Doval on Tuesday to formally launch an initiative on critical and emerging technologies, or iCET, Candid.Technology reports. The product of a partnership announced last May by US President Joe Biden and Indian Prime Minister Narendra Modi, the initiative’s goal is to elevate and expand the strategic and defense technology partnership between the two countries. As the Washington Post explains, among other things, the deal will promote joint production of defense equipment like military jet engines and long-range artillery. “To expand and deepen our technology partnership, the United States and India are launching new bilateral initiatives and welcoming new cooperation between our governments, industry and academia,” the White House said in a statement.