At a glance.
- US announces "Disruptive Technology Strike Force."
- Germany's Constitutional Court finds against police use of Palantir.
- Implications of Belgium's new vulnerability disclosure regulations.
US announces "Disruptive Technology Strike Force."
US Deputy Attorney General Lisa Monaco yesterday announced the formation of a Disruptive Technology Strike Force, an interagency collaboration between the US Departments of Justice and Commerce. Its aim will be to deny hostile governments “tactical advantage through the acquisition, use, and abuse of disruptive technology, innovations that are fueling the next generation of military and national security capabilities.” The new Strike Force is intended, CyberScoop reports, as an evolutionary development of the Committee on Foreign Investment in the U.S. (CFIUS), the mechanism that's hitherto been used to protect US technology from hostile foreign poaching. The Disruptive Technology Strike Force is expected to bring enforcement out of the "brick-and-mortar" period in which CFIUS was drafted and into the present age of cyberespionage.
Germany's Constitutional Court finds against police use of Palantir.
Deutsche Welle reports that Germany's Federal Constitutional Court has ruled against police use of Palantir to automate processing of personal data in the course of crime prevention efforts. According to Reuters, the tool was deemed to have "violated the right to informational self-determination." The ruling directly affects the Länder of Hessen and Hamburg. Hessen, where police currently use Palantir, has until September 30th to rewrite its regulations. Hamburg, where police haven't yet brought Palantir into use, has simply had its plans to do so cancelled.
Implications of Belgium's new vulnerability disclosure regulations.
Rules developed by the Centre for Cybersecurity Belgium (CCB) to cover voluntary disclosure of vulnerabilities went into effect this week. "In the event that an organization responsible for a network, or information system (hereafter, responsible organization) has a coordinated vulnerability disclosure policy (hereafter, CVDP), individuals who discover a vulnerability within the scope of that CVDP should contact directly and only the responsible organization," the CCB wrote. "If difficulties arise or if the responsible organization fails to respond within a reasonable time frame, then participants in a CVDP may contact the CCB (default coordinator role). If the vulnerability also affects other organizations that do not have a CVDP, the vulnerability can still be reported to the CCB." The regulations are seen as lending clarity to the process surrounding vulnerability research.
The Daily Swig says the regulations effectively make Belgium a safe harbor for ethical hackers, and industry sources tend to agree. Chloe Messdaghi, Managing Director at Impactive Partners, thinks Belgium's regulatory regime should serve as a model for other countries' policies:
"Belgium is offering a good example of where every country needs to be with their vulnerability disclosure policies. Unfortunately, the US is still piecing together our VDP legal framework, although in 2022, the DOJ revised its policies under the Computer Fraud and Abuse Act (CFAA) to help protect 'good-faith' security research from being prosecuted, and the US Army actively encourages researchers to participate in its VDP.
"With cyber threats growing exponentially over the last several years, it’s past time to actually require that certain types and sizes of organizations across the US – and especially including all Federal agencies and NGOs – have robust protective, active vulnerability disclosure policies. VDPs have been viewed by security-aware organizations as a must-have for many years. The thing to remember is that EVERYONE in both the public and private sector is now a target, and virtually everyone has exploitable, exposed assets they need to find and fix before a threat actor finds them – this is why we need VDPs.
"Remember back in 2021 when the UN disclosed a data breach exposing over 100K UNEP records? We applauded Sakura Samurai’s team – what they did was worthy of it! This was successful because the UN’s vulnerability disclosure policy was transparent – that’s why they decided to look for the vulnerabilities. There was a sense of trust that they would be recognized, not persecuted. This was a great example of how vulnerability disclosure policies work, and underscored the value of working closely with independent researchers, i.e., hackers."
Christopher Vaughan, VP, Technical Account Management at Tanium, also welcomes the regulations:
“This is a welcome development, and having such laws in place will make Belgium a more secure country as a whole. Further, it will help position Belgium as a go-to destination for security research, with a corresponding benefit of cultivating more homegrown talent.
“We can also expect to see some ambiguity around what's considered legal and what isn't. There isn’t a huge sample size of where policies such as this have been enacted on a national level, so it will be interesting to see a program of this scale in action.”