At a glance.
- CISA head speaks at major US tech event.
- New Year’s resolutions in the way of privacy legislation.
CISA head speaks at major US tech event.
As the war in Ukraine rages on, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly says the US should remain vigilant against the threat of Russian cyberaggression. Fears of Russian retaliation for the US’s support of Ukraine were top of mind when the war began last year. As the Hill notes, so far there have been no attacks, but Easterly says that’s no reason to get complacent. Speaking on a panel at the CES 2023 tech event on Thursday, Easterly said, “It looks like it’s not going to end anytime soon. We need to continue to be vigilant, keep our shields up, and ensure that we are putting all those controls in place.” As the Hill explains, Easterly speculates that Russia has not yet attacked the US because Moscow realizes that a strike against the US would be considered “very escalatory.” She also noted that the current security structure in the private sector places too much responsibility on the consumer, who is the least knowledgeable about the threats they could face, and she highlighted the need for incentives that would make companies push cybersecurity up on their list of priorities.
At the same event, Easterly also highlighted the need for the tech industry, consumers, and government to collaborate to protect the interconnected network of technology that touches all sectors of the economy. “We live in a world…of massive connections where that critical infrastructure that we rely upon is all underpinned by a technology ecosystem that unfortunately has become really unsafe,” Easterly told Yahoo Finance. She also addressed the rise in cyberattacks targeting learning institutions and healthcare facilities, which are often the entities least prepared to protect themselves. “We cannot have the same sort of attacks on hospitals and school districts that we've been seeing for years,” Easterly stated. “We have to create a sustainable approach to cyber safety, and that's the message that I'm bringing to CES.” She also sent a message to Big Tech, noting that the companies that provide the world’s computers should be held to a higher standard of security.
New Year’s resolutions in the way of privacy legislation.
As we entered 2023, two new US state privacy laws came into effect on January 1: the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). Three additional privacy laws will come into effect later this year: the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) on July 1, and the Utah Consumer Privacy Act (UCPA) on December 31. Businesses will need to update their privacy plans to make sure they are in compliance with these new rules, and Wiley offers advice for companies to avoid violations. The California and Colorado laws are intentionally broad in order to allow for future rulemaking, meaning compliance could become a moving target as the year unfolds and the rules are finalized. In addition, each of the five states has a unique enforcement regime, so companies must work to understand the expectations of each new law. To maximize efficiency, companies subject to multiple state privacy laws are advised, whenever possible, to establish comprehensive privacy programs that can ensure compliance under multiple frameworks.
Ev Kontsevoy, CEO & Co-Founder of Teleport, welcomes the laws, but sees them as falling far short of what’s necessary. “While state-wide data privacy laws, like those now active in California and Virginia, should be welcomed, they’re like putting a Band-Aid on a broken leg,” he wrote. “Simply put, privacy laws are fine, but 50 different ones are not. That’s because it creates an ever-growing patchwork of conflicting data privacy laws that burden businesses with unnecessary complexity. It will stifle innovation and limit competition by putting small internet-based companies at a disadvantage compared to incumbents who can afford the additional regulatory burden. To combat this, Congress should further elevate and simplify data privacy laws with a federal-wide policy on what compliance requirements enterprises must meet.”