Happy New Year, CyberWire Pro readers! As a special thank you, we would like to offer you a free CyberVista practice test or free access to the Cloud Security Essentials Course, Use code PROLEARN at checkout to redeem this limited time offer.
Tech giants have long benefited from the fact that their popularity gives them greater influence over the tech market. Last year the European Commission passed the Digital Markets Act, new rules designed to weaken Big Tech’s hold on the market and give smaller companies a chance. However, some fear that EU legislation could have a negative impact on encryption. Wired spoke with Andy Yen, the owner of Swiss technology firm Proton AG, to discuss how the new rules will affect smaller firms like his. Proton offers the same sorts of services that heavy-hitters like Apple and Google do – email, calendar, cloud storage, and so on – but the main difference is that all of Proton’s products are encrypted in order to increase user privacy. Yen notes that while the EU’s new rules, spearheaded by the Commission’s head of competition Margrethe Vestager, should work in smaller firms’ favor, enforcement will be challenging given Big Tech’s endless financial resources. “They [Big Tech] are throwing literally hundreds of millions of euros at this problem,” Yen says. “And as much as Ms. Vestager is committed to fighting this, she is facing an uphill battle against enormous resources of entrenched powers. So it will be a tough fight.” He also notes that other European regulations, like the Online Safety Bill and the EU’s chat control proposal, could make things more difficult for encrypted platforms, which are being scrutinized in the effort to fight against child abuse and other illegal activities. Yen questions whether this is the right tactic. “There's many other technological ways to do this—by looking at patterns of behavior, for example,” Yen argues. “We need to always find the right balance. And for me, mandating that we undermine or weaken or break encryption, that's not the right balance.”
The US Federal Communications Commission’s Wireline Competition Bureau (WCB), which oversees American broadband and voice communications services, announced the deadlines for Gateway Provider Robocall Mitigation Requirements. Gateware providers, which are the entry points for foreign calls into the US, will be required to submit their plans for robocall mitigation to the Robocall Mitigation Database by January 11. The plans must include “know your upstream provider” provisions to prevent illegal robocall traffic, as well as a pledge to respond to all traceback requisitions within 24 hours, and a commitment to cooperate with investigations of illegal robocallers. “The implementation of these requirements is a critical step in protecting consumers in the United States from foreign-originated illegal robocalls, which the Commission has observed are a significant portion, if not the majority, of all illegal robocalls,” the announcement reads.
In more news from the FCC, on January 6 the commission voted to overhaul its breach notification rules for telecommunications companies. Created over fifteen years ago, the current rules are in dire need of an update to keep up with modern technology, the Record by Recorded Future explains. While the idea of a revamp was introduced last year, the vote to proceed took place on Friday. FCC Chairwoman Jessica Rosenworcel stated, “The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements.” As Yahoo News notes, in particular the agency is pushing to change a provision that allows companies up to seven days to notify consumers of a data breach. There also is currently no language specifying what details must be conveyed to consumers about such an incident, and the FCC is asking the public for input on what information would be most useful to the general public. Rosenworcel added that the commission is seeking comments on how its new breach reporting rules could work alongside the Cybersecurity and Infrastructure Security Agency’s own breach reporting rules for critical infrastructure owners.
Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, wrote to observe that this kind of rule can be distinctly hard on the companies it applies to. "This is all good news for consumers, but the requirement to immediately report could prove onerous. By requiring covered companies to have to report breaches right away it's going to make it more difficult for those companies to get all of the facts exactly right, right away. Will a company get sued if what it reports right away is inaccurate? Let's hope regulators use common sense leeway."
Sweden vows to push defense collaboration, cyber defense at EU helm (Defense News) Stockholm has set out to move the needle on joint procurement arrangements for military equipment within the European Union.
China, a Pioneer in Regulating Algorithms, Turns Its Focus to Deepfakes (Wall Street Journal) Beijing is among the first governments to regulate hyper-realistic, AI-generated media with new rules set to take effect Jan. 10.
Encryption Faces an Existential Threat in Europe (WIRED) The CEO of Proton says new competition laws have finally given him a voice in Brussels, even as he fights the EU’s anti-encryption campaign.
The FCC wants carriers to notify you sooner when there's a data breach (Yahoo) The FCC has proposed rules that could let carriers alert you to data breaches much sooner.
FCC to mull changes to telecom data breach notifications (The Record from Recorded Future News) The FCC voted unanimously to investigate potential changes to the breach notification rules for telecommunications companies.
WCB Announces Deadlines for Gateway Provider Robocall Mitigation Rules (Federal Communications Commission) The Wireline Competition Bureau announces that gateway providers have until January 11, 2023 to submit certifications, including robocall mitigation plans, to the Robocall Mitigation Database pursuant to section 64.6305(d) of the Commission's rules
Japan police patrol cyberspace to protect VIPs (Japan News) Police nationwide are compiling and analyzing social media postings that might indicate future attacks on dignitaries, The Yomiuri Shimbun has learned, spurred by the fatal shooting of former Prime Minister Shinzo Abe six months ago.
