Anyone reading this blog already knows that cybersecurity is a team sport. No longer does the IT security department bear sole responsibility for protecting a company’s data and systems. Today companies are setting up enterprise-wide councils to oversee cybersecurity that include lawyers, risk managers, technical professionals, and other leaders. And if a breach occurs, that […]
Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Years in the making, CISA is intended to incentivize organizations to share cyber threat indicators with the federal government and to promote the dissemination of this information to organizations facing similar threats. The spending bill included a number of other cybersecurity provisions covering topics ranging from federal preparedness to foreign policy strategy. Most notably, the bill directs the Department of Health and Human Services to develop cybersecurity best practices for organizations in the healthcare industry. The bill also directs federal agencies to create new plans to fortify federal information systems and identify cyber-related gaps in the federal workforce.
One of the most common devices in the emerging Internet of Things (IoT) was reportedly discovered to have a bug. According to the research firm Fortinet, a popular fitness tracker was vulnerable to wireless attacks through its unsecured Bluetooth port. A savvy attacker could install malware wirelessly within ten seconds—simply by coming within a few feet of the tracker. When the device’s owner returned home to sync daily activity with a computer, the malware could, in principle, infect the computer as well.
Recent developments in the United States suggest that cybersecurity of the maritime sector will come under increasing focus in 2016. On December 16, 2015, H.R. 3878, “Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015,” passed the House of Representatives. The Bill’s language echoes and expands upon recommendations made by the General Accountability Audit in its June 5, 2014 study Maritime Port Cybersecurity. It also reflects congressional focus on enabling cybersecurity information sharing as seen in the recent passage of the Cybersecurity Information Sharing Act.
The threat of ransomware is one of three example scenarios highlighted in a recent white paper released by the National Institute of Standards and Technology, titled Data Integrity: Reducing the Impact of an Attack. The paper launches a joint project led by the National Cybersecurity Center of Excellence, with participation by the Financial Services Information Sharing and Analysis Center and several private sector organizations.
At a trialogue meeting on December 7, the Luxembourg Presidency of the Council of the European Union reached agreement with the European Parliament on common rules to strengthen network and information security (NIS) across the EU. The new directive will set out the first ever EU-wide cybersecurity obligations for operators of essential services and digital […]
After a prolonged debate and months-long consideration of amendments, the Senate has passed S. 754, which includes the Cybersecurity Information Sharing Act (“CISA”) of 2015, by a vote of 74-21. CISA has the support of the White House and many industry stakeholders, but some of the most well-recognized privacy advocacy organizations oppose it. The House of Representatives must now decide whether to pass CISA or work with the Senate on compromise legislation that incorporates the House cybersecurity information sharing bills, H.R. 1560 and H.R. 1731. It remains to be seen what form the final cybersecurity information sharing bill will take, but the Senate’s overwhelming vote for CISA suggests that the chances for overall passage are stronger than ever.
The National Institute of Standards and Technology released the draft Framework for Cyber-Physical Systems on September 18. The Framework is intended to serve as a common blueprint for the development of safe, secure, and interoperable systems as varied as smart energy grids, wearable devices, and connected cars. The NIST Cyber-Physical Systems Public Working Group developed the draft document over the past year with input from several hundred experts from industry, academia, and government. NIST will be accepting public comment on the draft for the next 45 days.
This article is not about morality but about an urgently-needed change in behaviour. For real and for good. The much talked-about saga involving the theft and subsequent publication of customer data from extramarital affairs website Ashley Madison, has sparked many debates. Opinions have ranged from those who see this as a just punishment for the organised cheating industry to those who have ranked this hack as the most serious privacy violation since the invention of the Internet. The degree of sympathy for the victims has also been variable, but what appears to be a constant theme is the perception that this incident will have more dramatic consequences than any other cyber-attacks we have seen.
On August 12, the National Institute of Standards and Technology published a Request for Information to help develop the next generation of technical encryption standards used by the U.S. Government and federal contractors to protect sensitive information. The new standard will update Fair Information Processing Standard 140-2, which has provided the baseline requirements for the development, testing, and validation of cryptographic modules since 2001. While the RFI seeks input on several questions, NIST is primarily interested in the risks and benefits of transitioning—in whole or in part—to a competing standard developed by the International Standards Organization and International Electrotechnical Commission: ISO/IEC 19790:2012.
After the recent release of the discussion draft of its Framework for Cyber-Physical Systems, the National Institute for Standards and Technology has continued its push to facilitate the development of a more secure interconnected environment by convening a workshop on cybersecurity for smart cities. Co-hosted by the Cyber Security Research Alliance and titled “Designed-in Cybersecurity for Smart Cities: A Discussion of Unifying Architectures, Standards, Lessons Learned and R&D Strategies,” the workshop brought together representatives of government, industry, and academia to discuss how cybersecurity and privacy might be designed into the infrastructure of smart cities.
The U.S. Federal Communications Commission’s Public Safety and Homeland Security Bureau has requested public input on a recent report on Cybersecurity Risk Management and Best Practices by the Communications Security, Reliability and Interoperability Council for communications providers. The Report represents the latest example of the U.S. government’s continued attention to these issues following the President’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Comments are due May 29, with replies due June 26.
On 1 April 2015, President Obama signed an Executive Order authorizing the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities constituting a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. The Treasury Department’s Office of Foreign Assets Control simultaneously released FAQs related to the Order. The White House, in a statement by President Obama and in FAQs on the White House Blog, explained that the Order will be used to impose targeted sanctions against the “worst of the worst” malicious cyber actors, as well as companies that knowingly use stolen trade secrets.
This week, the National Institute of Standards and Technology released a preliminary discussion draft of its Framework for Cyber-Physical Systems. The draft has an ambitious goal: to create an integrated framework of standards that will form the blueprint for the creation of a massive interoperable network of cyber-physical systems (CPS), also known as the “Internet of Things.” In 2014, NIST established the cyber-physical systems public working group (CPS PWG)—an open public forum which includes representatives from government, industry, and academia—to develop the CPS framework. By creating a common framework at an early stage of the Internet of Things, the CPS PWG hopes to ensure the development of a secure, integrated, and interoperable ecosystem of connected devices. The CPS PWG will continue to solicit input as it refines the draft and works to finalize the framework for use in multiple industry sectors.
A recently-released research study published by Indiana University’s Bloomington School of Law highlights the rising importance of cybersecurity law and provides current insights on the role lawyers are playing to help protect companies from cyber threats. The study, entitled “The Emergence of Cybersecurity Law,” is based on a survey of corporate law departments as well as interviews conducted with lawyers, consultants, and academic experts.
Tonight, the President’s State of the Union address covered, as he put it, “the tasks that lie ahead.” Among the policy initiatives that he proposed, he “urge[d]…Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.” What he was referring to is a set of cybersecurity and info sharing initiatives and privacy and data security proposals that the White House started rolling out last week. The President also alluded to a report to be released next month that will address the Administration’s actions to curtail domestic surveillance programs. We provide here excerpts of the President’s address that discuss cybersecurity, data security, and privacy.
President Obama today addressed cybersecurity for the second time in as many days in a speech at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). Early this morning, the White House announced a February 13 Summit on Cybersecurity and Consumer Protection and released further details on several initiatives to promote cybersecurity information sharing between the private sector and government. The President then convened a meeting with congressional leaders in which he discussed cybersecurity issues. Speaking about his cooperation with House Speaker John Boehner (R-OH) and Senate Majority Leader Mitch McConnell (R-KY), the President noted “I think we agreed that this is an area where we can work hard together, get some legislation done and make sure that we are much more effective in protecting the American people from these kinds of cyber attacks.” Today’s developments follow the President’s address to the Federal Trade Commission (FTC) yesterday, in which he announced a legislative proposal on national data breach reporting and emphasized the importance of student and consumer privacy. Together, these events provide a preview of initiatives that the President is expected to highlight during his State of the Union address on January 20.
Today, the President spoke at the Federal Trade Commission on the importance of preventing identity theft and improving consumer and student privacy. Today’s speech has been billed as a first look at a broader White House policy initiative on cybersecurity, identity theft, and privacy that will continue this week and will be included in the President’s State of the Union address to Congress on January 20th. Tomorrow, the President will highlight the work of the Department of Homeland Security and the importance of public-private collaboration on cyber threats and is expected to release policy proposals over the coming weeks.
On December 5, the National Institute of Standards and Technology issued an update regarding its Framework for Improving Critical Infrastructure Cybersecurity. Since its release in February 2014, the Framework has become an important benchmark for corporate cybersecurity programs. NIST’s update addresses industry input received from an October workshop and an August Request for Information. It also describes NIST’s plans to support future use of the Framework.
The medical internet of things is coming. That was the common recognition of participants at a two-day public workshop on “Collaborative Approaches for Medical Device and Healthcare Cybersecurity” co-sponsored by the Food and Drug Administration, Department of Health and Human Services, and the Department of Homeland Security. The workshop comes during a busy month for medical device cybersecurity, with the FDA issuing final guidance earlier this month and DHS indicating that it is reviewing dozens of potential cybersecurity vulnerabilities in medical devices.
Six months after release of the Framework for Improving Critical Infrastructure Cybersecurity, on August 21 the National Institute of Standards and Technology put forward a draft Request For Information to learn more about experiences with and effectiveness of the Framework. Through the RFI process, NIST seeks to better understand how organizations in all critical infrastructure sectors are approaching and making specific use of the Framework. Responses to the RFI are expected to shape the agenda for NIST’s 6th Cybersecurity Framework Workshop, its first following the Framework’s release.
On April 10, 2014, the Department of Justice and Federal Trade Commission issued a joint policy statement on the antitrust implications of sharing cybersecurity information to help facilitate the flow of cyberintelligence throughout the private sector. The statement addresses the long-standing concern that sharing cyberintelligence may violate antitrust law under certain circumstances and explains the analytical framework for such arrangements to make it clear that legitimate cyberintelligence exchanges will not raise antitrust issues.
The Federal Trade Commission (“FTC”) has settled with two mobile application developers, Fandango and Credit Karma, over charges that they misrepresented the security of their mobile applications. According to the FTC, the developers failed to provide reasonable and appropriate security when their mobile applications transmitted consumers’ sensitive information. The particular issues noted by the FTC in its complaints against the developers differ to some degree, but the complaints share a common thread: the developers disabled the Secure Sockets Layer (SSL) protocol, which authenticates and encrypts communications across networks. In our post, we provide a high-level description of how SSL works, summarize the FTC’s complaints against Fandango and Credit Karma, and identify some important takeaways from these settlements.
On March 27, senior members of the Hogan Lovells Privacy and Cybersecurity practice will present a timely and practical webcast on how businesses can prepare for and address the risks of cybersecurity incidents in this time of high alert. Visit the full blog post to learn more and to register for this free event.