The Kazakhstan government is intercepting all HTTPS-encrypted internet traffic within its borders.
Under a new directive effective July 17, the Kazakhstan government is requiring every internet service provider in the country to have its subscribers install a government-issued root certificate on every internet-enabled device and browser. Once that root is trusted by the device, an interception proxy operating on the government’s behalf can present its own certificate for any website, the browser accepts it without warning, and the proxy can decrypt, inspect and re-encrypt HTTPS traffic in both directions, not just incoming data.
Kazakhstan ISP Kcell posted a notification on its website of the new policy, stating:
“In connection with the frequent cases of theft of personal and credential data, as well as money from bank accounts of Kazakhstan, a security certificate was introduced that will become an effective tool for protecting the country’s information space from hackers, Internet fraudsters and other types of cyber threats.
The introduction of a security certificate will help in the protection of information systems and data, as well as in identifying hacker cyber attacks of Internet fraudsters on the country’s information space systems, private, including the banking sector, before they can cause damage.”
The notification warned that “technical limitations may arise” for users who don’t install the certificate.
Despite the stated intention of the government, this requirement has all of the defining characteristics of a man-in-the-middle (MITM) attack: the encrypted connection is terminated at a proxy sitting between the user and the website, where the data can be read, scanned for sensitive content or altered before being re-encrypted and passed along. What normally stops such a proxy is that browsers reject certificates from an issuer they do not trust, and that is precisely the check the mandated certificate defeats.
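The following Go program is an added illustration, not code from the original post or from any Kazakhstani ISP. It builds a hypothetical self-signed “interception root”, uses it to mint a certificate for example.com the way a TLS-intercepting proxy would, and then checks that certificate twice: against an empty trust store (what a browser does before the user installs anything) and against a store containing the rogue root. The root name and the host are assumptions for the demo; the point is that the installed trust anchor alone turns a certificate that should be rejected into one that passes full chain and hostname validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// RogueRootCN is the name of the hypothetical interception root used in this demo.
const RogueRootCN = "Demo Interception Root (hypothetical)"

// Demo holds a server certificate that no public CA issued, together with the
// trust anchor a user would have to install for it to be accepted.
type Demo struct {
	Leaf    *x509.Certificate   // certificate the proxy presents for example.com
	Trusted []*x509.Certificate // the root the ISP tells subscribers to install
}

// issue creates a certificate for tmpl. With parent == nil it is self-signed
// with its own fresh key; otherwise it is signed by parentKey.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemo creates the self-signed interception root and mints a certificate
// for example.com under it, exactly as an intercepting proxy does on the fly.
func BuildDemo() (*Demo, error) {
	now := time.Now()
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: RogueRootCN},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.com"},
		DNSNames:     []string{"example.com"}, // assumed target site
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	if err != nil {
		return nil, err
	}
	return &Demo{Leaf: leaf, Trusted: []*x509.Certificate{root}}, nil
}

// CheckServerCert validates leaf for host against exactly the given roots (nil
// means "trust nothing"; the system store is deliberately not consulted) and
// returns the CommonName of the root the chain terminated at.
func CheckServerCert(leaf *x509.Certificate, roots []*x509.Certificate, host string) (string, error) {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	if err != nil {
		return "", err
	}
	chain := chains[0]
	return chain[len(chain)-1].Subject.CommonName, nil
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		log.Fatal(err)
	}
	// Without the extra root the forged certificate is rejected ...
	if _, err := CheckServerCert(d.Leaf, nil, "example.com"); err != nil {
		fmt.Println("without installed root:", err)
	}
	// ... and with it the proxy's certificate is accepted for the site it names.
	cn, err := CheckServerCert(d.Leaf, d.Trusted, "example.com")
	fmt.Println("with installed root: chain ends at", cn, err)
}
```

The practitioner’s check on a real device is the same as the second call: look at which root the chain for a well-known site ends at. If it is an unfamiliar, locally installed root rather than the site’s public CA, the connection is being intercepted, and removing that root from the trust store restores the warning the browser would otherwise have shown.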
The post Kazakhstan Government Intercepting All Secured Internet Traffic appeared first on Adam Levin.
While there is significantly more to be done to protect our data, consumers have never been better apprised of the imperiled state of their privacy. That said, it’s still an acute problem. The air travel equivalent would be when the cabin depressurizes and oxygen masks drop. In the dramatic destabilization that has occurred to our collective privacy over the past 15 years, the trigger event–a mixture of Facebook arrogance and the Equifax breach–has come and gone, but kids have not yet received the crucial attention needed to protect their data.
A recent study shows that nearly 40% of Amazon Prime Day shoppers have actively avoided Alexa-enabled products because they are concerned about the possibility of eavesdropping. Mozilla Firefox now features enhanced tracking protection as a default behavior. And, Apple CEO Tim Cook memorably doubled (if not tripled) down on prioritizing user privacy as the parade of Facebook stories rattled consumers to the core. More recently, New York State introduced legislation to update its data protection and privacy laws, and California’s new privacy law, the CCPA, which shares many of the aims of the EU’s GDPR, goes into effect January 1, 2020.
Even with all the positive news from the frontlines of protecting consumer information, the safeguarding of children’s data still has a long way to go.
Consider just one recent story. Video-sharing giant YouTube is currently being investigated for the illegal collection of data from users under the age of 13 (competitor service TikTok recently paid $5.7 million in fines for similar practices), and Amazon’s Echo Dot is the focus of a class action suit for illegally recording children. A recent study from UC-Berkeley found that 57% of apps listed under Google Play’s “Designed for Families” section collected data on children under the age of 13 in direct violation of COPPA, the Children’s Online Privacy Protection Act.
How Did We Get Here?
Unless you have been living in an upside-down chowder bowl on the bottom of Cape Cod Bay, tracking and trafficking in the online browsing habits of children should come as no surprise. While there’s a massive industry for all user data, from online quizzes to browsing habits to online purchases, kids’ online worlds make them easy prey for pretty much every monetized online behavior out there.
ISPs, mobile carriers, social media providers, and web browsers are currently making a very healthy profit from the data associated with your day-to-day life, both on- and offline. Children are the Holy Grail for advertisers, and represent a sizable chunk of the consumer market. Their data is just as valuable as that of adults, if not more so.
While children are supposed to be protected under COPPA, the regulations have gone largely unchanged since it was passed in the late 90s, and became the law of the land in 2000. File under: “Man plans, God laughs.” Meanwhile, the Internet made Las Vegas look like a sad, poorly planned desert boom town gone bust. The surveillance economy didn’t exist when COPPA was conceived, and it needs to be updated to address our new world of constant, persistent, near-total exposure.
What is COPPA and Why Is it Failing?
The broad strokes of COPPA are straightforward: Websites and online services aren’t allowed to collect personal information from children under the age of 13 without the verifiable consent of a parent or guardian.
While this sounds reasonable, it also contains a major and easily exploited loophole: For a general-audience service, the obligations only kick in when the operator has actual knowledge that a particular user is under 13. There is no liability for non-compliance if the company never learns that a given piece of information belongs to an underage user. In short, if they don’t ask for the age of the user, they’re off the hook.
When COPPA went into effect, the internet had roughly 361 million users worldwide. For context, Facebook alone currently has 2.38 billion monthly active users. Only 3% of households in 2000 had broadband Internet access, with roughly a third of households being on dial-up internet.
We’ve come a long way (for better and worse). Currently 80% of pre-teens use social media, despite the fact that the most widely-used platforms all prohibit accounts for anyone under 13.
COPPA’s idea of children requiring permission from a parent made more sense when Internet access was mainly accomplished using a land line phone connection. The law neither allowed for nor expected multi-device households, with children able to connect to the Internet via IoT devices, tablets and mobile devices over a continuous wireless connection. It didn’t anticipate the rise of “free” apps that would track the activity of every user in exquisite detail. Had the framers of COPPA foreseen the advent of the surveillance economy, chances are pretty good they would have been busy chasing seed money in the late ’90s.
Connected devices are designed to be as user friendly as possible, which makes them child accessible. When Disney acquired Fox, that consolidation gave the new larger entity access to giant portfolios of underage-user data. It probably should have been COPPA’s Equifax moment, but if we’re going to keep it real, Equifax probably should have had a Home Depot moment. We live in a time when the profitability of a privacy depredation makes progress hard to come by.
Since it’s no mean feat to determine the age of a user, maybe it’s time to assume users are underage, and be more restrictive with captured data. Whatever happens next, the protection of children’s data is a problem in sore need of solutions as quickly as possible. There is too much at stake.
The post Tech Giants Are Using Children’s Online Data Like It’s 1999 (or ’98, to Be More Precise) appeared first on Adam Levin.
Have you ever seen the bridge of a commercial cargo shipping vessel? It is like a dream come true for every kid out there–a gigantic PlayStation. Unfortunately, maritime computer systems are also attractive to malicious cyber actors. Illustrating this interest by malicious individuals, the U.S. Coast Guard issued a safety alert warning all shipping companies […]
The post U.S. Coast Guard Releases Cybersecurity Measures for Commercial Vessels appeared first on The State of Security.
When it comes to ransomware attacks this year, it’s been a tale of three cities.
In May, the city of Baltimore suffered a massive ransomware attack that took many of its systems down for weeks — restricting employees’ access to email, closing online payment portals and even preventing parking enforcement officials from writing parking tickets. After the attack, the city’s mayor said several times the city would not be paying the extortion request, but it’s still expected to cost the city more than $10 million to recover.
But two cities — albeit smaller ones — in Florida chose to take a different route. Last month, the governments in Lake City and Riviera Beach chose to pay their attackers for the decryption keys after ransomware attacks, though paying is not the end of the job: the data still has to be decrypted and the systems rebuilt and verified.
The cities paid the hackers a combined $1 million in Bitcoin — and researchers say these kinds of attacks aren’t going to slow down. So when the next city or state government gets hit, should they pay up, or start the long process of manually recovering their data? We asked experts from Cisco Talos and Cisco Security to weigh in. Check out their answers over on the Cisco blog here.
As a U.S. cybersecurity company, McAfee supports legislation that aims to safeguard U.S. election security. After the 2016 election, McAfee sees the importance of improving and preserving election security; we even offered free security tools to local election boards prior to the 2018 elections and released educational research on how localities can best protect themselves in future elections. As the 2020 primary elections quickly approach, it is more important than ever that the federal government takes steps to ensure our election infrastructure is secure and that states and localities have the resources they need to quickly upgrade and secure systems.
The U.S. House of Representatives recently passed H.R. 2722, the Securing America’s Federal Elections (SAFE) Act, legislation introduced by Rep. Zoe Lofgren (D-CA) that would allocate $600 million for states to secure critical election infrastructure. The bill would require cybersecurity safeguards for hardware and software used in elections, prevent the use of wireless communication devices in election systems and require electronic voting machines to be manufactured in the United States. The SAFE Act is a key step to ensuring election security and integrity in the upcoming 2020 election.
Earlier this year, the House also passed H.R. 1, the For the People Act. During a House Homeland Security Committee hearing prior to the bill’s passage, the committee showed commitment to improving the efficiency of election audits and continuing to incentivize the patching of election systems in preparation for the 2020 elections. H.R. 1 and the SAFE Act demonstrate the government’s prioritization of combating election interference. It is exciting to see the House recognize the issue of election security, as it is a multifaceted process and a vital one to our nation’s democracy.
McAfee applauds the House for keeping its focus on election security and prioritizing the allocation of resources to states. We hope that Senate leadership will take up meaningful, comprehensive election security legislation so our country can fully prepare for a secure 2020 election.
The post House Actions on Election Security Bode Well for 2020 appeared first on McAfee Blogs.
The New York State Legislature recently passed a bill that aims to protect New York residents, regardless of the location of the business. The law, known as the Stop Hacks and Improve Electronic Data Security (SHIELD) Act is designed to address unauthorized access of data. The bill expands the definition of “Breach of the security […]
The post New York Passes a Law that Further Expands Cyber Protection appeared first on The State of Security.
In international election security news, the Libyan government arrested two men with ties to a Russian troll farm. They are accused of working to influence elections in Libya and various African countries.
Personal property seized from the suspects pointed to Fabrika Trollei, which according to a letter from the state prosecutor to a Libyan security chief, “specializes in influencing elections that are to be held in several African states.” The letter also alleges that the men secured a meeting with Saif al-Islam al-Qaddafi, the son of deposed dictator Moammar al-Qaddafi.
Libya had previously planned to hold elections this year, an initiative that was supported by the U.N. as part of the recovery process from the 2011 revolt. However, election plans have been disrupted by an April military offensive led by commander Khalifa Haftar who is focused on seizing the presidency. Haftar has received support from the U.A.E and Egypt, as well as from Russia.
The prosecution document named Maxim Shugalei and his translator Samer Hassan Seifan. A third Russian man, Alexander Prokofiev, escaped arrest but was named in the document. Three Libyans connected to the scheme have also been arrested. The ties to Fabrika Trollei are significant because of the organization’s connection to Russian oligarch Yevgeny Prigozhin, who was linked by special counsel Robert Mueller to Russian meddling in the 2016 United States presidential election.
Prigozhin has denied any role in election interference, but evidence suggests that his companies have been funding the efforts. The detained Russians also confessed their involvement in a campaign to influence elections in Madagascar. The accusations by the Libyan government point to a much larger Russian scheme to increase Russia’s geopolitical power in Africa and elsewhere, suggesting that Russian efforts to sway elections in their favor are expanding.
The post Two Russians Accused of Election Interference Arrested in Libya appeared first on Adam Levin.
A bill that would provide a billion dollars to states for election security was blocked by Senate Republicans.
The Election Security Act, proposed by presidential candidate Senator Amy Klobuchar (D-Minn.), would have required paper ballots for voting systems and would have required President Trump to provide a strategy for protecting institutions from foreign cyberattacks.
“There is a presidential election before us and if a few counties in one swing state or an entire state get hacked into there’s no backup paper ballots and we can’t figure out what happened, the entire election will be called into question,” said Klobuchar.
Senator James Lankford (R-Okla.), who has worked with Klobuchar on previous election security efforts, voted to stop the bill, arguing that federal funding couldn’t be effectively implemented in time for the 2020 elections.
“No matter how much money we threw at the states right now, they could not make that so by the 2020 presidential election,” Lankford said.
Calls for legislation to secure elections have been renewed in the wake of the redacted release of the Mueller report, which detailed Russian interference in 2016. While several bills have passed the House of Representatives, many have been blocked in the Republican-controlled Senate, particularly by Majority Leader Mitch McConnell.
President Trump has authorized a round of cyber attacks against Iran, and U.S. companies and agencies are bracing for counter attacks.
The Washington Post reported that the U.S. cyberattack had disabled Iranian missile control systems. The attack was the latest in escalating tensions between the two countries, which includes the recent downing of an unmanned surveillance drone.
“This operation imposes costs on the growing Iranian cyberthreat, but also serves to defend the United States Navy and shipping operations in the Strait of Hormuz,” said former senior White House cybersecurity official Thomas Bossert.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning organizations of potential retaliation from Iranian hackers, including the deployment of “wiper” malware that destroys data on targeted computers and networks rather than merely stealing it.
“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money,” said CISA director Christopher Krebs.
Cyber operations are being used alongside what the U.S. government calls “kinetic” actions, i.e. more traditional military operations. Earlier this month, the U.S. Cyber Command reportedly placed offensive malware inside Russia’s electrical grid.
Last month marked the one-year anniversary of the European Union’s General Data Protection Regulation, or GDPR. Since then, California has passed, and New York State has proposed, laws aimed at protecting the privacy of their residents along similar lines. Nevada has recently enacted a narrow privacy law. Meanwhile, privacy is dead.
Long Live Privacy!
At this anniversary time, it’s worth looking at what has and hasn’t worked in Europe.
The Good, the Bad, or the Woefully Ineffective?
Looking at the numbers released by the EU, familiarity with the law itself has been one of its greatest successes: Sixty-seven percent of Europeans have heard of the GDPR, and there were 144,376 queries and complaints reported in its first year. Add to these impressive figures the 89,271 data breach notifications issued, and it’s clear that despite its flaws, the law successfully addresses a set of problems that a more scattershot approach (with multiple statutes enacted by different EU member states) was unable to achieve.
Where the GDPR comes up short is enforcement: While the law allows fines for the mishandling of data of up to 4 percent of a company’s annual global turnover (or €20 million, whichever is higher), the actual numbers so far have been underwhelming. Far from preventative, they almost encourage bad cybersecurity. Take Google. The company was fined €50 million (roughly $57 million) by the French regulator for failing to obtain valid consent for personalized advertising–not a big number for them–and this single fine comprised the bulk of the €56 million in fines levied in total.
It is anticipated that heavier fines will be placed on companies under the GDPR going forward, Facebook most likely being the poster child, but the message so far is clear: Fines need to hurt if the goal is the deterrence of poor data practices.
The Biggest Issue
By far the largest flaw in the GDPR has been a lack of clarity caused by poor communication.
Even though 67 percent of Europeans have heard of the GDPR, only 20 percent know which public authority is responsible for it. Misinformation combined with the requirement for 72-hour breach notification set off a deluge to the U.K. data privacy regulator in 2018. One-third of those calls involved incidents well below the GDPR’s threshold. Misconceptions about what exactly was required under the law were so widespread that the Irish Data Protection Commission actually blogged about whether taking pictures of one’s children at a school event is permissible. (It is.)
Corporations have also struggled with what many perceive as the law’s ambiguity. Under the GDPR, “companies processing large amounts of special categories of personal data” are required to hire a data protection officer, or DPO, to ensure compliance. The problem is that the law doesn’t specifically define what “large amounts” are, and although the DPO is required to have “expert knowledge of data protection law,” there is no set definition for what qualifies as an expert, either. It’s a great idea to have someone at large corporations ensuring the careful and lawful handling of customer data, but the implementation is ill-defined by the GDPR, which could make a DPO’s job awkward or downright impossible.
The kinds of confusion caused by the GDPR seem contagious, and that’s just the nature of the beast. There are many stakeholders in the privacy racket, and they are often vigorously at odds with one another.
The privacy laws in the U.S. will be more of the same. The best innovation when it comes to the GDPR was that it created one law instead of a patchwork that might change the moment you crossed a border. While New York and California should be applauded for taking steps to protect the privacy and data of their citizens, having multiple sets of requirements for websites and businesses alike (as we have witnessed with more than 50 U.S. jurisdictions’ having individual and not necessarily complementary breach notification laws) will necessarily lead to widespread difficulty in their implementation and accessibility.
Perhaps the most important takeaway for any state wishing to mirror the data protections of the GDPR is that in order to be privacy-friendly and consumer-friendly, the application of the law itself should at least try to be user-friendly, too. Too many differences run the risk of any and all of these laws being reduced to “Accept” gnats to be clicked away when we visit our favorite websites–and that is a giant fail.
The post Will Business Lose Its Cookies Over These New Privacy Laws? appeared first on Adam Levin.
The Federal government has long struggled to close the cybersecurity workforce gap. The problem has continued to get worse as the number of threats against our networks, critical infrastructure, intellectual property, and the millions of IoT devices we use in our homes, offices and on our infrastructure increase. Without a robust cyber workforce, federal agencies will continue to struggle to develop and execute the policies needed to combat these ongoing issues.
The recent executive order on developing the nation’s cybersecurity workforce was a key step to closing that gap and shoring up the nation’s cyber posture. The widespread adoption of the NIST NICE Cybersecurity Workforce Framework, the development of a rotational program for Federal employees to expand their cybersecurity expertise and the President’s Cup cybersecurity competition are all crucial to retaining and growing the federal cyber workforce. If we are to get serious about closing the federal workforce gap, we have to encourage our current professionals to stay in the federal service and grow their expertise to defend against the threats of today and prepare for the threats of tomorrow.
Further, we must do more to bring individuals into the field by eliminating barriers of entry and increasing the educational opportunities available for people so that there can be a strong, diverse and growing cybersecurity workforce in both the federal government and the private sector. Expanding scholarship programs through the National Science Foundation (NSF) and Department of Homeland Security (DHS) for students who agree to work for federal and state agencies will go a long way to bringing new, diverse individuals into the industry. Additionally, these programs should be expanded to include many types of educational institutions including community colleges. Community colleges attract a different type of student than a 4-year institution, increasing diversity within the federal workforce while also tapping into a currently unused pipeline for cyber talent.
The administration’s prioritization of this issue is a positive step forward, and there has been progress made on closing the cyber skills gap in the U.S., but there is still work to be done. If we want to create a robust, diverse cyber workforce, the private sector, lawmakers and the administration must work together to come up with innovative solutions that build upon the recent executive order.
The post A Robust Federal Cybersecurity Workforce Is Key To Our National Security appeared first on McAfee Blogs.
As Europe heads to the polls this weekend (May 23-26) to elect the Members of the European Parliament (“MEPs”) representing the 28 EU Member States, the threat of disinformation campaigns aimed at voters looms large in the minds of politicians. Malicious players have every reason to try to undermine trust in established politicians, and push voters towards the political fringes, in an effort to destabilise European politics and weaken the EU’s clout in a tense geopolitical environment.
Disinformation campaigns are of course not a new phenomenon, and have been a feature of public life since the invention of the printing press. But the Internet and social media have given peddlers of fake news a whole new toolbox, offering bad actors unprecedented abilities to reach straight into the pockets of citizens via their mobile phones, while increasing their ability to hide their true identity.
This means that the tools to fight disinformation need to be upgraded in parallel. There is no doubt that more work is needed to tackle disinformation, but credit should also go to the efforts that are being made to protect citizens from misinformation during elections. The European Commission has engaged the main social media players in better reporting around political advertising and preventing the spread of misinformation, as a complement to the broader effort to tackle illegal content online. The EU’s foreign policy agency, the External Action Service, has also deployed a Rapid Alert System involving academics, fact-checkers, online platforms and partners around the world to help detect disinformation activities and to share information about disinformation campaigns and methods among member states, to help them stay on top of the game. The EU has also launched campaigns to make citizens more aware of disinformation and improve their cyber hygiene, inoculating them against such threats.
But adding cybersecurity research, analysis and intelligence trade craft to the mix is a vital element of an effective public policy strategy. And recently published research by Safeguard Cyber is a good example of how cybersecurity companies can help policymakers get to grips with disinformation.
The recent engagement between the European Commission’s in-house think-tank, the European Political Strategy Centre (EPSC), and Safeguard Cyber is a good example of how policymakers and cyber experts can work together, and we encourage more such collaboration and exchange of expertise in the months and years ahead. McAfee Fellow and Chief Scientist Raj Samani told more than 50 senior-ranking EU officials in early May that recent disinformation campaigns are “direct, deliberate attacks on our way of life” that seek to disrupt and undermine the integrity of the election process. And he urged policy makers that the way to address this is to use cyber intelligence and tradecraft to understand the adversary, so that our politicians can make informed decisions on how best to combat the very real threat this represents to our democracies. In practice this means close collaboration between best-in-class cybersecurity researchers, policymakers and social media players to gain a deeper understanding of the modus operandi of misinformation actors and respond more quickly.
As the spectre of disinformation is not going to go away, we need a better understanding of the actors involved, their motivations and, most importantly, the rapidly changing technical tools they use to undermine democracy. And each new insight into tackling disinformation will be put to good use in elections later this year in Denmark, Norway, Portugal, Bulgaria, Poland, Croatia and Austria.
The post McAfee Playing an Ever Growing Role in Tackling Disinformation and Ensuring Election Security appeared first on McAfee Blogs.
The Increasing Regulatory Focus on Privacy
The ongoing trend of data breaches and the increasing privacy risks associated with social media continue to be a national and international concern. These issues have prompted regulators to seriously explore the need for new and stronger regulations to protect consumer privacy. Some of the regulatory solutions focus on U.S. federal-level breach and privacy laws, while individual U.S. states are also looking to strengthen and broaden their privacy laws.
The focus on stronger consumer privacy has already sparked new regulations like Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). Many customers of U.S. companies are covered by GDPR’s broad privacy protections, which protects the rights of residents of the European Economic Area. As U.S. states increasingly pass their own privacy laws, the legal environment is becoming more fragmented and complex. This has led to an increased focus on potentially creating a U.S. federal privacy law, perhaps along the lines of the GDPR or otherwise protecting individuals’ information more broadly than the sectoral laws now in place. Although it is not clear whether effective national legislation will pass in the immediate future, the continued focus on regulatory solutions to strengthen consumer data privacy appears certain.
Privacy is Important to McAfee
For technology to be effective, individuals and corporations must be able to trust it. McAfee believes that trust in the integrity of systems – whether a corporate firewall or a child’s cell phone – is essential to enabling people to get the most possible out of their technologies. Fundamental to that trust is privacy and the protection of data. McAfee is committed to enabling the protection of customer, consumer and employee data by providing robust security solutions.
Why Privacy Matters to McAfee
- Protecting our customers’ personal data and intellectual property, and their consumer and corporate products, is a core value.
- Robust Privacy and Security solutions are fundamental to McAfee’s strategic vision, products, services and technology solutions.
- Privacy and Security solutions enable our corporate and government customers to more efficiently and effectively comply with applicable regulatory requirements.
- McAfee believes privacy and security are necessary prerequisites for individuals to have trust in the use of technology.
Effective Consumer Privacy Also Requires Data Security
Today, electronic systems are commonly used by government, business and consumers. There are many types of electronic systems and connected devices used for a variety of beneficial purposes and entertainment. The use of data is a common element across these systems, and some of that data may be confidential information, personal data and/or sensitive data.
A reliable electronic system must have adequate security to protect the data the system is entrusted to process and use. Data leaks and security breaches threaten the ability of customers to trust businesses and their products. Flawed or inadequate data security to provide robust data protection puts consumers’ privacy at risk.
Too often, privacy and information security are thought of as separate and potentially opposing concerns. However, there are large areas of interdependency between these two important policy areas. Privacy and information security must work in harmony and support each other to achieve the goal of consumer privacy. Privacy requires that consumers have the capacity to decide what data about them is collected and processed, and the data must have safeguards driven by appropriately secure technologies and processes.
Data security is the process of protecting data from unauthorized access and corruption throughout its lifecycle. Privacy is an individual’s right or desire to be left alone and/or to have the ability to control her own data. Data security also enables the effective implementation of protective digital privacy measures to prevent unauthorized access to computers, databases and websites. Data security and privacy must be aligned to effectively implement consumer privacy protections.
An effective risk-based privacy and security framework should apply to all collection of personal data. This does not mean that all framework solutions are equal. The risks of collecting and processing the personal data must be weighed against the benefits of using the data. Transparency, choice and reasonable notice should always be a part of the way data is collected. The specific solutions of a framework may vary based on the risk and specific types of data. The key is to have in place a proactive evaluation (Privacy and Security by Design principles) to provide the most effective protection for the specific application and data use.
Examples Where Privacy Regulations Require or Enable Robust Data Security
Breach Notification Safe Harbor for Encrypted Data in U.S. State Privacy Laws
Data breach notification laws require organizations to notify affected persons or regulatory authorities when an unauthorized acquisition of personal data occurs as defined by the applicable law or regulation. Many U.S. state laws provide a “safe harbor” for data breach notice obligations if the data was encrypted. A safe harbor may be defined as a “provision of a statute or a regulation that reduces or eliminates a party’s liability under the law, on the condition that the party performed its actions in good faith or in compliance with defined standards.”
Security safe harbor provisions may be used to encourage entities and organizations to proactively protect sensitive or restricted data by employing good security practices. Encrypting data may protect the organization from costly public breach notifications. Encrypted data may be excluded from breach requirements or unauthorized access to encrypted data may not be considered a “breach” as defined in the statute. To be protected by an encryption “safe harbor” exemption, the breached organization must encrypt data in compliance with the state statute. The state-specific statutes may also require control of the encryption keys to claim safe harbor.
GDPR Security Requirements
The General Data Protection Regulation (GDPR) went into effect in the European Economic Area (EEA) in 2018, further enhancing the privacy rights of residents of the EEA. In addition to allowing EEA residents access to personal data collected about them, the GDPR requires companies interacting with this data to perform risk analyses to determine how to secure the data appropriately. The GDPR lays out basic security requirements in Article 32 (Security of processing), which requires entities to “ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.”
Controllers of personal data must also have appropriate technical and organizational measures to satisfy the GDPR. Business processes that handle personal data must be designed and implemented to meet the GDPR security principles and to provide adequate safeguards to protect personal data.
Implementing a robust security framework to meet the GDPR requirements means the organization should proactively evaluate its data security policies, business practices and security technologies, and the organization must develop security strategies that adequately protect personal data.
Federal policymakers need to pass uniform privacy legislation into law. A key part of this effort must include sufficiently strong cybersecurity provisions, which are imperative to protecting data, as evidenced by GDPR and thoughtful state breach notification laws. Instead of relying on hard regulations to incent organizations to implement strong security, policymakers should include a liability incentive – a rebuttable presumption or a safe harbor – in privacy legislation. Such an approach, ideally aligned to NIST’s flexible Cybersecurity Framework, would enable policymakers to promote the adoption of strong security measures without resorting to a “check the box” compliance model that has the potential to burden customers and discourage innovation in cybersecurity markets.
It is no shock that our state and local infrastructures are some of the most sought-after targets for foreign and malicious cyber attackers, but the real surprise lies in the lack of preventive measures that are able to curb them. Major attention has been drawn to the critical gaps that exist as a result of an ever-expanding attack surface, making old system architectures an increasing liability.
Recently, the city of Albany, New York became a victim of a ruthless ransomware attack, which created a series of municipal service interruptions. Residents weren’t able to use the city’s services to obtain birth certificates, death certificates or marriage licenses, and the police department’s networks were rendered inoperable for an entire day. This resulted in an enormous disruption of the city’s functionality and made clear that the threat to infrastructure is more real than ever. Bolstering state and local digital defenses should be of the utmost priority, especially as we near the 2020 presidential elections when further attacks on election infrastructure are expected. We must take the necessary precautions to mitigate cyberattack risk.
The reintroduction of the State Cyber Resiliency Act by Senators Mark Warner (D-VA) and Cory Gardner (R-CO), and Representatives Derek Kilmer (D-WA) and Michael McCaul (R-TX), does just that. The legislation demonstrates a critical bipartisan effort to ensure that state, local and tribal governments have a robust capacity to strengthen their defenses against cybersecurity threats and vulnerabilities through the Department of Homeland Security (DHS). States have made clear that they suffer from inadequate resources to deal with increasingly sophisticated attacks, but also the most basic attacks, which require proper safeguards and baseline protection. This bill works to strategically address the challenges posed by a lack of resources to deal with emerging threats.
The possibility of cyber warfare must not be taken lightly and has long gone ignored. This bill shows that the status quo of kicking the can further down the road will no longer stand as a “strategy” in today’s political and cybersecurity landscape. Action is necessary to better secure our national security and the systems upon which every sector of our economy relies, from utilities to banking to emergency first responders to hospital networks to election infrastructure. It is our responsibility to create and support the safeguards against bad actors looking for gaps in our infrastructure.
The bill makes states eligible for grants to implement comprehensive, flexible cybersecurity plans that address continuous vulnerability monitoring, protection for critical infrastructure systems and a resilient cybersecurity workforce. States would also be able to repurpose funds to various local and tribal governments. In addition, the bill would implement a 15-person committee to review the proposed plans and track the spending of state and local governments. This committee would help states and localities formulate and deliver annual reports to Congress that detail the program’s progress. The specific funding was not disclosed, but this effort showcases the timeliness of the issue and why it is such an imperative step at this stage in time.
We must take basic steps to ensure the security of our state and local systems, and enable systems to be patched, maintained and protected from outside threats. This bill is a welcome and needed effort by lawmakers to address the existing challenges that state and local governments and infrastructures deal with every day. As adversaries become increasingly sophisticated and targeted in their attack strategies, we have a responsibility to equip states and localities with the necessary tools to close and mitigate gaps.
We at McAfee are committed to partnering with federal, state and local governments to equip them with the best strategies to create a better and more secure cybersecurity future.