Adding government access to data weakens the security of encrypted products and services, but the absence of access hampers official investigations, said a report issued Thursday by the National Academies of Sciences, Engineering and Medicine. It's meant to inform policymakers and the technical community when they decide whether to authorize government access to encrypted data, NASEM said in a release. The report results from an 18-month effort by a group that includes law enforcement, computer science, civil liberties, law and other disciplines, it said. “Our hope is that this report and the framework it presents will cut through the rhetoric, inform decision-makers, and help enable an open, frank conversation about the best path forward,” said Fred Cate, a law professor at Indiana University and chair of the committee that wrote the report, in a statement. NASEM said the framework can be applied to regulatory requirements for when “a manufacturer has to ensure lawful access to their products,” to funding decisions to support government access, and to other questions. The report lists several challenges for lawmakers in the debate, including incomplete information about encryption’s impact on investigations and limits on measuring security risks. BSA Senior Director-Policy Tommy Ross called the report “one of the most important analytical examinations of this issue since the debate began.”
GAO recommended in a report that various agencies, including the Department of Homeland Security and the National Institute of Standards and Technology, consult sector partners on adoption of NIST’s cybersecurity framework (see 1801190057). DHS, NIST, sector-specific agencies and others initially identified four challenges to adopting the framework: entities may have limited ability to commit the necessary resources; they may lack the necessary knowledge and skills; various regulatory, industry and other requirements may inhibit adoption; and other priorities may take precedence over conducting cyber-related risk management or adopting the framework. GAO recommended DOD, the departments of Energy, Health and Human Services, Transportation and Treasury, the EPA, the General Services Administration and DHS “take steps to consult with respective sector partners … to develop methods for determining the level and type of framework adoption by entities across their respective sector.” Five agencies agreed with the recommendation, and four others “neither agreed nor disagreed,” GAO said. NIST scheduled its 2018 Framework Workshop for Sept. 11-13. The agency is reviewing comments on Draft 2 of Framework Version 1.1.
NTIA's recommendations on botnets and other automated threat issues focus almost “exclusively” on domestic threats, despite NTIA’s acknowledgement that “effective action against botnets requires greater international coordination,” said NCTA in comments on NTIA's draft interagency report to the president (see 1801110006). The comments were released last week. The Information Technology Industry Council suggested that to achieve progress on the draft report’s action items, coordination will be needed with various stakeholders, including: NTIA, the National Institute of Standards and Technology, the Department of Homeland Security and other U.S. stakeholders; small, medium and large private sector entities; and international private and public sector partners. CTA wrote that the report takes a “promising, but still somewhat dour view of existing” security tools. “CTA continues to urge caution with respect to regulatory approaches generally, as they usually tend toward static, prescriptive compliance regimes that inhibit security innovation over time,” the group wrote. The Computer & Communications Industry Association said the “chief educational burden” for policymakers, regulators and cybersecurity professionals is a better understanding of the “things” that make up IoT. The Internet Society suggested government collaborate with stakeholders in clarifying how current liability and consumer protection regulations apply to IoT. “Without clear up-front liability, users are often the ones who pay the price for poor IoT security,” the group wrote, saying liability and consumer protection laws can be a strong incentive for investing in security. Samsung echoed those comments, agreeing with the draft report’s call for the federal government to “lead by example and create market incentives for IoT product vendors to adopt” more secure products. The company recommended Congress and the administration avoid duplicating efforts, such as NIST’s Cybersecurity for IoT Program. 
The U.S. Chamber of Commerce wrote more dialogue is needed on “so-called market incentives,” saying regulation would “stunt security and innovation, including deployment of IoT.”
Without proper balance, the EU’s General Data Protection Regulation could give bad actors even more freedom to spread false information and foster illicit markets, wrote American Enterprise Institute's Shane Tews in a blog post this week. The GDPR (see 1802070001), which takes effect in May, is meant to be a uniform set of data privacy and protection rules across the EU. One challenge of the new law is its impact on ICANN's WHOIS database, which law enforcement uses to investigate digital crimes and companies use to protect trademarks. Under the new law, WHOIS data such as registrant names and contact details might be treated as protected personal data that can be distributed only with the individual's consent. Tews said that could mean “a lot less information on who is contractually responsible for a domain,” letting perpetrators better hide their identities. ICANN is reviewing how to adapt to the new EU law. Tews said the larger challenge is keeping a free flow of internet traffic that carries accurate, trusted content, which requires verifying the identity of whoever is distributing that content. “Online actors who know how to be deceptive in their ways can weave through online networks to protect themselves. It would be a shame if the well-intended GDPR became one of their tools of the trade,” she wrote.
NARUC praised Energy Department creation of a new Office of Cybersecurity, Energy Security and Emergency Response. "The issues under CESER’s purview are critical to the operation of a safe, reliable and resilient grid needed to support the nation’s energy infrastructure," said the state utility regulators group Wednesday.
The federal government is exploring how blockchain technology could address cybersecurity weaknesses, Rep. Ralph Abraham, R-La., said Wednesday during a joint hearing of the House Science Committee's Oversight and Technology subcommittees. Technology Subcommittee Chairwoman Barbara Comstock, R-Va., said blockchain technology has extensive applications beyond cryptocurrency exchanges, including identity authentication and verification, supply chain risk management and digital rights management. Chris Jaikaran, cybersecurity policy analyst at the Congressional Research Service, said the General Services Administration and Department of Homeland Security are analyzing blockchain as a means of conducting government business more efficiently. Congress can provide oversight of federal agencies considering regulatory uses for blockchain technology, he said. IBM Vice President-Blockchain Technologies Jerry Cuomo said blockchain has the “potential to vastly reduce the cost and complexity of getting things done across industries and government.” Walmart Vice President-Food Safety Frank Yiannas said his company and IBM completed two “proofs of concept” that successfully demonstrated blockchain technology can provide viable solutions for tracking and verifying food from origin to store. Aaron Wright, professor at the Cardozo School of Law, said China, Japan and the EU have increased experimentation with the technology. They explored “whether blockchains can secure and manage critical public records, including vital information, identity, and title or deeds to property, and whether blockchains can improve government procurement and taxation processes,” he said in prepared testimony.
BSA | The Software Alliance suggested NTIA’s draft interagency report to the president on botnets and other automated threat issues (see 1801110006) should focus on developing “more sophisticated, risk-informed” policy approaches for IoT cybersecurity. Monday's comments recommended emphasis on increasing the cybersecurity workforce and supported NTIA's emphasis on integrating security into software development processes and on cybersecurity education for consumers. Tuesday, the agency released all such comments.
FTC Commissioner Terrell McSweeny gave a belated shoutout to Consumer Reports in a Tuesday tweet for its cybersecurity efforts with The Digital Standard, announced last week. “Agree -- a step forward in providing consumers with better information & reviews re data privacy and security of #IoT,” McSweeny tweeted. “Thanks @ConsumerReports for starting to take this on!” CR announced the standard Feb. 7, an effort with Disconnect, Ranking Digital Rights, The Cyber Independent Testing Lab and nonprofit tech organization Aspiration, with a goal of helping set expectations for how connected product manufacturers should handle privacy and security (see 1802070046).
The World Broadcasting Unions (WBU) released recommendations for members and media companies to use when “designing, procuring and implementing their systems, software and services,” said a news release Monday from the North American Broadcasters Association and the European Broadcasting Union, the entities that developed the WBU’s recommendations. “It is important that broadcasters reinforce the need for cyber security with their vendors,” said WBU Technical Committee Chairman Simon Fell.
House Science Committee Chairman Lamar Smith, R-Texas, demanded Thursday the Department of Homeland Security give the committee a full response to its December request for information showing federal agencies are removing Kaspersky Lab software from federal IT systems. The Moscow-based firm is under fire after reports that vulnerabilities in its software enabled Russia to breach federal systems (see 1712060045). House Science originally sought a response by Dec. 19. The company subsequently sought court reversal of DHS' ban (see 1712180074). The department indicated to House Science it could provide only part of the requested information because of the lawsuit. The committee still “expects a full and complete response” by Feb. 8 and “will consider use of the compulsory process to obtain the information” absent compliance, Smith wrote Secretary Kirstjen Nielsen. The agency didn't comment.