At a glance.
- Russia’s place in shaping international cyberspace norms?
- NIST offers its perspective on the implementation of U.S. Executive Order 14028.
- The US FTC plans to establish its own set of online privacy rules, ahead of Congressional action.
- Considerations on an Australian equivalent of DARPA.
- Additional commentary on mandatory reporting in the United States.
Russia’s role in international cybersecurity: a skeptical point of view.
POLYGRAPH details Russia’s long and rich track record of disruptive cyber behavior, contrasting the Kremlin’s reckless digital activity with claims made in state media by SVR director Sergey Naryshkin, a favorite of President Putin, that Moscow is paving the way for a safer and more orderly cyber future. The SVR, in fact, hosts “one of the most notorious teams of hackers in the world,” POLYGRAPH says, and is responsible for “the majority of the biggest cyber attacks of the past decade.” Russian hacks have disrupted health, food, energy, business, communications, legislative and electoral systems from Estonia and Ukraine to Germany and the United States, affecting more than fifteen additional countries along the way.
NIST on the implementation of EO 14028.
The US National Institute of Standards and Technology (NIST) has scheduled a free webinar for October 14 titled “Improving the Nation’s Cyber Security: Progress and Next Steps in Enforcing Executive Order 14028.” The event will answer questions from attendees and outline NIST’s progress in fulfilling its tasks under the Biden Administration’s May Executive Order (EO) on cybersecurity. Two of the topics to be discussed are software supply chain security and the future labeling regime.
Without waiting for Congress to act, the FTC is considering new online privacy rules.
According to the Wall Street Journal, the United States Federal Trade Commission (FTC) is considering measures that could change the way companies handle user data, in a bid to get past the legislative hurdles to stronger privacy protection. The FTC could take one of four avenues: prosecute specific violations, revise the regulations under children’s online privacy law, label unwanted practices “deceptive,” or target “unfair” policies. The advocacy organization Accountable Tech is asking the agency to take on surveillance advertising using the last of these methods, citing harms such as the effects of social media on mental health.
What an Australian DARPA might look like.
The Strategist makes the case for an Australian analogue of the United States Defense Advanced Research Projects Agency (DARPA). While the government has signaled its support for a new approach to defense research and AUKUS presents a new opportunity, bureaucratic and economic hurdles stand in the way of the kind of open, risk-tolerant innovation required.
Nonetheless, The Strategist envisions an industry partner organization backed by public and private funding, led by business and technical experts serving fixed terms (not politicians), and accountable to the Ministry of Defense. Canberra’s DARPA would issue calls for projects, evaluate proposals, and guide companies’ progress.
“The geostrategic situation is deteriorating,” The Strategist concludes, and “Australia must be able to act quickly to seize technological opportunities.”
Additional commentary on the US move towards mandatory cyber incident reporting.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, sees no problem with the proposed mandatory reporting, no matter how much reflexive resistance to regulation it may generate:
“That’s excellent news. The mandatory reporting requirements are an attempt by our government to get good action on the seriousness of the problem. Right now, with self-reporting, it’s hard to trust any of the officially reported statistics, government or vendor. The number of occurrences, values, and means vary so much that they cannot be measuring the same thing. This mandate will provide us with more reliable data. Unfortunately, expect most companies to push back on all mandates, even those that seem useful with almost no downside. In addition, reporting ransomware attacks to the CISA has a secondary benefit in that the CISA can help you determine if the ransomware gang you are involved with is one that is on the official Treasury ‘non-payment list’. All the same, it is a good thing; long awaited.”