Shortwave: Maybe Everyone Should Pretend Like There Are Strong, Binding U.S. Cyber Regulations?

Last week, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and CISA Executive Assistant Director for Cybersecurity Eric Goldstein published an article articulating their views on how the United States (U.S.) should change course on cybersecurity regulation. Notably, legislation is not mentioned once even though they do seem to be calling for regulation of the cybersecurity of critical sectors of the economy. To be fair, this may reflect political realities. A narrowly Democratic Congress showed no inclination for such legislation over the last few years, and so one may safely assert that a Republican House has even less appetite for lawmaking of this sort. Hence, the piece may be best seen as the best available options given the slim chances of legislation that would give the executive branch greater authority to set regulatory mandates.
Easterly and Goldstein compare the state of cybersecurity to the auto industry in the early and mid-20th Century that lacked almost all of the safety features that improved and saved lives. Easterly and Goldstein then make clear where they stand in arguing “[t]he readily apparent safety issues with cars also led to a simple solution: government action to compel adoption of specific security measures with proven better outcomes.” However, they hint at legislation through analogies to crises in the automobile, aviation, and medical device industries resulting in “additional safety measures.” But then, Easterly and Goldstein veer from the conclusion that would seem to follow from their claims and propose voluntary measures of the sort businesses should be undertaking.
They go on to call for technology providers and software developers to build products on the two principles of secure-by-default and secure-by-design. Both of those notions are described by their names, with tech being designed to be secure and defaulting to being secure. The former will matter in developing tech and would seem contrary to the “move fast and break things” ethos that prizes getting products to the market as fast as possible. Likewise, with respect to default security, this would work against marketing security and privacy as options consumers must pay for.
Easterly and Goldstein sidestep legislation mandating cybersecurity standards and instead propose that “the U.S. government can start by defining specific attributes of technology products that are secure by default and secure by design...can also call out companies that continue to introduce insecurity into the fabric of the U.S. economy, and it can encourage companies that are making progress.”
They go on to say that “[e]very organization should demand transparency from its technology providers about whether they have adopted strong safety practices.” This may be hard if not impossible for companies with huge market shares that may well be anti-competitive and monopolistic. In fact, many have argued that the failure to see competitors to incumbents offering shoddy security is often evidence that there is not competition in many tech markets. One can easily imagine a gigantic cloud provider or word processing software maker ignoring such demands.
Nonetheless, Easterly and Goldstein pointed to the Biden Administration’s “important steps toward this goal in establishing software security requirements for federal contractors.” They added that the White House “is also advocating for development and voluntary adoption of labels that would clearly and simply convey basic security information about Internet-connected consumer devices, such as baby monitors and webcams.”
They posited that the use of the U.S. government’s buying power to drive security-by-default and -design will spread to the private sector. This may prove true so long as regulatory capture does not lead to less demanding cybersecurity standards.
Easterly and Goldstein move on to claiming that entities across the U.S. economy “should commit to requiring strong security practices when purchasing or upgrading technology, and technology providers should commit to taking responsibility for the security outcomes of their customers.” Moreover, “[e]very technology provider must consider it a duty to ensure that its products are safe for use and to warn customers when that is not the case.” While these things should ideally occur, without positive or negative incentives, these events are not likely to come about.
They do turn to some possible incentives like shareholders demanding that companies and their boards focus on cybersecurity, including through empowering cybersecurity officials inside companies. Easterly and Goldstein return to the evergreen solution to cybersecurity: information sharing. However, they called on companies to cast aside fears about “regulatory liability and reputational damage” and just come clean with agencies like CISA. Interestingly, they do not mention legal liability, considering the settlements many corporations have made based on insufficient cybersecurity and practices. Nonetheless, the new Joint Cyber Defense Collaborative is held up as a better version of information sharing.
Other Developments
United States
Meta fended off the Federal Trade Commission’s (FTC) suit to block the company from buying Within Unlimited, a virtual reality device manufacturer and software developer. The FTC said it would not appeal the decision.
The California Privacy Protection Agency (CPPA) Board “voted unanimously today to adopt and approve the Agency’s rulemaking package, as modified, to further implement the California Consumer Privacy Act (CCPA).”
California Attorney General Rob Bonta announced “an investigative sweep, sending letters to businesses with mobile apps that fail to comply with the California Consumer Privacy Act (CCPA)” that “focuses on popular apps in the retail, travel, and food service industries that allegedly fail to comply with consumer opt-out requests or do not offer any mechanism for consumers who want to stop the sale of their data.”
New York Attorney General Letitia James “secured $410,000 from Patrick Hinchy and 16 of his companies for illegally promoting spyware that allowed individuals to monitor another person’s device without their awareness.”
Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell (D-WA) and Ranking Member Ted Cruz (R-TX) reintroduced the “Informing Consumers about Smart Devices Act” (S.90) that “would require the FTC to create reasonable disclosure guidelines for products that have audio or visual recording components, such as refrigerators, washers, dryers and dishwashers that are not clearly obvious.” Representatives John Curtis (R-UT) and Seth Moulton (D-MA) introduced companion legislation in the House.
The Department of Agriculture issued a final rule with a request for comment “to make updates to the Rural eConnectivity Program (ReConnect Program) regulation to ensure that requirements are clear, accurate as presented and in compliance with Federal reporting requirements.”
Representative Chris Stewart (R-UT) introduced the “Social Media Child Protection Act” (H.R.821), “which would make it unlawful for social media platforms to provide access to children under the age of 16.”
Senator Ron Wyden (D-OR) “asked the Department of Justice Inspector General to investigate the relationship between multiple federal law enforcement agencies and an Arizona nonprofit that has collected records of millions of Americans’ money transfers.”
Colorado Attorney General Phil Weiser published a new set of revised regulations to implement the “Colorado Privacy Act” (CPA).
The Department of Agriculture “is investing $2.7 billion to help 64 electric cooperatives and utilities expand and modernize the nation’s rural electric grid and increase grid security.”
European Union
The “Digital Operational Resilience Act” (DORA) took effect, “which will make sure the financial sector in Europe is able to stay resilient through a severe operational disruption” according to the European Council.
The European Council Presidency and the European Parliament agreed “on the draft regulation and the draft directive on cross-border access to e-evidence” that “will make it possible for the relevant authorities to address judicial orders for electronic evidence directly to service providers in another member state.”
Australia
The eSafety Commissioner Julie Inman Grant’s Youth Council wrote “an open letter to Big Tech to demand they impose consequences on users who abuse and harass others, breaching platforms’ own terms of service.”
eSafety Commissioner Julie Inman Grant released “new research” revealing “75 per cent of Australian adults have had at least one negative online experience in the past 12 months, an increase of 30 per cent compared to 2019.”
France
The Commission Nationale de l'Informatique et des Libertés (CNIL) “is creating an Artificial Intelligence Department to strengthen its expertise on these systems and its understanding of the risks to privacy while preparing for the implementation of the European regulation on AI.”
United Kingdom
The Competition and Markets Authority published the responses to its issues statement in its “market investigation in relation to the supply of mobile browsers and mobile browser engines, and the distribution of cloud gaming services through app stores on mobile devices (and the supply of related ancillary goods and services) in the United Kingdom.”
The Information Commissioner’s Office (ICO) “published a statement on 20 January 2023 about the obligations of public electronic communications service providers (CSPs) under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR).” However, “[f]ollowing feedback received, the ICO removed the statement from its website so it could review it in order to provide greater clarity regarding its shift in regulatory approach to CSPs, which is in line with ICO25 – our three-year strategic plan.”
The Information Commissioner’s Office (ICO) “is consulting on our draft Impact Assessment Framework, which sets out our approach to impact assessments (IAs), when we will and won't produce IAs, what we plan to include in IAs, and how they fit into our wider policy-making process.”
International
The United States Department of State and the Directorate-General for Communications Networks, Content and Technology (DG CONNECT) of the European Commission signed an “Administrative Arrangement on Artificial Intelligence for the Public Good.”
India and the United States’ National Security Advisors “led the inaugural meeting of the U.S.-India initiative on Critical and Emerging Technology (iCET)” and “discussed opportunities for greater cooperation in critical and emerging technologies, co-development and coproduction, and ways to deepen connectivity across our innovation ecosystems.”
Tweet of the Day
Consent, opt in or opt out, should never be part of any privacy law. It doesn’t work at scale, as @hartzog, @DanielSolove, et al have said. Happy to play a small part in this @JoeProf study. Thx @natashanyt; excellent write up. https://t.co/aPVOK0VM2o https://t.co/XEG67oi7XV
— Ari Ezra Waldman (@ariezrawaldman) February 7, 2023
Further Reading
“U.S. government is not investigating Elon Musk’s Twitter purchase” — Washington Post
“Meta Won Approval to Buy a Virtual Reality App, But FTC Laid Groundwork to Halt Big Tech’s Next Deal” — Hollywood Reporter
“These companies will pay you for your data. Is it a good deal?” — Washington Post
“Musk Pledged to Cleanse Twitter of Child Abuse Content. It’s Been Rough Going.” — New York Times
“When my dad was sick, I started Googling grief. Then I couldn’t escape it.” — MIT Technology Review
“Chip war: Japan and Netherlands expected to join US in ban on tech exports to China” — The Guardian
“CISA establishes new office to ‘operationalize’ supply chain security” — Federal News Network
“The Problem With Taking TikTok Away From Americans” — New York Times
“Crypto Thefts Hit Record $3.8 Billion Last Year on North Korean Hacks” — Bloomberg
“Cyber experts work to write code in safer languages” — Washington Post
“The Website That Wants You to Kill Yourself—and Won’t Die” — Mother Jones
“A pro-Russian social media campaign is trying to influence politics in Africa” — NPR
“RIP Twitter bots: A list of some of the world's favorite accounts” — Semafor
“Dissecting Elon Musk’s Tweets: Memes, Rants, Private Parts and an Echo Chamber” — New York Times
Coming Events
7 February
The United States (U.S.) House Financial Services Committee will hold a hearing titled “Combatting the Economic Threat from China.”
Australia’s House of Representatives Standing Committee on Social Policy and Legal Affairs will hold a hearing in its “Inquiry into online gambling and its impacts on those experiencing gambling harm.”
The United States (U.S.) House Energy and Commerce Committee’s Energy, Climate, & Grid Security and Environment, Manufacturing, & Critical Materials Subcommittees will hold a hearing titled "Unleashing American Energy, Lowering Energy Costs, and Strengthening Supply Chains" with discussion of a number of bills, including, H.R. __, the “Securing America’s Critical Minerals Supply Act.” and H.R. __, the “Critical Electric Infrastructure Cybersecurity Incident Reporting Act.”
The United States (U.S.) House Energy and Commerce Committee’s Innovation, Data, and Commerce Subcommittee will markup five bills, including H.R. 750, the “Chinese-owned Applications Using The Information of Our Nation Act of 2023” or the “CAUTION Act of 2023”; H.R. 784, the “Internet Application Integrity and Disclosure Act” or the “Internet Application I.D. Act”; H.R. 742, the “Telling Everyone the Location of data Leaving the U.S. Act” or the “TELL Act”; H.R. 813, the “Global Investment in American Jobs Act of 2023”; and H.R. 752, the “Securing Semiconductor Supply Chains Act of 2023.”
Canada’s Standing Committee on Procedure and House Affairs will hold a hearing as part of its inquiry into “Foreign Election Interference.”
Canada’s Standing Committee on National Defence will hold a hearing on “Cybersecurity and Cyberwarfare.”
The European Union Agency for Cybersecurity (ENISA) will hold its “first ever cybersecurity policy conference together with the European Commission to discuss the evolution of the EU cybersecurity policy framework.”
8 February
The United States (U.S.) House Oversight and Accountability Committee will hold a hearing titled “Protecting Speech from Government Interference and Social Media Bias, Part 1: Twitter’s Role in Suppressing the Biden Laptop Story.”
9 February
The United States (U.S.) Senate Foreign Relations Committee will hold a hearing titled “Evaluating U.S.-China Policy in the Era of Strategic Competition.”
10 February
Australia’s House of Representatives Standing Committee on Social Policy and Legal Affairs will hold a hearing in its “Inquiry into online gambling and its impacts on those experiencing gambling harm.”
15 February
The United States (U.S.) National Institute of Standards and Technology (NIST) will hold the Journey to the NIST Cybersecurity Framework (CSF) 2.0 | Workshop #2.
16 February
The United States (U.S.) Federal Communications Commission (FCC) will hold its monthly open meeting.
17 February
Australia’s House of Representatives Standing Committee on Social Policy and Legal Affairs will hold a hearing in its “Inquiry into online gambling and its impacts on those experiencing gambling harm.”
1 and 2 March
The United States (U.S.) National Institute of Standards and Technology’s Information Security and Privacy Advisory Board (ISPAB) will hold its first quarterly meeting of the year.
29 and 30 April
The G7 Digital and Technology Ministers' Meeting will take place.