Shortwave: White House Floats Mandatory Cybersecurity Regulations For Critical Sectors

For the foreseeable future, I’ll be trying a new format a few times a week that is shorter than the usual edition of The Wavelength with two longer editions a week. The Shortwave version of the Wavelength will be free while the Longwave will remain subscription only.

With the beginning of the new year, the Biden Administration seems to be checking its list of resolutions from last year and has floated indications that its National Cyber Strategy is coming. According to news accounts, we should see the new strategy in the next few months.

But, more importantly, the Administration is signaling that it will support regulations requiring baseline cybersecurity, much as the Transportation Security Administration (TSA) in the Department of Homeland Security has already done with respect to pipelines and some rail entities. Such regulatory requirements are nothing new to some sectors of the U.S. economy, like the nuclear industry, large electric utilities, financial services firms, and the defense industry. However, should the Biden Administration actually follow through, this would mark a sea change in U.S. cybersecurity policy, one that would track in some respects with recent changes to European Union policy. Of course, some would point out that it is not so much a sea change as a return to the thinking of some during the first term of the Obama Administration, as evidenced in the cybersecurity package Senators Joe Lieberman (I-CT), Susan Collins (R-ME), and Tom Carper (D-DE) could not quite get out of the Senate.

The Trump Administration published its National Cyber Strategy in 2018, the first update of the Bush Administration’s 2003 National Strategy to Secure Cyberspace. Understandably, the Biden Administration has different policies from the previous White House. Additionally, the new strategy may even rewrite the Obama Administration’s Presidential Policy Directive 21 (PPD-21), which sought to reform how the U.S. government addressed the security and resilience of critical infrastructure.

The White House Office of the National Cyber Director (ONCD) “owns” or “holds the pen” on the new National Cyber Strategy, and there is still an ongoing interagency review process. Consequently, the document is likely to change more than is being reported. National Cyber Director Chris Inglis has been saying for some time that the current U.S. approach needs to change. For example, last year he said “self-enlightenment and market forces take us [only] so far … then we have to go a little bit further as we have for cars, or airplanes, or drugs and therapeutics.” Inglis may be willing to go bold because articles recently surfaced reporting that he wants to leave government within the next few months.

Leaks of passages and statements from anonymous officials stress that the new strategy will break from the United States’ historic dependence on voluntary efforts and information sharing. One leaked sentence in a draft reads “while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases inadequate, outcomes.” There is also an indication the White House will call for negligent entities to bear liability, notably “those entities that fail to take reasonable precautions to secure their software.”

In order to achieve these goals, it appears the White House will direct agencies to use the authority they have and to ask Congress for authority where there is none. Sectors of the economy where regulators lack such authority include agriculture, schools, election systems, and critical manufacturing. Of course, the real question is how hard the Administration will be willing to lean into getting legislation out of the 118th Congress that would give agencies additional authority to require and enforce cybersecurity standards, especially given the Republican-controlled House. Another consideration is whether entities linked to companies subject to mandatory cybersecurity regulations will have some burden to meet. After all, SolarWinds was a vendor to U.S. agencies, and hackers penetrated the company’s systems and then moved from there into sensitive government networks. In short, where does the line get drawn?

Moreover, the White House will direct agencies to work with industry and other stakeholders on any regulations, after the first round of pipeline regulations was panned by industry.

Sources: Washington Post; Federal News Network.

Other Developments

Meta agreed to a $725 million settlement, subject to court approval, in the United States (U.S.) federal class action over Facebook’s conduct in the Cambridge Analytica matter.

The United States (U.S.) Federal Trade Commission (FTC) “secured agreements requiring Epic Games, Inc., creator of the popular video game Fortnite, to pay a total of $520 million in relief over allegations the company violated the Children’s Online Privacy Protection Act (COPPA) and deployed design tricks, known as dark patterns, to dupe millions of players into making unintentional purchases.”

Ireland’s Data Protection Commission (DPC) issued two fines to Meta totaling €390 million under the General Data Protection Regulation (GDPR) (€210 million for Facebook violations and €180 million for Instagram violations) pursuant to a binding Article 65 decision the European Data Protection Board (EDPB) handed down in December. The fines arise from Meta’s reliance on contract as the legal basis for processing personal data for behavioral advertising. The DPC and other data protection authorities had disagreed strongly about the appropriate fines and the scope of the wrongdoing. The DPC is vowing to challenge part of the EDPB’s decision before the European Union’s top court because it claims the EDPB cannot issue it orders.

The European Commission “has made commitments offered by Amazon legally binding under EU antitrust rules…[that] address the Commission's competition concerns over Amazon's use of non-public marketplace seller data and over a possible bias in granting to sellers access to its Buy Box and its Prime programme.”

Australia’s Attorney-General Mark Dreyfus tweeted that he had received a review of the nation’s privacy laws and said he will be preparing an overhaul of the Privacy Act.

Colorado Attorney General Phil Weiser issued revised draft regulations to implement the Colorado Privacy Act (CPA) (SB-190).

New York Governor Kathy Hochul signed the Digital Fair Repair Act (S4104-A/A7006-B) “making New York the first state in the nation to guarantee the right to repair, protecting consumers from anticompetitive efforts to limit repair.”

Australia’s Treasury Department published a consultation paper that builds upon the Australian Competition and Consumer Commission’s (ACCC) “Digital Platform Services Inquiry” and “is seeking stakeholder views to ensure they are taken into account when advising the Government on its response to the ACCC recommendations.” The agency is responding to the ACCC’s recommendations for changes in Australian law and policy in its fifth interim report.

Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) “published an Inspection Report on the personal data system of” TransUnion and advised the company “to formulate internal policies and standards which are applicable in Hong Kong.”

Australia’s eSafety Commissioner published a report that alleges “[s]ome of the world’s biggest technology companies are not doing enough to tackle child sexual exploitation on their platforms” and “includes confirmation from Apple and Microsoft that they do not attempt to proactively detect child abuse material stored in their widely used iCloud and OneDrive services, despite the wide availability of PhotoDNA detection technology.”

The United Kingdom’s Secretary of State for Digital, Culture, Media and Sport Michelle Donelan wrote “an open letter to parents, carers and guardians, setting out the key measures in the government’s Online Safety Bill” and the Department for Digital, Culture, Media & Sport issued a “guide” to the revised bill.

India’s Ministry of Electronics and Information Technology extended the deadline for feedback on draft legislation, the “Digital Personal Data Protection Bill, 2022,” a rewrite of Indian data protection law.

Ireland’s Data Protection Commission “launched an own-volition inquiry pursuant to section 110 of the Data Protection Act 2018 (‘the Act’) in relation to multiple international media reports, which highlighted that one or more collated datasets of Twitter user personal data had been made available on the internet.”

New Zealand’s Office of the Privacy Commissioner announced an investigation into the breach and subsequent ransoming of a managed service provider, Mercury IT.

The United Kingdom’s Department for Digital, Culture, Media & Sport finalized a “voluntary code of practice for app developers and operators [that] is a world-first and will protect the UK’s app market.”

In order to help implement Executive Order 14086, the United States (U.S.) Office of the Director of National Intelligence (ODNI) issued “Intelligence Community Directive 126: Implementation Procedures for the Signals Intelligence Redress Mechanism.”

Further Reading

“Come to the ‘war cry party’: How social media helped drive mayhem in Brazil” — Washington Post

“Musk has made Twitter a right-wing safe space in Brazil” — Rest of the World

“Germany reminds Musk that removing disinformation from Twitter is a must” — Ars Technica

“ByteDance Inquiry Finds Employees Obtained User Data of 2 Journalists” — New York Times

“TikTok Spied On Forbes Journalists” — Forbes

“Big Tech’s Big Flops of 2022” — Recode

“What Twitter’s 200 Million-User Email Leak Actually Means” — WIRED

“John Deere relents, says farmers can fix their own tractors after all” — Ars Technica

“Your stuff is actually worse now” — Vox

“Tech Industry Reversal Intensifies With New Rounds of Layoffs” — Wall Street Journal

“A Breach at LastPass Has Password Lessons for Us All” — New York Times

“It’s 2023, and tech is still pushing unsafe products” — Washington Post

“Southwest’s Meltdown Could Cost It Up to $825 Million” — New York Times

“Two years after Jan. 6, Facebook mulls if Trump is still a threat” — Washington Post

“Facebook Wanted Out of Politics. It Was Messier Than Anyone Expected.” — Wall Street Journal

“EU to Probe Broadcom’s $61 Billion Planned Takeover of VMware” — Wall Street Journal

“‘Consciousness’ in Robots Was Once Taboo. Now It’s the Last Word.” — New York Times

“Next in AI’s ‘gold rush’: Military, regulations and endless chatbots” — Washington Post

“A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?” — MIT Technology Review

“The streaming boom is over” — Recode

“Cybercom disrupted Russian and Iranian hackers throughout the midterms” — Washington Post

Coming Events

10 January

- The United Kingdom’s House of Commons Treasury Committee will hold a formal meeting (oral evidence session) on the crypto-asset industry.

- The United Kingdom’s House of Commons Digital, Culture, Media and Sport Sub-committee on Online Harms and Disinformation will hold a formal meeting (oral evidence session) on “misinformation and trusted voices.”

16 January

- The United Kingdom’s House of Commons Treasury Committee will hold a formal meeting (oral evidence session) on the crypto-asset industry.

17 January

- The United Kingdom’s House of Lords Communications and Digital Committee will hold a formal meeting (oral evidence session) on the Online Safety Bill.

26 January

- The United States Federal Communications Commission will hold an open meeting.

1 February

- The Colorado Attorney General will hold a rulemaking hearing on the draft regulations proposed to implement the Colorado Privacy Act.

29 and 30 April

- The G7 Digital and Technology Ministers’ Meeting will take place.