NTSC Technology Security Roundup

NTSC Weekly News Roundup: February 6, 2017

Draft of Executive Order Indicates More Federal Cybersecurity Accountability Coming

While President Trump did not sign an executive order dealing with cybersecurity on Tuesday as planned, a peek at the draft executive order gives a preview of what may be coming. The executive order builds upon work from the Obama administration and holds federal agency heads accountable for ensuring they improve cybersecurity. The Office of Management and Budget (OMB) will oversee and coordinate all of these efforts. Two important areas addressed by the executive order include modernizing IT systems and partnering with the private sector to ensure the security of critical infrastructure (such as the power grid).

Read the draft executive order.

European Union to Update ePrivacy Directive

The European Union is currently working on updating its ePrivacy Directive to include more regulations pertaining to electronic communications. Enza Iannopollo provides an excellent summary of this updated directive at the Forrester blog, and she points out seven important aspects for which businesses need to prepare. Overall, she notes that the updated ePrivacy Directive is a regulation, will incur heavier fines if violated, and places more restrictions on how electronic communications companies handle customer data (including tracking both physical and online activities). The EU wants to time the finalization of this regulation to coincide with the finalization of the GDPR in May 2018.

PCI Security Standards Council Urges Better Encryption in Ecommerce Security Supplement

The PCI Security Standards Council released an information supplement entitled “Best Practices for Securing E-commerce” that updates and replaces its initial ecommerce guidance from 2013. The supplement urges merchants to shore up encryption by adopting TLS 1.1 or higher by June 2018 and to use HTTPS whenever possible because of Chrome’s non-HTTPS browser warnings that began in January of this year. According to a press release, “In addition to educating merchants, this latest resource from the Council also provides guidance for third party e-commerce service providers and assessors that support the ongoing security of e-commerce environments.”

NIST at Public Input Phase of Finalizing Digital Identity Guidelines

After drafting and getting private input through GitHub, NIST is now releasing a draft of its Digital Identity Guidelines to solicit public input. According to the abstract, “The guidelines cover remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. They define technical requirements in each of the areas of identity proofing, registration, authenticators, management processes, authentication protocols and related assertions.” These guidelines will update previous versions of this document created in 2004 and 2013.

Lawmakers Discuss Encryption and Privacy at Recent State of the Net Conference

At the recent State of the Net Conference, lawmakers discussed encryption and privacy issues among other internet topics. According to CIO Magazine, lawmakers appear to be at a stalemate about encryption, although Rep. Bob Goodlatte (R-Va.), chair of the Judiciary Committee, appears to desire a “measured approach” that balances both security and the needs of law enforcement. Also, no consensus seems to be immediately forthcoming as lawmakers wrestle with the outdated 1986 Electronic Communications Privacy Act (ECPA) as it relates to email.