Wrestling with China’s New Cybersecurity Law
Last week, China implemented its new cybersecurity law, postponed part of it, and delayed enforcement until December 31, 2018. Confused? You’re not alone. Many companies and organizations want answers from China about what is, at times, a vague and ambiguous cybersecurity law. According to Reuters, the law “bans online service providers from collecting and selling users' personal information, and gives users the right to have their information deleted, in cases of abuse.” The law operates upon the false but publicly reassuring premise that storing data within one’s own country makes that data safer—but this restriction may hurt Chinese business in addition to foreign business. For more on the law’s legal background and history, read Samm Sacks’s analysis on the Lawfare blog.
NIST Welcomes Public Comment on “Secure Inter-Domain Routing: Route Hijacks” Project
NIST is welcoming public comment until June 29, 2017 on a new project entitled “Secure Inter-Domain Routing: Route Hijacks.” According to NextGov, “The planned ‘cybersecurity practice guide’ will detail best practices for protecting internet traffic from various cyberattacks that rely on rerouting web traffic to points where it can be hijacked or surveilled.” On the webpage that describes this project, NIST explains that “while the BGP protocol performs adequately in identifying viable paths that reflect local routing policies and preferences to destinations, the lack of built-in security allows the protocol to be exploited. As a result, attacks against internet routing functions are a significant and systemic threat to internet based information systems.”
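The route hijacks the NIST project targets are typically mitigated with RPKI route origin validation (RFC 6811): a router compares each received announcement's prefix and origin AS against signed Route Origin Authorizations. The following is an added example, not code from NIST or from the practice guide, that implements that check over constructed ROAs and announcements; the Roa class, the sample prefixes (RFC 5737 documentation space) and the AS numbers (RFC 5398 documentation range) are assumptions made here for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: who may originate a prefix, and how specifically."""
    prefix: str       # covered prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the holder authorises
    origin_as: int    # AS number authorised to originate it

def validate_origin(announced_prefix, origin_as, roas):
    """Classify one announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the announcement if the announced prefix lies inside it.
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"   # no ROA at all: unsigned space, cannot judge
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA, but wrong origin AS or too specific: a hijack signature.
    return "invalid"

# Constructed sample data (assumed, not from the page): documentation prefixes and ASNs.
SAMPLE_ROAS = [Roa("192.0.2.0/24", 24, 64496)]

SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),    # legitimate origin
    ("192.0.2.0/25", 64496),    # right AS, but more specific than maxLength allows
    ("192.0.2.0/24", 64511),    # wrong origin AS: classic origin hijack
    ("198.51.100.0/24", 64497), # no ROA covers it
]

def classify_all(announcements=SAMPLE_ANNOUNCEMENTS, roas=SAMPLE_ROAS):
    """Return a dict mapping each (prefix, origin AS) to its validation state."""
    return {ann: validate_origin(ann[0], ann[1], roas) for ann in announcements}

if __name__ == "__main__":
    for (prefix, asn), state in classify_all().items():
        print(f"{prefix:18} AS{asn:<6} {state}")
```

Origin validation checks only the originating AS, not the rest of the AS path, so it is one layer of defence against rerouting rather than a complete one.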
Four Senators Introduce Bipartisan “Hack Department of Homeland Security (DHS) Act”
The US government seems to be showing signs that it recognizes the benefits of ethical hackers in strengthening the security of organizations—including the Department of Homeland Security. Four senators—Maggie Hassan (D-NH), Rob Portman (R-OH), Claire McCaskill (D-MO), and Kamala Harris (D-CA)—co-sponsored the recently introduced Hack Department of Homeland Security (DHS) Act. According to a press release, the bill “would establish a bug bounty pilot program—modeled off of similar programs at the Department of Defense and major tech companies—in order to strengthen cyber defenses at DHS by utilizing ‘white-hat’ or ethical hackers to help identify unique and undiscovered vulnerabilities in the DHS networks and data systems.” Threatpost reports that “The bill was read twice last Thursday and referred to the Committee on Homeland Security and Governmental Affairs which will consider it before ultimately sending it to the House or Senate.”
Three-Part Series Examines Gas Industry Preparedness for Cyberattacks
Last week, E&E News published a three-part series that examined the cybersecurity efforts of the gas industry. The series covered how cybersecurity threats against gas pipelines are increasing, how the Transportation Security Administration is too understaffed to help protect these pipelines against cyberattacks, and the pros and cons of regulations that would ensure the gas industry meets cybersecurity standards. The Obama administration had pushed for “an audit of gas pipeline cybersecurity to determine whether mandatory regulations were needed,” but that proposal “was dead on arrival in a Trump administration committed to wiping out regulations affecting oil and gas production.” Current debate centers on whether there is enough of a “demonstrated need” for cybersecurity regulation of this critical infrastructure.
Gartner Says Four Vectors Are Transforming the Security Software Market
Gartner recently reported that four vectors are currently transforming the security software market.
1. By 2020, advanced security analytics will be embedded in at least 75 percent of security products.
2. Acquiring and integrating products and technologies will be a critical strategy to increase market share and enter new markets.
3. End users' quest for flexibility will increase adoption of SaaS.
4. The regulatory environment will create opportunities for security software providers.
Referring to the GDPR, Gartner says, “Punitive regulations will create board-level fears, driving security software budget decisions based on the potential financial impact of fines and noncompliance. Consequently, enterprises will look to providers with products that provide the needed visibility and control of their data. Providers should identify the key regulatory requirements and constraints in target geographies by working with legal counsel to deliver product and service choices that will alleviate board-level fears.”