DHS’s National Risk Management Center Begins Meeting with Critical Infrastructure Sectors
DHS’s new National Risk Management Center, created in July 2018, began meeting last Thursday with three of the 16 critical infrastructure sectors it has identified. According to NextGov, “The meeting with officials from the communications, electricity and finance sectors will be followed by meetings with the other 13 critical infrastructure sectors in coming weeks, Mark Kneidinger, deputy director of Homeland Security’s National Risk Management Center, told reporters after speaking before a Commerce Department advisory board. Based on those meetings, risk management center officials will work with industry on future steps for how to both identify and protect the nation’s most vital digital assets, Kneidinger said.” Focused on long-term concerns, the National Risk Management Center will, according to DHS, create a cross-cutting risk management approach between the private sector and government to improve the defense of the nation’s critical infrastructure.
Ohio Incentivizes Companies to Have a Written Cybersecurity Program in Place
Ohio’s Senate Bill 220, a data breach law that became effective last Friday, provides a legal safe harbor to a covered entity that implements a cybersecurity program. According to The National Law Review, “Under this new law, companies can use as an affirmative defense the existence of a cyber program in rebuttal to an argument that they failed to implement reasonable information security controls, and that failure resulted in a breach. The definition of breach (and personal information that if impacted gives rise to a duty to notify) is identical to Ohio’s existing breach notification law. The defense is available if the company has a written program in place, and that program conforms to ‘industry-recognized frameworks’ like the National Institute of Standards and Technology’s Framework, ISO 27000, FedRAMP, PCI Standards, the Security Rule of the Health Insurance Portability and Accountability Act, or the Safeguards Rule of the Gramm-Leach-Bliley Act.”
Digital Millennium Copyright Act Exemptions Help Protect Security Researchers
Ambiguities in the Digital Millennium Copyright Act can leave security researchers acting in good faith without legal protection. To help protect those researchers, the Librarian of Congress and the US Copyright Office recently, according to Motherboard, “renewed several key exemptions (and added a few new ones) to the Digital Millennium Copyright Act. This go round, they’ve extended some essential exemptions ensuring that computer security researchers won’t be treated like nefarious criminals for their contributions to society.” Motherboard also notes that “The exemptions still have some caveats. Specifically, the Copyright Office ruling only applies to ‘use exemptions,’ not ‘tools exemptions’—meaning security researchers still can’t release things like pen-testing tools that bypass DRM, or even publish technical papers exploring how to bypass bootloaders or other Trusted Platform Modules to test the security of the systems behind them.”
Cybersecurity Reports and Surveys Roundup
We’ve rounded up a few of the best cybersecurity reports and surveys released last week:
API Releases “Defense-in-Depth: Cybersecurity in the Natural Gas and Oil Industry Report”
According to a press release, API and the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) “released a report describing the industry’s resilience and preparedness to defend itself and energy consumers against malicious cyber threats and providing insight for policymakers into the comprehensive cybersecurity programs of the natural gas and oil industry.” Key points from the report include: