On January 1, 2020, California’s new Internet of Things (IoT) Security Law goes into effect. The law is the first IoT-specific security law in the United States and, simply put, requires all IoT devices sold in California to be equipped with reasonable security measures. Specifically, a connected device must be equipped with “reasonable security features” appropriate to the nature and function of the device and the information it may collect or transmit, and designed to protect the device and any information within it from unauthorized access, destruction, use, modification or disclosure. IoT equipment suppliers are being asked to implement “security by design”, which the FCC defines as “A development practice that reduces cyber risk by using a disciplined process of continuous testing, authentication safeguards and adherence to best development practices.” Many are speculating whether other states will adopt similar laws, but in the meantime the California market is too big for suppliers to walk away from, and many are trying to understand how these laws will impact their products.
Equifax suffered huge damages after the well-publicized breach. Now, it turns out, attribution points to a culture of complacency. Executives should attend The First Annual Atlanta Symposium on Cyber Culture and Team Building with others from their executive team. This event is intended to be cross-cultural and bring together the entire C-Suite. Learn more and register today!
The Justice Department is trying to force Facebook to break the encryption on its Messenger app so it can listen to a suspect’s voice as part of a criminal probe, Reuters reported late last week. Facebook is said to be resisting. The ACLU’s Jennifer Granick tweeted about how the case wasn’t exactly a repeat of the encryption fight a few years ago between Apple and the FBI. Security engineer Alec Muffett predicted the case might go all the way to the Supreme Court. In related news, ZDNet reported that the government is seeking source code from tech companies in court, and the tech companies are largely losing. [via POLITICO’s Morning Cybersecurity]
U.S. President Donald Trump signed the NIST Small Business Cybersecurity Act, formerly known as the MAIN STREET Cybersecurity Act, into law on August 14 this year. The law requires the National Institute of Standards and Technology (NIST) to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.” The new law will attempt to provide small businesses with the tools they need to strengthen their cybersecurity infrastructure and fight online attacks. Jessica Ortega, a member of the SiteLock research team, said, “The NIST Small Business Cybersecurity Act aims to provide cyberdefense resources for small businesses by creating a set of guidelines for basic security measures that should be easy to follow and implement affordably. It also creates guidelines for making security best practices a required component of corporate training and workplace culture, something that is very needed as cyberthreats continue to evolve.”
… for the federal government for years, but the Trump administration has increased the focus on them. Homeland Security last year banned government agencies from using products made by the Russian cyber firm Kaspersky Lab, citing the risk that Moscow could secretly access the company’s data or reach into its customers’ computers. Congress codified a similar ban later that year. DHS is also seeking industry feedback on a broader supply chain risk management initiative. And on Thursday, the telecom agency NTIA launched a project to encourage more transparency around the building blocks of software, with the goal of reducing hidden risks that can threaten the U.S. supply chain.
… on supply chain threats. Some lawmakers are trying to impose Kaspersky-like restrictions on the Chinese telecom giants Huawei and ZTE. Others have introduced bipartisan legislation to tackle supply chain risk management more holistically, and the White House has circulated a draft proposal that closely mirrors that bill. Meanwhile, the commerce committees have encouraged the FCC and the Agriculture Department to prevent telecom companies that receive federal subsidies from buying Huawei or ZTE products. At a recent federal advisory board meeting, a House Energy and Commerce Committee staffer noted that rural telecom operators in particular were liable to buy from these Chinese firms because they often offered better prices than American competitors.
Should we be surprised at all that Facebook, Google and others base their business plan on marketing our personal information, and that, on the doorstep of GDPR, everyone from customers to Senators is astonished they haven’t noticed or cared until now? A heavy-handed regulatory response could have us rethinking the current model of social media and marketing. Does the pendulum swing back to closed communities like the AOL of the 1990s? This issue requires informed discussion (frankly, many Senators are out of touch on this topic) if we are to avoid throwing the baby out with the bathwater.
Russian threat actors poised to cripple power grid, UK warns
McFadden also called out Moscow’s use of cyber criminal gangs and mercenary hacktivist operations that are not directly controlled by the Kremlin but are allowed to act with impunity as long as they don’t act against…
CISA and FBI Publish Product Security Bad Practices
The Guidance states that the ten identified practices—categorized as (1) Product Properties, (2) Security Features, or (3) Organizational Processes and Policies—are “dangerous and significantly elevate risk to national…
Please consider making a year-end tax exempt donation to Docent Institute to support our educational mission with K-12 and college students. #docentinstitute #GivingTuesday