Data Matters: The Declaration for the Future of the Internet
On April 28, 2022, the White House announced, in partnership with 60 global partners, the launch of the Declaration for the Future of the Internet, also known as the “DFI.”
According to the White House briefing, the Declaration sets forth the shared principles regarding how parties should comport themselves with respect to the Internet, the digital ecosystem, and the digital economy. The Declaration affirms that the signatories are committed to defending the Internet, to governing it by a multi-stakeholder approach, and to promoting an open, free, global, interoperable, reliable, and secure Internet for the world. The State Department’s newly formed Bureau of Cyberspace and Digital Policy put out a nearly identical statement. (more…)
CISA: “We don’t stab the wounded.”
Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), repeatedly emphasizes CISA’s cooperative approach with the U.S. private sector. During her interview with Sidley’s Alan Raul on April 13, 2022, Easterly emphasized that CISA’s role was not to “name, blame, shame, or stab the wounded” victims of cybersecurity incidents. Instead, she described the Agency as a coequal partner with the private sector in securing U.S. infrastructure. CISA desires to partner with other agencies as well, operating as the “front door” to federal agency support and cyber security resources, she stated. During the Raul interview, she also provided insight into the Agency’s perspective on the newly enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). (more…)
Understanding China’s Data Regulatory Regime: What Are Important Data? And Can They Be Transferred Outside Of China?
The concept of “important data” is a cornerstone of China’s data regulatory regime. The Cyber Security Law (2017) (the CSL) prohibits operators of critical information infrastructures (CIIs) from transferring their “important data” and personal information outside of China. The Data Security Law (2021) (the DSL) and some recent draft regulations indicate that the prohibition on exports of “important data” is likely to apply to all companies, whether CII operators or not.
Then, what are “important data”? (more…)
White House Urgent Warning: Act Now to Protect Against Potential Russian Cyberattacks
On March 21, 2022, the White House issued a dramatic warning based on “evolving intelligence” about the potential for Russia to threaten America with cyber attacks in response to U.S.-imposed economic sanctions. In a separate statement, President Biden said that “the Russian Government is exploring options for potential cyberattacks.” He urged the private sector, especially those that operate critical infrastructure, to “harden your cyber defenses immediately by implementing the best practices we have developed together over the last year.” According to Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, Russia has been conducting “preparatory activities”, which she said could include scanning of websites and hunting for software vulnerabilities.
In addition to CISA’s Shields-Up campaign, which we covered in a previous blog post, the White House’s March 21 Fact Sheet stresses the urgency of key cyber hygiene steps including recommendations to: (more…)
Congress Passes Cyber Incident Reporting for Critical Infrastructure Act of 2022
The U.S. Congress has passed a significant new cybersecurity law that will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 and 24 hours, respectively. The reporting requirements will cover multiple sectors of the economy, including chemical industry entities, commercial facilities, communications sector entities, critical manufacturing, dams, financial services entities, food and agriculture sector entities, healthcare entities, information technology, energy, and transportation. CISA must promulgate a proposed implementing regulation within 24 months from final enactment date of March 15, 2022, and a final regulation no later than 18 months thereafter. The effective date of the act’s reporting requirements will be set by the final rule. (more…)
U.S. Government Issues Warning of Threat Against U.S. Critical Infrastructure
On February 25, 2022, in light of Russia’s attack on Ukraine, and months of continuing Russian state-sponsored cyberattacks on Ukrainian government and critical infrastructure organizations, the Cybersecurity and Infrastructure Security Agency (CISA) issued a “Shields Up” warning to American critical infrastructure organizations and businesses, stating that “[e]very organization—large and small—must be prepared to respond to disruptive cyber activity.” While the guidance states that there are no specific, credible cyber threats directed at the United States, it notes that Russian threat actors have been orchestrating denial of service and destructive malware attacks affecting Ukraine and its neighboring countries, and that such activities may spread to the United States and its NATO allies in what is a rapidly evolving scenario. (more…)
U.S. and Foreign Cybersecurity and Intelligence Agencies Recommend Measures to Counteract Threat of Russian Cyberattacks
On January 11, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recently released a joint Cybersecurity Advisory warning critical infrastructure operators about the threat of Russian state-sponsored cyberattacks and recommended best practices to minimize disruption from such an attack (the “Advisory”).
The advisory was promptly endorsed by the National Cyber Security Centre, a division of Government Communications Headquarters (“GCHQ”), a UK intelligence agency. Within a few days, data security experts at Microsoft, Palo Alto Networks (“PANW”), and Mandiant confirmed reports of increasing Russian cyberactivity and offered their own recommendations for hardening measures (many of which overlap with the Advisory). (more…)
U.S. Commerce Department Proposes Expansion of Information and Communications Technology and Services Review Process
On November 26, 2021, the U.S. Department of Commerce (Commerce) issued a notice of proposed rulemaking (Proposed Rule) implementing Executive Order 14034 on Protecting Americans’ Sensitive Data from Foreign Adversaries (EO 14034). The Proposed Rule would bring “connected software applications” into the scope of Commerce’s authority to review certain transactions involving information and communications technology and services (ICTS) in the U.S. supply chain and approve or prohibit such transactions or require mitigating measures.1
A Software Primer For Attorneys After Cyber Executive Order
When President Joe Biden issued his major cybersecurity executive order on May 12, a White House press briefing said the order would invoke:
“the power of federal procurement to say, “If you’re doing business with us, we need you to practice really good — really good cybersecurity. And, most importantly, we really need you to focus on secure software development.” (more…)
The U.S. Federal Government Continues Its Focus on Ransomware Attacks: CISA, FBI, and NSA Publish Technical Advisory on the Conti Group
On September 22, 2021, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) published a cybersecurity advisory (the “Advisory”) outlining the Conti ransomware group’s tactics, techniques, and procedures (“TTPs”) to help companies protect against their attacks. This Advisory is especially notable because it is an example of the type of information sharing promised by the Biden administration, which includes technical details about the Conti group’s TTPs. It also heralds the launch of new website called: StopRansomware.gov. (more…)
