Cyber Insights 2023: Quantum Computing and the Coming Cryptopocalypse


About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

SecurityWeek Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse – The waiting time for general purpose quantum computers is getting shorter, but they are still probably decades away. The arrival of cryptanalytically-relevant quantum computers (CRQCs) that will herald the cryptopocalypse will be much sooner – possibly less than a decade. 

At that point our existing PKI-protected data will become accessible as plaintext to anybody; and the ‘harvest now, decrypt later’ process will be complete. This is known as the cryptopocalypse. It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.

Here we are going to examine the why, what, and how we need to prepare for that cryptopocalypse – but first we need a few definitions to ensure we’re all singing the same song.

  • CRQC: A quantum computer capable of running Shor’s algorithm and cracking current PKI encryption.
  • Cryptopocalypse: The point at which CRQCs exist and are able to turn our currently encrypted data into plaintext.
  • Quantum safe: Cryptography that is believed to be resistant to CRQCs, but cannot be proven to be so.
  • Quantum secure: Cryptography that is provably secure against CRQCs, and cannot be broken.
  • Post quantum cryptography (PQC): A term for cryptography designed for the post CRQC era, but one that doesn’t differentiate between ‘safe’ and ‘secure’.

The cryptopocalypse

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption. Since public key encryption is used to secure almost all data in transit, both between separate IT infrastructures and even within individual infrastructures, that data will become accessible by anyone with a sufficiently powerful quantum computer.

“That means that all secrets are at risk,” explains Bryan Ware, CEO at LookingGlass; “nuclear weapons, banks, business IP, intelligence agencies, among other things, are at risk of losing their confidentiality and integrity.”

But this is not a threat for the future – the threat exists today. Adversaries are known to be stealing and storing encrypted data with the knowledge that within a few years they will be able to access the raw data. This is known as the ‘harvest now, decrypt later’ threat. Intellectual property and commercial plans – not to mention military secrets – will still be valuable to adversaries when the cryptopocalypse happens.

“Even if a cryptographically relevant quantum computer is still years away, the time to start preparing is now,” warns Rebecca Krauthamer, co-founder and CPO at QuSecure.

The one thing we can say with certainty is that it definitely won’t happen in 2023 – probably. That probably comes from not knowing for certain what stage in the journey to quantum computing has been achieved by foreign nations or their intelligence agencies – and they’re not likely to tell us. Nevertheless, it is assumed that nobody yet has a quantum computer powerful enough to run Shor’s algorithm and crack PKI encryption in a meaningful timeframe.

Such computers may become available in as little as three to five years from now. Most predictions suggest ten years. Note that a specialized quantum computer designed specifically for Shor does not need to be as powerful as a general-purpose quantum computer – which is more likely to be 20 to 30 years away.

It is difficult to make precise predictions because the power of a quantum computer comes from the number of qubits that can be used. This is further complicated by the instability of qubits, which requires a high number of additional qubits used solely for error correction. Consequently, the number of qubits that can be ‘used’ (logical qubits) is much less than the total number needed (physical qubits).

It has been suggested that as many as 1,000 physical qubits may be required for each logical qubit. This will depend on the quality of the error correction in use – and this is an area of intense research. So, at some time in the next few years, as the number of physical qubits increases, and the number of required physical qubits per logical qubit decreases, quantum developers will have a quantum computer able to crack PKI. It has been estimated that this will require between approximately 1,000 and 2,000 logical qubits.

To put some flesh on this skeleton, we can look at an announcement made by IBM on November 9, 2022: a new 433 qubit Osprey processor. This was accompanied by a roadmap that shows a progression toward a 4,000 plus qubit quantum computer, codenamed Kookaburra, due in 2025.

Error correction is being approached by a new version of IBM’s Qiskit Runtime software that allows ‘a user to trade speed for reduced error count with a simple option in the API’. This is supported by a new modular IBM Quantum System Two able to combine multiple processors into a single system with communication links. System Two is expected to go live in 2023, around the same time that IBM expects to have a 1k+ qubit processor codenamed Condor.

System Two will be a building block in what IBM calls quantum-centric supercomputing. Scott Crowder, the VP of IBM quantum adoption and business, explains in more detail: “Quantum-centric supercomputing (which describes a modular architecture and quantum communication designed to increase computational capacity, and which employs hybrid cloud middleware to seamlessly integrate quantum and classical workflows) is the blueprint for how quantum computing will be used in the years to come.”

He added, “This approach to scaling quantum systems alongside the recent, dramatic improvements in techniques to deal with quantum processor errors is how we envision a path to near-term, practical quantum advantage – the point when quantum processors will be capable of performing a useful computation, faster, more accurately, or cheaper than using exclusively classical computing.”

Such projections don’t tell us precisely when to expect the cryptopocalypse, but they clearly show it is getting perilously close. “Quantum computing is not, yet, to the point of rendering conventional encryption useless, at least that we know of, but it is heading that way,” comments Mike Parkin, senior technical engineer at Vulcan Cyber.

The additional threat from AI

Skip Sanzeri, co-founder and COO at QuSecure, warns that the threat to current encryption is not limited to quantum decryption. “New approaches are being developed promising the same post-quantum cybersecurity threats as a cryptographically relevant quantum computer, only much sooner,” he said. “It is also believed that quantum advancements don’t have to directly decrypt today’s encryption. If they weaken it by suggesting or probabilistically finding some better seeds for a classical algorithm (like the sieve) and make that more efficient, that can result in a successful attack. And it’s no stretch to predict, speaking of predictions, that people are going to find ways to hack our encryption that we don’t even know about yet.”

Steve Weston, co-founder and CTO at Incrypteon, offers a possible illustration. “Where is the threat in 2023 and beyond?” he asks. “Is it the threat from quantum computers, or is the bigger threat from AI? An analysis of cryptoanalysis and code breaking over the last 40 years shows how AI is used now, and will be more so in the future.”

QKD

Quantum key distribution (QKD) is a method of securely exchanging encryption keys using quantum properties transmitted via fiber. While in this quantum state, the nature of quantum mechanics ensures that any attempt to access the transmission will disturb the content. It does not prevent attacks, but ensures that an attempted attack is immediately visible, and the key can be discarded. Successful QKD paves the way for data to be transmitted using the latest and best symmetrical encryption. Current symmetrical algorithms are considered safe against quantum decryption. 

“Symmetric encryption, like AES-256, is theorized to be quantum safe, but one can speculate that key sizes will soon double,” comments Silvio Pappalardo, chief revenue officer at Quintessence Labs.

“Quantum cryptography is a method of encryption that uses the principles of quantum physics in securing and transmitting data,” says Ganesh Subramanya, head of data protection CoE cybersecurity at TCS. “It creates security so strong that data coded in quantum state cannot be compromised without the sender being notified. Traditional cryptography uses technologies like SSL and TLS to secure data over the internet, but they have been vulnerable to a variety of attacks, as an attacker can change the communication between two parties (like user’s browser and the webpage / application) and make them believe they’re still communicating with each other. With quantum cryptography, such an alteration of data is not possible, thereby strengthening the security of online transactions.”

John Prisco, Toshiba partner and president/CEO of Safe Quantum, applies these principles to QKD. “Quantum key distribution contains a key security aspect that cannot be overstated,” he says, “especially if it is being utilized in tandem with the NIST post-quantum encryption standards (PQC). The gold standard in cybersecurity is considered to be defense in-depth, as this leverages two totally different technologies with diverse failure mechanisms, working for protection. With harvest now decrypt later attacks becoming more frequent, there is no delay time that is safe to defend against quantum attacks. QKD authenticated with PQC signature algorithms is the only defense that can be deployed immediately and guarantee a successful defense against harvest now, decrypt later.”

Terry Cronin, the VP at Toshiba who oversees the QKD Division, agrees with this assessment. “The use of QKD as part of a hybrid solution to quantum resistance can offer the security needed ensuring that a harvest and decrypt attack cannot succeed in accessing the data.”

The practical difficulties in introducing wide-scale fiber-based QKD mean that it cannot be implemented everywhere. Its immediate use will likely be limited to point-to-point communications between high value sites – such as some government agencies and between major bank offices.

Post Quantum Cryptography

NIST

NIST began a competition to select and standardize post quantum encryption algorithms in 2016. “We’re looking to replace three NIST cryptographic standards and guidelines that would be the most vulnerable to quantum computers,” said NIST mathematician Dustin Moody at the time. “They deal with encryption, key establishment and digital signatures, all of which use forms of public key cryptography.”

In July 2022, NIST announced its first four finalists. However, it emerged in August 2022 that a different finalist, the Supersingular Isogeny Key Encapsulation (SIKE) algorithm, had already been broken. SIKE is designed to deliver keys securely from source to destination across an untrusted network. Researchers had demonstrated, however, that the algorithm could be cracked on a single classical PC in little over an hour.

This illustrates a problem that all security professionals need to confront. Any encryption algorithm is secure only until it is cracked. Whitehat researchers will tell you if they can crack an algorithm — foreign governments will not. In effect, this means that the ‘later’ part of ‘harvest now, decrypt later’ is an optimistic view. We believe that encrypted IP being stolen today cannot yet be decrypted — but we cannot be certain.

We do, however, know that current PKI encryption will certainly be broken by quantum computers in the relatively near future. The solution from NIST is to replace current vulnerable PKI algorithms with more complex algorithms — that is to solve more powerful computing by using more powerful algorithms. 

Ultimately, we will be in the same position we are in today. We will believe our IP protected by NIST’s post quantum algorithms will be safe — but we cannot be certain. Remember that at least one proposed post-quantum algorithm has been broken on a PC. So, even if we switch to a NIST-approved post quantum encryption standard tomorrow, we cannot be certain that the harvest now decrypt later philosophy has been beaten.

One-time pads

NIST’s PQC algorithms are ‘quantum safe’; they are not ‘quantum secure’. The former are thought to be safe against quantum decryption but cannot be proven to be so (since they are mathematical in nature and susceptible to mathematical decryption). Cryptography that can be proven to be safe is known as ‘quantum secure’ — and the only way to achieve this is to remove mathematics from the equation.

The only quantum secure cryptography known is the one-time pad because it relies on information security rather than mathematical security. Technically, QKD could be described in similarly secure terms since any attempt to obtain the keys for mathematical decryption could result in the immediate destruction of the keys (preventing them from being usefully decrypted). We have already seen that QKD has problems for widespread use — but it remains an open question whether modern technology is able to deliver usable one-time pads.

Historically, OTP has been considered unworkable for the internet age because it requires keys of the same length or longer than the message being encrypted. Nevertheless, several companies have been exploring the possibilities becoming available with new technology.

Qrypt started from the basis that the quantum threat comes from the communication of encryption keys from source to destination. If you can avoid the necessity to communicate the keys, you can eliminate the threat. It consequently developed a process that allows the generation of the same quantum random numbers simultaneously at both source and destination. A quantum random number is a genuinely random number generated with quantum mechanics principles. These numbers can then be used to generate identical keys without them needing to be transmitted across the internet.

However, since the numbers can be generated in advance and stored until use, there remains the potential to chain the process to provide genuine OTP for the keys without requiring them to be transmitted across the internet. Solutions based on this process are quantum secure.

Incrypteon, a British startup, has taken a different route by applying Shannon’s information theories to the one-time pad. The science is a bit mind-numbing but is based on Shannon’s equivocation from his Communication Theory of Secrecy Systems published in 1949. “The definition of perfect secrecy is based on statistics and probabilities,” says Incrypteon. “A ciphertext maintains perfect secrecy if the attacker’s knowledge of the contents of the message is the same both before and after the adversary inspects the ciphertext, attacking it with unlimited resources.”

Using its own patented software and ‘Perpetual Equivocation’, Incrypteon “ensures that conditional entropy never equals zero, therefore achieving Perfect Secrecy.” The result is something that is automatically quantum secure (not just quantum safe) — and is available today.

Co-founder Helder Figueira had been an electronic warfare signals officer commanding a cryptanalysis unit in the South African Army. The concepts of Shannon’s equivocation are well-understood by the military, and he has long been concerned that the commercial market is forced to accept encryption that is, by definition, ‘insecure’ — if something cannot be proven to be secure, it must be insecure.

A third and potentially future approach to the one-time pad could evolve from current advances in tokenization – more specifically cloud-based vaultless tokenization protected by immutable servers.

Rixon, another startup, is involved in this area. Its primary purpose is to protect PII stored by organizations with a web presence – but the principles could easily be extended. Plaintext is immediately tokenized in the cloud, and no plaintext is held onsite. Nor is the plaintext held at the tokenization engine in the cloud – all that is stored is the tokenization route for each tokenized character (for the purpose of comparison, this tokenization route is equivalent to the cryptographic key, but is random for each character).

This provides the primary parallel with the OTP – the ‘key’ is the same length as the message. Currently, Rixon concentrates on tokenizing PII; but the same concept could be extended to secure high value files at rest such as intellectual property and commercial plans.

Transition to post quantum cryptography

The coming cryptopocalypse requires organizations to transition from known quantum-vulnerable encryption (such as current PKI standards) to something that is at least quantum safe if not quantum secure. This will be a long process, and in 2023 businesses will need to start planning their route in greater detail.

Most companies will start from the viewpoint that NIST post-quantum algorithms are the only way forward. We have discussed OTP developments in some depth to show that the NIST route is not the only available route – and we expect further OTP developments during 2023.

The full transition to post quantum readiness will take many years, and will not be achieved by throwing a switch from classical to PQC. This has led to the concept of ‘crypto agility’. “It will be essential that quantum ready algorithms (QRAs) are able to coexist with existing cryptographic capabilities, in a hybrid manner, while the complete transition to quantum safe occurs,” explains Silvio Pappalardo, chief revenue officer at Quintessence Labs. 

“Crypto agility enables applications to migrate between key types and cryptographic algorithms without the need to update the application software — transitioning from homogenous towards micro-service architecture,” he said. “With encryption ciphers changing due to the threat of quantum, decreasing longevity, increasing key sizes, and the expanding requirements to protect more data, more effectively, crypto agility becomes a business enabler and defender to keep pace with constant innovations and enable greater flexibility into the future.” Such agility also allows companies to switch from one quantum safe algorithm to another if the one in use gets broken. 

For now, government agencies will have little choice but to follow NIST. On November 18, 2022, the White House issued a memorandum to the heads of executive departments and agencies requiring that CRQC readiness begin with taking an inventory of vulnerable assets. “By May 4, 2023, and annually thereafter until 2035”, states the memo, “agencies are directed to submit a prioritized inventory of information systems and assets, excluding national security systems, that contain CRQC-vulnerable cryptographic systems to ONCD and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA).”

(This confirmed earlier details announced in the National Security Memorandum NSM/10 published on May 4, 2022.)

On December 21, 2022, Biden signed the Quantum Computing Cybersecurity Preparedness Act into law. “Quantum computers are under development globally with some adversarial nation states putting tens of billions of dollars into programs to create these very powerful machines that will break the encryption we use today,” comments Sanzeri. “While not here yet, quantum computers will be online in coming years, but it will take more than a few years for our federal agencies and commercial enterprises to upgrade their systems to post quantum cybersecurity.”

This Act, he continued, “requires federal agencies to migrate systems to post quantum cryptography which is resilient against attacks from quantum computers. And the Office of Management and Budget is further required to send an annual report to Congress depicting a strategy on how to assess post-quantum cryptography risks across the federal government.”

The government is clearly wedded to the NIST proposals. This may be because NIST is correct in its assertion that OTP is not realistic. NIST computer security mathematician Dustin Moody told SecurityWeek in October 2022, “The one-time pad must be generated by a source of true randomness, and not a pseudo-random process.” But there are numerous sources for the generation of genuinely random numbers using quantum mechanics.

“The one-time pad must be as long as the message which is to be encrypted,” added Moody. “If you wish to encrypt a long message, the size of the one-time pad will be much larger than key sizes of the algorithms we [NIST] selected.” This is also being challenged as a problem by both Qrypt and Incrypteon, and potentially tokenization firms like Rixon.
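The two properties argued over in the one-time pad section above and in Moody’s objection here (perfect secrecy, and the pad having to be at least as long as everything it encrypts) can be shown in a few lines. This is an added illustration, not code from any of the companies or from NIST; the `PadStore` class and its method names are this example’s own, and the pad bytes in the demo come from `secrets.token_bytes()` purely so it runs offline, whereas a real OTP needs a true-random source as Moody says.

```python
"""One-time pad: perfect secrecy, and why pad bytes can never be reused."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the whole of OTP encryption)."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class PadStore:
    """Pad material held identically by sender and receiver (hypothetical helper).

    Each pad byte is handed out exactly once, so the total traffic that can
    ever be protected is bounded by the pad length: this is the 'pad must be
    as long as the message' requirement, enforced rather than assumed.
    """

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._offset = 0

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def take(self, n: int) -> tuple[int, bytes]:
        """Consume n fresh bytes; return (offset, bytes). Refuses to reuse."""
        if n > self.remaining:
            raise RuntimeError(f"pad exhausted: need {n} bytes, {self.remaining} left")
        start = self._offset
        self._offset += n
        return start, self._pad[start:self._offset]

    def at(self, offset: int, n: int) -> bytes:
        """Receiver side: read the same bytes the sender consumed."""
        return self._pad[offset:offset + n]


def otp_encrypt(plaintext: bytes, sender_pad: PadStore) -> tuple[int, bytes]:
    """Encrypt with fresh pad bytes; the offset tells the receiver which bytes."""
    offset, key = sender_pad.take(len(plaintext))
    return offset, xor_bytes(plaintext, key)


def otp_decrypt(offset: int, ciphertext: bytes, receiver_pad: PadStore) -> bytes:
    return xor_bytes(ciphertext, receiver_pad.at(offset, len(ciphertext)))


def key_consistent_with(ciphertext: bytes, guessed_plaintext: bytes) -> bytes:
    """Perfect secrecy (Shannon): for ANY guessed plaintext of the right length
    there is exactly one pad that maps it to this ciphertext, so the ciphertext
    alone tells an observer nothing about which guess is correct."""
    return xor_bytes(ciphertext, guessed_plaintext)


def pad_reuse_residue(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted with the SAME pad bytes, c1 XOR c2 equals
    p1 XOR p2: the pad cancels out and the guarantee is gone. This is why a
    pad must cover all traffic combined, not just one message."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    # Constructed demo: both ends share a 64-byte pad (CSPRNG stands in for
    # a quantum or other true-random source).
    shared = secrets.token_bytes(64)
    sender, receiver = PadStore(shared), PadStore(shared)
    off, ct = otp_encrypt(b"transfer 100", sender)
    print(otp_decrypt(off, ct, receiver))             # b'transfer 100'
    alt = key_consistent_with(ct, b"transfer 900")    # equally valid pad
    print(xor_bytes(ct, alt))                         # b'transfer 900'
    print(sender.remaining)                           # 52 bytes left
```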

Nevertheless, most companies will follow the incremental process of NIST rather than the more revolutionary process of OTP, if only because of NIST’s reputation and government support. 2023 will see more companies beginning their move to CRQC readiness – but there are more options than are immediately obvious.



Cyber Insights 2023: Regulations



SecurityWeek Cyber Insights 2023 | Regulations – In this world, nothing is certain but death, taxes, and cyber regulations. The first is static, the second goes up and down, but the third seems only to increase. The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often in conflict with the second and third.

Transatlantic data flows

Privacy is the headline battleground going forward, and amply illustrates the conflict between voter demands and national economies. This can be seen in the unsettled but multi-year attempt to find a legal solution to the transfer of personal user data from Europe to the US. Economics demands it, but European law (GDPR) and swathes of European public opinion deny it.

At the time of writing, it is almost certainly illegal to transfer PII from Europe to the US. The Privacy Shield – the second attempt at finding a workaround to GDPR – was declared illegal in what is known as the Schrems II court ruling. The wording of that ruling almost certainly eliminates an alternative approach known as ‘standard contractual clauses’.

During 2022, the European Commission (EC) and the US Biden administration have worked on developing a replacement for Privacy Shield. The ball was obviously in the US court, and on October 7, 2022, Biden issued an Executive Order to implement the EU-US Data Privacy Framework agreement – sometimes known as Privacy Shield 2.0.

This was enthusiastically greeted by US business. IBM, for example, issued a statement, “These steps will restore certainty to the thousands of companies already self-certified under Privacy Shield. Providing predictable, free flows of data between the US and the EU will secure the mutual benefits of continued business cooperation and will create a foundation for future economic growth.”

Our first prediction for 2023 is that the EC will approve Biden’s Executive Order and allow ‘free flows of data between the US and the EU’. This approval is in process. The EC issued a draft adequacy determination for the EU-US data privacy framework on December 12, 2022. 

“As expected,” comments Caitlin Fennessy, VP and chief knowledge officer at the International Association of Privacy Professionals (IAPP), “the draft outlines the Commission’s reasoning in finding the framework adequate, with a focus on the new necessity and proportionality requirements for US signals intelligence and the Data Protection Review Court outlined in the recent Executive Order and Department of Justice regulations.”

But that will be just the beginning. European activists, such as Max Schrems, are likely to challenge the EC ruling in the European Court.

The basic problem remains the NSA’s requirement to surveil non-Americans (such as Europeans) for national security purposes. Schrems’ website, noyb, has already indicated a dissatisfaction. “So-called ‘bulk surveillance’ will continue under the new Executive Order (see Section 2 (c)(ii)) and any data sent to US providers will still end up in programs like PRISM or Upstream, despite the CJEU declaring US surveillance laws and practices as not ‘proportionate’ (under the European understanding of the word) twice.”

So, during 2023, transatlantic PII data flows will become legal under the new framework, but that framework will be challenged as unconstitutional in the European Court. The court case will take several years to come to a conclusion, but it will probably declare the data privacy framework (or whatever it becomes known as) to be illegal. The basic problem is that GDPR and NSA surveillance are incompatible, and neither is likely to change.

Federal privacy law

The US government has been seeking a federal privacy law for around a decade but is probably no closer to achieving one. Progress was made during 2022, but the midterms kicked the bill into the long grass while the lawmakers concentrated on more pressing career issues. The question is whether it can be retrieved during 2023.

Mitzi Hill, a partner at the Taylor English Duma law firm, thinks it is unlikely. “I remain doubtful,” she said. “It is a complex topic both technically and legally. It is made more complicated with every new state law, because that is a new set of factors to consider in drafting any federal legislation.”

She also notes the outcome of the 2022 midterms. “Traditionally, we would expect that a Republican House majority [as we will have in 2023] will favor marketplace (as opposed to regulatory) solutions, making it tough to get anything passed in both houses of Congress. My own view is that the states will continue to lead in this area.”

Gopi Ramamoorthy, senior director of security and GRC at Symmetry Systems, points out that “Five states have already enacted privacy acts, and more are expected to follow. The increased focus on privacy has stemmed from the introduction of GDPR and Schrems II decision from the EU.”

The California Privacy Rights Act (CPRA) comes into effect on January 1, 2023, with enforcement beginning on July 1, 2023. It is an extension of the existing CCPA, which is already possibly the strongest privacy act in the US (and largely modeled on GDPR). While it is somewhat more friendly to small businesses, it gives consumers more rights, places more requirements on organizations, and establishes an enforcement agency.

The consumer demand for privacy is strong, but not absolute – and often depends on what is received in return for giving up personal information. Consider Google, widely acknowledged as one of the primary collectors and users of PII. Despite this, consumers continue to consume Google because of the ‘free’ services the company offers in exchange. The result is that it is difficult for lawmakers to know exactly what their voters really want.

“Privacy laws and regulations will continue to swing widely between completely useless – even harmful – and amazing wins for consumers. This is due to corporation lobbying and consumer [voter] demands,” comments Taylor Gulley, senior application security consultant at nVisium. “Though most consumers desire complete privacy, the growing demand for personalized content and services requires providing ever more information to companies. This increase of valuable, marketable, information gives corporations a reason to continue to lobby for their benefit.”

One area worth watching in 2023 is whether the FTC picks up the mantle of a ‘federal’ privacy regulator. Noticeably, the FTC treats failures in consumer privacy as a potential deceptive practice – and deceptive practices are firmly within the FTC bailiwick.

“The FTC may become even bolder about privacy matters in the next couple of years,” suggests Hill. “It recently adopted an enforcement action that is targeted to a particular CEO and any future business he may join.”

She explained that his current company has multiple privacy violations and may have misstated the degree to which it addressed security issues following the first set of violations. His future companies or employers will be required to release detailed security plans. “This is unprecedented as far as I know,” she added.

Trickle-down regulated security

Although Biden does not believe in trickle-down economics, he nevertheless makes use of trickle-down cybersecurity. He cannot pass federal laws for private industry without the support of Congress – but he can (and does) issue executive orders that become mandatory instructions for federal agencies and strong trickle-down recommendations for private industry. 

If security vendors must conform to certain requirements before they can sell into the government, the size of the government market makes it a commercial if not legal requirement to conform. Furthermore, if federal agencies are required to apply certain cybersecurity methodologies, much of private industry will also take heed.

Both conditions were introduced in May 2021 with Executive Order 14208, spurring activity in zero trust, and introducing the software bill of materials (SBOM). Both are intended to counter the growing supply chain threat, and both will remain top of mind for companies during 2023.

“SBOM is going to continue to garner mainstream adoption, not just from software/firmware suppliers that are building products they are selling, but also for internal development teams that are building applications and systems for internal use,” comments Tom Pace, CEO at NetRise.

The federal government described the requirements for SBOMs in an OMB memorandum published on September 14, 2022. “This is going to cause a cascading effect in the private sector,” continued Pace, “since obviously the federal government does not manufacture all its own software and firmware – in fact very little is manufactured in house.”

There will be a bedding-in period before SBOMs achieve their end – and attackers are likely to increase their own efforts in the meantime. “Highly visible attacks on the software supply chain start with access to the weakest link. As we head into 2023, it will be important for businesses of all sizes to be engaged as new secure software development practices are defined,” warns John McClurg, SVP and CISO at BlackBerry.

Executive Orders are not the only tools the federal government can use – it also has NIST (a standards body) and CISA (a DHS agency responsible for strengthening security and infrastructure across all levels of government). While they primarily provide recommendations, this may not always be the case.

“The combined efforts of CISA and NIST in recent years,” comments Eric Hart, manager of subscription services at LogRhythm, “have led to a series of new cross-sector cybersecurity performance goals (CPGs) that organizations have already begun to implement.” 

CISA’s CPGs are designed to provide an easier route towards conforming to NIST for organizations that may not have the resources to go straight to the complexities of the NIST CSF. “While these standards are designed to strengthen organizations,” continued Hart, “the process of reaching full regulatory compliance can be tricky. The complexity, along with the growing push for federally enforced compliance, suggests we could see a flurry of activity in 2023 as more organizations seek to adopt these new security standards.”

Noticeably, CISA describes the CPGs as ‘voluntary’ and ‘not comprehensive’, adding, “The CPGs are intended to supplement the [NIST] Cybersecurity Framework (CSF) for organizations seeking assistance in prioritizing investment toward a limited number of high-impact security outcomes, whether due to gaps in expertise, resources, or capabilities or to enable focused improvements across suppliers, vendors, business partners, or customers.”

But it is also worth considering a comment from Grant Geyer, CPO at Claroty, who blogged that they may prove a jumping off point for upcoming regulations coming from the White House. “Regulators now have a CISA-approved, pre-built checklist of critical areas to focus on that address key practices such as account security, data and device integrity, supply chain and third-party risk, and response and recovery.” We may yet see CISA’s CPGs become mandated for federal agencies and join the trickle-down process of federal regulations.

Ben Johnson, CTO and co-founder of Obsidian Security, sees a great future for CISA. “CISA came into its own in 2022. This next year, we’ll see CISA drive better, more resilient security, especially in critical infrastructure — increasing the sector’s maturity as a whole.”

The regulations jungle

The trajectory for regulations is to increase, and they are increasing rapidly. These include state-level, federal-level, and overseas national-level regulations that may impact US companies with operations in those countries. An example of the last could be Australia’s current plans for a new, more aggressive attitude toward cybercriminals. Part of this will be to make ransom payments illegal in Australia.

One question to be decided is how that might impact American companies with an Australian operation that gets ransomed. Will the American parent, where ransom payments are not illegal, be able to pay the ransom on behalf of the Australian operation?

Such complexities will require expert input by companies to match their infrastructure and processes against a huge number of regulations simply to understand where their compliance requirements are effectively mandatory.

Another new law, passed by Congress but targeted at federal agencies, may be introduced early in 2023: the Strengthening Agency Management and Oversight of Software Assets Act. MeriTalk reported on November 17, 2022, “The legislation would order Federal government agencies to undertake an inventory of all software used by the government – with a view toward eventually creating strategies to consolidate government software contracts, create governmentwide software licenses, and move toward adopting open-source software.”

This is not directly a cybersecurity regulation and will not be enforced on private industry. Nevertheless, if its precepts are adopted by industry, it could benefit industry groupings and separately lead to a beneficial reduction of security tool sprawl within companies.

The totality of regulations is beyond the scope of this peek into regulations in 2023. However, there is one we should consider that won’t come into effect until 2024: PCI DSS 4.0. This will impact all organizations that store, transmit or process cardholder data and sensitive authentication data. The new standard allows organizations to customize their approach to proving compliance with each PCI DSS security requirement.

“If organizations take this direction,” warns Terry Olaes, senior technical director at Skybox Security, “there are growing opportunities for threat actors to exploit retailers who may have taken non-standard routes to achieve compliance. Additionally, the long lead time to implement these regulations gives attackers more opportunity to use those requirements as a blueprint to breach retailers before they have time to implement changes to their cybersecurity strategy.”

It is also worth noting that while regulations are becoming more numerous, they are also becoming more difficult to satisfy. “We’ll see more failed audits in regulated companies as multi-cloud, multi-cluster grows as a strategy in 2023,” warns Sitaram Iyer, senior director of cloud native solutions at Venafi. This strategy is increasingly popular among smaller but regulated organizations because it spreads risk, increases performance, and offers the control and visibility they need for compliance.

“However,” adds Iyer, “it also increases complexity because these environments are fragmented and require a huge number of machines which all need an authenticated identity to communicate securely. Due to this increased volume of machine identities in cloud native environments, compliance with regulations on machine identity management is a real challenge.”

And one to watch…

Elon Musk has completed his takeover of Twitter, and his swashbuckling management style has caused ructions even before the end of 2022. These are not relevant to us. What may be relevant, however, is his adherence to the constitutionally protected concept of free speech; and the potential for Musk’s new Twitter to operate at a lower level of moderation than the old Twitter. Noticeably, in late November 2022, Musk reinstated almost all the accounts that had previously been suspended for spreading misinformation.

As a quick aside, on November 17, 2022, a group of Democrat senators asked the FTC to investigate any possible violations by the platform of consumer-protection laws or of its data-security commitments. The FTC had already said it is “tracking recent developments at Twitter with deep concern”.

Of more direct relevance, many governments have already expressed concern over the practice of bad actors spreading misinformation, malinformation and disinformation – and giving extremist viewpoints a loudspeaker – via social media platforms such as Twitter. This is a direct challenge to democratic government, and some governments have suggested countering it by making websites legally responsible for the user-generated content they publish. There is a possibility that such suggestions will increase during 2023.

Mitzi Hill does not think this is likely in the US. Although lower moderation might lead to howls of protest, “I never bet against the First Amendment,” she said. “‘Congress shall make no law… abridging the freedom of speech’ is one of the most important tenets in American legal thinking.” 

Europe, however, thinks differently. The EU already has a new Digital Services Act that will kick in from January 2024. It doesn’t make platforms directly responsible for any unknown illegal content, but does require them to remove it once they are informed that it is illegal. It will also impose greater transparency on how algorithms work and are used. It is aimed at platforms that reach more than 10% of the EU population; that is, have at least 45 million EU users – that includes US big tech companies such as Twitter and Facebook. Non-compliance could lead to fines of up to 10% of annual turnover.

Finally

Martin Zinaich, CISO at the City of Tampa, once suggested to SecurityWeek, “If it ain’t required, it ain’t gonna happen.” We may have reached the point, with better organized cybercriminals and more aggressive nation states, where it must happen and therefore must be required. 

Ron Kuriscak, MD at NetSPI, certainly believes so. “Regulations need to become much more mature, stringent, and punitive. We must hold organizations more accountable for their inaction in the area of cybersecurity… Organizations will be held accountable for basic cybersecurity hygiene. If they are unable to meet the most basic standards a regulator will require a third party to take over cybersecurity program execution (they will be mandated to cover the associated costs). Similar to the FDA, we will start seeing industry-aligned compliance regulations with real penalties that will force real compliance and organizational change. The key will be enforcement and penalties.”

But don’t expect much from the federal government in 2023. “On federal government cybersecurity issues,” explains Robert DuPree, manager of government affairs at Telos Corporation, “Congress has been more active and effective but further progress in 2023 will be hampered by the fact that some longtime cyber policy advocates and experts from both parties – including Sen. Rob Portman (R-OH), Rep. Jim Langevin (D-RI) and Rep. John Katko (R-NY) – are retiring and won’t be around in 2023. Their absence will leave a tremendous void when it comes to pushing ‘good government’ cybersecurity issues through Congress.” 
