{"id":16852,"date":"2023-02-02T13:32:54","date_gmt":"2023-02-02T12:32:54","guid":{"rendered":"https:\/\/www.show.it\/cyber-insights-2023-regulations\/"},"modified":"2023-02-02T13:32:54","modified_gmt":"2023-02-02T12:32:54","slug":"cyber-insights-2023-regulations","status":"publish","type":"post","link":"https:\/\/www.show.it\/en\/cyber-insights-2023-regulations\/","title":{"rendered":"Cyber Insights 2023: Regulations"},"content":{"rendered":"<div class=\"is-content-justification-center is-nowrap is-layout-flex wp-container-2 wp-block-group sw-cyber-insight has-background\">\n<div class=\"is-layout-constrained wp-block-group\">\n<div class=\"wp-block-group__inner-container\">\n<p><strong>About SecurityWeek Cyber Insights |<\/strong> <em>At the end of 2022,\u00a0SecurityWeek\u00a0liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today \u2013 and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<p><strong>SecurityWeek Cyber Insights 2023 | Regulations \u2013<\/strong> In this world, nothing is certain but death, taxes, and cyber regulations. The first is static, the second goes up and down, but the third seems only to increase. The three primary drivers for cyber regulations are voter privacy, the economy, and national security \u2013 with the complication that the first is often in conflict with the second and third.<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Transatlantic data flows<\/strong><\/h2>\n<p>Privacy is the headline battleground going forward, and amply illustrates the conflict between voter demands and national economies. This can be seen in the unsettled but multi-year attempt to find a legal solution to the transfer of personal user data from Europe to the US. Economics demands it, but European law (GDPR) and swathes of European public opinion deny it.<\/p>\n<p>At the time of writing, it is almost certainly illegal to transfer PII from Europe to the US. The Privacy Shield \u2013 the second attempt at finding a workaround to GDPR \u2013 was <a href=\"https:\/\/www.securityweek.com\/top-court-scraps-eu-us-data-pact-new-blow-brussels\">declared illegal<\/a> in what is known as the <a href=\"https:\/\/www.securityweek.com\/one-year-after-europes-schrems-ii-decision-privacy-activist-bemoans-lack-progress\">Schrems II<\/a> court ruling. The wording of that ruling almost certainly eliminates an alternative approach known as \u2018standard contractual clauses\u2019.<\/p>\n<p>During 2022, the European Commission (EC) and the US Biden administration have worked on developing a replacement for Privacy Shield. 
The ball was obviously in the US court, and on October 7, 2022, Biden issued an Executive Order to implement the EU-US <a href=\"https:\/\/www.securityweek.com\/biden-signs-executive-order-us-eu-personal-data-privacy\">Data Privacy Framework<\/a> agreement \u2013 sometimes known as Privacy Shield 2.0.<\/p>\n<p>This was enthusiastically greeted by US business. IBM, for example, issued a statement, \u201cThese steps will restore certainty to the thousands of companies already self-certified under Privacy Shield. Providing predictable, free flows of data between the US and the EU will secure the mutual benefits of continued business cooperation and will create a foundation for future economic growth.\u201d<\/p>\n<p>Our first prediction for 2023 is that the EC will approve Biden\u2019s Executive Order and allow \u2018free flows of data between the US and the EU\u2019. This approval is in process. The EC issued a draft adequacy determination for the EU-US data privacy framework on December 12, 2022.\u00a0<\/p>\n<p>\u201cAs expected,\u201d comments Caitlin Fennessy, VP and chief knowledge officer at the International Association of Privacy Professionals (IAPP), \u201cthe draft outlines the Commission\u2019s reasoning in finding the framework adequate, with a focus on the new necessity and proportionality requirements for US signals intelligence and the Data Protection Review Court outlined in the recent Executive Order and Department of Justice regulations.\u201d<\/p>\n<p>But that will be just the beginning. European activists, such as Max Schrems, are likely to challenge the EC ruling in the European Court.<\/p>\n<p>The basic problem remains the NSA\u2019s requirement to only surveil non-Americans (such as Europeans) for national security purposes. Schrems\u2019 website, noyb, has already indicated a dissatisfaction. 
\u201cSo-called \u2018bulk surveillance\u2019 will continue under the new Executive Order (see Section 2 (c)(ii)) and any data sent to US providers will still end up in programs like <a href=\"https:\/\/www.securityweek.com\/nsa-directors-defense-prism-surveillance-programs-black-hat-draws-mixed-reviews\">PRISM<\/a> or Upstream, despite the CJEU declaring US surveillance laws and practices as not \u2018proportionate\u2019 (under the European understanding of the word) twice.\u201d<\/p>\n<p>So, during 2023, transatlantic PII data flows will become legal under the new framework, but that framework will be challenged as unconstitutional in the European Court. The court case will take several years to come to a conclusion, but it will probably declare the data privacy framework (or whatever it becomes known as) to be illegal. The basic problem is that GDPR and NSA surveillance are incompatible, and neither is likely to change.<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Federal privacy law<\/strong><\/h2>\n<p>The US government has been seeking a <a href=\"https:\/\/www.securityweek.com\/potential-and-pitfalls-federal-privacy-law\/\">federal privacy law<\/a> for around a decade but is probably no closer to achieving one. Progress was made during 2022, but the midterms kicked the bill into the long grass while the lawmakers concentrated on more pressing career issues. The question is whether it can be retrieved during 2023.<\/p>\n<p>Mitzi Hill, a partner at the Taylor English Duma law firm, thinks it is unlikely. \u201cI remain doubtful,\u201d she said. \u201cIt is a complex topic both technically and legally. It is made more complicated with every new state law, because that is a new set of factors to consider in drafting any federal legislation.\u201d<\/p>\n<p>She also notes the outcome of the 2022 midterms. 
\u201cTraditionally, we would expect that a Republican House majority [as we will have in 2023] will favor marketplace (as opposed to regulatory) solutions, making it tough to get anything passed in both houses of Congress. My own view is that the states will continue to lead in this area.\u201d<\/p>\n<p>Gopi Ramamoorthy, senior director of security and GRC at Symmetry Systems, points out that \u201cFive states have already enacted privacy acts, and more are expected to follow. The increased focus on privacy has stemmed from the introduction of GDPR and the Schrems II decision from the EU.\u201d<\/p>\n<p>The California Privacy Rights Act (CPRA) comes into effect on January 1, 2023, with enforcement beginning on July 1, 2023. It is an extension of the existing CCPA, which is already possibly the strongest privacy act in the US (and largely modeled on GDPR). While it is somewhat more friendly to small businesses, it gives consumers more rights, places more requirements on organizations, and establishes an enforcement agency.<\/p>\n<p>The consumer demand for privacy is strong, but not absolute \u2013 and often depends on what is received in return for giving up personal information. Consider Google, widely acknowledged as one of the primary collectors and users of PII. Despite this, consumers continue to consume Google because of the \u2018free\u2019 services the company offers in exchange. The result is that it is difficult for lawmakers to know exactly what their voters really want.<\/p>\n<p>\u201cPrivacy laws and regulations will continue to swing widely between completely useless \u2013 even harmful \u2013 and amazing wins for consumers. This is due to corporation lobbying and consumer [voter] demands,\u201d comments Taylor Gulley, senior application security consultant at nVisium. \u201cThough most consumers desire complete privacy, the growing demand for personalized content and services requires providing ever more information to companies. 
This increase in valuable, marketable information gives corporations a reason to continue to lobby for their benefit.\u201d<\/p>\n<p>One area worth watching in 2023 is whether the FTC picks up the mantle of a \u2018federal\u2019 privacy regulator. Noticeably, the FTC treats failures in consumer privacy as a potential deceptive practice \u2013 and deceptive practices are firmly within the FTC bailiwick.<\/p>\n<p>\u201cThe FTC may become even bolder about privacy matters in the next couple of years,\u201d suggests Hill. \u201cIt recently adopted an enforcement action that is targeted to a particular CEO and any future business he may join.\u201d<\/p>\n<p>She explained that his current company has multiple privacy violations and may have misstated the degree to which it addressed security issues following the first set of violations. His future companies or employers will be required to release detailed security plans. \u201cThis is unprecedented as far as I know,\u201d she added.<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Trickle-down regulated security<\/strong><\/h2>\n<p><strong>Although Biden does not believe in trickle-down economics, he nevertheless makes use of trickle-down cybersecurity. He cannot pass federal laws for private industry without the support of Congress \u2013 but he can (and does) issue executive orders that become mandatory instructions for federal agencies and strong trickle-down recommendations for private industry.\u00a0<\/strong><\/p>\n<p>If security vendors must conform to certain requirements before they can sell into the government, the size of the government market makes it a commercial if not legal requirement to conform. 
Furthermore, if federal agencies are required to apply certain cybersecurity methodologies, much of private industry will also take heed.<\/p>\n<p>Both conditions were introduced in May 2021 with Executive Order 14208, spurring activity in <a href=\"https:\/\/www.securityweek.com\/deeper-dive-zero-trust-and-bidens-cybersecurity-executive-order\">zero trust<\/a>, and introducing the software bill of materials (<a href=\"https:\/\/www.securityweek.com\/cybersecurity-leaders-scramble-decipher-sbom-mandate\">SBOM<\/a>). Both are intended to counter the growing supply chain threat, and both will remain top of mind for companies during 2023.<\/p>\n<p>\u201cSBOM is going to continue to garner mainstream adoption, not just from software\/firmware suppliers that are building products they are selling, but also for internal development teams that are building applications and systems for internal use,\u201d comments Tom Pace, CEO at NetRise.<\/p>\n<p>The federal government described the requirements for SBOMs in an OMB memorandum published on September 14, 2022. \u201cThis is going to cause a cascading effect in the private sector,\u201d continued Pace, \u201csince obviously the federal government does not manufacture all its own software and firmware \u2013 in fact very little is manufactured in house.\u201d<\/p>\n<p>There will be a bedding-in period before SBOMs achieve their end \u2013 and attackers are likely to increase their own efforts in the meantime. \u201cHighly visible attacks on the software supply chain start with access to the weakest link. 
As we head into 2023, it will be important for businesses of all sizes to be engaged as new secure software development practices are defined,\u201d warns John McClurg, SVP and CISO at BlackBerry.<\/p>\n<p>Executive Orders are not the only tools the federal government can use \u2013 it also has NIST (a standards body) and CISA (a DHS agency responsible for strengthening security and infrastructure across all levels of government). While they primarily provide recommendations, this may not always be the case.<\/p>\n<p>\u201cThe combined efforts of CISA and NIST in recent years,\u201d comments Eric Hart, manager of subscription services at LogRhythm, \u201chave led to a series of new cross-sector cybersecurity performance goals (<a href=\"https:\/\/www.securityweek.com\/dhs-develops-baseline-cybersecurity-goals-critical-infrastructure\">CPGs<\/a>) that organizations have already begun to implement.\u201d\u00a0<\/p>\n<p>CISA\u2019s CPGs are designed to provide an easier route towards conforming to NIST for organizations that may not have the resources to go straight to the complexities of the NIST CSF. \u201cWhile these standards are designed to strengthen organizations,\u201d continued Hart, \u201cthe process of reaching full regulatory compliance can be tricky. 
The complexity, along with the growing push for federally enforced compliance, suggests we could see a flurry of activity in 2023 as more organizations seek to adopt these new security standards.\u201d<\/p>\n<p>Noticeably, CISA describes the CPGs as \u2018voluntary\u2019 and \u2018not comprehensive\u2019, adding, \u201cThe CPGs are intended to supplement the [NIST] Cybersecurity Framework (CSF) for organizations seeking assistance in prioritizing investment toward a limited number of high-impact security outcomes, whether due to gaps in expertise, resources, or capabilities or to enable focused improvements across suppliers, vendors, business partners, or customers.\u201d<\/p>\n<p>But it is also worth considering a comment from Grant Geyer, CPO at Claroty, who blogged that they may prove a jumping-off point for upcoming regulations from the White House. \u201cRegulators now have a CISA-approved, pre-built checklist of critical areas to focus on that address key practices such as account security, data and device integrity, supply chain and third-party risk, and response and recovery.\u201d We may yet see CISA\u2019s CPGs become mandated for federal agencies and join the trickle-down process of federal regulations.<\/p>\n<p>Ben Johnson, CTO and co-founder of Obsidian Security, sees a great future for CISA. \u201cCISA came into its own in 2022. This next year, we\u2019ll see CISA drive better, more resilient security, especially in critical infrastructure \u2014 increasing the sector\u2019s maturity as a whole.\u201d<\/p>\n<h2 class=\"has-medium-font-size\"><strong>The regulations jungle<\/strong><\/h2>\n<p>The trajectory for regulations is to increase, and they are increasing rapidly. These include state-level, federal level, and overseas national level that may impact US companies with operations in those countries. An example of the last could be Australia\u2019s current plans for a new, more aggressive attitude toward cybercriminals. 
Part of this will be to make ransom payments illegal in Australia.\u00a0<\/p>\n<p>One question to be decided is how that might impact American companies with an Australian operation that gets ransomed. Will the American parent, where ransom payments are not illegal, be able to pay the ransom on behalf of the Australian operation?<\/p>\n<p>Such complexities will require companies to seek expert input to match their infrastructure and processes against a huge number of regulations simply to understand where their compliance requirements are effectively mandatory.<\/p>\n<p>Another new law, passed by Congress but targeted at federal agencies, may be introduced early in 2023: the Strengthening Agency Management and Oversight of Software Assets Act. MeriTalk reported on November 17, 2022, \u201cThe legislation would order Federal government agencies to undertake an inventory of all software used by the government \u2013 with a view toward eventually creating strategies to consolidate government software contracts, create governmentwide software licenses, and move toward adopting open-source software.\u201d<\/p>\n<p>This is not directly a cybersecurity regulation and will not be enforced on private industry. Nevertheless, if its precepts are adopted by industry, it could benefit industry groupings and separately lead to a beneficial reduction of security tool sprawl within companies.<\/p>\n<p>The totality of regulations is beyond the scope of this peek into regulations in 2023. However, there is one we should consider that won\u2019t come into effect until 2024: <a href=\"https:\/\/www.securityweek.com\/pci-data-security-standard-v40-released-address-emerging-threats\">PCI DSS 4.0<\/a>. This will impact all organizations that store, transmit or process cardholder data and sensitive authentication data. 
The new standard allows organizations to customize their approach to proving compliance with each PCI DSS security requirement.<\/p>\n<p>\u201cIf organizations take this direction,\u201d warns Terry Olaes, senior technical director at Skybox Security, \u201cthere are growing opportunities for threat actors to exploit retailers who may have taken non-standard routes to achieve compliance. Additionally, the long lead time to implement these regulations gives attackers more opportunity to use those requirements as a blueprint to breach retailers before they have time to implement changes to their cybersecurity strategy.\u201d<\/p>\n<p>It is also worth noting that while regulations are becoming more numerous, they are also becoming more difficult to satisfy. \u201cWe\u2019ll see more failed audits in regulated companies as multi-cloud, multi-cluster grows as a strategy in 2023,\u201d warns Sitaram Iyer, senior director of cloud native solutions at Venafi. This strategy is increasingly popular among smaller but regulated organizations because it spreads risk, increases performance, and offers the control and visibility they need for compliance.<\/p>\n<p>\u201cHowever,\u201d adds Iyer, \u201cit also increases complexity because these environments are fragmented and require a huge number of machines which all need an authenticated identity to communicate securely. Due to this increased volume of machine identities in cloud native environments, compliance with regulations on machine identity management is a real challenge.\u201d<\/p>\n<h2 class=\"has-medium-font-size\"><strong>And one to watch\u2026<\/strong><\/h2>\n<p>Elon Musk has completed his takeover of Twitter, and his swashbuckling management style has caused ructions even before the end of 2022. These are not relevant to us. 
What may be relevant, however, is his adherence to the constitutionally protected concept of free speech, and the potential for Musk\u2019s new Twitter to operate at a lower level of moderation than the old Twitter. Noticeably, in late November 2022, Musk reinstated almost all the accounts that had previously been suspended for spreading misinformation.<\/p>\n<p>As a quick aside, on November 17, 2022, a group of Democrat senators asked the FTC to investigate any possible violations by the platform of consumer-protection laws or of its data-security commitments. The FTC had already said it is \u201ctracking recent developments at Twitter with deep concern\u201d.<\/p>\n<p>Of more direct relevance, many governments have already expressed concern over the practice of bad actors spreading misinformation, malinformation and disinformation \u2013 and giving extremist viewpoints a loudspeaker \u2013 via social media platforms such as Twitter. This is a direct challenge to democratic government, and some governments have suggested countering it by making websites legally responsible for the user-generated content they publish. There is a possibility that such suggestions will increase during 2023.<\/p>\n<p>Mitzi Hill does not think this is likely in the US. Although lower moderation might lead to howls of protest, \u201cI never bet against the First Amendment,\u201d she said. \u201c\u2018Congress shall make no law\u2026 abridging the freedom of speech\u2019 is one of the most important tenets in American legal thinking.\u201d\u00a0<\/p>\n<p>Europe, however, thinks differently. The EU already has a new Digital Services Act that will kick in from January 2024. It doesn\u2019t make platforms directly responsible for any unknown illegal content, but does require them to remove it once they are informed that it is illegal. It will also impose greater transparency on how algorithms work and are used. 
It is aimed at platforms that reach more than 10% of the EU population; that is, have at least 45 million EU users \u2013 that includes US big tech companies such as Twitter and Facebook. Non-compliance could lead to fines of up to 10% of annual turnover.<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Finally<\/strong><\/h2>\n<p>Martin Zinaich, CISO at the City of Tampa, once <a href=\"https:\/\/www.securityweek.com\/ciso-conversations-difference-between-securing-cities-and-businesses\/\">suggested to <em>SecurityWeek<\/em><\/a>, \u201cIf it ain\u2019t required, it ain\u2019t gonna happen.\u201d We may have reached the point, with better organized cybercriminals and more aggressive nation states, where it <strong><em>must<\/em><\/strong> happen and therefore <strong><em>must<\/em><\/strong> be required.\u00a0<\/p>\n<p>Ron Kuriscak, MD at NetSPI, certainly believes so. \u201cRegulations need to become much more mature, stringent, and punitive. We must hold organizations more accountable for their inaction in the area of cybersecurity\u2026 Organizations will be held accountable for basic cybersecurity hygiene. If they are unable to meet the most basic standards a regulator will require a third party to take over cybersecurity program execution (they will be mandated to cover the associated costs). Similar to the FDA, we will start seeing industry-aligned compliance regulations with real penalties that will force real compliance and organizational change. The key will be enforcement and penalties.\u201d<\/p>\n<p>But don\u2019t expect much from the federal government in 2023. \u201cOn federal government cybersecurity issues,\u201d explains Robert DuPree, manager of government affairs at Telos Corporation, \u201cCongress has been more active and effective but further progress in 2023 will be hampered by the fact that some longtime cyber policy advocates and experts from both parties \u2013 including Sen. Rob Portman (R-OH), Rep. Jim Langevin (D-RI) and Rep. 
John Katko (R-NY) \u2013 are retiring and won\u2019t be around in 2023. Their absence will leave a tremendous void when it comes to pushing \u2018good government\u2019 cybersecurity issues through Congress.\u201d\u00a0<\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/do-privacy-and-data-protection-regulations-create-many-problems-they-solve\">Do Privacy and Data Protection Regulations Create as Many Problems as They Solve?<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/robinhood-crypto-penalized-30m-violating-ny-cybersecurity-regulations\">Robinhood Crypto Penalized $30M for Violating Cybersecurity Regulations<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/hack-prompts-new-security-regulations-us-pipelines\">Hack Prompts New Security Regulations for US Pipelines<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/new-york-state-imposes-new-cybersecurity-regulation-financial-services\">New York Imposes New Cybersecurity Regulation for Financial Services<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/cyber-insights-2023-regulations\/\">Cyber Insights 2023: Regulations<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/\">SecurityWeek<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>About SecurityWeek Cyber Insights | At the end of 2022,\u00a0SecurityWeek\u00a0liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today \u2013 and how these issues might evolve during 2023 and beyond. 
The result is more than a dozen features on subjects ranging from AI, quantum [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16853,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[16,143,25,75,169,170,38,171],"tags":[],"class_list":["post-16852","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compliance","category-cyberinsights2023","category-data-protection","category-government","category-laws","category-policy","category-privacy-compliance","category-regulations"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/comments?post=16852"}],"version-history":[{"count":0,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16852\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media\/16853"}],"wp:attachment":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media?parent=16852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/categories?post=16852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/tags?post=16852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}