New Security Laws Overview - ThreatWire
Added 2021-05-25 16:54:51 +0000 UTC. By Shannon Morse, ThreatWire
We’ve got some new laws being introduced to bring better security and accountability, not just here in the US but in the UK as well. Let’s start with the news out of the UK.
The Department for Digital, Culture, Media and Sport (DCMS) is asking people to respond to a survey about cybersecurity in supply chains and managed service providers. This is in response to the growing concern about supply chain attacks, so it's a proposal for new rules intended to mitigate those threats. If you're wondering what a managed service provider is, it's a company that provides some sort of back-end infrastructure for clients -- be it data backup, cloud services, monitoring, security, communications, logistics, etc.
In the call for views, Minister for Digital Infrastructure Matt Warman states that the Cyber Security Breaches Survey 2021 found that only 12% of businesses actually review risks from suppliers, and only 5% actually address those risks. The proposed rules would put managed service providers under the same umbrella of regulations as critical UK infrastructure, with regard to the UK's Cyber Assessment Framework (CAF).
The US government has also been hard at work coming up with new laws centered on cybersecurity. Last week, the US House Committee on Homeland Security passed five bills directed at protecting infrastructure and US organizations. These include HR 2980, the Cybersecurity Vulnerability Remediation Act, which lets the government provide remediation and mitigation strategies to infrastructure; HR 3138, the State and Local Cybersecurity Improvement Act, which authorizes a $500 million grant program for local governments for network security; HR 3223, the CISA Cyber Exercise Act, which promotes regular testing and assessments of networks; HR 3243, the Pipeline Security Act, which clarifies what the TSA's Pipeline Security Section does and can do (today I learned that the TSA is also responsible for pipeline security); and HR 3264, the Domains Critical to Homeland Security Act, which allows DHS to research risks to supply chains and report to Congress.
Given the names alone, it's obvious these are in response to the recent attacks on Colonial Pipeline and SolarWinds.
The US also saw a new bipartisan bill introduced by senators Amy Klobuchar, John Kennedy, Joe Manchin, and Richard Burr, called the Social Media Privacy Protection and Consumer Rights Act. Sound familiar? That's because Klobuchar also introduced this bill back in 2019, but it didn't get Republican support, so it died. Now it's back and stands a chance in the Democratic-majority Congress. Similar to what we've seen with Apple's newest iOS, this bill would force sites to give users the option to opt out of data tracking or collection and give users more control over that data. It would also require companies to notify users of a data breach within 72 hours, as well as write their service agreements in plain language that's understandable, not legalese.
With state-level bills like Virginia's new Consumer Data Protection Act and California's Consumer Privacy Act already passed, this bill has a better chance of becoming law.
UK and US CyberSecurity Laws
https://www.ncsc.gov.uk/collection/caf
https://homeland.house.gov/imo/media/doc/BILLS-117hr2980ih-Jackson%20Lee.pdf
https://homeland.house.gov/imo/media/doc/BILLS-117hr3138ih-Clarke.pdf
https://homeland.house.gov/imo/media/doc/BILLS-117hr3223ih-Slotkin.pdf
https://homeland.house.gov/imo/media/doc/Pipeline%20Security%20Act%20Text.pdf
https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf
https://homeland.house.gov/imo/media/doc/BILLS-117hr____-Katko.pdf
https://www.congress.gov/bill/116th-congress/senate-bill/189/text