Sponsored Links
-->

Saturday, November 25, 2017

New York State's New Cybersecurity Regulation and What it Means to you
src: www.ccsinet.com

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyber-attacks. Cyber-attacks include viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access (stealing intellectual property or confidential information) and control system attacks.[1] There are numerous measures available to prevent cyber-attacks. Cyber-security measures include firewalls, anti-virus software, intrusion detection and prevention systems, encryption and login passwords.[2] There have been attempts to improve cybersecurity through regulation and collaborative efforts between government and the private-sector to encourage voluntary improvements to cybersecurity. Industry regulators including banking regulators have taken notice of the risk from cybersecurity and have either begun or are planning to begin to include cybersecurity as an aspect of regulatory examinations.


Video Cyber-security regulation



Reasons for cybersecurity

The United States government believes that the security of computer systems is important to the world for two reasons. The increased role of Information Technology (IT) and the growth of the e-commerce sector, have made cybersecurity an essential component of the economy. Also, cybersecurity is vital to the operation of safety critical systems, such as emergency response, and to the protection of infrastructure systems, such as the national power grid.[3]

Based on DHS Secretary Janet Napolitano's testimony to the Senate in 2012, in 2011 alone, the DHS U.S. Computer Emergency Readiness Team (US-CERT) received more than 100,000 incident reports, and released more than 5,000 actionable cybersecurity alerts and information products. In January 2013, Twitter, the Wall Street Journal, New York Times, and the Department of Energy each reported that their systems had been breached. A successful attack on critical infrastructures could be devastating to the public. Richard Clarke, the former special advisor on cybersecurity to George W. Bush, stated that within the first 48 hours of a cyber attack, the United States could experience, among other things: classified and unclassified network failures, large oil refinery fires and gas pipeline explosions, financial system collapse with no idea of who owns what, trains and subways derailing, and a nationwide blackout leaving cities in the dark. Defense Secretary Leon Panetta stated in October 2012 that, "a cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11...Such a destructive cyber terrorist attack could paralyze the nation".


Maps Cyber-security regulation



United States federal government regulation

There are few federal cybersecurity regulations, and the ones that exist focus on specific industries. The three main cybersecurity regulations are the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA). These three regulations mandate that healthcare organizations, financial institutions and federal agencies should protect their systems and information.[4] For example, FISMA, which applies to every government agency, "requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security". But, these regulations do not address numerous computer related industries, such as Internet Service Providers (ISPs) and software companies.[5] Furthermore, these regulations do not specify what cybersecurity measures must be implemented and require only a "reasonable" level of security. The vague language of these regulations leaves much room for interpretation. Bruce Schneier, founder of Cupertino's Counterpane Internet Security, argues that companies will not make sufficient investments in cybersecurity unless government forces them to do so.[6] He also states that successful cyber-attacks on government systems still occur despite government efforts.[7]

It has been suggested that the Data Quality Act already provides the Office of Management and Budget the statutory authority needed to implement critical infrastructure protection regulations through the Administrative Procedure Act rulemaking process. This idea has not been fully vetted and would require additional legal analysis before a rulemaking could begin.

State government regulation

State governments have attempted to improve cybersecurity by increasing public visibility of firms with weak security. In 2003, California passed the Notice of Security Breach Act which requires that any company that maintains personal information of California citizens and has a security breach must disclose the details of the event. Personal information includes name, social security number, driver's license number, credit card number or financial information.[8] Several other states have followed California's example and passed similar security breach notification regulations.[9] These security breach notification regulations punish firms for their cybersecurity failures while giving them the freedom to choose how to secure their systems. Also, this regulation creates an incentive for companies to voluntarily invest in cybersecurity to avoid the potential loss of reputation and the resulting economic loss that can come from a successful cyber-attack.

In 2004 the California State Legislature passed California Assembly Bill 1950 which also applies to businesses that own or maintain personal information for California residents. This regulation dictates that businesses maintain a reasonable level of security and that these required security practices also extend to business partners.[10] This regulation is an improvement on the federal standard because it expands the number of firms required to maintain an acceptable standard of cybersecurity. However, like the federal legislation, it requires a "reasonable" level of cybersecurity, which leaves much room for interpretation until case law is established.[11]

Proposed regulation

The U.S. Congress has proposed numerous bills that expand upon cybersecurity regulation. The Consumer Data Security and Notification Act amends the Gramm-Leach-Bliley Act to require disclosure of security breaches by financial institutions. Congressmen have also proposed "expanding Gramm-Leach-Bliley to all industries that touch consumer financial information, including any firm that accepts payment by a credit card".[12] Congress has proposed cybersecurity regulations similar to California's Notice of Security Breach Act for companies that maintain personal information. The Information Protection and Security Act requires that data brokers "ensure data accuracy and confidentiality, authenticate and track users, detect and prevent unauthorized activity, and mitigate potential harm to individuals".[13]

In addition to requiring companies to improve cybersecurity, Congress is also considering bills that criminalize cyber-attacks. The Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) was a bill of this type. This bill, which focused on phishing and spyware bill was passed on May 23, 2005 in the United States House of Representatives, but died in the Senate. This bill "makes unlawful the unauthorized usage of a computer to take control of it, modify its setting, collect or induce the owner to disclose personally identifiable information, install unsolicited software, and tamper with security, anti-spyware, or anti-virus software".[14]

On May 12, 2011, U.S. President Obama proposed a package of cybersecurity legislative reforms to improve the security of U.S. persons, the federal government, and critical infrastructure. A year of public debate and U.S. Congress hearings followed, resulting in the U.S. House of Representative passing an information sharing bill and the U.S. Senate developing a compromise bill seeking to balance national security, privacy, and business interests.

In July 2012, the Cybersecurity Act of 2012 was proposed by Senators Joseph Lieberman and Susan Collins.[15] The bill would have required creating voluntary "best practice standards" for protection of key infrastructure from cyber attacks, which businesses would be encouraged to adopt through incentives such as liability protection.[16] The bill was put to a vote in the Senate but failed to pass.[17] President Obama had voiced his support for the Act in a Wall Street Journal op-ed[18] and it also received support from officials in the military and national security including John O. Brennan, the chief counterterrorism adviser to the White House.[19][20] According to The Washington Post, experts said that the failure to pass the act may leave the United States "vulnerable to widespread hacking or a serious cyberattack".[21] The act was opposed by Republican senators including John McCain who was concerned that the act would introduce regulations that would not be effective and could be a "burden" for businesses.[22] After the senate vote, Republican senator Kay Bailey Hutchison stated that the opposition to the bill was not a partisan issue, but rather that the Act did not take the right approach to cybersecurity.[23]The senate vote was not strictly along partisan lines, six Democrats voted against the Act, while five Republicans voted in favor.[24] Critics of the bill included the U.S. Chamber of Commerce,[25] advocacy groups including the American Civil Liberties Union and the Electronic Frontier Foundation,[26] cybersecurity expert Jody Westby and The Heritage Foundation, both of whom argued that although the government does need to act on cybersecurity, the 2012 bill was flawed in its approach and represented "too intrusive a federal role".[27]

In February 2013, President Obama proposed the Executive Order Improving Critical Infrastructure Cybersecurity. It represents the latest iteration of policy, but is not considered to be law as it hasn't been addressed by Congress yet. It seeks to improve existing public-private partnerships by enhancing timeliness of information flow between DHS and critical infrastructure companies. It directs federal agencies to share cyber threat intelligence warnings to any private sector entity identified as a target. It also tasks DHS with improving the process to expedite security clearance processes for applicable public and private sector entities to enable the federal government to share this information at the appropriate sensitive and classified levels. It directs the development of a framework to reduce cyber risks, incorporating current industry best practices and voluntary standards. Lastly, it tasks the federal agencies involved with incorporating privacy and civil liberties protections in line with Fair Information Practice Principles.

In January 2015, President Obama announced a new cybersecurity legislative proposal. This proposal was made in an effort to prepare the US from the expanding number of cyber crimes. In this proposal, President Obama outlined three main efforts to work towards a more secure cyberspace for the US. The first main effort emphasized the importance of enabling cybersecurity information sharing. By enabling this, President Obama's proposal encouraged information sharing between the government and the private sector. This would allow the government to know what main cyber threats private firms are facing and would then allow the government to provide liability protection to those firms that did share their information. Furthermore, this would give the government a better idea of what the US needs to be protected against. Another main effort that was emphasized in this proposal was to modernize the law enforcement authorities to make them more equipped to properly deal with cyber crimes by giving them the tools they need in order to do so. It would also update classifications of cyber crimes and consequences. One way this would be done would be by making it a crime for overseas selling of financial information. Another goal of this effort is to place cyber crimes prosecutable. The last major effort of this legislative proposal was to require businesses to report data breaching to consumers if their personal information had been sacrificed. By requiring companies to do so, consumers are aware of when they are in danger of identity theft.

In February 2016, President Obama developed a Cybersecurity National Security Action Plan (CNAP). This plan was made to create long-term actions and strategies in an effort to protect the US against cyber threats. The focus of this plan was to inform the public about the growing threat of cyber crimes, improve cybersecurity protections, protects personal information of Americans, and to inform Americans on how to control digital security. One of the highlights of this plan include creating a "Commission on Enhancing National Cybersecurity". The goal of this is to create a Commission that consists of a diverse group of thinkers with perspectives that can contribute to make recommendations on how to create a stronger cybersecurity for the public and private sector. The second highlight of the plan is to change Government IT. This new Government IT will make it so that a more secure IT can be put in place. The third highlight of this plan is to give Americans knowledge on how they can secure their online accounts and avoid theft of their personal information through multi-factor authentication. The fourth highlight of this plan is to invest 35 percent more money that was invested in 2016 into cybersecurity.


New NYDFS Cybersecurity Regulations and What to Do to Comply - YouTube
src: i.ytimg.com


Other United States government efforts

In addition to regulation, the federal government has tried to improve cybersecurity by allocating more resources to research and collaborating with the private-sector to write standards. In 2003, the President's National Strategy to Secure Cyberspace made the Department of Homeland Security (DHS) responsible for security recommendations and researching national solutions. The plan calls for cooperative efforts between government and industry "to create an emergency response system to cyber-attacks and to reduce the nation's vulnerability to such threats".[28] In 2004, Congress allocated $4.7 billion toward cybersecurity and achieving many of the goals stated in the President's National Strategy to Secure Cyberspace.[29] Some industry security experts state that the President's National Strategy to Secure Cyberspace is a good first step but is insufficient.[30] Bruce Schneier stated that "The National Strategy to Secure Cyberspace hasn't secured anything yet".[31] However, the President's National Strategy clearly states that the purpose is to provide a framework for the owners of computer systems to improve their security rather than the government taking over and solving the problem.[32] Yet, companies that participate in the collaborative efforts outlined in the strategy are not required to adopt the discovered security solutions.

In the United States, Congress is trying to make information more transparent after the Cyber Security Act of 2012, which would have created voluntary standards for protecting vital infrastructure, failed to pass through the Senate. In February 2013, the White House issued an executive order, titled "Improving Critical Infrastructure Cybersecurity," which allows the Executive Branch to share information about threats with more companies and individuals. In April 2013, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), which calls for protecting against lawsuits aimed at companies that disclose breach information. The Obama Administration said it may veto the bill.


Cybersecurity Management Expectations Clarified By FDA - QMS + ...
src: www.assurx.com


Indian regulation

In the light of the hacking of the website of the Indian Space Agency's commercial arm in 2015, Antrix Corporation and government's Digital India programme, cyber law expert and advocate Supreme Court of India, Pavan Duggal stated that "a dedicated cyber security legislation as a key requirement for India. It is not sufficient to merely put cyber security as a part of the IT Act. We have to see cyber security not only from the sectoral perspective, but also from the national perspective."


New York DFS Cybersecurity Regulation | OutSecure, Inc ...
src: www.outsecure.com


European Union regulations

Cyber Security standards have been of great prominence in today's technology driven businesses. In order to maximize their profits, corporations leverage technology by running a majority of their operations via the internet. Since there are a large number of risks that entail inter-network operations, it is essential that such operations are protected through comprehensive and extensive regulations. Existing Cyber Security regulations each cover different aspects of business operations and often vary by region or country in which a business operates. Given the differences in a country's society, infrastructure and values, one over arching cyber security standard is not optimal for the purpose of decreasing risks. While American standards provide a basis for operations, the European Union has created a more tailored regulation for businesses operating specifically within the European Union. Also, in light of Brexit, it is important to consider how the UK has chosen to adhere to such security regulations.

Three major regulations within the EU include, ENISA, the NIS Directive and the EU GDPR.

ENISA

ENISA, the European Union Agency for Network and Information Security, is a governing agency that was originally set up by the Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 for the purpose of raising network and information security, NIS, awareness for all inter-network operations within the EU. ENISA currently runs under,  Regulation (EU) No 526/2013, which has replaced the original regulation in 2013. ENISA works actively with all member states of the EU to provide a range of services. The focus of their operations are on three factors

  • Recommendations to Member States on course of action for security breaches
  • Policy making and implementation issue support for all members states of the EU
  • Direct support, where ENISA will take a hands on approach to working with operational teams within the EU

ENISA is made up of a management board who relies on the support of The Executive Director and the Permanent Stakeholders Group. The majority of operations however, are run by the heads of various departments.

ENISA has released various publications that cover all major issues regarding cyber security. ENISA's past and current initiatives include; The EU Cloud Strategy, Open Standards in Information Communications Technology, A Cyber Security Strategy of the EU and a Cyber Security Coordination Group. ENISA also works in collaboration with existing international standard organizations such as the ISO and the ITU.

NIS Directive

On July 6, 2016, the European Parliament set into policy the Directive on Security of Network and Information Systems (the NIS Directive).

The directive went into effect in August 2016 and all member states of the European Union were given 21 months to incorporate the directive's regulations into their own national laws. The aim of the NIS Directive is to create an overall higher level of cyber security in the EU. This directive significantly affects digital service providers, DSPs, and operators of essential services, OES. Operators of essential services include any organizations whose operations would be greatly effected in the case of a security breach, provided that engage in critical societal or economic activities. Both DSPs and OES are now held accountable for reporting security incidents of a certain caliber to Computer Security Incident Response Teams, CSIRTs. While DSPs are not held to as stringent regulations as operators of essential services, DSPs that are not set up in the EU but still operate in the EU still face regulations. Even when DSPs and OES outsource the maintenance of their information systems to third parties, the NIS Directive still holds them accountable for any security incidents.

The member states of the EU are required to create a NIS directive strategy which includes the aforementioned CSIRTs in addition to National Competent Authorities, NCAs, and Single Points of Contact, SPOCs. Such resources are given the responsibility of handling cyber security breaches in a way that minimizes impact. In addition all member states of the EU are encouraged to share cyber security information.

Security requirements of the NIS Directive include technical measures that manage the risks of cyber security breaches in a preventative manner. In addition both DSP and OES must provide information that allows for an in depth assessment of their information systems and security policies. As aforementioned, all significant incidents must be notified to the CSIRTs. Significant cyber security incidents are determined by the count of users whom will be affected by the security breach as well as the longevity of the incident and the geographical reach of the incident.

EU GDPR

The EU General Data Protection Regulation, GDPR, was set into place on April 14 in 2016 however the current date of enforcement is set to be on May 25 in 2018. The GDPR aims to bring a single standard for data protection among all member states in the EU. Changes that the GDPR will bring about include the redefining of geographical borders. The regulation not only applies to entities that operate in the EU but also entities that deal with the data of any resident of the EU. Regardless of where the data is processed, if an EU citizen's data is being processed, the entity is now subject to the GDPR. Fines are also much more stringent under the GDPR and can total twenty million euros or 4% of an entity's annual turnover, which ever amount is higher. In addition, similar to previous regulations, all data breaches that effect the rights and freedoms of individuals residing in the EU must be disclosed within 72 hours. The overarching board, the EU Data Protection Board, EDP, is in charge of all oversight set by the GDPR.

Consent plays a major role in the GDPR. Companies that hold data in regards to EU citizens must now also offer citizens the right to easily back out of sharing data just as easily as citizens consented to sharing data. In addition citizens can also restrict processing of the data stored on them; they can choose to allow companies to store their data but not process it thus creating a clear differentiation. Unlike previous regulations, the GDPR also restricts the transfer of a citizen's data outside of the EU or to a third party without prior consent of the citizen.

The proposed ePrivacy Regulation is also planned to be applicable from 25 May 2018.

Brexit considerations

In light of the recent political event in which the UK has decided to withdraw its membership from the EU, the regulations that now apply to the UK only include ENISA and the NIS Directive.

There is still some speculation however that the GDPR still applies to the UK due to the time that the GDPR was set in place. Regardless of a pending implementation date, because the GDPR was signed into effect while the UK was still a part of the EU, it is said that the UK must comply. In addition, not being a part of the GDPR would mean that the UK misses out on valuable resources.


The DFS Compliance Deadline is Here! รข€
src: www.mdsny.com


Pro-regulation opinions

While experts agree that cybersecurity improvements are necessary, there is disagreement about whether the solution is more government regulation or more private-sector innovation. Many government officials and cybersecurity experts believe that the private-sector has failed to solve the cybersecurity problem and that regulation is needed. Richard Clarke states that, "industry only responds when you threaten regulation. If industry does not respond [to the threat], you have to follow through".[33] He believes that software companies must be forced to produce more secure programs.[34] Bruce Schneier also supports regulation that encourages software companies to write more secure code through economic incentives.[35] U.S. Rep. Rick Boucher (D-VA) proposes improving cybersecurity by making software companies liable for security flaws in their code.[36] In addition, to improving software security, Clarke believes that certain industries, such as utilities and ISPs, require regulation.[37]


Ransomware attacks highlight need for strong cyber security ...
src: blogs.thomsonreuters.com


Anti-regulation opinions

On the other hand, many private-sector executives and lobbyists believe that more regulation will restrict their ability to improve cybersecurity. Harris Miller, lobbyist and president of the Information Technology Association of America, believes that regulation inhibits innovation.[38] Rick White, former corporate attorney, and President and CEO of TechNet, also opposes more regulation. He states that, "the private-sector must continue to be able to innovate and adapt in response to new attack methods in cyber space, and toward that end, we commend President Bush and the Congress for exercising regulatory restraint".[39] Another reason many private-sector executives oppose regulation is because it is costly and involves government oversight in private enterprise. Firms are just as concerned about regulation reducing profits as they are about regulation limiting their flexibility to solve the cybersecurity problem efficiently.


New York financial firms will have to implement cybersecurity ...
src: www.pionline.com


See also

  • CERT Coordination Center
  • Cyber security standards
  • Cybersecurity Information Sharing Act
  • Default password
  • List of data breaches
  • Medical device hijack
  • National Cyber Security Division
  • National Strategy to Secure Cyberspace
  • Presidential directive
  • Proactive cyber defence
  • United States Computer Emergency Readiness Team
  • United States Department of Homeland Security

Notes

  1. ^ "A chronology of data breaches reported since the ChoicePoint incident." (2005). Retrieved October 13, 2005.
  2. ^ "Electronic privacy information center bill track: Tracking privacy, speech and civil liberties in the 109th congress." (2005). Retrieved October 23, 2005.
  3. ^ "How computer viruses work." (2005). Retrieved October 10, 2005.
  4. ^ "The National Strategy to Secure Cyberspace." (2003). Retrieved December 14, 2005.
  5. ^ "Notice of security breach - civil code sections 1798.29 and 1798.82 - 1798.84." 2003). Retrieved October 23, 2005.
  6. ^ "Richard Clarke interview." (2003). Retrieved December 4, 2005.
  7. ^ Gordon, L. A., Loeb, M. P., Lucyshyn, W. & Richardson, R. (2005). "2005 CSI/FBI computer crime and security survey." Retrieved October 10, 2005.
  8. ^ Heiman, B. J. (2003). Cybersecurity regulation is here. RSA security conference, Washington, D.C. Retrieved October 17, 2005.
  9. ^ Kirby, C. (2003, December 4, 2003). "Forum focuses on cybersecurity". San Francisco Chronicle.
  10. ^ Lemos, R. (2003). "Bush unveils final cybersecurity plan." Retrieved December 4, 2005.
  11. ^ Menn, J. (2002, January 14, 2002). "Security flaws may be pitfall for Microsoft". Los Angeles Times, pp. C1.
  12. ^ Rasmussen, M., & Brown, A. (2004). "California Law Establishes Duty of Care for Information Security." Retrieved October 31, 2005.
  13. ^ Schmitt, E., Charron, C., Anderson, E., & Joseph, J. (2004). "What Proposed Data Laws Will Mean for Marketers." Retrieved October 31, 2005.
  14. ^ Jennifer Rizzo. (August 2, 2012) "Cybersecurity bill fails in Senate." Accessed August 29, 2012.
  15. ^ Paul Rosenzweig. (July 23, 2012) "Cybersecurity Act of 2012: Revised Cyber Bill Still Has Problems." The Heritage Foundation. Accessed August 20, 2012.
  16. ^ Ed O'Keefe & Ellen Nakashima. (August 2, 2012 ) "Cybersecurity bill fails in Senate." The Washington Post. Accessed August 20, 2012.
  17. ^ Alex Fitzpatrick. (July 20, 2012) "Obama Gives Thumbs-Up to New Cybersecurity Bill." Mashable. Accessed August 29, 2012.
  18. ^ Brendan Sasso. (August 4, 2012) "After defeat of Senate cybersecurity bill, Obama weighs executive-order option". The Hill. Accessed August 20, 2012.
  19. ^ Jaikumar Vijayan. (August 16, 2012) "No partisan fight over cybersecurity bill, GOP senator says". Computerworld. Accessed August 29, 2012.
  20. ^ Carl Franzen. (August 2, 2012) "As Cybersecurity Bill Fails In Senate, Privacy Advocates Rejoice". TPM. August 29, 2012.
  21. ^ Alex Fitzpatrick. (August 2, 2012) "Cybersecurity Bill Stalls in the Senate". Mashable. Accessed August 29, 2012.
  22. ^ Jody Westby (August 13, 2012) "Congress Needs to Go Back To School on Cyber Legislation". Forbes. Accessed August 20, 2012.

The NY Cybersecurity Regulation - How it Impacts You and Your ...
src: i.ytimg.com


References

Source of article : Wikipedia