Critical Infrastructure

Today, on June 1, 2017, China’s new cybersecurity law, entitled the “Network Security Law”, goes into effect.  The law was passed in November 2016.  It now becomes legally mandatory for “network operators” and “providers of network products and services” to: (a) follow certain personal information protection obligations, including notice and consent requirements; (b) for network operators to implement certain cybersecurity practices, such as designating personnel to be responsible for cybersecurity, and adopting contingency plans for cybersecurity incidents; and (c) for providers of networks.

The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. Companies will now be required to introduce data protection measures, and sensitive data (e.g., information on Chinese citizens or relating to national security) must be stored on domestic servers.  Users now have the right to ask service providers to delete their information if such information is abused.  In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges is that the government has been unclear on what would be considered “important or sensitive data”, and which products may fall under the “national security” definition.

Penalties vary, but can include (1) a warning, injunction order to correct the violation, confiscation of proceeds and/or a fine (typically ranging up to $1 million Chinese yuan (~$147,000); (2) personal fines for directly responsible persons up to $100,000 Chinese yuan (~$14,700); and (3) under some circumstances, suspensions or shutdowns of offending websites and businesses and revocations of operating permits and business licenses. Such sanctions would take into account the degree of harm and the amount of illegal gains. (Fines could include up to five times the amount of those ill-gotten gains).

While draft implementing regulations and a draft technical guidance document have been circulated by the Cyber Administration (China’s internet regulator) the final versions of these documents are still forthcoming.  These documents are expected to clarify obligations regarding restrictions on cross-border transfers of “personal information” and “important information”, including a notice and consent obligation. They may also include procedures and standards for “security assessments”, which are necessary to continue cross-border transfers of personal information and “important information”.  Under the draft regulation, “network operators” would not be required to comply with the cross-border transfer requirements until December 31, 2018.  It is expected that the final draft will contain a similar grace period.

Although large multinational corporations are typically accustomed to adapting to new laws and regulations in various countries and are already accustomed to tight internet and content controls in China, there remains concern about the potential cost impacts as well as the enforcement risk of the ambiguous language.  It is also unclear on whether the new law may alienate small or medium sized businesses otherwise looking to enter the Chinese market.  While Beijing is touting the law as a welcome milestone in data privacy, companies both large and small are concerned that the law is both vague and exceptionally broad, thus potentially putting companies at undue risk of regulatory enforcement unrelated to cybersecurity.

For an official press release from the state run website, China Daily, on May 31, 2017, click here.

On March 10, 2017, the White House Office of Management and Budget (“OMB”) released its 2016 Federal Information Security Modernization Act (“FISMA”) Annual Report to Congress. The FISMA Report describes the current state of Federal cybersecurity. It provides Congress with information on agencies’ progress towards meeting cybersecurity goals and identifies areas that need improvement. Additionally, the report provides information on Federal cybersecurity incidents, ongoing efforts to mitigate and prevent future incidents, and progress in implementing adequate cybersecurity programs and policies.

According to the FISMA report, agencies reported over 30,899 cyber incidents that led to the compromise of information or system functionality in 2016. However, only sixteen of these incidents met the threshold for a “major incident” (which triggers a series of mandatory steps for agencies, including reporting certain information to Congress). The report categorizes the types of agency-reported incidents. The largest number of reported incidents (more than one-third) was “other,” meaning the attack method did not fit into a specific category or the cause of the attack was unidentified. The second largest was loss or theft of computer equipment. Attacks executed from websites or web-based applications were the third most common type of incident.

Despite these incidents, the report notes that there were government-wide improvements in cybersecurity, including agency implementation of:

  • Information Security Continuous Monitoring (“ISCM”) capabilities that provide situational awareness of the computers, servers, applications, and other hardware and software operating on agency networks;
  • Multi-factor authentication credentials that reduce the risk of unauthorized access to data by limiting users’ access to the resources and information required for their job functions; and
  • Anti-Phishing and Malware Defense capabilities that reduce the risk of compromise through email and malicious or compromised web sites.

Federal agencies will look to continue these cybersecurity improvements in 2017.

To view the Report, click here.

Abstract geometric technology graphic elements. Template design.Today, the Treasury Department issued a General License authorizing transactions and activities concerning information technology products in the Russian Federation despite recent executive order prohibiting such transactions.

In April 1, 2015, President Obama issued Executive Order 13694 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”). In short summary, this order blocked any property or interests in property that is in the US, ends up in the US, or that come within the possession or control of any US persons, if such persons end up being responsible, complicit or supportive of cyber-enabled activities that (1) have the purpose of causing harm or risk to the critical infrastructure sector and are reasonably likely to result in or material contribute to threats to national security, foreign policy or economic heal or financial stability; or (2) the knowing receipt or use by a commercial entity outside or the United States, for commercial or competitive advantage or private financial gain, of trade secrets misappropriate by cyber-enabled means.

On December 28, 2016, following reports regarding the Russian hacking of Democratic political organizations and operatives, President Obama issued Order 13757 (“Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities”) to amend Order 13694. This amendment included an Annex blocking certain entities and individuals, including the Federal Security Services (a.k.a. Federalnaya Sluzhba Bezopasnosti, or “FSB”),but also authorizing the Secretary of Treasury, in consultation with the Attorney General and the Secretary of State, to determine “that circumstances no longer warrant the blocking of the property and interested in property of a person listed in the Annex to this order, and to take necessary action to give effect to that determinations.” The Russian FSB represents Russia’s domestic security service, and must approve certain encrypted technology imports to Russia per domestic law.

Today, however, the Treasury exercised its right in Section 10 by authorizing American tech companies to seek licenses from Russia’s FSB to export their good to Russia, so long as the products are not used in Crimea and do not violate pre-existing sanctions.  Despite claims that the Trump administration is “easing sanctions against Russia”, White House press secretary Sean Spicer claimed in today’s press conference that the Treasury Department’s actions were not “easing sanctions”, and that it is “a fairly common practice of the Treasury Department, after sanctions are put in place, to go back and to look at whether or not there needs to be specific carve-outs for either industries or products and services that need to be going back and forth.” Other experts agreed that the OFAC’s amendment is likely an intention to clean up unintended consequences of the ban through limited carveouts rather than relaxing sanctions.

 

 

On January 10, 2017, NIST issued an update to the NIST Cybersecurity Framework (v.1.1).  After reviewing public comment and convening a workshop, NIST intends to publish a final version of this Version 1.1 in the fall of 2017.

Key updates the framework include:

  • Metrics.  A new section 4.0 on Measuring and Demonstrating Cybersecurity to discuss correlation of business results to cybersecurity risk management metrics and measures.
  • Supply Chain.  A greatly expanded explanation of using the framework for supply chain risk management purposes.
  • Authentication, Authorization and Identify Proofing.  Refinements to the language of the Access Control category to account for authentication, authorization, and identify proofing.  A subcategory has been added, and the Category has been renamed to “Identity Management and Access Control (PR.AC) to better represent the scope of the Category and corresponding subcategories.
  • Explanation of Relationship between Implementation Tiers and Profiles.  Adds language on using Framework Tiers in Framework implementation, to reflect integration of Framework considerations within organizational risk management programs, and to update Figure 2.0 to include actions from the Framework Tiers.

More detail on the changes can be found in Appendix D.  NIST seeks public comment on the following questions:

  • Are there any topics not addressed in the draft Framework Version 1.1 that could be addressed in the final?
  • How do the changes made in the draft Version 1.1 impact the cybersecurity ecosystem?
  • For those using Version 1.0, would the proposed changes impact your current use of the Framework? If so, how?
  • For those not currently using Version 1.0, does the draft Version 1.1 affect your decision to use the Framework? If so, how?
  • Does this proposed update adequately reflect advances made in the Roadmap areas?
  • Is there a better label than “version 1.1” for this update?
  • Based on this update, activities in Roadmap areas, and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?

A redline version of the framework can be found by clicking here.  A clean version of the Framework may be found by clicking here.