Category: Safeguards

Dec 13 2017

NIST Releases Draft Update To Cybersecurity Framework

In 2014, the National Institute of Standards and Technology (NIST) released its first version of the Framework for Improving Critical Infrastructure Cybersecurity (Cyber Framework). The Cyber Framework was originally developed as a voluntary framework to help private organizations and government agencies manage cybersecurity risk in the critical infrastructure space (e.g., bridges, power grid, etc.). Since then, it has been widely adopted across industry as a benchmark standard for measuring an enterprise’s cybersecurity readiness.

Following feedback NIST received in December 2015 from a Request for Information, and comments from attendees at the Cybersecurity Framework Workshop in 2016 held at the NIST campus in Maryland, NIST released a draft update to the Cyber Framework in January 2017 called Version 1.1. Some of the key changes in the draft update included:

  • Adding a new section on cybersecurity measurement to discuss the correlation of business results to cybersecurity risk management metrics and measures;
  • Expanding the use and understanding of cyber supply chain risk management frameworks;
  • Accounting for authentication, authorization, and identity proofing in the access control section of the framework; and
  • Better explaining the relationship between the various implementation tiers and profiles.

Last week, NIST released a second draft of Version 1.1, which is open for public comment through January 20, 2018. The new draft expands on issues such as supply chain security and vulnerability disclosure programs. It also emphasizes the need for companies using the framework to develop metrics to quantify their progress. NIST says it hopes to finalize Version 1.1 in the spring of 2018.

If you are interested in submitting comments on the new draft of Version 1.1, or learning more about its proposed changes that will likely take effect in 2018, the Dentons Privacy and Cybersecurity Group is ready to assist.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkDentons’ Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

Sep 05 2017

Déjà Vu – Canada’s Breach Reporting and Notification Requirements

On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguards Regulations. The draft Regulations will be open for comment for 30 days. If the Regulations are not further amended by ISED, they may be registered and republished. ISED has stated that there will be a delay between finalizing the Regulations and their coming into force to permit organizations time to implement any necessary organizational changes.

ISED has drafted Regulations that hew close to similar regulations under Alberta’s Personal Information Protection Act. Far from being unsettling, this sense of  déjà vu will be welcome for organizations concerned about coping with divergent requirements.

However, there are still some important differences to note:

1.  Reporting to the regulator can focus on the cause of the breach rather than speculate about the harm

The content of the report to the Office of the Privacy Commissioner of Canada (OPC) tracks fairly close to the content required under Alberta’s law. Perhaps as a matter of clarification more than a substantive difference, the federal Regulations specify that the report should include the “cause” of the breach if known. However, one significant difference is that organizations are not required to engage in speculation about the potential harm to individuals. This will be highly appreciated by organizations who have had to deal with Alberta’s law.

2.  Organizations must make it easy on individuals to get information or to complain

The content of the notices to individuals of a breach are also similar to those in Alberta. However, ISED has included some consumer-friendly requirements. First, individuals should have a toll-free number to contact someone who can answer questions on behalf of the organization (or an email address). Second, individuals must be informed about the organization’s internal complaint process. Finally, individuals must be advised of their right to complain to the OPC about the breach.

3.  There is flexibility with respect to the manner of reporting

The federal Regulations specifically provide that notices to individuals can be provided:

  • by email or other secure forms of communication (to which the individual has consented)
  • by letter
  • by telephone
  • in person

Moreover, organizations can opt for indirect notification (without having to pre-clear this with the OPC) if direct notification would cause harm to the individual, the cost of direct notification would be prohibitive to the organization, or the organization does not have current contact information.  Indirect notification can be made by conspicuous posting of the notice on the organization’s website for 90 days (or more) or by means of an advertisement that is likely to reach the affected individuals.

4. Record-keeping is much less onerous than feared

One difference between the Alberta law and the federal Personal Information Protection and Electronic Documents Act (PIPEDA), is that PIPEDA requires an organization to maintain a record of every breach of security safeguards even if that breach does not result in a real risk of significant harm to an individual.

The ISED has heard the concerns raised by organizations about this provision. Organizations only need to maintain records for 2 years. The form and content of the records are up to the organization provided that they contain enough information to allow the OPC to assess whether the organization was making any required reports to the OPC and required notifications to affected individuals. Since a report to the OPC containing the prescribed elements would be sufficient as a record, this appears to mean that the type of information that must be kept does not include a written assessment of the risk of harm.

Read the draft Regulations here.

Jul 11 2017

DHS and FBI – Hackers Are Targeting US Nuclear, Energy, and Manufacturing Facilities

According to a new joint report issued by the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI), hackers have been penetrating the computer networks of companies that operate nuclear power stations, energy facilities, and manufacturing plants in the US since May 2017. The joint report carried an urgent amber warning, which is the second-highest rating for the sensitivity of a threat. The report was publicized by the New York Times last week.

According to the report, an “advanced persistent threat” actor was responsible for the attacks, which has included thus far:

  • Hackers writing targeted email messages containing fake resumes for control engineering jobs and then sending them to senior industrial control engineers who have access to critical industrial control systems. The resumes were Microsoft Word documents that contained malicious code. Once the recipient clicks on the document, the attackers copy the recipient’s credentials and access the network.
  • Hackers compromising websites they know their victims visit (watering hole attack).
  • Hackers redirecting the victims’ internet traffic through their own machines (man-in-the-middle attack).

The report does not say whether the cyber intrusions are an attempt at espionage, or part of a plan to cause physical damage. Nor is there any indication as to how many facilities were compromised. The report does state, however, that the hackers appear to be mapping out computer networks for future attacks.

In a joint statement issued by the DHS and FBI, a spokesperson for the DHS said “There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.” John Keeley, a spokesperson for the Nuclear Energy Institute (which works with the 99 utilities that operate nuclear plans in the US), said nuclear facilities are required to report cyber attacks that relate to their safety, security and operations. None have reported any cyber attacks thus far.

On May 11, as the attacks were ongoing, President Trump signed an executive order to strengthen the cybersecurity of federal networks and critical infrastructure.

If you or your enterprise is engaged in the energy or manufacturing sectors, cyber threat preparation and monitoring is your first line of defense against bad actors. Dentons’ team of cybersecurity experts can assist you in establishing and implementing an effective and compliant incident response plan and set of programs to monitor internal and external threats, including threat intelligence and access control and vulnerability assessments.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

May 23 2017

President Trump’s Budget Requests $1.5B For Homeland Security Cyber Unit

President Trump’s new budget includes a request to increase cybersecurity personnel and funding across several federal departments, including $1.5 billion for the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD). The NPPD is a DHS unit responsible for protecting US infrastructure from cyber threats. The DHS is responsible for protecting critical infrastructure and federal networks from cyber intrusions.

The budget document, released by the Office of Management and Budget earlier this morning, states: “The Budget supports the President’s focus on cybersecurity to ensure strong programs and technology to defend the Federal networks that serve the American people, and continues efforts to share information, standards, and best practices with critical infrastructure and American businesses to keep them secure[.]” The budget document also proposes to increase law enforcement and cyber personnel at DHS, the FBI and Department of Defense.

The President’s budget comes on the heels of his recent Executive Order aimed at strengthening cybersecurity across federal networks, critical infrastructure, and the nation writ large. It also comes in the wake of federal departments and agencies, such as DHS, Health and Human Services, and the Securities and Exchange Commission, focusing their efforts on cybersecurity in medical devicesmobile devices, financial services, and the Internet of Things (IoT).