Why new information security bills do not find widespread support – examples and opinions

The number of cyber attacks is growing around the world, and individual governments are taking measures to counteract attackers. Some initiatives seem quite strict. For example, the Indian regulator obliged companies affected by hacker attacks to report the hacking within six hours of the incident. At the same time, many regulators are trying to find a balance between tightening information security requirements and the interests of the private sector.

Photo: Agê Barros / Unsplash.com
Full access for law enforcement

The number of cybercrime-related incidents in the United States is on the rise, attracting increased attention from regulators. For instance, at the end of last year the Federal Trade Commission (FTC) obliged financial sector organizations to disclose information about cyber attacks on their infrastructure within a month. The amendment applies to data leaks that affect more than 500 people.

Around the same time, the US Securities and Exchange Commission (SEC) updated its information security regulations for companies whose shares are traded on a stock exchange. They must now report data breaches and other cyber incidents involving material risks within four days (unless disclosing the information would pose a threat to public safety). The new rules have already met resistance from companies: not all of them have the resources and tools to quickly assess the consequences of a cyber attack and prepare reports. Some members of the government apparatus also argue that cybersecurity oversight actually falls outside the SEC's authority.

However, the initiative that caused the most heated discussions in the industry was the amendment to the Federal Acquisition Regulation (FAR) proposed by the US Department of Defense and NASA. It introduces new cybersecurity regulations for government contractors. Here are its main provisions:

  • Partner companies are required to create, and update daily, a Software Bill of Materials (SBOM) for all software used in the execution of the contract.

  • If a company's infrastructure has been hacked, it must provide law enforcement with full access to its systems.

  • The contractor must report the breach within eight hours and update the report every 72 hours.

Members of the Cloud Service Provider Advisory Council (CSP-AB) have already noted that the new requirements are too burdensome for cloud providers. For example, the rules do not take the shared responsibility model into account: service providers cannot grant unlimited access to their infrastructure without putting clients' personal data at risk. The daily SBOM update also raises questions. According to CSP-AB members, producing this kind of documentation for a cloud infrastructure is an overwhelming job.

A similar position was taken by the Information Technology Industry Council (ITI). Its representatives believe that the proposed amendments would give the state excessive access to contractors' infrastructure, which would jeopardize the confidential data of third parties. In their view, this approach will inevitably reduce trust on the part of both American companies and foreign partners.

Representatives of HackerOne have also voiced their opinion on the FAR amendment. They believe the eight-hour deadline for reporting cyber incidents is unreasonable: the allotted time is insufficient to conduct a decent investigation into a potential incident, and working under such time pressure will increase the number of "false positive" reports.

So far, the bill is at the public discussion stage, and its fate is difficult to predict. However, the tightening of information security legislation is not confined to the United States.

Tightening the screws

Against the backdrop of an increase in the number of cyber attacks, the Indian government also began to tighten legislation in the field of information security. Thus, India's CERT-In decided to oblige IT companies to report hacks, leaks and any other suspicious activity in their infrastructure within six hours of discovery. Businesses are also required to provide CERT-In with any information needed for its investigation.

Photo: Stepan Kulyk / Unsplash.com
As expected, the new requirements were met with serious criticism – the six-hour deadline caused particularly strong dissatisfaction among organizations. In an attempt to dispel the community's doubts and answer questions, the government published an official FAQ. But its wording turned out to be quite vague and only aggravated the situation. Eleven foreign companies present on the Indian market wrote an open letter in which they pointed out discrepancies between the requirements of the official regulations and the answers in the FAQ.

In general, industry representatives suggest extending the deadline for notification of cyber attacks. It may take several days or more to discover a breach in a system, so it is quite difficult to get a complete picture of the incident in such a short time and provide a quality report.

The Indian IT community also fears that the local regulator's directive will have a negative impact on small and medium-sized businesses. When a small company discovers a breach in its systems, all its efforts and resources are immediately directed to keeping client applications running and to damage control, not to compiling reports.

After a discussion with representatives of the IT community, the regulator did amend some provisions. For example, it gave small and medium-sized businesses additional time to acquire the equipment and services needed for compliance. However, no relaxations were made regarding the notification deadline. Instead, it proposed a standard format for reporting cyber attacks and the possibility of creating a digital portal for collecting notifications.

Practices in the EU

Bills aimed at improving information security are also being developed in Europe. One of them – the Cyber Resilience Act (CRA) – will come into force in 2025 and will impose obligations on manufacturers and importers of products with digital elements. This category includes both software and consumer electronics such as watches and headphones.

According to the document, products with digital elements must undergo a risk assessment and implement protection against known vulnerabilities. Vendors and developers are required to report discovered vulnerabilities to their national cybersecurity authority within 24 hours. Serious issues must be reported to the European Union Agency for Cybersecurity. The authors of the bill hope that the new initiative will help reduce the number of cyber attacks, increase the prestige of European companies and protect users' personal data.

However, a number of information security specialists believe that the rapid disclosure of vulnerability information by one company can jeopardize the infrastructure of other organizations. The bill has also received criticism from the open source community. According to representatives of the Linux Foundation, the authors of the CRA did not take into account the specifics of open source software development. Unlike proprietary vendors, the authors of open solutions distribute them free of charge, and they may not have the time, money or inclination to issue appropriate patches and notify European authorities. In theory, foreign developers may refuse to adhere to the new regulations and leave the market.

This point of view is shared by representatives of other large organizations involved in the development of open source software. In their letter, representatives of OpenForum Europe (OFE) emphasized that the CRA requirements will slow down the development of open source software in the EU and undermine international cooperation. One possible solution proposed by OFE is to make the CRA an optional quality standard: companies would be able to release software with a "CRA Compliant" label, and government and critical sectors of the economy would be allowed to use only products bearing this certification.

At the same time, the CRA is not the only cybersecurity bill being promoted in the EU. In 2023, the Network and Information Security 2 (NIS2) directive came into force. It aims to standardize information security practices among European Union member states and obliges private and public organizations to adhere to an established set of rules that raises the overall level of cyber resilience in the internal market. Its provisions include: a) submission of incident reports within 24 hours of actual discovery; b) ensuring the security of supply chains; c) encryption; d) timely notification of vulnerabilities.

EU countries must implement the NIS2 requirements in national legislation by October 2024. However, only a third of the organizations subject to the directive are technically prepared for the new regulations. That said, representatives of leading European IT companies have generally reacted positively to NIS2. They note that, with the growing number of cyber attacks on digital infrastructure, standardized practices and coordinated action between all EU countries will help ensure an adequate level of cyber security.