Cyber Theft Bill Introduced by Bipartisan Group of Senators

On Tuesday, Senators Carl Levin (D-MI), John McCain (R-AZ), Jay Rockefeller (D-WV), and Tom Coburn (R-OK) introduced the “Deter Cyber Theft Act.”

The Act would require the Director of National Intelligence (“DNI”) to provide relevant congressional committees with an annual report on “foreign economic and industrial espionage in cyberspace.”  The report would require the DNI to identify “foreign countries that engage in economic or industrial espionage in cyberspace with respect to trade secrets or proprietary information owned by United States persons” and “priority foreign countries”—those countries that the DNI “determines engage in the most egregious economic or industrial espionage in cyberspace.”  The bill specifies that the DNI must identify foreign countries pursuant to the Act if the foreign government “engages in economic or industrial espionage in cyberspace with respect to trade secrets or proprietary information owned by United States persons” or “facilitates, supports, fails to prosecute, or otherwise permits such espionage by” its citizens or residents or entities organized under its laws or subject to its jurisdiction.


Covington Files Comments on Cybersecurity Incentives

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directs the National Institute of Standards and Technology (“NIST”) to develop a Cybersecurity Framework  of standards, methodologies, and processes for addressing cybersecurity risk.  It also charges the Department of Homeland Security with developing a Critical Infrastructure Cybersecurity Program to promote adoption of the Cybersecurity Framework by critical infrastructure entities.  To facilitate these initiatives, the Executive Order instructs the Secretaries of Homeland Security, Treasury, and Commerce to recommend incentives to promote participation in the Program.   

On March 28, the Department of Commerce, through the Office of the Secretary, NIST, and the National Telecommunications and Information Administration (“NTIA”), issued a Notice of Inquiry regarding “Incentives To Adopt Improved Cybersecurity Practices.”  Yesterday, representatives of Covington & Burling LLP and The Chertoff Group filed comments in response to the Notice of Inquiry.  The comments set out several principles for the Department of Commerce to consider in structuring incentives for participation in the Program.  The comments are based on the professional experience of the representatives and are not offered on behalf of any client of either firm or any other entity.

All of the comments submitted in response to the Notice of Inquiry are available on the NTIA website.

Cyber Intelligence Sharing and Protection Act Passes House Intelligence Committee

In a vote Wednesday afternoon, the House Permanent Select Committee on Intelligence passed the Cyber Intelligence Sharing and Protection Act (“CISPA”).  Eighteen Representatives voted in favor of the bill, and two, Rep. Adam Schiff (D-CA) and Rep. Jan Schakowsky (D-IL), voted against.

The Committee adopted amendments that Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) outlined on Monday in response to privacy and other concerns voiced about the bill.  In particular, amendments were adopted to eliminate a provision enabling the government to use shared information for broad “national security purposes,” to require the government to remove personally identifiable information from information shared pursuant to the bill, and to clarify that the bill does not allow companies to “hack back” entities that engage in cyber theft.

The panel did not adopt amendments offered by Representatives Schiff and Schakowsky.  Those amendments would have required private sector entities to remove personally identifiable information before sharing data with the government, limited liability protection available to companies that share information, and required information to be shared first with a civilian agency, rather than the National Security Agency.

Reflections on Legal and Policy Developments in Cybersecurity

By David N. Fagan and Kristen E. Eichensehr 

On March 28, our firm hosted an event, co-sponsored with The Chertoff Group, on Legal and Policy Developments in Cybersecurity.  The event featured keynote addresses by former Secretary of Homeland Security Michael Chertoff, now Senior Of Counsel with Covington and founder of The Chertoff Group, and Representative Mike Rogers (R-MI), Chairman of the House Permanent Select Committee on Intelligence (“HPSCI”) and principal sponsor of the Cyber Intelligence Sharing and Protection Act (“CISPA”), which passed the House last year and is expected to be re-introduced and voted upon in HPSCI soon. 

The program also included a panel discussion examining the scope of the cybersecurity threat confronting the government and private sector; how law, regulation, and policy may address the threat; and certain competing policy imperatives, including balancing security and economic considerations.  The panel included three partners at Covington -- David Fagan (who moderated), John Veroneau (international trade), and Robert Nichols (government contracting) -- along with Prescott Winter, Managing Director of the Chertoff Group; James Mulvenon of Defense Group, Inc.; and Scott Aaronson of the Edison Electric Institute. 

As Congress moves toward votes on cybersecurity legislation, we thought it would be timely to offer some reflections on the program and panel discussion.  In particular, while cybersecurity is a topic du jour in Washington and the press, the program sought to dig deeper than the headlines, unpack the complexity of cybersecurity, and explore how the interconnection of systems and the related threats impact various legal, policy, and business considerations.  The following are some observations from the event:


Amendments Expected for Cyber Intelligence Sharing and Protection Act

By David N. Fagan and Kristen E. Eichensehr 

In a call with reporters Monday, Representatives Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD), respectively the Chairman and Ranking Member of the House Permanent Select Committee on Intelligence (“HPSCI”), announced several planned amendments to the Cyber Intelligence Sharing and Protection Act (“CISPA”).  The bill is expected to come to a vote in HPSCI on Wednesday.

CISPA passed the House last April, despite opposition by privacy groups and a veto threat by the White House. Congressmen Rogers and Ruppersberger intend to use amendments to alleviate concerns that derailed the bill last year.  Specifically, reports (here and here) indicate that amendments will:

  • Eliminate a provision that would have allowed government agencies to use shared cybersecurity information for “national security purposes”;
  • Allow private companies to use cybersecurity information they receive from the government only for cybersecurity purposes;
  • Require the government to remove personally identifiable information from information shared pursuant to the Act; and
  • Clarify that CISPA does not authorize hacking in retaliation for cyber theft, as some had alleged.

The list of amendments does not include one Rep. Adam Schiff (D-CA) intends to offer that would require companies to remove personally identifiable information from data before sharing it with the government.

German Government Proposes Cybersecurity Law

Following the German Government’s adoption of a cybersecurity strategy back in February 2011, and only a couple of weeks after the publication of the European Commission’s CyberSecurity Strategy and proposal for a Directive on Network and Information Security (see InsidePrivacy EU Adopts CyberSecurity Strategy and Proposes Network and Information Security Directive, February 7, 2013), Germany has put forward its own proposal for a cybersecurity law.

On 5 March 2013, the German Interior Minister, Hans-Peter Friedrich, presented a draft IT Security Act, which would impose certain minimum IT security standards on operators of critical infrastructure as well as telecommunications and information society service providers.  The measure would introduce mandatory reporting obligations.


Report Links Cyberattacks on U.S. Companies to Chinese Military

On Tuesday, the U.S. cybersecurity firm Mandiant released a 60-page report detailing the activities of a hacking collective it claims has direct ties to China’s military. The firm has linked the collective to cyberattacks on more than 140 organizations across 20 industries worldwide since 2006.

Mandiant claims the activity—carried out by a group called the “comment crew”—can be traced to four networks near Shanghai, with some of the activity occurring in a nondescript building on Datong Road—the headquarters of Unit 61398, a secret wing of the People’s Liberation Army.

The report notes that the hackers have a “well-defined attack methodology,” that has enabled them to steal large volumes of intellectual property, including technology blueprints, proprietary manufacturing processes and business plans.

In the wake of the report, two recent victims of cyberattacks—The New York Times and The Wall Street Journal—have published editorials that are outwardly critical of China. Both publications pressed President Obama to confront China more aggressively and publicly on its cyber espionage.

President Obama Issues Cybersecurity Executive Order

In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of  critical infrastructure.  President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The Executive Order follows legislative efforts in the last Congress to pass comprehensive cybersecurity bills.  After the Cybersecurity Act of 2012 (S. 3414) failed to pass in August 2012, Deputy National Security Adviser John Brennan mentioned in an appearance at the Council on Foreign Relations that the President was considering issuing an Executive Order to implement portions of the cybersecurity legislation.  In the subsequent months, the White House sought industry input on the Order.

The Order has two main components: increasing information sharing from the government to the private sector and establishing a Cybersecurity Framework to buttress the security of critical infrastructure. 


ENISA Publishes New Guidelines for Smart Grid Cyber Security

By Jacqueline Clover and Ezra Steinhardt

In December 2012, the European Network and Information Security Agency (ENISA) published a set of (non-binding) Guidelines titled, “Appropriate security measures for smart grids; Guidelines to assess the sophistication of security measures implementation”.  The Guidelines are intended to help EU Member States and smart grid stakeholders improve the resilience of smart grid cyber security systems against cyber threats and attacks, and follow on from a pair of European Commission initiatives that have called for improved security of European electricity networks:  the Commission’s Standardization Mandate to support European Smart Grid Deployment, released in March 2011, and the Commission’s Recommendation on the roll-out of smart metering systems, released in March 2012.  The latter document encourages EU Member State electricity network providers to consult the ENISA Guidelines when implementing smart grid security measures.

The Guidelines stress the importance of data privacy for smart grid stakeholders, and note that many such stakeholders “still have little experience in these areas”.  The Guidelines do not set out to address data privacy concerns per se, but the information security measures proposed by the Guidelines will also be of use to controllers, who must take adequate organizational and technical measures to protect personal data under European data protection law. 

The Guidelines aim to harmonise and establish minimum cyber security standards and best practices for European smart grids.  The Guidelines identify ten smart grid security issue areas and make security recommendations for each area.  To take into account different smart grid characteristics, such as the size of the grid or the types of services provided, and correspondingly different risk profiles, the Guidelines accommodate varying degrees of security measure implementation (“sophistication levels”).  Some security measures (or security issues) discussed by the Guidelines include:

  • Protection of sensitive information processing facilities;
  • Encryption methods for sensitive data during storage and transmission;
  • Controlling access to critical asset information, and the use of secure remote access methods;
  • Precautions against malware and viruses;
  • Timely technical upgrades to smart grid information systems;
  • Segregation of information services and information systems into groups and networks;
  • Protection of security audit information;
  • Security policies and monitoring of grid information systems;
  • Staff cyber security training programs, personnel risk assessments, and staff security responsibilities and oversight;
  • Third party agreements (e.g., with external suppliers and contractors) and monitoring of third parties to preserve confidentiality;
  • Communication with relevant authorities and cyber security interest groups (i.e., to stay ahead of the latest vulnerabilities and threats);
  • Maintaining updated inventories of all smart grid components and systems;
  • Management of authentication credentials, user names, etc.; and 
  • Policies for secure disposal of smart grid components and systems.

The smart grid provider should conduct a risk assessment when determining how to implement and maintain the above measures. 


FCC Provides Consumer Tips On Mobile Privacy And Security

The Federal Communications Commission yesterday released a Smartphone Security Checker, a tool designed to help consumers secure their smartphones against mobile security threats.  The tool provides consumers with tips that are customized for four different mobile operating systems.  Many of the tips focus on security-related topics.  For instance, the tool recommends that consumers set a password or Personal Identification Number on their phones, accept updates and patches to smartphone software, and wipe phones of personal data before reselling or recycling them. 

The FCC also made recommendations that touch on the role of in-app privacy disclosures, a topic that has received attention recently from state regulators and the Federal Trade Commission.  Specifically, the FCC recommends that users understand app permissions before accepting them.  The FCC says, “You should be cautious about granting applications access to personal information on your phone or otherwise letting the application have access to perform functions on your phone.  Make sure to also check the privacy settings for each app before installing.” 

While the FCC has not been as active as the FTC and others on mobile privacy issues that do not affect the telephone portion of the mobile service, the FCC’s announcement demonstrates that it continues to see a role for itself in helping “consumers understand and combat cyber threats and mobile device theft.”  Earlier this year, the FCC partnered with mobile operators to launch the “PROTECTS Initiative,” which was designed to combat mobile device theft and trafficking. 

Senator Rockefeller Requests Cybersecurity Information from Fortune 500 Companies

In the wake of the Senate’s failure to pass comprehensive cybersecurity legislation in August and amid continued discussion about the possibility of a cybersecurity executive order, Senator Jay Rockefeller has sought information directly from Fortune 500 companies. 

Senator Rockefeller has urged President Obama to issue a cybersecurity executive order, but in a letter sent to Fortune 500 CEOs on September 19, Senator Rockefeller explained his belief that legislation will still be necessary.  His letter noted that he would like to hear “directly from the chief executives of leading American companies about their views on cybersecurity.”

Specifically, Senator Rockefeller requested answers to eight questions by October 19.   The questions include whether each company has adopted cybersecurity best practices; how such practices were developed, including whether the company received outside input; how frequently the company’s cybersecurity practices are updated; and whether the federal government played a role in developing the practices.  To address particular features of the proposed Cybersecurity Act of 2012 (S. 3414), of which Senator Rockefeller is a co-sponsor, the Senator asked each CEO to explain any concerns his or her company has with a voluntary program for the federal government and private sector to develop cybersecurity best practices, with the federal government conducting cyber risk assessments, and with the federal government determining, in consultation with the private sector, what counts as critical cyber infrastructure.

A complete list of recipients of Senator Rockefeller’s letter is available on the website of the Senate Committee on Commerce, Science, & Transportation, which Senator Rockefeller chairs. 

White House Considers Cybersecurity Executive Order

Before recessing in August, the Senate considered, but failed to pass, comprehensive cybersecurity legislation, the Cybersecurity Act of 2012 (S. 3414) (“CSA2012”). Shortly thereafter, during a Council on Foreign Relations event on August 8, Deputy National Security Adviser John Brennan stated that the President is considering using an executive order to implement portions of the cybersecurity legislation.

Recent reports indicate that the White House has circulated a draft cybersecurity executive order to government agencies.  The text of the draft executive order is not public, but reports suggest that it would implement portions of the CSA2012, particularly those dealing with voluntary cybersecurity standards for private industry.  The executive order would establish an interagency council, chaired by the Department of Homeland Security, to work with the National Institute of Standards and Technology (NIST) and industry to develop cybersecurity guidelines that the private sector could adopt voluntarily.  The CSA2012 included provisions for a similar program and also inducements for industry to adopt the resulting standards.  The bill’s main inducement was liability protection from lawsuits for companies that certified their compliance with the standards, but an executive order cannot offer such liability protections, absent action by Congress. The executive order apparently does not address other provisions of the CSA2012, including reform of the Federal Information Systems Management Act (FISMA), which addresses management of cybersecurity for federal government systems.

Senator Rockefeller and Senator Feinstein, both co-sponsors of the CSA2012, have called on President Obama to implement parts of the bill by Executive order.  Senator Lieberman has also supported executive action, but Senator Collins, a Republican co-sponsor of the bill, has opposed issuance of an executive order.

Senate Scheduled To Consider Cybersecurity Legislation

Yesterday, the Senate voted to move forward with a floor debate of the Cybersecurity Act of 2012 (“CSA2012”) (S. 3414), and the White House formally endorsed CSA2012, saying it will strengthen efforts to secure American networks against cyberattacks.  As a result of yesterday's procedural vote, the Senate is likely to consider the current version of the legislation next week, ahead of the August recess.  As Inside Privacy previously reported, last week, CSA2012’s primary authors introduced a revised version of their bill that incorporates elements drawn from efforts by Senators Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ) to reconcile CSA2012 with the Republican-sponsored SECURE IT Act (S. 3342).  Our prior post provides a comprehensive overview of the approach taken by the revised CSA2012, which looks to voluntary private sector compliance with cybersecurity standards. 

The Senate is expected to consider a number of amendments during the floor debate next week.  Among them, Republican sponsors of the Secure IT Act have indicated that they plan to offer their bill as a substitute amendment to CSA2012.

Senators Introduce Revised Cybersecurity Act of 2012

On July 19, 2012, Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), Jay Rockefeller (D-WV), Dianne Feinstein (D-CA), and Tom Carper (D-DE) introduced a revised version of the Cybersecurity Act of 2012 (“CSA2012”), which they initially introduced in February. The revision includes elements drawn from efforts by Senators Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ) to reconcile the CSA2012 with the Republican-sponsored SECURE IT Act (S. 3342).

The new CSA2012 (S. 3414) takes a different approach than the original version to cybersecurity of critical infrastructure. The original bill would have given the Department of Homeland Security (“DHS”) authority to designate “systems or assets” as covered critical infrastructure and to require owners and operators of designated critical infrastructure to meet cybersecurity performance requirements, established by DHS. The new CSA2012, on the other hand, would rely on voluntary private sector compliance with cybersecurity standards. As Senator Lieberman explained, the revised bill relies on “carrots instead of sticks.”


First Circuit Finds Bank's Online-Security Procedures 'Commercially Unreasonable'

A bank that required a commercial customer to answer “challenge questions” for virtually all online payments and that did not implement other common security measures failed to provide a commercially reasonable level of security, the U.S. Court of Appeals for the First Circuit ruled this week.

The case arose when unknown hackers were able to make large electronic transfers over the course of seven days from Patco Construction’s accounts at Ocean Bank, a southern Maine community bank owned by People’s United Bank.  Patco lost more than $345,000. Patco sued People’s United, alleging that Ocean Bank’s security procedures were not “commercially reasonable,” and therefore the bank was liable for Patco’s loss under the Uniform Commercial Code.


Draft Chinese Rules Target Mobile Smart Devices and Online Content Providers

China’s internet regulator, the Ministry of Industry and Information Technology (“MIIT”), has released two draft regulations that could significantly impact how manufacturers of mobile smart devices (such as smartphones) and internet information service providers (“IISPs”) handle users’ personal information in China.


Privacy at a cost? Recent smart meter litigation in Maine

By Nigel Howard, Jessica Milner and Mark Johnson

Interesting questions are arising in relation to how to implement an “opt out” for smart meters.  In many states, customer unease about the privacy and safety concerns associated with smart meters has resulted in new legislation or regulations that give customers the ability to decline the installation of a smart meter.  However, smart meters enable energy efficiency and cost savings, so should customers that opt out have to pay more?

This question arose last month in the Maine Supreme Court in the case of Friedman v. Maine Public Utilities Commission and Central Maine Power Company. The court heard an appeal from the Maine Public Utilities Commission’s dismissal of a complaint raising concerns over smart meter technology, including privacy and security issues.


House Approves Two Additional Cybersecurity Bills

Following on its passage on Thursday of the Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 3523) and the Federal Information Security Amendments Act of 2012 (H.R. 4257), the House on Friday approved two additional cybersecurity measures.

The Cybersecurity Enhancement Act (H.R. 2096), sponsored by Rep. Michael T. McCaul (R-TX), passed by a vote of 395-10. The bill would require certain federal agencies to develop and submit to Congress a cybersecurity strategic research and development plan that takes into consideration the views of stakeholders in industry and academia. The bill would also provide scholarships for students studying cybersecurity, in exchange for federal or other government service after graduation.

The Advancing America’s Networking and Information Technology Research and Development Act of 2012 (H.R. 3834), sponsored by Rep. Ralph Hall (R-TX), passed on a voice vote. This bill also addresses cybersecurity research and development and would require certain federal agencies to develop periodically updated strategic plans for achieving cybersecurity research and development goals, taking into account recommendations from stakeholders. The bill would encourage agencies to support large-scale, long-term, interdisciplinary research activities that have the potential to improve, inter alia, U.S. economic competitiveness. In addition, the bill would require the Director of the National Coordination Office, which reports to the White House’s Office of Science and Technology Policy, to establish a task force of academic, industry, and government representatives to explore mechanisms for collaborative research and design, and to convene a governmental interagency working group to address increasing use of cloud computing for research.

House Approves Two Cybersecurity Bills

On Thursday, the House voted on and passed two cybersecurity bills.

The Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 3523), sponsored by Rep. Mike Rogers (R-MI) and more than a hundred other Congressmen, passed by a vote of 248-168. As previously discussed on this blog, CISPA would facilitate information sharing between private entities and the intelligence community via the Department of Homeland Security’s National Cybersecurity and Communications Integration Center and would provide liability protection for entities that share cyber threat information. 

Despite a formal statement by the White House threatening a Presidential veto of CISPA in its then-current form, the bill garnered bipartisan support, with 42 Democrats and 206 Republicans voting in favor. Before the final vote, the House adopted several amendments. One of the amendments limits the federal government to using shared cyber threat information for five enumerated purposes: cybersecurity, investigation and prosecution of cybersecurity crimes, protection of individuals from death or serious bodily harm, protection of minors from sexual exploitation or physical threat, and protection of national security.

The House also passed by a voice vote the Federal Information Security Amendments Act of 2012 (H.R. 4257), sponsored by Rep. Darrell Issa (R-CA). The bill would reform the Federal Information Security Management Act of 2002 to provide for automated and continuous monitoring of the security of government information systems. FISMA reform is also included in the two cybersecurity bills pending in the Senate, the Cybersecurity Act of 2012 (S. 2105), introduced by Sen. Joseph Lieberman (I-CT), and the SECURE IT Act (S. 2151), introduced by Sen. John McCain (R-AZ).

Bills Head to House Floor for "Cybersecurity Week"

The House of Representatives next week will consider legislation to counter online threats as part of what the House leadership has dubbed “Cybersecurity Week.”

The House Homeland Security Committee approved the PRECISE Act on Wednesday. The committee adopted an amendment from the bill’s sponsor, Rep. Dan Lungren (R-Cal.), to remove provisions that would have required the Department of Homeland Security (DHS) to work with other federal agencies to incorporate cybersecurity standards into regulations governing covered critical infrastructure. The amended bill, H.R. 3674, would expand the existing National Cybersecurity and Communications Integration Center within DHS to facilitate the sharing of threat information and technical assistance between private entities and governments at all levels. The bill would create an advisory board of 13 private-sector representatives for the Center.

The House also plans to vote on the Cyber Intelligence Sharing and Protection Act (CISPA), a bill introduced in late November by House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.). Like the PRECISE Act, CISPA would encourage the sharing of cyber threat information among businesses and the intelligence community through the National Cybersecurity and Communications Integration Center within DHS.

