The United States National Cybersecurity Strategy, released on March 2, 2023, is poised to place significant responsibility for cybersecurity on technology companies, federal contractors, and critical infrastructure owners and operators. The Strategy articulates a series of objectives and recommended executive and legislative actions that, if implemented, would increase the cybersecurity responsibilities and requirements of these types of entities. The overall goal of the Strategy is to create a “defensible, resilient digital ecosystem” where the costs of an attack are more than the cost of defending those systems and where “neither incidents nor errors cascade into catastrophic, systemic consequences.” The Strategy outlines two fundamental shifts to how the federal government will attempt to allocate roles, responsibilities, and resources in cyberspace. Continue Reading White House Releases National Cybersecurity Strategy

Matthew Harden
Matthew Harden is a cybersecurity and litigation associate in the firm’s New York office. He advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries. He works with clients across industries, including in the technology, financial services, defense, entertainment and media, life sciences, and healthcare industries.
As part of his cybersecurity practice, Matthew provides strategic advice on cybersecurity and data privacy issues, including cybersecurity investigations, cybersecurity incident response, artificial intelligence, and Internet of Things (IoT). He also assists clients with drafting, designing, and assessing enterprise cybersecurity and information security policies, procedures, and plans.
As part of his litigation and investigations practice, Matthew leverages his cybersecurity experience to advise clients on high-stakes litigation matters and investigations. He also maintains an active pro bono practice focused on veterans’ rights.
Matthew currently serves as a Judge Advocate in the U.S. Coast Guard Reserve.
NIST Requests Comments on Potential Significant Updates to the Cybersecurity Framework
On January 19, 2023, the National Institute of Standards and Technology (“NIST”) published a Concept Paper setting out “Potential Significant Updates to the Cybersecurity Framework.” Originally released in 2014, the NIST Cybersecurity Framework (“CSF” or “Framework”) is a framework designed to assist organizations with developing, aligning, and prioritizing “cybersecurity activities with [] business/mission requirements, risk tolerances, and resources.” Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity. The NIST CSF was previously updated in 2018, and NIST now seeks public comment on the latest changes outlined in the Concept Paper.Continue Reading NIST Requests Comments on Potential Significant Updates to the Cybersecurity Framework
New York Department of Financial Services Proposed Second Amendment to Cybersecurity Regulation – Comments Close January 9, 2023
The New York Department of Financial Services (“NYDFS”) published the latest draft of its Proposed Second Amendment to its landmark Cybersecurity Regulation (23 NYCRR 500) on November 9, 2022. The proposed second amendment comes after an initial comment period on an earlier-released draft amendment released on July 29, 2022. NYDFS is accepting comments on the proposed second amendment through January 9, 2023. Continue Reading New York Department of Financial Services Proposed Second Amendment to Cybersecurity Regulation – Comments Close January 9, 2023
CISA Requests Public Comment on Implementing Regulations for the Cyber Incident Reporting for Critical Infrastructure Act
On September 12, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information, seeking public comment on how to structure implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). Written comments are requested on or before November 14, 2022 and may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.Continue Reading CISA Requests Public Comment on Implementing Regulations for the Cyber Incident Reporting for Critical Infrastructure Act
CISA and NIST Urge Companies to Prepare to Transition to a Post-Quantum Cryptographic Standard
On July 5, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the National Institute of Standards and Technology (“NIST”) strongly recommended that organizations begin preparing to transition to a post-quantum cryptographic standard. “The term ‘post-quantum cryptography’ is often referred to as ‘quantum-resistant cryptography’ and includes, ‘cryptographic algorithms or methods that are assessed not to be specifically vulnerable to attack by” a CRQC (cryptanalytically relevant quantum computer) or a classical computer. NIST “has announced that a new post-quantum cryptographic standard will replace current public-key cryptography, which is vulnerable to quantum-based attacks.” NIST does not intend to publish the new post-quantum cryptographic standard for commercial products until 2024 but urges companies to begin preparing now by following the Post-Quantum Cryptography Roadmap. Continue Reading CISA and NIST Urge Companies to Prepare to Transition to a Post-Quantum Cryptographic Standard
NIST Publishes Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products
On February 4, 2022, the National Institute of Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products (“IoT Criteria”). The IoT Criteria make recommendations for cybersecurity labeling for consumer IoT products, in other words, for IoT products intended for personal, family, or household use.
The purpose of the publication, as described by NIST, is to identify “key elements of a potential labeling scheme.” The publication makes clear, however, that the scheme would not be established or managed by NIST, but rather “by another organization or program,” referred to in the publication as the “scheme owner.” The identity of the scheme owner is undetermined, but it “could be a public or private sector” entity.
The publication of the IoT Criteria represents another step toward a national cybersecurity labeling scheme for consumer IoT products. We should expect that the framework established by NIST in this publication will serve as a model for these requirements.
Continue Reading NIST Publishes Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products
FTC Warns Companies to Remediate the Log4j Vulnerability and Hints at Potential Enforcement Actions
On January 4, 2022, the Federal Trade Commission published a warning to companies and their vendors to take reasonable steps to remediate the Log4j vulnerability (CVE-2021-44228). The FTC provided a list of recommended remedial actions for companies using the Log4j software. The FTC’s warning references obligations under the FTC Act and Gramm Leach Bliley Act (“GLBA”) to take reasonable action to remediate vulnerabilities, and hints at potential inquiries and enforcement actions against companies and vendors that fail to do so. As the FTC notes in its warning, the “FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
Continue Reading FTC Warns Companies to Remediate the Log4j Vulnerability and Hints at Potential Enforcement Actions
CISA Warns Critical Infrastructure Owners and Operators to Prepare for and Take Steps to Mitigate Holiday Cyber Threats
On December 15, 2021, the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of a warning for “critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks” before the upcoming holiday season. CISA’s warning emphasizes that “[s]ophisticated threat actors . . . have demonstrated capabilities to compromise networks and develop long-term persistence mechanisms” and have “demonstrated capability to leverage this access for targeted operations against critical infrastructure with potential to disrupt National Critical Functions.”
CISA’s warning includes recommended actions for executives and senior leaders, additional recommended actions for organizations with operational technology (“OT”) and industrial control systems (“ICS”), recommendations for organizations that have experienced a cybersecurity incident, and a list of resources that organizations confronting cyber threats and evaluating cybersecurity best practices may find helpful.Continue Reading CISA Warns Critical Infrastructure Owners and Operators to Prepare for and Take Steps to Mitigate Holiday Cyber Threats