Archive for the ‘Laws and Regulations’ Category

New Electronic Authentication Guideline for Federal Agencies

December 17, 2011

Electronic Authentication Guideline (NIST Special Publication 800-63-1), from NIST, expands the options for government agencies that need to verify the identity of users of their Web-based services.

This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrict the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST SP 800-63.

Strategic Plan for the Federal Cyber-Security Research and Development Program

December 10, 2011

This report outlines the Obama Administration’s road map of priorities for government agencies that sponsor research and development on cyber-security.

As recommended in the Cyberspace Policy Review’s near-term action plan, Trustworthy Cyberspace replaces the piecemeal approaches of the past with a set of coordinated research priorities whose promise is to “change the game,” resulting in a trustworthy cyberspace. As called for in the policy review’s mid-term action plan, this plan identifies opportunities to engage the private sector in activities for transitioning promising R&D into practice. In addition, and consistent with the PCAST recommendations, it prioritizes the development of a “science of security” to derive first principles and the fundamental building blocks of security and trustworthiness.

Feds launch cloud security standards program

December 10, 2011

Jaikumar Vijayan / ComputerWorld

Federal CIO Steven VanRoekel Thursday unveiled the Federal Risk and Authorization Management Program (FedRAMP), which establishes a set of baseline security and privacy standards that all cloud service providers will need to meet in order to sell their products to government agencies.

The program requires that all federal agencies use only FedRAMP-certified cloud services and technologies for public clouds, private clouds, hybrid clouds and community clouds. The program also covers all cloud service models, including Software as a Service (SaaS) and Platform as a Service (PaaS).

DARPA Boosts Cybersecurity Research Spending

November 11, 2011

J. Nicholas Hoover / InformationWeek 

“We are losing ground because we are inherently divergent from the threat,” she said, noting that while the size of viruses has remained small over the years, the defensive security apparatus continues to grow. “Such divergences are the seeds of surprise, and this [size disparity] is a striking example of why it’s currently easier to play offense rather than defense in cyber. This is not to suggest that we stop doing what we are doing in cybersecurity. But if we continue only down the current path, we will not converge with the threat.”

NIST Issues Cloud Computing Roadmap

November 5, 2011

Eric Chabrow / BankInfoSecurity

The National Institute of Standards and Technology said the draft publication defines high-priority requirements for standards, official guidance and technology developments that need to be met in order for agencies to accelerate their migration of existing IT systems to the cloud computing model. “A key contribution of the roadmap effort is to focus the discussion to achieve a clear understanding between the government and private sector, particularly on the specific technical steps – standards, guidance and technology solutions – needed to move federal IT from its current early-cloud state to a cloud-based foundation, as envisioned in the Federal Cloud Computing Strategy.”

North Atlantic Cyber Security Organisation (?)

July 2, 2011

Sounds like the right move

This new security challenge was on the agenda at the June 8th-9th meeting of NATO defence ministers in Brussels. Ministers agreed on an action plan and on a revised cyber defence policy which will not only ensure a quicker and more effective protection of NATO’s own network, but also provide the Allies and Partners with more assistance in preventing the cyber attacks, coping with them and limiting their impact.

The new strategy requires that all NATO structures be brought under a centralised protection system, and that all of its networks be monitored round the clock as of 2012.

Supplemental Guidance on Authentication

July 2, 2011

The Federal Financial Institutions Examination Council (FFIEC) today issued a supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies’ supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.

Protecting Sensitive Information: The Virtue of Self-Restraint

June 5, 2011

Dallas Boyd @ Homeland Security Affairs Journal

The motives behind disclosures of sensitive information vary, but a common refrain is that they spur remedial action that would otherwise be avoided. Critics argue, however, that these revelations recklessly endanger the public. Whatever their effect, a soft consensus seems to have formed that airing this information does not subtract from national security to such an extent as to justify the extraordinary powers that would be required to suppress it.

Great “Fire”wall of EU

April 30, 2011

Interesting proposal submitted by LEWP

“The Presidency of the LEWP presented its intention to propose concrete measures towards creating a single secure European cyberspace,” according to brief minutes of the meeting.

The secure European cyberspace would have a “virtual Schengen border”, it adds, referring to the treaty that allows freedom of movement within the EU but imposes controls on entry to the bloc.

There would also be “virtual access points” whereby “the Internet Service Providers would block illicit contents on the basis of the EU ‘black-list’”, the proposal says.

Is loss of privacy really a gain in security?

February 16, 2011

Are privacy and security on opposite sides of a weighing scale, or are they orthogonal to each other? Are they really zero-sum, or are they positive-sum (with other malicious factors working together to bring the sum down to zero)? Overall, Julian has provided really good analogies on the topic, but I am walking away with a head full of questions.

If we implicitly think of privacy and security as balanced on a scale, a loss of privacy is ipso facto a gain in security. It sounds silly when stated explicitly, but the power of frames is precisely that they shape our thinking without being stated explicitly.

Criminalizing Encryption

January 13, 2011

Earlier this week, Steptoe & Johnson, an international law firm, reported that New York was considering criminalizing encryption.

Nevada and Massachusetts require the use of encryption in certain circumstances. But New York is thinking about taking the opposite approach – making it a crime to use encryption in some situations. A bill (S. 714) introduced in the New York Senate on January 5 would prohibit the “criminal use of encryption.” While the intent appears to be to make it a crime for criminals to use encryption to conceal evidence, the bill’s awkward wording could be read to prohibit the use of encryption – such as by a communications company – that has the effect of concealing the identity of a criminal or evidence of a crime.

The bill S.714 (aka the National Criminal Justice Commission Act) was introduced in the Senate in March 2009 by Senator Jim Webb (D-VA) and reported by the committee in January 2010, but it never became law. I quickly scanned through the bill (pdf) but couldn’t find any references to “encryption” (or “unencryption”). There is no other information available about this bill being re-introduced.

There is, though, enough evidence that this has been discussed multiple times since 2001:

The technology of scrambling data and messages has become a crucial element of computer security for businesses and consumers alike. Officials of law enforcement and intelligence agencies have long warned lawmakers that they were unable to break the strongest encryption products, and that crimes eventually would be committed that might otherwise have been prevented.

And as Mark Rasch (attorney and technology expert) said in his 2003 post:

The new legislative proposal would be counterproductive. It could stigmatize encryption as a criminal tool. People will grow wary of using crypto, consequently vendors will become wary of building it in to products, and ultimately the nation will become less secure.

…we shouldn’t stop manufacturing locks just because criminals may use them to lock doors.

10 Legislative Trends to Watch in 2011

January 7, 2011

CIO Insight published a valuable list of legislative trends to watch in the coming year. All are important but “The Data Accountability and Trust Act” (Bill Number H.R.2221 for the 111th Congress) seems to have created considerable buzz.

At present, 46 of 50 U.S. states have data breach notification laws in place. A national law is imminent. A likely candidate: The Data Accountability and Trust Act, passed by the U.S. House and now before the Senate. It would require businesses engaged in interstate commerce to provide notification of breaches to affected consumers.

FTC Privacy Report

December 27, 2010

The Federal Trade Commission (FTC) issued a preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. It is open for public comment; the FTC will accept comments on the report until January 31, 2011.

To reduce the burden on consumers and ensure basic privacy protections, the report first recommends that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices.” Such protections include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy. Companies also should implement and enforce procedurally sound privacy practices throughout their organizations, including assigning personnel to oversee privacy issues, training employees, and conducting privacy reviews for new products and services.

The security laws, regulations and guidelines directory

November 13, 2010

A good collection/summary of security and privacy laws, regulations and guidelines.

This directory includes laws, regulations and industry guidelines with significant security and privacy impact and requirements. Each entry includes a link to the full text of the law or reg as well as information about what and who is covered.

The list is intentionally US-centric, but includes selected laws of other nations that have an impact on US-based global companies.

Google’s Transparency Report

September 22, 2010

Google has created a website, called Transparency Report, that lets users see whether their local government has been making requests for the removal of content.

Transparency is a core value at Google. As a company we feel it is our responsibility to ensure that we maximize transparency around the flow of information related to our tools and services. We believe that more information means more choice, more freedom and ultimately more power for the individual.

What’s the trigger behind this effort…?

Do You Know Where Your Data Is In The Cloud?

September 19, 2010

Forrester’s privacy heat map

Country-specific regulations governing privacy and data protection vary greatly. To help you grasp this issue at a high level, Forrester created a privacy heat map that denotes the degree of legal strictness across a range of nations.

Smart Grid Privacy Guidelines

September 19, 2010

National Institute of Standards and Technology (NIST) has published Guidelines for Smart Grid Cyber Security: Privacy and the Smart Grid.

The NIST Smart Grid Guidelines address privacy concerns that arise from the “many new data collection, communication, and information sharing capabilities related to energy usage.”

New Federal Privacy Legislation

June 7, 2010

The recently published draft of federal legislation to establish broad new consumer privacy protections affects many businesses that collect and store consumer information. It will be interesting to see how the new legislation interacts with existing privacy laws and acts such as GLBA, CAN-SPAM, and HIPAA.

Technological Advances and Evolution of Privacy Laws

April 28, 2010

Quick refresher: the Fourth Amendment guards against unreasonable searches and seizures. (Please note: a search or arrest should be limited in scope according to the specific information supplied to the issuing court.)

So – how is the Fourth Amendment related to cloud computing (or to technological advances in general)? In his recent article, David A. Couillard argues that an extension of the Fourth Amendment standard into the cloud might be able to adequately address future unanticipated issues that arise as new technologies collide with the government’s attempts to search and seize data.

The linchpin in extending Fourth Amendment protection to the cloud rests with the reasonableness of society’s expectations governing privacy in the cloud. But societal expectations change over time, especially as technology and our uses of that technology change.

This change in Internet usage seems to indicate that society might be prepared to recognize a reasonable expectation of privacy in the cloud, at least in some circumstances. Even if the Internet remains a public medium in some respects, taking a private object into public doesn’t necessarily destroy a person’s reasonable expectation of privacy in that object. But reasonable efforts to conceal that object must be present.