At a glance.
- The place of cyber in US strategy.
- Federal IT modernization gains traction in the US Senate.
- US Government Accountability Office advocates centralized Federal cybersecurity leadership.
- Industry reaction to Virginia's data privacy law.
The place of cyber in US strategy.
The White House yesterday released an Interim National Security Strategy. President Biden's introductory letter read, in part, "The United States must renew its enduring advantages so that we can meet today’s challenges from a position of strength. We will build back better our economic foundations; reclaim our place in international institutions; lift up our values at home and speak out to defend them around the world; modernize our military capabilities, while leading first with diplomacy; and revitalize America’s unmatched network of alliances and partnerships."
The document mentioned cyber frequently (some sixteen times), often in the context of other categories of threats, but also in discussing the development of international norms for conduct in cyberspace and in expressing a determination to enforce laws against cybercrime.
"One extended paragraph described the Administration's aspirations for cybersecurity: As we bolster our scientific and technological base, we will make cybersecurity a top priority, strengthening our capability, readiness, and resilience in cyberspace. We will elevate cybersecurity as an imperative across the government. We will work together to manage and share risk, and we will encourage collaboration between the private sector and the government at all levels in order to build a safe and secure online environment for all Americans. We will expand our investments in the infrastructure and people we need to effectively defend the nation against malicious cyber activity, providing opportunities to Americans of diverse backgrounds as we build an unmatched talent base. We will renew our commitment to international engagement on cyber issues, working alongside our allies and partners to uphold existing and shape new global norms in cyberspace. And we will hold actors accountable for destructive, disruptive, or otherwise destabilizing malicious cyber activity, and respond swiftly and proportionately to cyberattacks by imposing substantial costs through cyber and noncyber means."
Federal IT modernization gains traction in the US Senate.
Legacy systems that stand in need of modernization have for some time been seen as an obstacle to improving the security of US Federal IT systems. There may now be some signs that Senate appropriators, at least, are more open to putting money toward resolving the problem, the Federal News Network reports.
US Government Accountability Office cites cybersecurity as a "high-risk" area.
The Government Accountability Office (GAO) has rendered the latest report to Congress in its High-Risk Series. This one flags its overarching conclusion: "Dedicated Leadership Needed to Address Limited Progress in Most High-Risk Areas." One of those high-risk areas the GAO sees as needing particular attention is "Ensuring the Cybersecurity of the Nation," and the GAO sees that area as having regressed since 2019. In sum:
"The Ensuring the Cybersecurity of the Nation high-risk area declined from a met rating in 2019 to a partially met rating in 2021 for the criterion of leadership commitment. This regression is due to missing (1) important characteristics of a national strategy in the White House’s September 2018 National Cyber Strategy and the National Security Council’s accompanying June 2019 Implementation Plan and (2) an officially appointed central leader for coordinating the execution of the White House’s approach to managing the nation’s cybersecurity. Such a position was established by statute in January 2021. As of mid-January 2021, the position had not yet been filled."
Thus the GAO sees high-level direction as vital to improving the Federal Government's cybersecurity posture.
Industry reaction to Virginia's data privacy law.
As we saw yesterday, the Governor of Virginia has signed the Commonwealth's data privacy act, the Consumer Data Protection Act (CDPA), into law. We received comment on the CDPA from Sanam Saabar, General Counsel at Iterable, who sees it as much closer to an American GDPR than measures so far enacted by other states:
"While the CCPA has been referred to in the past as GDPR-lite, we are starting to see a trend of closer alignment with GDPR. Enter the CDPA—an effort that appears to one-up the CCPA by more closely mirroring GDPR. We will likely see this trend continue because states don’t want to be left out. Legislators want to show that they value protecting their consumers, but this potential domino effect of patchwork legislation proves that there is a big appetite for federal legislation to be passed in the near future.
"While CDPA and other privacy legislation are signed into law, this poses a challenge for marketers as they try to navigate a plethora of variances. Today, the biggest tool in many marketers' toolkit is getting as much data as possible, which allows them to create highly personalized user experiences. This means rather than continuously reviewing or editing their data practices, they’re adding to it. The bigger the data bundle, the greater the potential for error. Regulations like CDPA ensure organizations are more transparent about their practices and how they protect, collect, use and share consumer data.”