Over the past few months, I have written about disruptionware, the threat first identified by the Institute for Critical Infrastructure Technology (ICIT). We have previously described what disruptionware is and how it works, and outlined some of the defenses that can be used against a multitude of disruptionware attacks. Many may have thought the immediate notifications of the threat posed by this new concept of disruptionware had been adequately made public and sufficiently identified. Unfortunately, disruptionware continues to impact new sectors.
According to ICIT, disruptionware is an evolving category of malware designed to “suspend operations within the victim organization through the compromise of the availability, integrity and confidentiality of the data, systems, and networks belonging to the target.” Recently, ICIT identified a new threat from disruptionware that will likely have a seriously adverse effect on the American energy sector. ICIT goes so far as to refer to disruptionware in the context of an attack on the U.S. energy grid as a “weapon of mass destruction.”
Contact tracing is recognized by health systems and governments as an effective method to identify individuals an infected person may have exposed to disease in order to notify those individuals and take action to prevent further spread of illness. Traditionally, the accuracy of contact tracing has been dependent upon an individual’s memory of (and willingness to disclose) where they have been and with whom they have been in contact in order to track down other people who may have been infected. Connected devices with geolocation capabilities allow for digital tracking of individuals, but also carry significant privacy issues.
On December 26, 2019, the U.S. State Department’s Directorate of Defense Trade Controls announced it is amending the International Traffic in Arms Regulations (ITAR) to streamline requirements for the secure storage and transfer of defense technical data. This rule change has important implications for IT service providers and companies that may wish to use cloud-based systems and services for the transfer, processing, and storage of ITAR technical data.
Read the full alert to learn about the new regulations and their potential benefits to U.S. companies and their overseas partners.
October is National Cybersecurity Awareness Month (NCAM). NCAM serves as a timely reminder to continue to assess and improve organizational cybersecurity.
On July 9, 2019, the U.S. Court of Appeals for the Second Circuit held that the First Amendment prohibits the government from blocking social media users from accessing the Twitter account @realDonaldTrump. See Knight First Amendment Institute at Columbia University v. Trump, --- F.3d ---, 2019 WL 2932440 (2d Cir. July 9, 2019).
The Court noted that President Trump “concedes that he blocked the Individual Plaintiffs because they posted tweets that criticized him or his policies,” and “that such criticism is protected speech.” However, the government contended that when the President took that action “he was exercising control over a private, personal account,” the character of which had not changed since it had been opened as a social media platform in 2009 to share opinions on popular culture, world affairs, and politics. The government further argued that the Twitter account is not a public forum or, in the alternative, if the Court were to find that the account was a public forum, that blocking the individual plaintiffs “did not prevent them from accessing the forum.”
Singapore’s Personal Data Protection Commission (PDPC) issued a statement on March 1 announcing its plan to introduce mandatory breach notifications as part of a set of proposed amendments to the country’s Personal Data Protection Act (PDPA). The proposed amendments come in response to the PDPC’s recent review of the PDPA in order “to ensure that it keeps pace with the evolving needs of businesses and individuals, and balances safeguarding individuals’ interests and enables the legitimate use of personal data by organisations.” The details of the mandatory breach notification have not yet been made public, but the amendment will likely require organizations to notify the PDPC and affected data subjects when a certain level of breach has occurred.