A PubKGroup Product
PubKCyber is the go-to source for the most critical regulatory, policy, and oversight developments related to federal cybersecurity. Our coverage includes federal cyber regulations and policy, local and state activity, international law and agreements, federal regulatory body activity, congressional and agency oversight, and industry standards, as well as legal actions and court decisions related to cybersecurity, privacy, and fallout from security breaches.
Ability to subscribe and post job announcements and advertisements online
A daily email summarizing the day’s top cyber developments relevant to contractors
PubK Event Board
A weekly community calendar emailed to your inbox
Coming in 2017:
A bimonthly update collecting critical developments, with added insight and context, and links to important resources
The federal government is increasingly taking the initiative to alert companies to the cybersecurity risks of certain foreign corporations, by issuing binding directives on agencies, passing laws, and promulgating regulations that include prohibitions on the use of these companies’ products, even by independent government contractors.
For example, the 2019 National Defense Authorization Act imposes new restrictions on procurements for certain telecommunications equipment or services from certain Chinese companies, including Huawei, ZTE, Hytera, Hikvision, and Dahua Technology.
Sheppard Mullin attorneys recommend that lawyers and cybersecurity professionals pay attention to the government’s various statements and prohibitions about foreign companies and their risks to cybersecurity, and that government contractors study the NDAA’s provisions.
Further, they advise that a new executive order on this subject is expected soon.
Before the Senate adjourned in December, it passed a bill to secure the nation’s electric power grid from cyberattacks, starting with a pilot program adding analog stopgaps and redundancies, in what the bill’s authors called a “retro” approach to robustness.
The Securing Energy Infrastructure Act was introduced by Senators Angus King (I-ME) and Jim Risch (R-ID), inspired by a 2015 Russian cyberattack which took down much of Ukraine’s energy grid, but didn’t prevent operators from restoring service fairly quickly using human-powered backup measures.
The bill would give the Secretary of Energy $10 million and 180 days to get a pilot program running, in cooperation with the energy industry. It also included $1.5 million for a 10-member working group, with representatives from the departments of Energy, Homeland Security, and Defense, the Office of the Director of National Intelligence, and the North American Electric Reliability Corporation, to assess that partnership’s recommendations.
The Department of Health and Human Services has released “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a publication containing voluntary cybersecurity practices for healthcare organizations of all sizes. The guidance is the result of a two-year public-private partnership between HHS and more than 150 cybersecurity and healthcare experts.
The document presents both highly technical solutions and common sense practices applicable to a wide range of healthcare facilities. The core of the document explores the five most relevant threats to the healthcare industry, and recommends 10 cybersecurity practices to mitigate them. It also emphasizes the importance of moving quickly to address these threats.
Before the end of the 115th Congress, 15 Democratic senators, led by Senator Brian Schatz (D-HI), introduced the Data Care Act, which would require website and app operators and other online providers to take steps to safeguard personal information and stop the misuse of users’ data.
The bill would require prompt notification of individuals affected by data breaches; prohibit the use of individual identifying data in ways that harm users; and ensure that data protection duties extend to third parties. It would grant the FTC rule-making authority.
Meanwhile, the nonprofit digital rights group Center for Democracy & Technology has drafted a model for a broad national privacy bill, which proposes to set limits on the use, collection and sharing of personal information and also aims to provide individual rights to access, correct, delete and port data.
The Government Accountability Office reports that federal agencies reported more than 35,000 cyber incidents to the Department of Homeland Security in 2017, up from nearly 31,000 in 2016, but substantially fewer than the 77,000+ reported in 2015.
Roughly one in five incidents last year involved violations of agencies’ online use policies, while email and phishing attacks made up another 21 percent. Web-based attacks and misplaced equipment accounted for about 23 percent of incidents. Nearly one-third of attacks didn’t fall neatly within any major category.
Only 6 of the 23 CFO Act agencies have put in place effective information security strategies, and inspectors general at 17 agencies found security shortcomings in their organizations’ financial reporting processes.
Similarly, only 6 agencies reported meeting all nine of the White House’s cross-agency priority goals for cybersecurity, and the OMB found only 13 agencies were managing their overall cyber risk.