Cyber Security Institute


Friday, July 05, 2013

New EU laws approve tougher sentences for cyber criminals

Under new laws the 28 EU member states will be required to set terms of no less than two years in prison for individuals caught illegally accessing information systems, tampering with data, illegally intercepting communications, or creating tools that help commit such offences. This mandated minimum rises to five years if the individuals involved target national systems such as energy plants, public transportation or government servers. The changes also directly address the creation and operation of botnets – groups of hacked computers that are run in tandem to commit offences such as sending out spam and denial of service attacks.


Friday, May 03, 2013

Dutch bill seeks to give law enforcement hacking powers

The Dutch government today presented a draft bill that aims to give law enforcement the power to hack into computer systems—including those located in foreign countries—to do research, gather and copy evidence or block access to certain data. Law enforcement should be allowed to block access to child pornography, read emails that contain information exchanged between criminals and also be able to place taps on communication, according to a draft bill published Thursday and signed by Ivo Opstelten, the Minister of Security and Justice.   Government agents should also be able to engage in activities such as turning on a suspect’s phone GPS to track their location, the bill said. Another problem is tackling distributed denial-of-service (DDoS) attacks that recently have been used to cripple the online services of Dutch banks and DigiD, an identity management platform used by Dutch government agencies.



Tuesday, April 23, 2013

Thailand revising cybercrime law for balance, better security

According to The Nation on Friday, Surangkana Wayuparb, CEO of the Electronic Transactions Development Agency (ETDA), said the agency was arranging a public hearing to allow widespread participation in the law’s revision. Since enforcement of the law began five years ago, there have been requests from several sectors for a review of the Act’s principles and the addition of a number of issues not covered in the original legislation.



Saturday, April 20, 2013

FISMA Reform Passes House on 416-0 Vote

By a vote of 416 to 0, the House passed on April 16 the Federal Information Security Amendments Act of 2013, which updates the Federal Information Security Management Act of 2002. The Federal Information Security Amendments Act, H.R. 1163, would require federal agencies to continuously monitor their IT systems for cyberthreats and implement regular threat assessments. “This bipartisan legislation will address the shortcomings of FISMA by incorporating recent technological innovations, and enhance and strengthen the current framework that protects federal information technology systems,” said the bill’s chief sponsor, Rep. Although most federal agencies have chief information security officers to coordinate IT security activities, the new FISMA legislation would require them to have CISOs to develop, implement and oversee agencywide IT security programs.



Tuesday, February 19, 2013

How will EU cybersecurity directive affect business?

The most obvious effect is that it will mean additional costs for all businesses covered by the proposed directive in terms of creating new processes and acquiring new technology to comply. The directive means that, for the first time, companies will be under a legal obligation to ensure they have suitable IT security mechanisms in place, which is likely to boost IT spending across the EU. The real effect of the proposed directive begins to emerge in the light of the fact that it requires all “market operators” to ensure that the networks and information systems under their control meet minimum security standards, to be laid down by the EU.


Thursday, February 07, 2013

BBC News - EU proposes new cybercrime reporting rules

Over 40,000 firms, including energy providers, banks and hospitals could be required to report cyber-break-ins under new rules proposed by the EU. The EU is keen that member states share information about attacks and shore up their cyber-defences. Under the proposals, each country would have to appoint a Computer Emergency Response Team and create an authority to whom companies would report breaches. These new bodies would decide whether to make the breaches public and whether to fine companies.


Thursday, January 31, 2013

Indian cyber laws lack teeth to bite data hackers

Even as India is planning to connect all major universities through the National Knowledge Network (NKN) and put most of the research papers and academic notes in the pipe, cyber security experts feel that Indian laws are not stringent enough to deal with data hacking incidents.


Saturday, January 26, 2013

Pandora’s Box - New US Cyber Security Bills Create a Worm Hole in the Internet Galaxy

There are two Bills floating through the corridors of power on the Hill that could potentially change the course of civil and political rights within the United States and the world. The two Bills touch on a common thread premised on “national security”; however, there are interesting challenges affecting the global public interest that will surface should the Bills be passed, and these require further examination, introspection and discussion.


Tuesday, June 28, 2011

Federal agency issues new security rules for financial institutions

The federal agency that regulates banks today issued new rules for online security for financial institutions, instructing them to use minimal types of “layered security” and fraud monitoring to better protect against cybercrime.  It’s the first time the Federal Financial Institutions Examination Council (FFIEC) has updated its rules since 2005, and the instructions to regulated financial services today focus on protecting high-dollar Automated Clearinghouse (ACH) transactions that have been targeted by sophisticated cybercrime groups that hijack business PCs in order to initiate fraudulent transactions.


Wednesday, April 13, 2011

Kerry-McCain privacy bill: What you need to know

A privacy bill of rights is something that tech pundits have talked about for years, but now Senators John Kerry and John McCain hope to make it a reality with a bipartisan bill in the Senate called the “The Commercial Privacy Bill of Rights Act of 2011.”  The Kerry-McCain bill would force companies to let users opt out of data collection when used for behavioral ads or transfer to third parties. ...  For sensitive information—religion, health records or other stuff that can cause physical or financial harm if made public—companies would need users’ consent through an opt-in.


Wednesday, August 11, 2010

Small And Midsize Businesses Look For Ways To Cut Compliance Costs

According to The 451 Group, an IT security analyst firm, there are nine different security technologies required for PCI compliance alone: antivirus, firewalls, intrusion detection systems, encryption for data at rest, file integrity, log management, multifactor authentication, a Web application firewall (or a security development lifecycle), and a vulnerability management solution.  Then there are the services: a qualified security assessor, an approved scanning vendor, and in the case of a breach, the qualified incident response assessor.  For small and medium businesses, the costs can be overwhelming, says Joshua Corman, research director for The 451 Group’s security practice.


Thursday, June 10, 2010

Ireland considers detailed data loss disclosure guidelines

The proposed code of practice has been published by the Office of the Data Protection Commissioner on its Web site and is open for public comment through June 18.  The code of practice would require organizations to report a breach within two working days with some exceptions if strong security measures are implemented.  All breaches that result in the loss of personal data affecting more than 100 people would have to be reported unless the personal data was encrypted to a “high standard” with a strong password and that password had not been compromised.


Friday, May 28, 2010

Microsoft Official Calls For Updating Two Key Computer Laws

Microsoft is part of a coalition that is pushing Congress to update the Electronic Communications Privacy Act, which governs government access to electronic communications.  Microsoft Vice President and General Counsel Brad Smith says lawmakers must also update the 1986 Computer Fraud and Abuse Act, the federal law that addresses computer-related crimes such as hacking.


Wednesday, May 26, 2010

C-29: The Anti-Privacy Privacy Bill

Canadian Industry Minister Tony Clement introduced two bills yesterday - the Fighting Internet and Wireless Spam Act (C-28) and the Safeguarding Canadians’ Personal Information Act (C-29).  The author has spoken positively about C-28, which is long overdue and should receive swift passage.  By contrast, C-29 is a huge disappointment.  The bill is also long overdue as it features the amendments to Canadian private sector privacy law from a review that began in 2006 and concluded with a report in 2007.  Just over three years later, the government has introduced a bill that does little for Canadians’ privacy, while providing new exceptions for businesses and new powers for law enforcement (David Fraser has helpfully created a redline version of PIPEDA with the proposed changes).  The centrepiece of the bill is a new security breach disclosure provision, but the requirements are very weak when compared with similar laws found elsewhere.


Tuesday, May 25, 2010

German watchdog tells firms to do own US privacy checks

German privacy watchdogs have told companies to conduct their own checks of US companies’ conduct before passing personal data to them, even if they are signed up to the EU-US ‘Safe Harbor’ data protection scheme.  It has said that companies must not simply take US companies’ word on their compliance with EU privacy principles if they plan to send personal data to them.  European Union laws on privacy are amongst the world’s strictest, and companies are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will be protected as well there as it is in the EU.


Tuesday, May 18, 2010

Cloud Service Users Face Confusing Legal Landscape

Cloud computing has great benefits for businesses but legal uncertainties threaten to hamper adoption, said a group of lawyers speaking during a seminar in Seattle this week.  “We will have to create a robust legal system and we will have to do it sooner rather than later and before we have the cloud computing equivalent of an offshore oil rig blowout,” said Barry J. Reingold, a partner at Perkins Coie in Washington, D.C.


Monday, April 05, 2010

Firms unprepared for new ICO powers

Experts are warning that many firms may still not be aware of new powers granted to data protection watchdog the Information Commissioner’s Office (ICO) which will enable it to fine businesses up to £500,000 for serious breaches of the Data Protection Act (DPA).  The new powers, which it is hoped will act as a deterrent and promote compliance with the DPA, were initially approved by the justice secretary in January after years of lobbying by the ICO, and come into force on Tuesday.


Wednesday, March 24, 2010

Senate Committee OKs Cybersecurity Act

A crucial piece of cybersecurity legislation is one step closer to becoming law after being approved during a Commerce, Science & Transportation Committee hearing Wednesday.  The Cybersecurity Act, S. 773, aimed at protecting critical U.S. network infrastructure against cybersecurity threats by fostering collaboration between the federal government and the private sector firms that maintain that infrastructure, is now on its way to the Senate floor.


Tuesday, December 15, 2009

Sharjah, N.Emirates to Get Cyber Crime Court

A federal court to deal with cyber crime cases in Sharjah and the Northern Emirates will soon be established in Sharjah, according to the Minister of Justice.


Tuesday, March 10, 2009

Massachusetts Data Protection Law Date Extended: What Your Business Needs to Know

For the second time in four months, the Commonwealth of Massachusetts has pushed back the implementation of its new data protection law - one of the toughest in the nation.  Yet even with the new deadline of January 2010, many of the businesses impacted by these stringent data protection requirements won’t be compliant, say industry experts familiar with the new regulation.  The regulation is described by many as the nation’s most cumbersome data security regulation.  It will require all entities that license, store or maintain personal information about a Massachusetts resident to implement a comprehensive information security program—even if the business or entity does not have offices in the state.


Friday, February 27, 2009

PCI council offering “milestones” for compliance

The organization charged with administering the Payment Card Industry Data Security Standard (PCI DSS) is trying to give merchants a compliance blueprint.  The Prioritized Approach Tool offers six “milestones” that businesses should try to reach in their pursuit of compliance, said Lib de Veyra, the newly appointed chairman of the PCI Security Standards Council, which manages the guidelines.


Monday, February 02, 2009

S’pore data protection enforcement needs bite

As it puts together its data protection framework, Singapore can learn from economies such as Hong Kong, such as appointing an official or agency for enforcement, according to a Singapore-based consultant.  Last month, Minister for Information, Communication and the Arts Lee Boon Yang said in Parliament that the work of an inter-ministry committee formed to review Singapore’s data protection regime is still ongoing.  “We’re currently looking into developing a data protection model that can best address Singapore’s privacy concerns, commercial requirements and national interest,” he said.  “As data protection is a complex issue, with extensive impact on all stakeholders, this review will take some time.”


Thursday, October 02, 2008

Second bill tackles laptop border searches

Three U.S. lawmakers announced this week that they had proposed a law to limit the searches of laptops or other electronic devices to cases where customs agents have reasonable suspicion of illegal activity.  The Travelers Privacy Protection Act, a bill written by U.S. Senators Russ Feingold, D-Wis., and Maria Cantwell, D-Wash., and Representative Adam Smith, D-Wash., would allow border agents to search electronic devices only if they had reasonable suspicions of wrongdoing.


UK cybercrime overhaul finally comes into effect

Modifications to the Computer Misuse Act (CMA) - which was enacted in 1990 before the advent of the interweb - were included in the Police and Justice Act 2006.  DDoS doubly illegal from 1 October.


Wednesday, October 01, 2008

New Federal Law Targets ID Theft, Cybercrime

President Bush last week signed into law a bill that seeks to make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains.  The Identity Theft Enforcement and Restitution Act of 2008 lowers the bar prosecutors need to clear before bringing hacking and other cybercrime charges against an individual.  The new law allows federal courts to prosecute when the cybercriminal and the victim live in the same state.


Monday, September 15, 2008

UN Agency Working On Tech Standards To Get Rid Of Anonymity

Declan McCullagh has a somewhat scary report about how the UN’s International Telecommunication Union has been quietly working away on a proposal for new core internet technology that would allow a “traceback mechanism” to effectively get rid of anonymity, and allow those with access to identify who provided any particular piece of content.


Thursday, June 26, 2008

Web firewalls trumping other options as PCI deadline nears

Companies scrambling to comply with a Web application security requirement due to take effect next week appear to be heavily favoring the use of Web firewall technologies over the other options that are available under the mandate, according to analysts.  The mandate from the major credit card companies is the latest adjustment to the Payment Card Industry Data Security Standard (PCI DSS).  Essentially, it requires all entities accepting payment card transactions to implement new security controls for protecting their Web applications.


Saturday, May 03, 2008

Groups warn travelers to limit laptop data

A recent federal district court ruling upholding seizures of electronic devices, such as laptops and iPhones, at the U.S. border has traveler- and civil-rights organizations worried that personal and sensitive data could be put at risk.  On Thursday, almost three dozen organizations—including civil-rights advocates, academic groups, and religious and minority groups—sent an open letter to four congressional committees, asking that their members consider legislation to “protect all Americans against suspicionless digital border inspections.”


Thursday, April 24, 2008

US court says IP addresses are private

A US court has ruled that users have a “reasonable expectation of privacy” in their internet surfing records and that police must obtain warrants from higher than usual courts in order to force ISPs to hand over records.


Wednesday, April 23, 2008

Two additional supplements for PCI

The PCI Security Standards Council announced the availability of two Information Supplements providing further clarification for PCI DSS requirement 11.3, regarding penetration testing, and Requirement 6.6, regarding application code review and application firewalls.  Both of these information supplements provide guidance to help merchants and service providers meet these two requirements in support of their PCI DSS compliance efforts.