Category: Regulations

To disable a botnet it is necessary to access the command and control servers that control the botnet which can be located in a foreign country, according to the bill. The new investigative powers would also allow law enforcement to infiltrate computers or servers located in foreign countries if the location of those computers cannot be determined.

“It is important that the government wants to combat cybercrime but this proposal is rushed: it is unnecessary and creates new security risks for citizens,” said Simone Halink of Dutch digital rights organization Bits of Freedom in a blog post on Thursday.

At the moment the draft bill is in the consultation phase, meaning parties involved such as the police and other law enforcement as well as citizens and advisory bodies will be able to comment on it, ministry spokesman Wiebe AlkemaA said. Following that, the bill will be sent to sent to the Council of Ministers after which it will be sent to the Dutch Council of State, an advisory body on legislation.

Link: http://m.networkworld.com/news/2013/050213-dutch-bill-seeks-to-give-269341.html?mm_ref=http%3A%2F%2Fhackerattacks.einnews.com%2Farticle%2F148868025%2FMqlS6swIW71VD0gY%3Fn%3D2

Surangkana also explained the law left gaps in the cybercrime and the cyber environment, so people are still concerned about the balance between freedom of speech and the exercise of authority to maintain the right to privacy.

Meanwhile, other countries’ governments have better realisation and awareness on information security, which is a sensitive issue involving a balance between security and the liberty of people as a whole,” Surangkana said.

The draft revision of the computer crime law is expected to be completed in the next six months, following which, the ETDA will then conduct a further public hearing before submitting the draft for the Cabinet’s approval.

She said that the agency had established focus groups covering five areas–freedom of speech, law enforcement, consumers and victims, hardcore security versus professional security, and evaluation and revision of computer crime law–to balance and develop the law to protect against threats, the country and all those in the cyber-security environment.

However, the overall revision of computer crime law is expected to take three years, and will include the development of best practices and a code of conduct to encourage the law’s use against new threats and cybercrime from the Internet. For example, it will cover the rights of Internet users, especially students who develop their own blogs and websites to disclose private information, a practice which open to abuse and often risky online.

Link: http://www.zdnet.com/th/thailand-revising-cybercrime-law-for-balance-better-security-7000014389/

The bill addresses a perceived shortcoming of FISMA, which promoted a checkbox mindset in the federal government, where grading agencies on the security items they can check off a list to impress auditors seemed more important than monitoring systems continuously to determine if they’re secure.

Absent from the Federal Information Security Amendments Act are provisions that would grant the Department of Homeland Security increased authority to oversee federal civilian agencies in the implementation of information security. The Obama administration, backed mostly by Senate Democrats, has ceded some of the Office of Management and Budget oversight of government IT security to DHS, and the Cybersecurity Act of 2012 would have codified that. Distrust exists among some lawmakers about giving that kind of authority to DHS, and contention last year over Homeland Security’s role in governing IT among civilian agencies is one (but not the only) reason the Cybersecurity Act never came up for a vote.

Under the Cybersecurity Enhancement Act, approved 402-16, the National Science Foundation, National Institute of Standards and Technology and other key federal agencies would develop and implement a strategic plan for federal cybersecurity research and development. NIST would be required to have a specific focus on the security of the industrial control systems that run critical infrastructure, such as the power grid, and identity management systems that protect private information.

Link: http://www.govinfosecurity.com/fisma-reform-passes-house-on-416-0-vote-a-5694?rf=2013-04-19-eb&elq=5a344ab33c544dcaa0986c8c9693692a&elqCampaignId=6502

“This is huge,” said Stewart Room, partner at FFW, because the directive recognises that anything on the web that permits anyone to sell anything, offer information or engage with the rest of the world requires as much regulation as a telecommunications company.

This is the logical next step of an EU directive introduced in 2009 that required telcos and internet service providers not only to report all breaches of personal data, but also introduced a separate legal obligation to report all other data breaches in the interests of cyber security.

The important thing to note is that the proposed directive introduces the idea of a “market operator” which currently covers not only providers of information society services and critical infrastructure, but also organisations that fall into six broad categories.

In addition to the obvious large firms like Amazon, iTunes, PayPal, Google, LinkedIn and Facebook, the proposed directive will affect a whole range of other smaller organisations, potentially even down to the level of small family-owned businesses, said Room.

Theoretically, this will have the positive effect of improving the security and resilience of all networks and information systems, but this is a classic case of having to “be careful what you wish for,” he said, because the cost implications for businesses large and small could be enormous.

Whether or not the cyber threat is as bad as the EU, US and security technology suppliers are making it out to be, network and information system security will be the cost of doing business in a cyber-enabled world as old business models fade away and slip into history.

Not every company is as rich as Google, Facebook and the like, and this proposed directive will not only affect those big companies, much smaller ones will be covered too “The big problem is not every company is as rich as Google, Facebook and the like, and this proposed directive will not only affect those big companies, much smaller ones will be covered too,” said Room.

Link: http://www.computerweekly.com/news/2240178256/How-will-EU-cybersecurity-directive-affect-business?utm_medium=EM&asrc=EM_ERU_20700092&utm_campaign=20130220_ERU%20Transmission%20for%2002/20/2013%20(UserUniverse:%20635379)_myka-reports@techtarget.com&utm_source=ERU&src=5109056

Announcing the changes, Ms Kroes said: “Europe needs resilient networks and systems and failing to act would would impose significant costs on consumers, businesses and society.”

According to the EU, only one in four European companies has a regularly-reviewed, formal ICT security policy.

A recent study by accountants PwC suggested that three quarters of UK small businesses, and 93% of large ones, had recently suffered a cybersecurity breach.

Link: http://www.bbc.co.uk/news/technology-21366366