September 6, 2016

Data, Privacy & Security Practice Report – September 6, 2016


Senators Urge President Obama To Raise Cybersecurity During G20 Summit – In advance of the 2016 Group of 20 (“G20”) Summit, which convened in Hangzhou, China, on September 4 and 5, several Democratic Senators sent a letter to President Obama urging him to make cybersecurity a priority.  The Senators reasoned that discussions regarding cybersecurity in financial institutions “merit attention not only in finance ministries and central banks, but also in executive leadership circles across the globe.”  They suggested the development of a global strategy to combat cyber threats in the international community.

In their letter, the Senators explained that cyber-criminals, whether independent or state-sponsored, imperil the interconnected system of global commerce in a way that very few threats do.  They cited last February’s hacking of the Central Bank of Bangladesh, in which $81 million was stolen from the bank, as an example of the threat.  Hackers in that attack used the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) international messaging service to request nearly $1 billion from an account at the Federal Reserve Bank of New York. 

The Senators contended that global coordination on cybersecurity will serve to safeguard the integrity of the financial system and improve collaboration among international law enforcement and financial regulators to better enable them to pursue terrorist financing.   

The signatories on the letter included Senators Mark Warner (D-VA), a co-founder of the newly formed Senate Cybersecurity Caucus, Gary Peters (D-MI), Sherrod Brown (D-OH), Kirsten Gillibrand (D-NY), Martin Heinrich (D-NM), and Debbie Stabenow (D-MI).  Treasury Secretary Jack Lew and Federal Reserve Chair Janet Yellen were copied on the letter.

President Obama did raise the issue of cybersecurity in his meeting with Russian President Vladimir Putin on the sidelines of the G20 Summit.  In a news conference following his 90-minute meeting with the Russian leader, President Obama said that he urged Putin not to let cyberspace become the “wild, wild west” and issued a warning against a cybersecurity arms race, stating that America had “more capacity than anybody, both offensively and defensively.”  Nevertheless, cybersecurity was not mentioned in the G20 Leaders’ Communique released at the conclusion of the Summit.  

Reporter, Lauren M. Donoghue, Washington, DC, +1 202 626 8999, ldonoghue@kslaw.com.  

DHS Partners With States To Strengthen Election Cybersecurity Infrastructure – Last week, the National Association of Secretaries of State (“NASS”) appointed four secretaries of state to the Department of Homeland Security’s (“DHS”) Election Infrastructure Cybersecurity Working Group (“Working Group”).  The secretaries of state include Denise Merrill of Connecticut (NASS President), Connie Lawson of Indiana (NASS President-elect), Alex Padilla of California (NASS Elections Committee Co-Chair), and Brian Kemp of Georgia (NASS Committee Co-Chair).  

As part of DHS’ newly convened Voting Infrastructure Cybersecurity Action Campaign (“Cybersecurity Campaign”), the Working Group is tasked with helping states manage cybersecurity risks to election and voting systems. 

DHS Secretary Jeh Johnson announced the Cybersecurity Campaign during an August 15 conference call to discuss election cybersecurity with members of NASS and other state election officials.  Through the Cybersecurity Campaign, DHS intends to bring together experts from all levels of government and the private sector to raise awareness of potential cybersecurity threats affecting voting infrastructure, as well as to promote security of the electoral process.  The U.S. Election Assistance Commission (“EAC”), the U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”), and the U.S. Department of Justice (“DOJ”) will also participate in the Cybersecurity Campaign.  During the call, DHS Secretary Johnson invited NASS members to join the Working Group to provide their input and expertise.  

The DHS Secretary also promised state election officials the assistance of DHS in addressing cybersecurity risks related to each state’s election system.  DHS can, for example, help states manage risks to state voting machines, and states can call on DHS’ National Cybersecurity and Communications Integration Center (“NCCIC”) to obtain vulnerability scans, actionable information, and other resources for improving cybersecurity.  In addition, DHS Secretary Johnson encouraged state election officials to implement existing NIST and EAC recommendations related to securing election infrastructure.  

DHS’ increased focus on election security comes amidst several high-profile U.S. political party and election breaches.  The Democratic National Committee reported a breach of its systems by suspected Russian hackers on the eve of the Democratic National Convention in July.  Moreover, the FBI Cyber Division announced that hackers exfiltrated voter registration data from the Illinois Board of Election website in July and attempted an intrusion into Arizona’s voter registration system in June.

Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214, blangner@kslaw.com.

Survey Of Federal Government IT Personnel Finds Big Data Analytics Enhances Cybersecurity; Challenges Persist – On August 29, 2016, MeriTalk, a public-private partnership that works on government Information Technology (“IT”) issues, released a report titled “Navigating the Cybersecurity Equation.”  The report examines how federal agencies use big data analytics in connection with battling cybersecurity threats (the “Cybersecurity Report”).  MeriTalk surveyed 150 federal IT managers in researching the Cybersecurity Report, which found that 81 percent of federal government agencies said their agency uses big data analytics for some cybersecurity-related work.  Nonetheless, data breaches remain a vulnerability; 59 percent of agencies reported that “their agency deals with a cybersecurity compromise at least once a month due to its inability to fully analyze data.” 

The Cybersecurity Report notes that there has been a significant increase in the use of big data analytics—generally, the examination of large volumes of data for trends or patterns—by federal agencies since 2013.  Still, practically harnessing big data remains an uphill battle; the Cybersecurity Report states that “[f]ewer than half of those using big data for cybersecurity (45 percent) say they trust their efforts to be highly effective.”  A majority of agencies reported that the task of gleaning cybersecurity intelligence from vast quantities of data has grown more difficult in the last two years, with survey respondents pointing to challenges like the lack of proper systems to gather cybersecurity information effectively.

Despite these difficulties, the survey found that “[n]early all of big data users (90 percent) have seen a decline in security breaches as a result of using big data and analytics.”  Further, 84 percent of big data users reported being able to successfully thwart a cyber-attack by deploying big data.  The Cybersecurity Report states that federal agencies said “big data is having the most significant impact on advanced threat detection, network monitoring, and authentication” and 94 percent intend to further invest in big data initiatives in the coming years. 

The Cybersecurity Report concludes by indicating that, if big data analytics are effectively used, federal agencies “agree they can improve protection from internal and external cybersecurity threats.”  Accordingly, agencies “must focus on securing the infrastructure, tools, and training necessary” to realize the benefits of big data analytics. 

Reporter, Kyle Sheahen, New York, +1 212 556 2234, ksheahen@kslaw.com.

Regulator Issues Report On Russia’s Data Localization Rules – On September 1, 2016, Russia’s Federal Service for Supervision in the Sphere of Connection, Informational Technologies and Mass Communications (“Roskomnadzor”) issued a report summarizing the results of implementation and compliance control of the data localization rules in force in Russia as of September 1, 2015. 

The data localization rules require data operators that collect personal data about Russian citizens to use databases located in Russia for storing and processing the data.  According to a press release available on the regulator’s website, over the last 12 months, 1,036 privacy compliance audits have been carried out, and 1,882 breaches of personal data regulations detected, out of which only 31 related to data localization rules.

While the details of Roskomnadzor’s audits, as well as its reasoning, are not publicly available, some of the reports coming from the regulator’s regional divisions suggest that in most cases, the audits are focused on documentary confirmation of the fact that personal data is stored and processed on Russia-based servers, rather than on actual examination of technical means employed by data operators.

It is reported that in respect of all detected violations of data localization rules, the parties audited have received Roskomnadzor’s orders to cure the violations, with the cure period of up to six months.

Roskomnadzor indicates that 479 more privacy audits are scheduled to take place before the year-end.

Reporter, Alla Naglis, Moscow, +7 495 228 8504, anaglis@kslaw.com.