European Union - Tagged - Security Boulevard (The Home of the Security Bloggers Network), feed updated Wed, 19 Jul 2023 16:21:33 +0000

Biden Admin. Adds ‘Mercenary Spyware’ Firms to Ban List https://securityboulevard.com/2023/07/biden-intellexa-cytrox-spyware-entity-list-richixbw/ Wed, 19 Jul 2023 16:15:57 +0000

European cousins Intellexa and Cytrox essentially banned by Commerce Dept. — Predator/ALIEN not welcome in U.S.

The post Biden Admin. Adds ‘Mercenary Spyware’ Firms to Ban List appeared first on Security Boulevard.

As Goes GDPR, So Goes AI: EU Leads With Proposed AI Law https://securityboulevard.com/2023/06/as-goes-gdpr-so-goes-ai-eu-leads-with-proposed-ai-law/ Tue, 27 Jun 2023 12:00:36 +0000

The EU has proposed legislation that would govern the use of AI and could be used for a blueprint by other countries looking to put guardrails around the technology.

The post As Goes GDPR, So Goes AI: EU Leads With Proposed AI Law appeared first on Security Boulevard.

GDPR FAIL: US Firm ‘Profiles Half the World’ — it’s Max Schrems Again https://securityboulevard.com/2023/06/gdpr-telesign-max-schrems-richixbw/ Mon, 26 Jun 2023 18:28:25 +0000

NYOB accuses TeleSign, Proximus and BICS of misusing phone users’ private data. Reputation scoring = privacy violation?

The post GDPR FAIL: US Firm ‘Profiles Half the World’ — it’s Max Schrems Again appeared first on Security Boulevard.

Insights into the Digital Services Act: Unveiling the First Designated Very Large Online Platforms and Search Engines https://securityboulevard.com/2023/06/insights-into-the-digital-services-act-unveiling-the-first-designated-very-large-online-platforms-and-search-engines/ Tue, 13 Jun 2023 09:20:42 +0000 https://securiti.ai/?p=45653 The European Union’s Digital Services Act (DSA), which aims to improve consumer rights and protections in the digital realm and strengthen legal certainty, fairness, and harmonization of laws that apply to digital service providers, saw the adoption of the first designation decisions by the European Commission on April 25, 2023. These rulings designated 17 Very […]

The post Insights into the Digital Services Act: Unveiling the First Designated Very Large Online Platforms and Search Engines appeared first on Securiti.

The post Insights into the Digital Services Act: Unveiling the First Designated Very Large Online Platforms and Search Engines appeared first on Security Boulevard.

The EU to the AI Rescue (Again) https://securityboulevard.com/2023/06/the-eu-to-the-ai-rescue-again/ Mon, 05 Jun 2023 12:51:52 +0000 https://medium.com/p/a0e33fb09ecc

Leading the Way in Compliance and Regulations — Thankfully

The Artificial Intelligence Act of 2021, released by the European Union, is an incredible moment that we should not take lightly. As with the General Data Protection Regulation (GDPR), the EU continues to demonstrate the willingness and fortitude to create legislation with clear and concise enforcement elements.

Many US-based regulations continue to be self-enforced and often lack actual enforcement or mandates for compliance. On the surface, the Federal Education Rights and Privacy Act is designed to help protect students’ privacy. Yet most who follow this act are often reminded that it is self-governed by the Department of Education and carries several exemptions, including medical disclosures and notifications.

The AI Act carries several critical components, including a requirement that products containing AI clear an assessment of their capabilities before being allowed within the EU.

While this may seem a bit harmful, most would agree that AI, if left unchecked and unregulated, will continue to morph into something that very few people will have the means to stop. AI that keeps learning from ever more public, and potentially private, data, combined with deep learning, could easily become a force with no means of preventing disaster.

What the EU has done is provide an initial guardrail around AI, requiring medical device companies, technology providers, and other entities to explain their AI capabilities, the impact on the privacy of others, how decisions made by the AI will affect society, and what safeguards are built into the AI.

The EU is banning practices that deploy AI to manipulate or exploit people’s vulnerabilities in ways that may result in physical or psychological harm. The law also curbs the indiscriminate use of real-time remote biometric identification in public spaces by law enforcement, and the use of AI-based social scores by authorities to unfairly disadvantage individuals or groups.

I applaud the EU for their actions. In the rest of the world, “greed” continues to take center stage in the battle for whose AI is better and what impact this capability will have on the bottom line. We are already seeing large companies replace jobs with AI to improve their bottom line.

There is no doubt that AI will change the world. However, thanks to the EU, this disruptive technology may become less destructive in our time.

The post The EU to the AI Rescue (Again) appeared first on Security Boulevard.

Facebook Fined $1.3B — Zuckerberg Furious in GDPR Fight https://securityboulevard.com/2023/05/eu-meta-facebook-fine-gdpr-richixbw/ Mon, 22 May 2023 16:26:28 +0000 https://securityboulevard.com/?p=1975949

GDPR Move for Mark’s Money: No legal way to move Europeans’ data to the US since 2015. Cloud industry better take note.

The post Facebook Fined $1.3B — Zuckerberg Furious in GDPR Fight appeared first on Security Boulevard.

Defending Your Digital Services: An Inside Look at the European Cyber Resilience Act https://securityboulevard.com/2023/02/defending-your-digital-services-an-inside-look-at-the-european-cyber-resilience-act/ Mon, 27 Feb 2023 09:55:51 +0000

Successful cyberattacks against both hardware and software products are becoming disturbingly frequent. According to Cybersecurity Ventures, cybercrime cost the world an estimated 7 trillion USD in 2022. With such a high price tag, it is no wonder that both companies and governments are taking notice. The U.S. led the way with the presidential executive order on Improving the Nation’s Cybersecurity, issued on May 12, 2021. This was followed by the Secure Software Development Framework (SSDF) from NIST, which is slowly becoming an established best practice, required as a matter of course for any software product. The European Union isn’t standing idly by — the European Cyber Resilience Act is a proposed piece of legislation designed to strengthen the cybersecurity of critical infrastructures across the EU.

The feedback-gathering phase for the bill started back in December 2020, but the first draft of the bill was only published on September 14, 2022. Since any such large-scale legislation could have wide-reaching implications, we thought we’d take the dive and try to explain what this bill is all about and who is going to be impacted by it. Let’s start with a brief overview of the proposed legislation.

Breaking Down the Bill: What You Need to Know

The ECRA aims to strengthen the cybersecurity of critical infrastructures across the European Union (EU). The act primarily affects operators of essential services and digital service providers. These are defined in the EU’s existing Directive on the security of network and information systems (NIS Directive) and include, among others, energy, transportation, banking, health, and digital infrastructure sectors.

The proposed act would also apply to digital service providers that are not covered by the NIS Directive, but which offer online services to consumers in the EU. These include online marketplaces, cloud computing services, and search engines.

Since it aims to cover any connected devices not already covered by other EU legislation, it is likely to impact IoT and other connected devices, particularly those that are already on the market.

The proposed act includes a number of measures, such as:

  • The establishment of a cybersecurity certification scheme for operators of essential services and digital service providers.
  • The creation of a cybersecurity information-sharing platform to help organizations share information about cyber threats and incidents. The proposed bill includes a reporting obligation for any cybersecurity event within 24 hours to The European Union Agency for Cybersecurity (ENISA).
  • The adoption of a common methodology for assessing cybersecurity risks and the development of guidelines for risk management.
  • The establishment of a European Cyber Resilience Centre to provide support to member states in the event of a cyber attack.

Importantly, the proposed legislation includes a certification scheme for ICT products, services, and processes. The certification process involves a conformity assessment by a designated conformity assessment body (CAB) to determine whether the product, service, or process meets the requirements specified in the Act. The Act establishes a European Cyber Resilience Certification Board, which is responsible for maintaining the certification scheme and ensuring its consistency across the EU. Regular testing and auditing are meant to continue even once the new board has issued a certificate of conformity to the provider of the product, service, or process in question. Continued monitoring would ensure that compliance with the bill’s requirements doesn’t slack off once a certificate is granted — maintaining compliance is meant to be continuous.

In addition, the ECRA proposes a number of measures to improve cooperation and information-sharing between EU member states and to strengthen the EU’s cybersecurity capabilities. These include the establishment of a European Cybersecurity Competence Center and a network of national cybersecurity coordination centers, as well as the development of a common framework for cybersecurity incident reporting and response. The bill also proposes the establishment of a European vulnerability database so as not to rely solely on the U.S.’s NVD.

The bill also covers market surveillance and enforcement to make sure the new standards are properly observed within all member states and for any covered devices and services offered within the EU market, no matter where they were manufactured.

How Does It Relate to Recent U.S. Best Practices?

As mentioned above, both the U.S. and the EU have set out to upgrade their respective markets’ cybersecurity protections. As such it makes sense to see if any of the new U.S. best practices have found their way into the ECRA.

To those familiar with the SSDF (NIST SP 800-218), some of the ECRA’s language might seem familiar. The bill requires that security be built into products from their inception and not ‘added on’ later. The ECRA includes requirements for the identification and management of supply chain risks, and the proposed European Cybersecurity Certification Scheme, though still not properly defined, would likely require the use of a Software Bill of Materials (SBOM) and secure software development practices.

The proposal also calls for the implementation of technical and organizational measures to secure information systems and data, including the use of strong authentication and encryption, monitoring and detection capabilities, incident response planning, and regular security testing and auditing — all elements clearly defined in the SSDF.

One of the new best practices promoted in the U.S. is the use of the SBOM to track dependencies, vulnerabilities, and software licensing. It is meant to increase product transparency and give manufacturers and users a clearer view of what exactly might be hidden inside a product. While the ECRA doesn’t mention the SBOM explicitly, it is worth noting that the issue of software transparency, which includes the concept of SBOMs, has long been a topic of discussion in the context of the European Union’s cybersecurity strategy. In June 2021, the European Commission released a proposal for a Regulation on Digital Operational Resilience for the financial sector, which includes a requirement for financial entities to use and maintain a “comprehensive and up-to-date inventory of their ICT systems and assets.” This inventory should include “an up-to-date map of the interconnections and interdependencies of the ICT systems and assets and, where relevant, of the respective software and hardware components.”

While this requirement is specific to the financial sector, it does suggest that the European Union is considering the importance of software transparency in ensuring cybersecurity resilience. It remains to be seen whether the European Cyber Resilience Act or other legislative initiatives will include more explicit requirements for SBOMs in the future.

How Is This Bill Going To Affect You?

As the ECRA is not yet final, it is hard to be definitive here. What we can do is draw parallels to another comprehensive piece of EU legislation — the GDPR.

The General Data Protection Regulation (GDPR) is a comprehensive privacy and data protection regulation that the European Union (EU) adopted in April 2016; it went into effect on May 25, 2018. The regulation applies to all organizations that collect, process, or store the personal data of individuals located in the EU, regardless of the organization’s location or the location of the stored data. It imposes obligations on organizations to ensure the security and privacy of personal data, including requirements for data breach notification, data protection impact assessments, and privacy by design and default. Organizations that fail to comply with the GDPR can face significant fines and other penalties.

In the years since the GDPR went into effect, we have noticed a ‘trickle-down’ effect of this regulation. Initially, only organizations that did business in the EU felt they needed to comply. U.S. businesses faced several steep fines for disregarding the regulation’s requirements. Today, even businesses that have nothing to do with EU citizens follow the regulation. It only makes sense to comply, so that if and when you want to sell to Europe there is no need to scramble for compliance.

Overall, the ECRA feels much the same way. With a lot of the world still scrambling to respond to the spike in cybersecurity incidents, any comprehensive and clear legislation designed to mitigate the security shortcomings of software producers has a good chance of being adopted. Again — it makes sense to comply in advance so that if and when you’re ready to sell to the EU you’re already covered.

That means the answer to the question ‘Is this bill going to affect me?’ is a resounding yes if you have anything to do with software manufacturing. It may not affect you out of the gate, but at some point you will need to be compliant, even if only because it is recognized as a new common best practice.

A Final Word: Don’t Get Caught Unprepared

The European Cyber Resilience Act is currently only a proposal and has not yet been adopted by the EU. The proposed act is currently in the legislative process, being reviewed by the European Parliament and the Council of the EU. The bill is expected to undergo several rounds of negotiations and revisions before it is adopted as law. There is a good chance that the act’s final version may change, including the provisions related to product security, certification, and the products and sectors that the bill covers.

It is worth noting that the details of how the act proposes to verify that products meet cybersecurity standards have not yet been fully covered in the published draft. The final version of the act may include more specific requirements for product certification and verification, among many other areas that require clarification. Since the legislation isn’t yet fully realized, industry stakeholders have suggested that it should include more precise definitions, taking into account variations in the creation, functionality, and use of digital products. They made it clear that overly strict cybersecurity requirements run the risk of keeping SMEs out of the market. To show exactly how uncertain things are, an update from December 2022 has already placed SaaS products clearly outside the regulation’s scope.

To give both the EU member states and the relevant product developers time to adjust, the proposed regulation will take effect 24 months after it enters into force, with the exception of the reporting requirement for manufacturers, which will take effect 12 months after the bill becomes law. Two years may seem like a long time, but if you run a small or medium business and suddenly have to follow a whole host of new cybersecurity regulations, that time frame may feel far too short.

Regardless of the exact details, the ECRA represents a significant step forward in the EU’s efforts to enhance cybersecurity and protect critical infrastructure and we can all look forward to a world where most businesses comply with the ECRA as naturally as they inform clients of their cookie collection policy.

You can learn more here.

The post Defending Your Digital Services: An Inside Look at the European Cyber Resilience Act appeared first on Security Boulevard.

EU Has Lost the Plot, Will Ban Encryption — Think of the Children https://securityboulevard.com/2022/05/eu-has-lost-the-plot-will-ban-encryption-think-of-the-children/ Thu, 12 May 2022 18:35:30 +0000 https://securityboulevard.com/?p=1923913

The European Union “is failing to protect children.” Something must be done—and, yes, what they’re proposing is indeed something.

The post EU Has Lost the Plot, Will Ban Encryption — Think of the Children appeared first on Security Boulevard.

NSO Group Spied on European Union—on French Orders? https://securityboulevard.com/2022/04/nso-group-spied-on-european-union-on-french-orders/ Tue, 12 Apr 2022 15:35:29 +0000 https://securityboulevard.com/?p=1920232

An espionage attempt was made by an NSO Group customer to hack the phones of senior EU officials.

The post NSO Group Spied on European Union—on French Orders? appeared first on Security Boulevard.

Facebook’s Threat to Exit Europe—EU Waves Buh-Bye https://securityboulevard.com/2022/02/facebooks-threat-to-exit-europe-eu-waves-buh-bye/ Tue, 08 Feb 2022 17:32:43 +0000

Meta, Facebook’s parent, warned investors that it might need to pull out of Europe. Here’s why …

The post Facebook’s Threat to Exit Europe—EU Waves Buh-Bye appeared first on Security Boulevard.
