US BIS to propose rule for securing connected vehicle supply chains

The Bureau of Industry and Security (BIS) of the US Department of Commerce has introduced a Notice of Proposed Rulemaking to address national security risks associated with the connected vehicle supply chain, particularly concerning foreign adversaries such as China and Russia. Building on Executive Order 13873, which focuses on securing the US information and communications technology supply chain, the proposed rule outlines three main categories of prohibited transactions.

The first is importing vehicle connectivity system (VCS) hardware from entities owned or controlled by China or Russia. The second is selling completed connected vehicles that incorporate software developed by these foreign adversaries. The third restricts manufacturers linked to these countries from selling connected vehicles in the US.

The rule also sets out compliance mechanisms: annual Declarations of Conformity certifying adherence to the regulations, and general and specific authorisations for certain otherwise prohibited transactions. It further imposes recordkeeping requirements, under which documentation supporting compliance declarations must be retained for ten years.

Notably, the software prohibitions are set to take effect for model year 2027, while the hardware prohibitions begin with model year 2030. Violations of the proposed rule may incur significant penalties: civil fines of up to $368,136 per violation and criminal penalties of up to $1 million. The regulatory framework reflects the US government’s commitment to safeguarding national security by regulating the import and sale of connected vehicle systems tied to foreign adversaries.

Why does it matter?

The proposed rule underscores the importance of compliance for stakeholders in the automotive and technology sectors: any company whose supply chain touches VCS hardware or software will need to map the ownership and control of its suppliers and be ready to certify conformity annually, and must stay vigilant as these new regulatory requirements take shape.

Oman’s TRA to safeguard children online

The Telecommunications Regulatory Authority (TRA) in Oman has launched several initiatives to protect children online, responding to statistics showing that nearly 86% of children in the Sultanate use the internet. A substantial portion of this demographic spends considerable time online (43.5% use it for information searches and 34% for entertainment and communication), and the authority is actively pursuing a proposed law to regulate children’s internet activities.

The initiative adopts the definition of a child in Oman’s Child Protection Law No. 22/2014, namely anyone under 18, which matches the definition used by the ITU. Among the initiatives are the ‘Be Aware’ national awareness campaign, which educates families on safe internet practices; the Secure Net programme, developed in partnership with Omantel and UNICEF to offer parental control features; and the Safe Net service, designed to protect users from online threats such as viruses and phishing attacks.

Through these efforts, the TRA is committed to promoting a safe and responsible digital environment for children in Oman. By addressing the growing challenges of internet usage among minors, the authority aims to foster a culture of awareness and security that empowers families and protects the well-being of the younger generation in the digital landscape.

New wave of online scams targeting young crypto users

Coinbase has warned Gen Z users about the increasing threat of online scams, particularly those targeting cryptocurrency investors. In a recent blog post, the platform highlighted four major risks – social media fraud, romance scams, fake websites, and recovery schemes. The company stressed the importance of personal responsibility when securing crypto assets, as users are their own safeguards in the decentralised crypto world.

Among the scams discussed, fraudsters frequently use social media platforms like Instagram and TikTok to lure victims by impersonating public figures or promoting fake investment opportunities. Romance scams that escalate into fake investment pitches, known as ‘pig butchering’, were another key threat, with scammers building fake relationships over weeks or months before steering victims into fraudulent platforms. A recent scam in Vietnam saw victims lose over $700,000 through such a fraudulent investment platform.

Coinbase also pointed out the dangers of fake websites that mimic legitimate companies to trick users into providing sensitive information or funds. The platform encourages users to stay vigilant and report suspicious activity to law enforcement or platforms like Coinbase, helping prevent others from falling victim to similar fraud.

Ghana to launch new cybersecurity policy

Ghana has launched its revised National Cybersecurity Policy and Strategy (NCPS) to tackle the escalating cybersecurity threats arising from its rapid digital transformation. The comprehensive framework is designed to address current cyber risks and anticipate emerging ones, ensuring that Ghana’s digital infrastructure remains resilient and secure over the next five years.

The initiative was officially unveiled at the opening ceremony of the 2024 National Cybersecurity Awareness Month (NCSAM) in Accra, with participation from high-ranking officials, including the leadership of the Ghana Armed Forces, and key cybersecurity stakeholders. The policy rests on five pillars, mirroring those of the ITU Global Cybersecurity Index: Legal Measures, Technical Measures, Organisational Measures, Capacity Building, and Cooperation.

Why does it matter?

The NCPS addresses the rapid digitalisation occurring across critical sectors such as finance, healthcare, education, and commerce at a pivotal moment for the nation. While these advancements offer substantial socioeconomic benefits, they also expose the nation to significant cyber risks that could jeopardise economic stability and public safety.

By implementing the NCPS, Ghana aims to strengthen its defences against these threats, protect its digital achievements and ensure sustainable technological progress. Minister Ursula Owusu-Ekuful described the policy as a vital roadmap for addressing current and future cyber threats, and stressed the importance of public-private collaboration in bolstering the country’s overall digital resilience.

Japan’s move toward active cyber defence: a strategic shift in national security

On 10 September, the Liberal Democratic Party (LDP) proposed a groundbreaking system of ‘active cyber defence’ (Nōdō-teki saibā bōgyo) for Japan. This initiative, presented to Prime Minister Fumio Kishida by former Defense Minister Itsunori Onodera, aims to bolster national cybersecurity by allowing the government to collect and analyse metadata from domestic telecom providers. The goal is to detect potential cyber threats early and take pre-emptive actions to prevent attacks.

Onodera, who chairs the LDP’s Security Research Commission, emphasised the critical importance of this system for Japan’s national security. The proposal acknowledges the need to limit data collection to comply with Japan’s constitutional protection of ‘secrecy of communications’ under Article 21.

The push for heightened cyber defences gained momentum in April 2022, when former US Director of National Intelligence Dennis C. Blair warned Tokyo that Japan’s cybersecurity measures lagged behind its allies, especially the US. Blair’s recommendations called for Japan to establish stronger cyber leadership, create institutions akin to the US National Security Agency (NSA) and Cyber Command, and enhance collaboration with the US Joint Cyber Defense Collaborative (JCDC).

The current LDP’s proposal is a key part of Japan’s broader national security overhaul, as reflected in the revised National Security Strategy (NSS), National Defense Strategy (NDS), and Defense Buildup Program (DBP), approved by the Japanese government in December 2022. The NSS acknowledges the growing cyber threats, particularly from China and Russia, and emphasises the need for active cyber defence, the procurement of counterattack capabilities, and investment in advanced technologies like AI and unmanned weapons systems.

In the cyber domain, the shift toward ‘active cyber defence’ marks a significant change. Japan plans to create a new organisation to oversee cybersecurity policies and coordinate efforts. The Ministry of Defense will increase its cyber personnel from 1,000 to 4,000 ‘cyber warriors’ and provide training to 16,000 JSDF members over the next five years.

To implement these changes, revisions to existing laws, such as the Telecommunications Business Act and the Act on Prohibition of Unauthorized Computer Access, are expected. This would allow Japan to carry out administrative (non-judicial) interception of communications metadata, bringing it in line with practices in other Western nations. With these measures, Japan aims to strengthen its cybersecurity posture and safeguard critical infrastructure from growing cyber threats.

FTC pushes Marriott to improve cybersecurity after data breaches

Marriott International will implement an information security program following a settlement with the US Federal Trade Commission (FTC) over data breaches that impacted more than 344 million customers between 2014 and 2020. The settlement requires Marriott and its subsidiary, Starwood Hotels & Resorts Worldwide, to address the vulnerabilities that led to multiple breaches over several years.

The hotel chain also agreed to provide US customers with a way to request deletion of their personal data linked to their email address or loyalty rewards account. In addition, Marriott will review loyalty rewards accounts upon request and restore stolen points. A separate settlement sees Marriott paying $52 million to resolve similar data security claims across 49 states and the District of Columbia.

Marriott has stated that protecting guests’ personal data remains a top priority and that the company continues to invest heavily in improving its cybersecurity measures. However, Marriott did not admit liability for the breaches in either the FTC settlement or the agreements with state Attorneys General.

In 2020, the company faced a class action lawsuit in London brought by millions of former guests seeking compensation after their personal information was compromised during the breaches, considered one of the largest in history.

Google enhances Android security with new anti-theft tools

Google is gradually rolling out new security features to protect user data, focusing on preventing unauthorised access in cases of theft. The latest tools, which include Theft Detection Lock, Offline Device Lock, and Remote Lock, were announced in May and are becoming available on various Android devices.

Theft Detection Lock uses an on-device AI model to lock the screen when it detects motion commonly associated with theft, such as someone snatching the phone and running or driving away. Offline Device Lock automatically secures the screen if a phone stays offline for an extended period, closing the window in which a thief disables connectivity to block remote wipes. Remote Lock lets users lock their phone from another device using only their phone number, even if they cannot sign in to Find My Device.

Some users have reported seeing the features on devices like the Xiaomi 14T Pro, though others may need to wait as Google rolls out these updates over time. Users are encouraged to ensure their Google Play Services are updated to potentially access these features sooner.

The new security options are supported on Android 10 and up for Theft Detection Lock and Offline Device Lock, while Remote Lock works on devices running Android 5 and higher.

American Water disconnects systems after cyberattack

American Water, a major US utility, has disconnected parts of its computer network following a cybersecurity incident. The company, which serves over 14 million people, paused billing and customer service as a precaution.

The utility detected unauthorised activity on its systems on 3 October, prompting it to disconnect several systems immediately. The step was taken to safeguard customer data and prevent further harm to its IT environment.

Based in New Jersey, American Water has not yet provided further details about the nature of the breach. US critical infrastructure operators have, however, faced numerous cyberattacks in recent years, often from criminals seeking cryptocurrency ransoms.

Such cyberattacks are known to cripple services, and American Water’s measures aim to mitigate the potential impact on its operations and customers.

New Google feature highlights verified companies

Google is testing a new feature that adds blue check marks next to verified companies in its search results to help users identify trustworthy sources, a company spokesperson confirmed on Friday. This move aims to protect users from fraudulent websites that impersonate official businesses, potentially spreading false information and damaging brands.

The spokesperson mentioned that Google frequently tests new features to help users identify credible businesses online, with this checkmark initiative being a limited trial. While Google already employs automated systems to block ‘scammy’ or fake content from its search results, this additional feature offers an extra level of verification.

According to The Verge, some users have noticed these blue checkmarks next to official site links for companies like Microsoft, Meta, and Apple. However, the feature is not yet widely available, suggesting that Google is still in the early stages of testing.

Atos aims for strategic government deal

Atos, the French IT firm, is pushing forward with efforts to sell its most strategic assets, including cybersecurity and supercomputing units, to the French government. The company, which supports the country’s military and secret services, announced that despite the expiration of an initial offer, discussions remain open, with a new proposal already submitted.

The company has been undergoing financial restructuring, having secured an agreement with key creditors earlier this year. The government in France, keen to retain control over critical technology, intends to continue negotiations and has promised a revised acquisition plan soon.

Atos shares have experienced a severe decline, falling 0.6% in early Paris trading and down 90% overall this year. Concerns over the country’s budget deficit, expected to reach 6.1% of GDP this year, may affect the government’s ability to mobilise the necessary funds for the acquisition.

The strategic assets at stake include Atos’ Advanced Computing, Critical Systems, and Cyber Products units. These divisions employ around 4,000 people and generate nearly €900 million in annual revenue. Any deal would require approval from the Nanterre Commercial Court, with a decision expected later this month.