DW Weekly #101 – 6 March 2023

Geneva Internet Platform; digwatch Weekly; Capturing top digital policy news worldwide

Dear readers,

This week, we dive into the White House’s new cybersecurity strategy, which marks a fundamental shift away from a decades-long environment in support of self-regulation. In other news, the European Commission has halved its antitrust investigation on Apple’s marketplace practices, whereas China and India announce new plans for development and non-personal data. 

Happy March!

Stephanie and the Digital Watch team


// HIGHLIGHT //

USA’s new cybersecurity strategy: Big companies should take more responsibility for insecure software products and services

The White House’s new National Cybersecurity Plan, released last week, makes a major announcement: The US government will shift the burden of defending cyberspace to large tech manufacturers and software companies and away from individuals, small businesses, and local governments.

In essence, this means new laws – down the line – that will hold large companies accountable for failing to take reasonable precautions to secure their products and services. Down the line, because it’s not something that will be developed overnight. And with the presidential election in 2024, there’s only so much that can be achieved. (Let’s also wait for the strategy’s implementation plan to be published in a few months’ time.)

And yet, this sets the tone for a fundamental shift away from a decades-long environment where the end users (you and me) have been bearing the brunt of digital technologies vulnerable to viruses due to early releases or personal data breaches, which companies failed to adequately prevent. The idea is that companies that fail to meet specific standards will be held liable for any data losses or harm caused by cybersecurity errors that could have been avoided with more rigorous security. They will also be prevented from strong-arming their way out of liability just because they hold market power.

An updated cyber-social contract. This major shift in who should bear responsibility is what Kemba Walden, acting national cyber director, described as a change in America’s cyber-social contract. In a press briefing, Walden explained: ‘Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective.’

Under this reimagined cyber-social contract, the division of tasks between governments and the private sector is quite clear. The strategy explains that ‘in a free and interconnected society, protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.’

On the other hand, ‘government’s role is to protect its own systems; to ensure private entities, particularly critical infrastructure, are protecting their systems; and to carry out core governmental functions such as engaging in diplomacy, collecting intelligence, imposing economic costs, enforcing the law, and, conducting disruptive actions to counter cyber threats.’

The days of self-regulation are numbered. The strategy’s heavy stance on regulation signals a break from two decades of efforts to get companies – including those in critical sectors – to voluntarily strengthen all aspects of their cybersecurity, both internally and in their products, databases, and services. 

Voluntary approaches to cybersecurity are no longer adequate, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger explained during an event in Washington. 

Coalitions for combating ransomware. You may all recall the Biden-Putin summit in Geneva in June 2021, which marked the start of cyber detente (we even ran a monthly newsletter on cyber detente). At the time, the two countries agreed to cooperate to deter ransomware criminal cells (of Russian origin or operating from Russia). Technical work was progressing, until it all went downhill just over a year ago. 

In lieu of such cooperation, the USA is working with its allies (such as through the Counter Ransomware Initiative) to pressure Russia and other countries to disrupt malicious behaviour. Through the new plan, the USA also hopes to strengthen these partnerships and carry out what the USA-Russia cyber detente failed to do, especially in combating ransomware.

Digital policy roundup (27 February – 6 March)
// ANTITRUST //

Apple convinces EU in antitrust probe

In a rare move, the European Commission dropped its complaint against Apple’s in-app purchase mechanism, which obliges music streaming app developers to use the proprietary system if they want to distribute paid content on iOS devices. 

This was one of two complaints. The second – the so-called anti-steering practice, which restricts app developers from informing iPhone and iPad users of alternative music subscription services – is still a concern for the commission’s ongoing anti-competition investigation. 

During an event last week, EU competition chief Margrethe Vestager said ‘We remain concerned about Apple’s anti-steering provisions and its impact on the music streaming market. But we refocused our competition concerns on the direct consumer impact.’

Senior European Commission and national competition officials held a hearing for Apple executives and complainants on 14 February, nine months after the commission sent its first set of objections. The case was initiated in 2020.


// DATA PROTECTION //

EDPB welcomes improvements under EU-US Data Privacy Framework, but concerns remain

The European Data Protection Board (EDPB), the EU’s data watchdog, wants to see the USA’s commitment to limiting US security agencies’ data collection activities not only on paper but also in practice. 

The EDPB’s non-binding opinion on the Draft Adequacy Decision (published by the European Commission in December) welcomes the improvements introduced by a recent executive order, which limits data collection to what is necessary and proportional. However, ‘close monitoring is needed concerning the practical application of the newly introduced principles of necessity and proportionality. Further clarity is also necessary regarding temporary bulk collection and the further retention and dissemination of the data collected in bulk,’ the watchdog said.

An adequacy decision will ultimately confirm that the data of European citizens can be transferred to the USA without additional safeguards.

Digital India Bill to introduce rules for non-personal data sharing

The Indian government is discussing new rules for non-personal data sharing under the draft Digital India law. The rules could include pricing for sharing anonymised data sets and provisions for free government access to boost the efficiency of the government’s welfare schemes.

A public consultation on the basic guiding principles and architecture of the upcoming law will take place on 9 March. Once the consultation process is concluded, the government will release a final draft for consultation. The law will replace the decades-old Information Technology Act.


// GEOPOLITICS //

China unveils plans for developing a digital China by 2035

China’s ambitious new plan for building a digital China by 2035 aims to place the country at the forefront of digital development worldwide. 

Under this new plan, China will apply digital technology more seriously to the economic sector, as well as to the agriculture, manufacturing, finance, education, medical services, transportation, and energy sectors.

On the global front, China also plans to continue participating in multilateral forums, and to cooperate on developing new international rules such as those related to cross-border data flows.

Chinese experts have said that more efforts were needed to strengthen the private sector’s role in the semiconductors sector and to cultivate globally competitive high-tech enterprises.


EU Commissioner for Competition Margrethe Vestager speaks at a podium
(File photo. Credit: European Parliament)
// METAVERSE //

‘It is already time’, says EU competition chief

Speaking during a public event, EU Commissioner for Competition Margrethe Vestager hinted that European policymakers are already looking into metaverse policy. 

She said: ‘digital markets have not fulfilled their promise for small businesses to achieve scale and greater reach with fewer physical barriers to get in their way. We have certainly not been too quick to act – and this can be an important lesson for us in the future. We need to anticipate and plan for change, given the obvious fact that our enforcement and legislative process will always be slower than the markets themselves. For example, it is already time for us to start asking what healthy competition should look like in the metaverse, or how something like ChatGPT may change the equation.’


// AI //

Can an AI machine be granted a patent for an invention?

This is the question which UK Supreme Court judges are deliberating after hearing arguments brought forward on appeal by American inventor Stephen Thaler.

The case involves two patent applications for two inventions which Thaler says were created by an AI machine he owns called Dabus (an acronym for Device for the Autonomous Bootstrapping of Unified Sentience). The case has already been dismissed by the High Court and the Court of Appeal, which ruled that patents cannot be awarded in cases where the inventor is not a natural person. 

Thaler’s attempts at similar applications have also been refused in the EU, the USA, and Australia but a patent was granted in South Africa.

The UK’s Supreme Court is expected to hand down a final judgement in the coming months.

The week ahead (6–12 March)

6 March: The EU commission’s next technical workshop with stakeholders on how to comply with the new Digital Markets Act will address app store-related aspects, including alternative in-app payment systems, steering (a practice which allows developers to inform users about other purchasing options) and sideloading (the process of installing an app which did not come from one of the two main app stores).

6 March: The 19th Annual State of the Net conference, taking place in Washington DC, will bring together internet stakeholders in government and in the private sector to talk about connectivity, cybersecurity, AI developments, and children’s privacy.

6–7 March: The Ad Hoc Committee on Cybercrime, tasked with advancing a new cybercrime convention, is holding the fourth intersessional stakeholder consultation in Vienna and online.

6–7 March: The Council of Europe and the Moroccan Ministry of Justice are jointly organising an international conference on strengthening cooperation on cybercrime and e-evidence in Africa.

6–10 March: The UN Open-Ended Working Group (OEWG), tasked with studying existing and potential threats to information security and possible confidence-building measures and capacity development, will hold its 4th substantive session in New York. Deeper discussions on the points of contact (PoC) directory are expected. There will be quite a few side events too.

6–17 March: The priority theme of the 67th session of the Commission on the Status of Women is ‘Innovation and technological change, and education in the digital age for achieving gender equality and the empowerment of all women and girls’.

7 March: The first ITU Forum on Embracing the metaverse, in Riyadh, Saudi Arabia, will begin ITU’s endeavour to promote metaverse pre-standardisation initiatives. The forum will be followed by the 1st meeting of the ITU-T Focus Group on metaverse on 8–9 March.

8–9 March: European trade association DIGITALEUROPE will host chief EU policymakers and leaders from the private sector for the two-day annual Masters of Digital

8–10 March: The first IGF 2023 Open Consultations and MAG meeting to start setting the programme for October’s meeting in Japan will take place in Vienna and online.  

9 March: Budget day in the USA.

10 March: The ongoing 52nd session of the UN Human Rights Council will include the annual discussion on the rights of the child in the digital age. Kids will take the floor. Consult the latest work programme for the full schedule.

10 March: European trade ministers meeting informally in Stockholm are expected to discuss EU-US trade relations in the context of ongoing work at the EU-US Trade and Technology Council (TTC).

10–12 March: The 2nd session of the European Commission citizens’ panel on the metaverse and other virtual worlds will ask people to identify, discuss and prioritise values and principles that should guide their development.

10–16 March: The ICANN76 Community Forum, to be held in Cancún, Mexico and online, will bring together ICANN supporting organisations, the advisory committee and the broader ICANN community to discuss ongoing issues on domain name system (DNS) management. Preparatory meetings took place last week.


#ReadingCorner

EU Cyber Resilience Act: Enforcing cyber norms far beyond Europe

A new article by our colleague Anastasiya Kazakova looks at the extra-territorial effect that the EU’s upcoming cybersecurity law, the Cyber Resilience Act, will have on products and services developed by the private sector for citizens (these points are also potentially applicable to new US laws imposing liability for cybersecurity flaws once they materialise). Assuming that companies decide not to lower the bar for non-EU users, the new rules will mean that users worldwide will benefit from these stricter requirements. Moreover, EU member states adopting these rules will also contribute to implementing at least three of the norms on responsible state behaviour.

Stephanie Borg Psaila
Director Digital Policy, DiploFoundation
