At a glance.

  • The latest version of the ADPPA limits targeted ads.
  • Senators introduce quantum security bill.
  • Tips on applying for the US Rotational Cyber Workforce Program 
  • More on the SEC’s cyberincident disclosure rules.
  • TSA’s revised pipeline cybersecurity regulations.

The latest version of the ADPPA limits targeted ads.

Since the US Congress released its first draft of the American Data Privacy and Protection Act (ADPPA) in June, the measure has undergone a massive overhaul. Wired takes a look at the newest version, which privacy advocates are hopeful could win bipartisan approval. The bill focuses on data minimization, specifying seventeen permitted purposes for data collection, and prohibiting companies from collecting data that falls outside of these parameters. This approach represents a major shift from privacy bills like the EU’s General Data Protection Regulation, which instead emphasize user consent. Sara Collins, senior policy council at consumer advocacy group Public Knowledge, told Wired, “The bill at the outset is like, ‘One, you don’t collect any more data than you reasonably need, and, two, here’s a list of reasons you might need this data.’” The ADPPA allows targeted advertising, but sets strict limits, prohibiting the collection of sensitive data like health info, geolocation, or browser history, and completely banning targeting ads to minors. Borrowing an idea from California’s recently passed privacy law, the bill directs the Federal Trade Commission to create a standard for a universal opt-out setting that would allow users to easily decline all targeted advertising.

Of course, not everyone is pleased. Some privacy advocates are disappointed that the ADPPA would preempt existing state privacy laws and does not direct any additional resources to the Federal Trade Commission to support its privacy efforts. Understandably, the ad industry is less than enthusiastic about the bill’s restrictions on targeted advertising, and last week the Association of National Advertisers issued a statement in opposition of the bill, claiming it would “prohibit companies from collecting and using basic demographic and online activity data for typical and responsible advertising purposes.”

Senators introduce quantum security bill.

On Thursday US Senators Rob Portman of Ohio and Maggie Hassan of New Hampshire co-sponsored a bipartisan cybersecurity bill focused on improving the federal government’s quantum computing defenses, the Hill reports. “The development of quantum computers is one of the next frontiers in technology, and with this emerging technology comes new risks as well,” Hassan stated. The measure would require all federal agencies to maintain the most up-to-date cybersecurity protections, with the Office of Management and Budget (OMB) creating guidance for a systems assessment one year after the National Institute of Standards and Technology releases its forthcoming post-quantum cryptography standards. OMB would also be required to send an annual report to Congress detailing how those cryptography standards are being upheld. 

Tips on applying for the US Rotational Cyber Workforce Program 

The recently passed Federal Rotational Cyber Workforce Program Act gives federal personnel in information technology, cybersecurity, or other cyber-related positions the opportunity to temporarily try on cyber workforce positions in other agencies. Several departments and offices will be involved in the implementation of the program, with the Office of Personnel Management (OPM) developing a list of eligible positions, and the Government Accountability Office assessing and reporting on the program’s outcomes. Jennifer Miller, a business operations manager at the Defense Health Agency, shared with SIGNAL her advice for employees considering the program. She urges applicants to work with OPM to learn more about the available cyber career fields and their necessary knowledge, skills, and abilities (KSAs). She also recommends joining professional associations related to rotational areas of interest, and perhaps volunteering at a national or local level to minimize any KSA gaps. 

More on the SEC’s cyberincident disclosure rules.

Security Info Watch offers an overview of what to expect from the US Securities and Exchange Commission’s (SEC) upcoming rules regarding disclosure of cybersecurity incidents impacting publicly traded companies. Requirements will likely include reporting about “material” cybersecurity incidents, updates on previously reported incidents, disclosure of a company’s risk identification and management policies, and details on the cybersecurity expertise of both the board of directors and management. While many companies already disclose this information, SEC Chair Gary Gensler stated, “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.” Jason Rader, Global Vice President for Security and Chief Information Security Officer at Insight Enterprises, agrees that the new rules will motivate companies that have historically been behind in their reporting practices, as well as companies that have tried to intentionally circumvent reporting rules. He also sees the rules regarding board oversight as a necessary improvement, as the level of engagement from high-level management differs from company to company. “Definitely engaging the CISO with the board and feeling comfortable reporting and talking about risk with the board is a good starting point,” Rader states. 

Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4, commented:

“All companies need to start preparing for quantum computer attacks now. Starting with taking a data protection inventory, identifying data that needs to be protected for more than a few years, figuring out the effective cryptography, and then figuring out which of the quantum resistant protections they need to implement. Every company needs to budget for and start a quantum defense team project now. It’s going to take most organizations many years to do. And unfortunately, almost no company is even aware of what’s coming.”

TSA’s revised pipeline cybersecurity regulations.

The US Transportation Security Administration (TSA) has revised the pipeline cybersecurity regulations are year after they were issued in the wake of the Colonial Pipeline ransomware attack. The revised guidelines have received some positive reviews from industry. Thomas Pace, former DoE head of cybersecurity and CEO of XIoT cybersecurity firm, NetRise, sees firmware patching as a key element of the revised policy:

“The updated TSA guidelines include a very key component around patching firmware vulnerabilities on critical cyber systems. At this point, most oil & gas operators lack the visibility into what firmware is actually running on their XIoT systems, let alone what vulnerabilities those devices house. Unlike IT systems, XIoT devices are often running a variety of vulnerabilities unknown to both the operators who run them and manufacturers that build them. For this to be a realistic ask of oil & gas operators, TSA and CISA need to rally around trusted tools to scan firmware for vulnerabilities and create more information sharing through required software bill of materials (SBOMs) to make sure everyone’s eyes are wide open.”

Ben Miller, Vice President of Services at Dragos, approves of a regulatory approach that’s as much conversation as it is command:

“We appreciate that the Biden administration is continuing to make OT/ICS cybersecurity for critical infrastructure like the nation’s pipelines a priority and we are wholly supportive of TSA’s new directives that include extensive input and lessons learned from industry stakeholders and a year of collaboration. The new focus on performance-based, rather than prescriptive, measures to achieve strategic cybersecurity outcomes and to accommodate differences in systems and operations will help support the distinct needs and challenges of the sector and of individual companies. In addition, TSA will partner and work with owners and operators to set dates and other decisions, making it a conversation rather than a command, and help to refine tactical execution. Further, the focus on continuous monitoring and auditing to assess the achievement of outcomes, as well as the approval to use compensating controls, represents a major improvement for all pipeline owners and operators. This revised directive aligns with industrial cybersecurity standards globally and lifts the industry overall, putting oil and gas companies in a better position to address the evolving and intensified threat of cyberattacks and to improve resiliency throughout our nation’s infrastructure.”