State Department Establishes Cybersecurity Bureau
The U.S. Department of State on April 4 launched a new Bureau of Cybersecurity and Digital Policy (CDP). The bureau will focus on national security challenges and economic opportunities related to cybersecurity and digital rights. It will consist of three units: International Cyberspace Security, International Information and Communications Policy, and Digital Freedom. According to a statement from the State Department, the CDP, “leads and coordinates the Department’s work on cyberspace and digital diplomacy to encourage responsible state behavior in cyberspace and advance policies that protect the integrity and security of the infrastructure of the Internet, serve U.S. interests, promote competitiveness, and uphold democratic values.” And according to CNN, “The new bureau is aimed at putting more diplomatic personnel and expertise toward State Department priorities such as shaping norms of responsible government behavior in cyberspace and helping US allies bolster their own cybersecurity programs.
“As what’s happening in Ukraine and Russia illustrates, we’re in a contest over the rules, infrastructure, and standards that will define our digital future,” Secretary of State Antony Blinken said.”’
U.S. Intelligence Community Gets New CIO
Adele Merritt will assume the position of permanent Chief Information Officer for the U.S. intelligence community. Merritt has been in the role since January, but an announcement last week by Director of National Intelligence Avril Haines cemented her position. A longtime government IT leader, Merritt will oversee the deployment of a new Intelligence Community Information Technology Enterprise initiative according to FedTech, which is designed to focus on four key goals: “a mission-driven enterprise, security, interoperability and supporting the deployment of emerging technology.” Merritt will also oversee a shift to a multi-cloud approach, where cooperation amongst various cloud providers will be incentivized by the intelligence community, which seems to be aligning itself with the Biden administration’s push for stronger cybersecurity and data protection practices.
Ransomware Facilitator Hit With Sanctions
As cryptocurrency enters the mainstream, governments are working to regulate the industry and its players. On April 5, the U.S. Department of Treasury Office of Foreign Assets Control (OFAC) moved to sanction the Russian-based, dark web cryptocurrency exchange known as Hydra Marketplace, as well as the Estonia-based virtual currency Garantex. Both entities were added to the department’s Specially Designated Nationals List (SDN). Hydra and Garantex have been used to facilitate ransomware payments According to Secretary of the Treasury, Janet Yellen, the move sends a message to cybercriminals: “that you cannot hide on the darknet or their forums, and you cannot hide in Russia or anywhere else in the world.”’ If your organization is hit with a ransomware attack and asked to make a ransom via Hydra, or another entity on the SDN list, think again. Doing so would place your organization in direct violation of OFAC’s Sanctions Compliance Guidance for virtual currency, which can be viewed here.
Colorado AG Issues Early Guidance on Data Security
Ahead of implementing the Colorado Privacy Act, which will take effect July 2023, Colorado Attorney General (AG) Phil Weiser recently released guidance outlining best practices for data protection that affected entities should start complying with now. To see if you’re a covered entity, read our report here. Per Mondaq, Weiser’s guidance includes the following directives: Inventory types of data collected and establish systems to store and manage data; Develop a written information security policy; Adopt a written data incident response plan; Manage vendors’ security; Train employees to prevent and respond to cybersecurity incidents; Follow the Colorado Department of Law’s ransomware guidance; Notify affected individuals and the Colorado AG of a breach, as required under law; Protect individuals affected by a data breach from identity theft and harm; and Review and update security policies regularly.
* * * * * * *
For an in depth discussion on the steps your organization can take now to keep pace with the constantly shifting cybersecurity and data privacy threats, read our recently published article here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.