John Pescatore - SANS Director of Emerging Security Trends
This week’s Drilldown will focus on two items (included below) from the only NewsBites issue of the holiday-shortened (for the U.S., anyway) week, Issue 52, both of which involved new or changing legislation.
The two pieces of legislation referenced (the rewriting of the U.K.’s Computer Misuse Act and, in the U.S., Michigan passing a law banning employers from requiring implanted chips for employees) bring to mind two often diverging views about legislation overall:
“A good compromise, a good piece of legislation, is like a good sentence; or a good piece of music. Everybody can recognize it. They say, 'Huh. It works. It makes sense.'”
President Barack Obama
“You do not examine legislation in the light of the benefits it will convey if properly administered, but in the light of the wrongs it would do and the harms it would cause if improperly administered.”
President Lyndon B. Johnson
The U.K. Computer Misuse Act (CMA) is similar to the U.S. Digital Millennium Copyright Act (DMCA) in that the major intent was to give prosecutors a legal basis to go after those who break into computers or disclose vulnerabilities to others who then break into computers. Of course, that is exactly what penetration testers and security researchers do. The CMA and DMCA wordings have always failed the test mentioned by both President Obama and President Johnson: they just didn’t make sense, and the harms of improper application were obvious.
It is hard to be against any law that prevents businesses from drilling holes in their employees, but technology-specific laws almost always have unintended consequences. What if future vaccines are most efficiently delivered by implanted chips, for example?
Now, of the three major factors that cause breakage in cybersecurity programs (changes in business use of technology, changes in threat and new legislation), legislation generally has the least impact. It often raises the cost of demonstrating compliance (either through increased reporting or by requiring low-gain actions to be taken), but legislation is usually so far behind technology and threat changes that the major issues raised in cybersecurity legislation have little real business impact.
However, privacy laws and regulations are different. They focus on the rights of individuals and their data and often conflict with what companies would like to do with that information. Even in periods of slowly changing threats and technologies, societal norms around privacy can change drastically. While threats and technologies are pretty much the same globally, privacy norms differ by country, by state/locality and even by labor agreement. The impact of the European General Data Protection Regulation and of the U.S. California Consumer Privacy Act are powerful examples.
CISOs should keep CXOs and Directors aware of meaningful changes in legislation proactively, especially around new privacy legislation.
British Tech Companies Urge Reworking of Computer Misuse Act
(June 29, 2020)
A group of British technology organizations and individuals signed a letter to Prime Minister Boris Johnson, urging him to act to reform the Computer Misuse Act (CMA). The law was created 30 years ago, when less than one percent of the U.K.'s population used the internet and "the concept of cyber security and threat intelligence research did not exist." The letter also notes that "the CMA inadvertently criminalises a large proportion of modern cyber defence practices."
[Neely] Writing legislation that stands the test of time is challenging, particularly in this space where both technologies and practices evolve rapidly. As such, it is optimal to include a plan for review and updating cyber legislation at the outset.
[Murray] We have often noted here that drafting legislation that has only the intended results while avoiding unintended consequences is difficult. On the other hand, we have a much better understanding of computer misuse and abuse than we did 30 years ago. It is time to undertake the task of replacing the CMA and CFAA (Computer Fraud and Abuse Act).
Read more in:
BBC: Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform
Reg Media: Letter to Prime Minister Boris Johnson (PDF)
Michigan House of Representatives Passes Bill Prohibiting Employers from Requiring Implanted Microchips for Workers
(June 29, 2020)
The Michigan House of Representatives has passed a bill that would prohibit employers from requiring workers to have RFID chips implanted. The measure is proactive; there have not been instances in which employers have actually imposed this requirement. A company in Wisconsin has used implantable ID chips for its employees on a voluntary basis. The Microchip Protection Act now heads to the Michigan Senate for consideration.
[Pescatore] I usually try to only comment on news items where there is a meaningful or interesting tie-in to real-world enterprise security issues, but this one was hard to pass up. Proactiveness seems to be in short supply among politicians and legislators. I'd certainly rather see states focus that scarce resource more on increasing election security (where the Michigan Secretary of State has been taking steps) than on preemptive technology-specific laws.
Read more in:
ZDNet: Michigan tackles compulsory microchip implants for employees with new bill
abc12: Bill requires employers to keep implanted microchips voluntary for workers
Michigan Legislature: House Bill 5672 (as passed by the Michigan House of Representatives)