On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) published a Notice of Proposed Rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which imposes new reporting requirements for entities operating in critical infrastructure
Critical infrastructure
Bill C-26: a first step at reinforcing Canadian cybersecurity
On June 14, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26). This bill is presented in two parts:
- The first is to amend
…
White House Issues Cybersecurity Order
On May 11th, 2017, the White House released an executive order on strengthening the cybersecurity of federal networks and critical infrastructure (the “Order”). The Order marks the administration’s first successful effort to address cybersecurity, after an earlier draft executive order on cybersecurity was postponed in January.
The Order is divided into three substantive sections covering the cybersecurity of federal networks, the cybersecurity of critical infrastructure, and cybersecurity for the nation.
U.S. Government Announces Framework for Responding to Critical Infrastructure Cyber Incidents
On July 26, 2016, the White House issued the United States Cyber Incident Coordination Directive (Presidential Policy Directive PPD-41, including an Annex). The Directive sets forth the principles governing the Federal Government’s response to cyber incidents, including incidents affecting private entities that are part of U.S. critical infrastructure. The Directive is designed to improve coordination between government agencies and to clarify inter-departmental involvement in response to a cyber incident.
Cyber Attackers Targeted by US Treasury Department OFAC Sanctions
On April 1, 2015, President Obama issued Executive Order 13694, creating a new sanctions program that targets the growing and evolving threat posed by cyber-attacks. The Order authorizes sanctions against those who seek to use cyber-attacks to harm critical infrastructure, target network availability, and steal sensitive information, such as trade secrets and personal financial information.
The Order requires the freezing of assets of designated cyber-attackers in the United States or in the control or possession of US persons. It also prohibits US individuals and organizations from engaging in any transactions with those on the sanctions list or any entities they own.
Cybersecurity incident notification bill introduced in the Netherlands
On January 22, 2015, the Netherlands proposed legislation introducing breach notification requirements for critical infrastructure industries, including utilities (electricity, gas and drinking water), telecom, financial services, government (surface-water management bodies) and transport (main ports Rotterdam and Schiphol airport).
The proposed law would require notification in the event of a breach of security or loss of integrity of electronic information systems that are of vital importance to Dutch society (ICT Breaches). Stakeholders have been invited to comment on the Data Processing and Notification Obligation Cybersecurity Act (Wet gegevensverwerking en meldplicht cybersecurity) before March 6, 2015. The bill introduces an obligation to notify the Minister of Security and Justice in the event of an ICT Breach. Notifications would need to be submitted to the Dutch National Cyber Security Centre (National Cyber Security Centrum, the NCSC), a specialized department within the Ministry of Security and Justice.
Sharing Cyber Threat Information: A Legal Perspective (ISSA Journal Article)
The ISSA Journal recently included an article, Sharing Cyber Threat Information: A Legal Perspective, authored by Utsav Mathur and I (David Navetta) concerning potential legal risks associated with intra-industry sharing of cyber-threat information. The article summarizes recent…