Written by: Caroline Grace Parisher, Parsa Sedghi, and Sarah Mollin
Introduction
Washington Watch is a digest of executive, congressional, and judicial action on cybersecurity topics, designed to inform readers about the trends and conversations happening in Washington around cyber. We hope the information provided here will help your organization prepare for any changes it may need to make in response to legislation or other federal action, and that it will start a conversation about the national movement toward greater cybersecurity and resilience.
Executive
Office of the President
On 7/13/23 the Biden-Harris Administration published the National Cybersecurity Strategy Implementation Plan, following the March release of the National Cybersecurity Strategy. The plan calls for two fundamental shifts in how the United States approaches cybersecurity: ensuring that the biggest, most capable, and best-positioned entities in the public and private sectors assume a greater share of the burden for mitigating cyber risk, and realigning incentives to favor long-term investment in cybersecurity. In effect, the plan lays out the first concrete steps the government is taking to fulfill the five pillars of the National Cybersecurity Strategy.
On 3/15/23 the President's Council of Advisors on Science and Technology (PCAST) announced a working group on cyber-physical resilience, drawing on experts from academia, government, and the private sector. The working group was chartered to recommend ways to make critical infrastructure resilient to failure, disruption, and degradation.
On 2/7/23 the Office of the President, together with Australia, Japan, and India, announced the launch of the Quad Cyber Challenge, a public campaign to improve cybersecurity practices across the four nations.
On 3/31/23 the White House Office of Science and Technology Policy released the "National Strategy to Advance Privacy-Preserving Data Sharing and Analytics," guidance aimed at both the public and private sectors. The strategy commits the administration to supporting the research, development, regulation, and adoption of techniques that allow data to be shared and analyzed without exposing the underlying personal information, while also addressing bias and equity concerns in how data is collected and used.
In May 2023 the White House announced that it was exploring a ban on ransomware payments as part of the administration's effort to deter ransomware attackers. Any such ban would carve out an exception for payments needed to restore critical services, provided the payment is coordinated with the appropriate government agency.
Securities and Exchange Commission
The Securities and Exchange Commission's (SEC) new rule, adopted in July 2023, requires public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. Practitioners should note that the clock starts at the materiality determination, not at detection, and that the determination itself must be made without unreasonable delay after discovery. A separate SEC proposal would require certain financial market entities to adopt cybersecurity policies and procedures and assess them annually; it covers broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.
The Department of Homeland Security
On 3/31/23 DHS published updated Privacy Impact Assessments (PIAs) for two CISA programs. DHS/CISA/PIA-028 covers Enhanced Cybersecurity Services (ECS), a voluntary program that shares indicators of malicious cyber activity between DHS and participating Commercial Service Providers (CSPs) and Operational Implementers (OIs). DHS/CISA/PIA-026 covers the National Cybersecurity Protection System (NCPS), a "system for intrusion detection, analysis, intrusion prevention, and information sharing capabilities that are used to defend the federal civilian government's information technology infrastructure from cyber threats."
Office of Science and Technology Policy
On 3/28/23 the Office of Science and Technology Policy announced plans for a cybersecurity labeling program for smart devices to protect American consumers. The resulting certification, the U.S. Cyber Trust Mark, is intended to help buyers understand the security risks associated with connected products and to raise awareness of personal cyber protection. The program was formally unveiled on July 18.
Environmental Protection Agency
On 3/3/23 the EPA issued a memorandum requiring states to evaluate cybersecurity as part of sanitary surveys of public water systems. Three state attorneys general (Iowa, Missouri, and Arkansas) filed a lawsuit against the EPA, and the requirement has been blocked while that challenge proceeds. The analysts at Consortium Networks wrote an article that goes into detail on these guidelines.
Department of Energy
This year the Department of Energy's Federal Energy Management Program released Federal Fleet Cybersecurity guidance, which discusses cybersecurity threats to government fleet vehicles.
In June of this year DOE's Office of Cybersecurity, Energy Security, and Emergency Response (CESER) released a report on Strengthening Cybersecurity Across the Liquefied Natural Gas Lifecycle. The report is intended to help industry partners identify and mitigate cyber risks at each stage of the liquefied natural gas (LNG) lifecycle.
National Institute of Standards and Technology
On 1/19/23 the National Institute of Standards and Technology published the "NIST Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework." The NIST Cybersecurity Framework (CSF) was created to give organizations a structured way to understand, manage, and reduce cybersecurity risk. The framework is meant to be a living document, revised over time as technology and the threat landscape evolve.
Transportation Security Administration
On 3/8/23 the Transportation Security Administration (TSA) issued emergency amendments requiring TSA-regulated airport and aircraft operators to implement additional cybersecurity measures, intended to "reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel." The requirements have drawn significant pushback from operators over the burden of having to report every incident.
Department of Justice
In June of 2023 the Department of Justice formed a new National Security Cyber Section within its National Security Division to prosecute nation-state-backed cybercrime. The unit's goal is to take a proactive approach to digital threats originating outside the country. It is organized by geographic threat, mirroring the structure of the FBI's Cyber Division.
National Infrastructure Advisory Council
In March of 2023 the National Infrastructure Advisory Council released "Cross-Sector Collaboration to Protect Critical Infrastructure: Barriers and Recommendations for Improvement." The report aims to encourage communication between sectors, improve the flow of threat information, and help prevent cyber attacks. Its recommendations are as follows:
- Form a convening group to develop cross sector drills to enhance coordinated responses to physical or cyber-attacks on critical infrastructure
- Harmonize standards that govern common activities of the private sector
- Enhance coordination among local, state and federal government entities
- Engage vulnerable communities in planning and restoration efforts
- Enhance the timeliness and transparency of threat information
- Undertake a common cause failure analysis for critical infrastructure supply chains and services
- Prioritize standard setting in the areas of threat modeling, network segmentation, access provisioning and privileged account management
- Pilot-test the benefits that additional third-party certifications can provide to sector and cross sector stakeholders
- Develop methods to ensure timely delivery of infrastructure support provided by the Infrastructure Investment and Jobs Act and the Inflation Reduction Act
- Ensure consistency in international trade requirements and “Buy America” mandates in federal, state and local contracts
Federal Communications Commission
In June of 2023 the Federal Communications Commission (FCC) launched a Privacy and Data Protection Task Force, the first of its kind at the agency, to address SIM swapping and broader data privacy concerns. The task force is led by Loyaan Egal and will coordinate the FCC's rulemaking efforts in this area.
In a proposed rule published on 1/23/23, the FCC would expand its definition of "breach" to include inadvertent disclosures of customer information. The proposal would also require carriers to notify the FCC, the Secret Service, and the FBI as soon as practicable after a breach, and would eliminate the mandatory waiting period before a carrier may notify its customers.
Cyber Incident Reporting Council
A report is forthcoming from the Cyber Incident Reporting Council with recommendations for harmonizing incident reporting requirements across sectors. The council was created last year to reduce the reporting burden on industry and improve federal awareness of cyber incidents affecting critical infrastructure. Its report is expected to push toward a federal standard for incident reporting.
Congress
Senate
Introduced
S.2256: The "Federal Cybersecurity Workforce Expansion Act" was introduced by Sen. Maggie Hassan (D-NH) in July. This bill would expand cybersecurity workforce development pathways by adding two new programs: one to establish a cybersecurity apprenticeship program at CISA, and another to establish a pilot program within the Department of Veterans Affairs to provide cybersecurity training to veterans. This bill may pass.
S.1777: Sen. Jacky Rosen (D-NV) introduced the "Abraham Accords Cybersecurity Cooperation Act" in May. This bipartisan bill would increase civil cybersecurity cooperation with Abraham Accords partners to protect critical infrastructure and improve security in the region. This bill is not likely to pass.
S.1191: Sen. Marsha Blackburn (R-TN) introduced the "Enhancing K-12 Cybersecurity Act" in April. This bill establishes resources and a program to address the cybersecurity of elementary and secondary schools. It is not likely that this bill will pass.
S.1493: The bill “LifeLine Cybersecurity Responsibility Act” was introduced in May by Sen. Kyrsten Sinema (I-AZ). It requires the Substance Abuse and Mental Health Services Administration (SAMHSA) to undertake efforts to protect the 9-8-8 Suicide & Crisis Lifeline from cybersecurity threats. This bill is not likely to pass.
S.1425: Sen. Gary Peters (D-MI) reintroduced the "Satellite Cybersecurity Act" in May. It would require CISA to help protect commercial satellite owners and operators from disruptive cyber attacks. This bill may pass.
S.1862: Sen. Gary Peters (D-MI) introduced the "DHS International Cyber Partner Act" to strengthen cybersecurity assistance partnerships between the United States and its international partners. The bill would allow the Department of Homeland Security to quickly provide support to foreign partners, such as Ukraine, that face increasing cybersecurity threats. This bill may pass.
S.513: Sen. John Hickenlooper (D-CO) introduced the “Insure Cybersecurity Act of 2023” in February. This bill requires the National Telecommunications and Information Administration (NTIA) to establish a working group on cyber insurance policies. It is very unlikely that this bill will pass.
S.1835: Sen. Gary Peters (D-MI) introduced the "National Cyber Security Awareness Act," which aims to give the most frequent targets of ransomware attacks and underserved communities across the country access to cybersecurity training, education, and resources. The bill would require CISA to launch a new public-private campaign promoting cybersecurity best practices. This bill may pass.
S.903: Sen. Jacky Rosen (D-NV) introduced the "Department of Defense Civilian Cybersecurity Reserve Act" in March. This bill requires the Department of the Army to establish a Civilian Cybersecurity Reserve through a four-year pilot project to address malicious cyber activity and cyber workforce challenges. This bill is highly unlikely to pass.
S.1560: Sen. Josh Hawley (R-MO) introduced the "Rural Hospital Cybersecurity Enhancement Act" in June. This bill requires CISA to develop, and report annually to Congress on, a workforce development strategy to address the unmet need for cybersecurity professionals in rural hospitals. It is unlikely this bill will pass.
S.885: Sen. Jacky Rosen (D-NV) introduced the "Department of Homeland Security Civilian Cybersecurity Reserve Act" in March of this year. It authorizes CISA to create a temporary Civilian Cybersecurity Reserve to address U.S. cybersecurity needs related to national security. This bill is not likely to pass.
House of Representatives
Passed in the House
H.R.302: The "Energy Cybersecurity University Leadership Act of 2023," sponsored by Rep. Deborah Ross (D-NC), passed the House of Representatives in February of this year. The bill requires the Department of Energy to support the development of a next-generation, energy-specific cybersecurity workforce. Specifically, DOE must provide financial assistance to graduate students and postdoctoral researchers pursuing a course of study that integrates cybersecurity competencies with disciplines tied to energy infrastructure needs. DOE must also provide graduate students and postdoctoral researchers with research and training experiences at its National Laboratories and at utilities, and must conduct outreach to historically black colleges and universities, tribal colleges and universities, and minority-serving institutions.
H.R.1123: Rep. Anna Eshoo's (D-CA) "Understanding Cybersecurity of Mobile Networks Act" passed the House of Representatives in March of this year. The bill requires the National Telecommunications and Information Administration to examine and report on the cybersecurity of mobile service networks and the vulnerability of those networks and mobile devices to cyberattacks and surveillance by adversaries. This bill may pass.
Introduced
H.R.4502: The "Modernizing the Acquisition of Cybersecurity Experts Act" was introduced in the House of Representatives in July of this year by Rep. Nancy Mace (R-SC). This bill limits the use of educational requirements in federal hiring of cybersecurity workers. "People who don't attend or finish college are often barred from consideration for jobs in this field when really they shouldn't be," Mace said during the markup. "Some of these young people literally have the skills to hack into critical federal IT systems, but they can't get their foot in the door for employment at federal agencies." Lowering barriers to entry is a shared focus of many in the cyber workforce space. This bill may pass.
H.R.3809: The "Cybersecurity for Rural Water Systems Act of 2023," introduced by Rep. Donald Davis (D-NC) in July, would increase cybersecurity technical assistance to rural water systems across America to protect them from cyber attacks, giving rural communities the resources they need to build out their cybersecurity programs. This bill is highly unlikely to pass.
H.R.1160: Rep. Tim Walberg (R-MI) introduced the "Critical Electric Infrastructure Cybersecurity Incident Reporting Act" in May. The legislation aims to clarify the Department of Energy's (DOE) role in incident reporting requirements and to draw on the agency's expertise in critical electric infrastructure cyber preparedness and defense. This bill may pass.
H.R.2866: The "Critical Technology Security Centers Act," introduced by Rep. Ritchie Torres (D-NY), would create two cybersecurity-focused centers to evaluate and test the security of critical technology used by the federal government. This bill is unlikely to pass.
H.R.3286: Rep. Mark Green (R-TN) introduced the “Securing Open Source Software Act” in May. This bill would authorize CISA to improve the security of open-source software. The bill would require the agency to identify and mitigate vulnerabilities in open-source software used by federal agencies. This bill may pass.
H.R.4311: The "DELETE Act" was introduced in the House of Representatives by Rep. Lori Trahan (D-MA) in June. It would create a system through which individuals can request that all commercial data holders delete any personal data they have collected about them and refrain from collecting it again in the future. This bill is very unlikely to pass.
H.R.1360: The "American Cybersecurity Literacy Act," introduced by Rep. Jay Obernolte (R-CA) in March, requires the National Telecommunications and Information Administration to develop and conduct a cybersecurity literacy campaign to increase awareness of best practices for reducing cybersecurity risk. This bill may pass.
H.R.285: The "Cybersecurity Vulnerability Remediation Act," introduced by Rep. Sheila Jackson Lee (D-TX) in February, authorizes the Department of Homeland Security to take certain actions aimed at remediating cybersecurity vulnerabilities. It is very unlikely that this bill will pass.
H.R.1219: The "Food and Agriculture Industry Cybersecurity Support Act," introduced by Rep. August Pfluger (R-TX), requires the establishment of a clearinghouse for food and agriculture cybersecurity resources and the development of related best-practice recommendations. It is very unlikely that this bill will pass.
H.R.1165: The "Data Privacy Act of 2023," sponsored by Rep. Patrick McHenry (R-NC), was introduced in the House of Representatives in February. This bill addresses the privacy and security of personal information held by financial institutions. It expands the application of existing protections, gives individuals controls for limiting the collection of their information, and establishes nationwide data privacy standards. This bill is unlikely to pass.
H.R.57: The "Protecting Personal Data from Foreign Adversaries Act," sponsored by Rep. Jack Bergman (R-MI), was introduced in the House of Representatives in January of this year. This bill authorizes sanctions and other prohibitions relating to software that engages in user data theft on behalf of certain foreign countries or entities. This bill is not likely to pass.
Congressional Hearings
Senate
US Senate Committee on Homeland Security & Governmental Affairs
Hearing To Examine The Cybersecurity Risks To The Health Sector: On March 16th, 2023, a full committee hearing chaired by Sen. Gary C. Peters examined the cybersecurity risks faced by the healthcare sector. The hearing discussed the threats to the sector, the efforts of both the federal government and healthcare providers to counter them, and the actions Congress should take to strengthen defenses against such attacks. The witness panel included Scott Dressen (CISO at Corewell Health); Kate Pierce (Senior Virtual Information Security Officer at Fortified Health Security); Greg Garcia (Executive Director for Cybersecurity at the Healthcare and Public Health Sector Coordinating Council); and Stirling Martin (Senior Vice President and CPSO at Epic Systems).
Artificial Intelligence In Government: On May 16th, 2023, a full committee hearing was held to discuss how AI has the potential to help the government better serve the American people and what pitfalls we need to be aware of as the government adopts AI tools. The witnesses at the hearing included Richard A. Eppink (Of Counsel at the American Civil Liberties Union of Idaho Foundation); Taka Ariga (Chief Data Scientist at the U.S. Government Accountability Office); Lynne E. Parker, Ph.D. (Associate Vice Chancellor and Director of the AI Tennessee Initiative at the University of Tennessee); Daniel E. Ho (Professor at Stanford Law School); and Jacob Siegel (Writer).
GAO's 2023 High Risk List: Recommendations For Reducing Waste, Fraud, And Abuse: For over 30 years, GAO has reported on "high risk" government programs and operations at the start of each Congress. The High Risk List identifies government programs that are vulnerable to fraud, waste, abuse, and mismanagement, or that need reform. This year, GAO named the nation's cybersecurity one of the top five high-risk areas needing significant attention; the office has issued more than 4,000 recommendations in the cybersecurity domain since 2010. The hearing had a single witness: the Honorable Eugene L. Dodaro (Comptroller General of the United States).
US Senate Committee on Energy & Natural Resources
Full Committee Hearing To Examine Cybersecurity Vulnerabilities To The United States' Energy Infrastructure: On March 23rd, 2023, a full committee hearing examined the steps needed to address cybersecurity vulnerabilities in the United States' energy infrastructure. The hearing emphasized the need to counter cybersecurity threats and discussed recent incidents such as the Colonial Pipeline ransomware attack. The committee focused primarily on the current threat environment, recent cyberattacks on U.S. energy infrastructure and their effects, and current federal efforts to improve cybersecurity. The witnesses were: Mr. Puesh M. Kumar (Director of the Office of Cybersecurity, Energy Security, and Emergency Response); Mr. Robert M. Lee (CEO and Co-Founder of Dragos Inc.); and Mr. Stephen L. Swick (CSO of American Electric Power).
House of Representatives
US House Committee on Natural Resources
Examining Ongoing Cybersecurity Threats Within The Department Of The Interior And The Nexus To State-Sponsored Cyber Actors: On June 7th, 2023, the Subcommittee on Oversight and Investigations held a hearing on cybersecurity weaknesses at the Department of the Interior (DOI), drawing on reports that expose the vulnerability of DOI's information systems, DOI's assets, and America's offshore energy infrastructure. The discussion emphasized the need for all U.S. government agencies, including DOI, to prioritize cybersecurity given the potential for disruption to government operations and threats to national security and government-owned assets. The witnesses were: Mark Greenblatt (Inspector General of the U.S. Department of the Interior); Marisol Cruz Cain (Director of Information Technology and Cybersecurity at the Government Accountability Office); Dr. Charles Clancy (Senior Vice President at MITRE Corporation); and Rhea Siers (Senior Advisor at Teneo).
US House Committee on Science, Space, and Technology
Artificial Intelligence: Advancing Innovation Towards The National Interest: On June 22nd, 2023, the committee met to discuss how the federal government can advance artificial intelligence (AI) in a trustworthy way that benefits all Americans. The discussion covered the importance of high-quality data for AI system performance, the role of AI models, the growing need for computational resources, the importance of a skilled workforce and capital investment, the impact of open-source tools, and the potential risks associated with AI systems. The witnesses were: Dr. Jason Matheny (President and CEO of RAND Corporation); Dr. Shahin Farshchi (General Partner at Lux Capital); Clement Delangue (Co-founder and CEO of Hugging Face); Dr. Rumman Chowdhury (Responsible AI Fellow at Harvard University); and Dr. Dewey Murdick (Executive Director at the Center for Security and Emerging Technology).
US House Committee on Energy and Commerce
Protecting Critical Infrastructure From Cyber Attacks: Examining Expertise Of Sector Specific Agencies: On May 16th, 2023, the Subcommittee on Oversight and Investigations held a hearing on how each sector-specific federal agency secures critical infrastructure against cybersecurity threats and what role each plays in the federal cybersecurity enterprise. The subcommittee discussed how to prevent bad actors and adversaries from undermining the United States' national security, economy, and infrastructure. The witnesses were: Puesh Kumar (Director, Department of Energy); David Travers (Director, Environmental Protection Agency); and Brian Mazanec, PhD (Deputy Director, Department of Health and Human Services).
Addressing America's Data Privacy Shortfalls: How A National Standard Fills Gaps To Protect Americans' Personal Information: On April 27th, 2023, the Subcommittee on Innovation, Data, and Commerce held a hearing on identifying and closing the gaps in privacy protections for users of online services while preserving innovation and entrepreneurship. The session focused on gaps in protections for consumers' personal information, the challenges businesses face in complying with a patchwork of sector-specific laws, and the need for Congress to establish comprehensive privacy and data security legislation. The witnesses were: Morgan Reed (President, ACT | The App Association); Donald Codling (Senior Advisor for Cybersecurity and Privacy, REGO Payment Architectures, Inc.); Edward Britan (Head of Global Privacy, Salesforce, Inc.); and Amelia Vance (Founder and President, Public Interest Privacy Center).
TikTok: How Congress Can Safeguard American Data Privacy And Protect Children From Online Harms: On March 23rd, 2023, a full committee hearing questioned the CEO of the social media app TikTok about user data privacy. Over roughly five hours, TikTok Chief Executive Shou Zi Chew fielded questions about China's relationship with his company, data privacy, possible teen addiction to the app, misinformation, and fentanyl. Chew said that TikTok plans to host all U.S. user data with Oracle, firewalled from overseas access, and to keep the app protected from cybercriminals.
US House Committee on Homeland Security
Growing The National Cybersecurity Talent Pipeline: On June 22nd, 2023, the Subcommittee on Cybersecurity and Infrastructure Protection held a hearing on growing the national cybersecurity workforce. The subcommittee focused on the roles and responsibilities of federal agencies and the private sector in continuously developing the cyber workforce, and on addressing shortages and burnout within the industry. It also examined current approaches to cyber education and how organizations can provide scalable solutions to present challenges. The witnesses were: Anjelica Dortch (Senior Director, U.S. Government Affairs, SAP America, Inc.); Will Markow (Vice President of Applied Research, Lightcast); Tara Wisniewski (Executive Vice President for Advocacy, Global Markets, and Member Engagement, ISC2); and Col. Chris Starling (Ret.) (Executive Director, California, NPower).
CISA 2025: The State Of American Cybersecurity From CISA's Perspective: On April 27th, 2023, the Subcommittee on Cybersecurity and Infrastructure Protection heard testimony from CISA Director Jen Easterly on the nation's current cybersecurity posture and on defending critical infrastructure through public-private collaboration. Director Easterly also discussed CISA's priorities for 2023 and 2024, in which the agency will focus on strengthening the nation's cyber and physical defenses by collaborating with government partners, private sector entities, and local communities. CISA will continue investing in mission-enabling activities and functions to support operational capabilities and to build a diverse and talented workforce. It will also prioritize implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), including the staffing, processes, and technology capabilities needed to take in incident reports.
The Courts
The Supreme Court
UPDATE: Twitter, Inc. v. Taamneh: This case considered whether social media platforms can be held liable for "aiding and abetting" a designated foreign terrorist organization in an "act of international terrorism" under 18 U.S.C. § 2333 of the Anti-Terrorism Act, as amended by the Justice Against Sponsors of Terrorism Act, by recommending content that the organization's supporters posted. In May 2023 the Supreme Court unanimously held that the claims against Twitter and the other companies failed under the Anti-Terrorism Act, and it did not reach the Section 230 question.
UPDATE: Gonzalez v. Google: This case addressed the scope of liability and immunity for internet platforms under Section 230. In May 2023 the Supreme Court, in a per curiam decision, vacated the lower court's judgment and sent the case back with instructions to reconsider it in light of Twitter v. Taamneh.
Circuit Courts
Miller v. Syracuse University: Former Syracuse University student Trevor Miller filed a class action lawsuit against his former university alleging that a September 2020 data breach exposed sensitive information belonging to almost 10,000 students and prospective students. The court concluded that Miller plausibly alleged that Syracuse University breached a contract with him, so he may move forward to pursue compensation. Miller may still request such relief in accordance with the Federal Rules of Civil Procedure and the Local Rules of Practice for the United States District Court for the Northern District of New York.
Koeller v. Numrich Gun Parts Corp.: Edward Koeller filed this class action against Numrich Gun Parts Corporation alleging that the company failed to properly protect his sensitive information from disclosure in a data breach. On May 23, 2023, U.S. District Judge David N. Hurd ruled that Numrich may be liable for failing to stop hackers from gaining access to the personal information of 45,000 customers. Numrich also still faces claims of negligence, breach of implied contract, and unjust enrichment.
Jones v. Google: Plaintiffs filed suit against Google (and other organizations) alleging that, on its YouTube platform, Google collected and used children's IP addresses and other persistent identifiers for advertising purposes without parental consent, which if true would violate the Children's Online Privacy Protection Act (COPPA). The 9th Circuit allowed the claims that Google used persistent identifiers to track children's online behavior without consent to proceed. Google subsequently petitioned for a rehearing in the 9th Circuit.
Steinmetz v. Brinker International: Between March and April 2018, Brinker International, Inc., the owner of Chili's restaurants, suffered a cyber attack in which customers' credit and debit card data was compromised. Chili's customers brought a class action because their information was accessed (and in some cases used) and disseminated by cybercriminals. On July 11, 2023, the 11th Circuit held that the risk of future harm stemming from a data breach satisfies the requirements of Article III standing when the stolen information has been posted on the dark web.
States of Missouri, Arkansas, and Iowa v. U.S. Environmental Protection Agency: On March 3rd, 2023, the EPA's cybersecurity rule required all states to change how they conduct sanitary surveys under the Safe Drinking Water Act and imposed increased technology costs on small and rural Public Water Systems (PWSs). The rule marked the first mandatory federal cyber regulation outside of incident reporting in the United States. Three states' attorneys general filed suit against the EPA in the 8th Circuit on April 17th, arguing that the rule is a federal intrusion into a state matter and that compliance would be overly costly for small and rural PWSs.
Superior Courts
Racine v. Meta: A Superior Court judge dismissed the lawsuit filed against Meta by the Attorney General of Washington, DC. The lawsuit alleged that Meta's "lax" privacy policies contributed to the Cambridge Analytica scandal of the 2010s. In the ruling, the judge noted that Meta took enforcement action against the third-party app involved, including ordering the deletion of user data and opening an investigation. The judge concluded that although the District may disagree with Meta's approach, no legal basis required Meta to act differently, and its actions were consistent with its stated policies.
About Consortium Networks
Consortium Networks is a cybersecurity risk, technology, and networking organization on a joint mission to connect and educate the community. Consortium was founded to change the "game" and help our clients make sense of the tangle they call cybersecurity. By mapping our clients' controls to industry standards and risk, we help them reduce complexity and risk to their organization and people. The outcome: clients quickly understand their gaps and see the impact of their investment decisions, strengthening their cyber hygiene and ultimately protecting the business.
Our Concierge way of working sets us apart and follows four timeless principles of customer service: attitude, consistency, service, and teamwork. We are devoted to helping others selflessly in both our work and personal communities.
Our Services
Penetration Testing
Consortium Networks' Penetration Testing Services are designed and delivered by an in-house team of security professionals who use current techniques and tools to simulate real-world attack scenarios against your organization's networks, systems, and applications. Through controlled, authorized attempts to exploit weaknesses, Consortium Networks uncovers vulnerabilities and delivers accurate, actionable results so you can strengthen your defenses proactively.
Cyber Risk Assessments
Consortium's team of cybersecurity professionals helps you identify and prioritize where to direct your limited capacity by conducting a comprehensive cybersecurity assessment. We combine industry standards and accepted frameworks with a cyber risk quantification platform to give you an objective view of your current cyber risk, backed by empirical data.
Request for Proposals (RFP) and Procurement Advisory
Drawing on Consortium's in-house expertise in vendor selection, RFP drafting, and submission review, together with our knowledge of the unique aspects of your business and cybersecurity environment, we review your RFP to ensure it sets a solid foundation for your relationship with the technology providers you ultimately select. We help you avoid frustrating and costly amendments by making sure your organization has scoped its RFP appropriately from the start.
Cybersecurity Policy Library Development
Consortium's team helps you implement a concise policy library based on industry best practices and conformant standards, specifically the NIST Cybersecurity Framework and NIST SP 800-53 Rev. 5. The policy library enables you to forge a consistent strategy that ties the needs of your business to the ongoing process of cyber risk management.
Cybersecurity Incident Response Preparedness
The Consortium CSIRT program provides an expert evaluation of your current incident response (IR) capabilities to identify strengths and areas for improvement, along with practical recommendations and supporting documentation for developing and formalizing your CSIRT program.