Ravi Nayyar’s Post

Alrighty, the big cybery reforms package of three bills (Cyber Security, ASD Limited Use, Enhanced Response and Prevention) has been sent to the PJCIS for their review. Having gone through the bills, some brief thoughts. Enhanced Response and Prevention Bill: - Good amendment re data storage systems handling business critical data = part of the CNI asset; - Happy with the proposed all-hazards, multi-assets consequence management powers (see paras [48]-[49] of the Explanatory Memo). Especially when they are not expanding the scope of the intervention request regime beyond cyber security incidents (I am very reassured the latter was not expanded — see my views: https://lnkd.in/gJTq8Qeq; see paras [38]-[40] the EM). - Thrilled with the CIRMP directions power, especially given the damning findings of the CISC CIRMP audits. - Good thing we're amending the protected information regime to make it easier for harmless sharing to occur in order to enable better incident response/normal ops. - Good to bring telecom security regs under one CNI regulation roof. ASD Limited Use Bill: - Love it. Very, very clear language. The question is whether industry bites. Cyber Security Bill: - Great IoT security stuff (pending the rules), including that it's a labelling regime as well as a product security one. But why is enforcement being handled by Dep-Sec Home Affairs and not the ACCC/Minister who looks after the Competition and Consumer Act 2010? After all, product recall, etc powers exist under the CCA too.  - Great ransomware reporting law (thank you, Timmy Watts), especially because of the limited use doctrine re payments reports. Again, let’s see if industry bites. Good to see the reporting regime is only for CNI people with SOCI pt 2B obligations/large companies ≥ rules-prescribed turnover.  - Good to have codification of the role of the NCSCoordinator. - Clear limited use doctrine re data shared with NCSC. Again, let’s see if industry bites. Good that the regime is open to any business or CNI operator. - Super thrilled that the Cyber Incident Review Board is enshrined as an independent statutory body, has a document production power, combined with limited use doctrine re info given to it, which should encourage more robust participation by industry. But I don’t like the requirement that the Minister approves the terms of reference of each review. General question: - Is Home Affairs resourced to fulfil its role as an IoT security regulator on top of housing the CISC and regulating telecoms security? PJCIS inquiry page: https://lnkd.in/gTVWjfHB

'Our nuclear facilities have also been targeted by cyberattacks, as well as networks like fuel distribution, municipal networks, transportation networks, ports, and similar sectors'. OT hit? Or just the IT? Also, what is a 'heavy cyberattack'? Wipers? 

Oh dear: https://lnkd.in/gms9J2vf (CIRMP = Critical infrastructure risk management program - see Pt 2A of the SOCI Act.)

#CNI https://lnkd.in/gQJJnE2q

I’m especially excited today because my thesis concerns the regulation of software supply chain risks to CNI assets, particularly from and via critical software.

THE CYBER RESILIENCE ACT HAS BEEN ADOPTED BY THE COUNCIL OF THE EUROPEAN UNION! The EU is weeks away from becoming the first jurisdiction with a bespoke regulatory framework for the product security _and_ labelling of all software sold commercially in the EU (save stuff covered by other EU rules like cars and healthtech). Yes, the Yanks (via EO14028–>NIST) defined critical software (the CRA has ‘important products with digital elements’ and ‘critical products with digital elements’), but the Yanks, for now at least, have only gone down the procurement route for regulating vendor SDLCs. The EU, on the other hand, is covering everything sold commercially (bar the stated exceptions) to anyone in the EU. Big day for all us SDLC regulation people! What happens next: Council and EuroParl President sign it —> Publication in the EU OJ —> Entry into force 20 days later —> Application of most provisions 36 months later. Press release (includes link to final text): https://lnkd.in/gJT3Aqxi

‘Starting in September 2023, SVR cyber actors have exploited JetBrains TeamCity CVE-2023-42793’. Targeting the software supply chain. https://lnkd.in/grvHfAnk

‘But a spokesperson for the German interior ministry said the three countries, representing 40% of the affected passenger traffic, were not ready to implement EES because the "necessary stability and functionality of the EES central system to be provided by the EU agency EU-Lisa is not yet in place"’. https://lnkd.in/g_wS2VSr

‘Microsoft doesn’t know what’s in that file. ‘Microsoft is now investing in a capability [to run stuff in user mode]. ‘But at this point, we have no plans to revoke kernel access from anyone … Our goal is to create an equivalent, and an option, for user mode. ‘Of greater importance is software testing prior to deployment – and the use of safe deployment practices … ‘… effective SDP is the better ROI in terms of protecting an incident … whether you’re in kernel or user mode … ‘We discussed ways to de-conflict the various SDP approaches being used by our partners, and to bring everything together as a consensus on the principles of SDP. ‘If it finds that a partner has ignored the SDP, it can withdraw signing any kernel driver … insistence on transparency would show customers that this provider is not being honest with them. ‘Kernel mode, user mode – not saying those are invalid, just saying those are a much smaller part of the problem. SDP can help prevent outages both inside and outside of the kernel’. https://lnkd.in/gPGSeY6i

‘… connected to the National Intelligence Database and makes it easy to search data … Other iOS apps used by NZ Police provide situational awareness, showing cops if any persons of interest are known to frequent an area or if it’s a place where crime has previously occurred … ‘The LAPD is also about to start trialing Vision Pros for its surveillance work, according to public records. “A room of display monitors and a command post can all be done on a single pair of goggles” … ‘… deployment of CarPlay by the Western Australia Police Force, where cops are using Siri to access police data and update their department with incident updates …’ This is actually quite cool. https://archive.md/HxKaq