The recent U.S. Cybersecurity Posture report examined efforts to improve the overall cybersecurity of the United States and assessed progress toward achieving the goals of the 2023 National Cybersecurity Strategy. The report is full of praise, much of it well-deserved, highlighting the fact that 33 of the 36 initiatives were completed on time, a feat that is certainly worthy of celebration. Trends driving the implementation include risks to critical infrastructure, a rampant ransomware ecosystem, supply chain concerns, commercial spyware markets, and potential threats from irresponsible use of artificial intelligence. With nearly all initiatives accomplished, the administration appears poised to tackle the second phase of the implementation plan. This follows an April 2024 Government Accountability Office (GAO) report on Executive Order (EO) 14028, Improving National Cybersecurity. That report identified 55 leadership and oversight requirements that must meet or exceed established standards to strengthen federal cybersecurity. GAO also gave these efforts a positive review. The U.S. appears to be moving in the right direction and making significant progress in key areas, but it remains to be seen how these indicators will translate into improved security against cyberattacks.
In particular, the Cybersecurity Posture report states that managing risks to data security and privacy is one of 12 key actions the administration has taken, with a focus on protecting cross-border commerce and promoting the development of privacy-enhancing technologies. The report downplays this point, touting initiatives implemented during the Biden administration such as EO 14117, Preventing countries of concern from accessing large volumes of sensitive personal data of U.S. persons and U.S. government-related data; EO 14110, Development and use of safe, secure and trustworthy artificial intelligence; and the EU-US Data Privacy Framework. However, while these are laudable, they appear to be more of a Band-Aid than a practical solution when it comes to protecting citizens' data privacy, and the report even notes up front that these efforts were undertaken “in the absence of a national data privacy law,” implicitly acknowledging their shortcomings.
The inability to create one has been the administration’s Achilles heel ever since data breaches became major incidents, exposing the personal information of Americans who depend on it for their healthcare and economic well-being. Even the Trump administration’s initiatives to protect sensitive citizen and corporate information from the intrusive collection activities of hostile cyber threat actors ignored how organizations can protect privacy data. The Clean Network program represented an effort to consolidate partnerships between trusted partners and focused on four main pillars to mitigate the threat posed by countries such as China exploiting technology for profit: Clean Carriers (preventing untrusted foreign carriers from connecting to U.S. telecommunications networks), Clean Stores (removing untrusted apps from U.S. mobile app stores), Clean Apps (preventing untrusted smartphone manufacturers from pre-installing apps), Clean Cloud (preventing sensitive public and personal information from being stored and processed in cloud environments accessible to hostile nation-state actors), Clean Cable (ensuring the integrity of undersea cables), and Clean Path (preventing untrusted vendors from accessing the government’s 5G network).
Despite Clean Network's global support (at its peak, it was supported by 27 of the 30 NATO allies, 26 of the 27 European Union (EU) member states, 31 of the 37 Organization for Economic Cooperation and Development (OECD) member states, and 11 of the 12 Three Seas member states), the program was focused on countering threats to classified information and not on policies addressing organizations' responsibility to protect it. The potential corruption or misuse of classified information by bad actors has immediate consequences that are difficult to overcome. The proposed settlement, offering one year of free credit monitoring to organizations that fail to protect their information, is more of an insult than a consolation.
Part of the problem may be that the emphasis is on data transfer, rather than on the people who control the information on either side of the endpoint. Even when discussing the management of data security risks, the Cybersecurity Posture report emphasizes the importance of “enabling secure, data-rich cross-border commerce and promoting the development of privacy-enhancing technologies.” Executive Order 14117 focuses on nation states that consume large amounts of information and the data brokers that sell that information. With regard to data transfers, as the Atlantic Council noted in an issue brief, the United States has historically overridden national security concerns over data protection requirements, primarily considering “the surveillance of foreign nationals' personal data in the course of commercial transfers as an entirely separate matter.” With the United States recently updating parts of its surveillance framework and extending by two years the period for warrantless data collection from non-US citizens around the world, this is expected to become the norm.
To be sure, data transfer is a key component of data privacy, especially when it comes to international trade, commerce, and even non-financial transactions such as health-related information that travel over the internet. Unfortunately, however, it has taken precedence over what happens when the data is received and what security considerations are put into its handling, processing, storage, and protection. According to a site dedicated to providing news and analysis for those who “make government work,” nearly all of the breaches that occurred in 2023, affecting 349 million victims, were due to data breaches, which are incidents in which unauthorized individuals steal sensitive information *from a storage location*. The italicized portion of this sentence is important because it suggests that the U.S. government’s focus on addressing data privacy issues may be misplaced, as the more widespread and larger-scale breaches occurred when data was at rest, not in transit.
In the absence of a national data privacy law, states like New Hampshire have tried to fill the void. However, as evidenced by Vermont’s recent attempt to enact one of the strongest state-focused data privacy bills, these efforts are often opposed by big tech companies. That said, even if all 50 states were to draft and enact their own data privacy laws, the result would still be a patchwork of laws similar to each other but made of different materials and sizes. Again, this is merely a Band-Aid to treat a wound that needs more thorough treatment.
The United States has made great strides in cybersecurity, but much of this has been led by the federal government. Public-private partnerships are seen as a cornerstone to strengthening public sector organizations. If this is true, then what is needed is for each department to work together to establish required cybersecurity baselines: set a cybersecurity baseline appropriate for your industry and implement best practice guidance from agencies like NIST into your own environment using standardized yet extensible guidelines. And data privacy must be at the core of this effort; otherwise, you'll continue to apply stopgap security solutions to situations that call for more.