Chinese APT41 Attacking State Networks

Although CISA and the FBI continue to issue frequent alerts about the potential for increased cyber threats from Russia, China continues its cyber threat activity through APT41, which has been linked to China’s Ministry of State Security. According to Mandiant, APT41 has launched a “deliberate campaign targeting U.S. state governments” and has successfully compromised at least six state government networks by exploiting various vulnerabilities, including the Log4Shell vulnerability in the Log4j logging library.

According to Mandiant, even after the China-based hackers are evicted from a state government network, they return weeks later and keep trying to get back into the same network through a different vulnerability (a “re-compromise”). One vulnerability used successfully was a zero-day (CVE-2021-44207) in USAHerds, a web application that state agriculture agencies use to track livestock; Mandiant attributes it to a hard-coded ASP.NET machineKey shared across installations, which let the attackers forge ViewState payloads. Once the intruders use the USAHerds flaw to get into a network, they leverage that foothold to move laterally to other parts of the network and access and steal information, including personal information.

Mandiant’s outlook on these attacks is sobering:

“APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use. APT41 exploiting Log4J in close proximity to the USAHerds campaign showed the group’s flexibility to continue targeting U.S. state governments through both cultivated and co-opted attack vectors. Through all the new, some things remain unchanged: APT41 continues to be undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020.”

Both Russia and China continue to conduct cyber-attacks against both private and public networks in the U.S. and there is no indication that the attacks will subside anytime soon.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Electronic Medical Record Provider Pays $930,000 in First Civil Cyber-Fraud Initiative Settlement

In the first settlement under the Department of Justice’s Civil Cyber-Fraud Initiative, DOJ settled a case against medical services government contractor Comprehensive Health Services, LLC (CHS) for $930,000. This settlement resolves allegations brought in two qui tam lawsuits, in which four whistleblowers filed suit on behalf of the government under the qui tam provision of the False Claims Act. Three of the whistleblowers received $15,000, in addition to attorneys’ fees, and one relator received $127,050 for reporting fraud.

“This settlement serves notice to federal contractors that they will be held accountable for conduct that puts private medical records and patient safety at risk,” said the United States Attorney for the Eastern District of New York.

CHS, as part of the medical services they provided to the U.S. government, was paid to implement a secure electronic medical record (EMR) system as part of contracts with the State Department and Air Force at various U.S. consulate and military locations in Iraq and Afghanistan.  The EMR system housed personal health information and medical records for anyone who received medical treatment at the locations CHS served, including U.S. service members, diplomats, officials, and contractors.  According to the allegations, CHS did not consistently store patients’ medical records on the secure EMR system and indeed left scans on a network drive which non-clinical staff could access.

As part of several contracts to which CHS was a party, CHS was supposed to provide medical supplies, including controlled substances subject to U.S. Food and Drug Administration (FDA) or European Medicines Agency (EMA) approval. According to the allegations, CHS “knowingly, recklessly, or with deliberate ignorance” submitted claims for payment for controlled substances that it obtained by means not sanctioned by these contracts. Not only did CHS lack a Drug Enforcement Administration license to export controlled substances, but CHS also obtained controlled substances by having its U.S.-based subsidiary ask a South African physician to prescribe them, according to the allegations. The South African physician prescribed these controlled substances, absent FDA or EMA approval, and a shipping company from the same country imported them into Iraq.

Government contractors are supposed to adhere to the terms of their contracts in order to receive reimbursement from the U.S. government.  This medical services provider ignored procurement guidelines to obtain controlled substances, undermining safety controls and misrepresenting their adherence to contract terms in providing medical services to U.S. military personnel.  The DOJ’s Civil Cyber-Fraud Initiative brings the power of the False Claims Act to bear on contractors whose job is to protect sensitive information and critical systems.  Representing that data is secure when it is, in fact, not is a violation of the False Claims Act and constitutes cyber-fraud.  As the Special Agent in Charge of the U.S. Department of State OIG, Office of Investigations noted, “…this outcome will send a clear message that cutting corners on State Department contracts has significant consequences.”

Whistleblowers raised data privacy concerns to CHS, but the contractor failed to implement better cybersecurity protocols in response to their concerns.  The Department of Justice has rewarded its first whistleblowers as part of the Civil Cyber-Fraud Initiative, and they’re just getting started.

© 2022 by Tycko & Zavareei LLP

Department Of Financial Protection & Innovation Issues Guidance Regarding “Situation in Ukraine and Russia”

Last Friday, Commissioner Clothilde V. Hewlett issued guidance concerning the “situation in Ukraine and Russia”. The guidance reminds licensees of their obligations under federal and, to a lesser extent, California law. It covers three areas of concern: sanctions, virtual currency and cybersecurity. I was somewhat taken aback by the guidance’s reference to the “situation”, but in several places the guidance refers to the “Russian invasion”.

With respect to virtual currency, Commissioner Hewlett notes that the Russian invasion “significantly increases the risk that listed individuals and entities may use virtual currency transfers to evade sanctions”.   She advises that all licensees engaging in financial services using virtual currencies should have policies, procedures, and processes to protect against the unique risks that virtual currencies present.

When Russia Came To California

It may come as a surprise that Russia once had plans to expand into California and even occupied a fort here for nearly three decades. Fort Ross, now a California state park, is situated on the California coast about 60 miles north of San Francisco. It was established in 1812 and represents Tsarist Russia’s southernmost settlement on the North American continent. The name of the fort is derived from the word “Russia”, which is derived from the name of a medieval people known as the Rus.

© 2010-2022 Allen Matkins Leck Gamble Mallory & Natsis LLP

US Crypto Regulatory Enforcement Ramps Up – NFTs Now More in Focus

For the past decade the crypto space has been described as the wild west. The crypto cowboys and cowgirls have innovated and moved the industry forward, despite considerable regulatory uncertainty. Innovation always leads regulatory clarity. There’s a new sheriff in crypto town: the US government and its various regulatory agencies. They seem intent on taming the wild west.

According to a recent report, the IRS has sent 10,000 letters on taxpayer digital assets seeking to collect taxes on gains from crypto assets, including NFTs. This is no surprise, and we have cautioned on this dating back to 2017. While many people have focused on the tax issues with cryptocurrencies, the IRS is also focusing on NFTs, as reported here.

This comes on the heels of another report this week that the SEC is now targeting certain NFT uses. According to the report, the SEC is probing whether NFTs are being used to raise money like traditional securities. The SEC has reportedly sent subpoenas related to the investigation and is particularly interested in information about fractional NFTs. As we discussed here, fractionalization is just one of the potential securities law concerns with certain NFT business models. NFTs that represent a right to a revenue stream, and NFT presales, can also present issues in some cases.

Other recent regulatory activity relating to NFTs includes the following. The Department of the Treasury published a study on the facilitation of money laundering and terrorist financing through the art trade, including NFTs. See our report on this here.  The Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned a Latvia-based digital asset exchange and designated 57 cryptocurrency addresses (associated with digital wallets) as Specially Designated Nationals (SDNs). These designations appear to be the first time NFTs have been publicly impacted as “blocked property” – as one of the designated cryptocurrency addresses owns non-fungible tokens (NFTs). See our report on this here. A number of NFTs are also being used to facilitate illegal gambling.

In addition to the regulatory issues, the number of NFT-related lawsuits and other legal disputes continues to increase. Many of these disputes relate to IP ownership, IP infringement, and failure to attach a clear or enforceable license to the NFT, among others.

Most of these issues are avoidable with proper legal counseling early on.

The use of NFT technology to tokenize and record ownership of physical and digital assets, as well as entitlements (e.g., tickets, access, etc.), is just getting started. We believe this technology will see wide-scale adoption across many industries. The vast majority of NFT business models are legal.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Securities Litigation: An Emerging Strategy to Hold Companies Accountable for Privacy Protections

A California federal judge rejected Zoom Video Communications, Inc.’s motion to dismiss securities fraud claims against it, and its CEO and CFO, for misrepresenting Zoom’s privacy protections. Although there have been a number of cases challenging inadequate privacy protections on consumer protection grounds in recent years, this decision shifts the spotlight to an additional front on which the battles for privacy protection may be fought:  the securities-litigation realm.

At issue were statements made by Zoom relating to the company’s privacy and encryption methods, including Zoom’s 2019 Registration Statement and Prospectus, which told investors the company offered “robust security capabilities, including end-to-end encryption.” Importantly, the prospectus was signed by Zoom’s CEO, Eric Yuan. The plaintiffs, a group of Zoom shareholders, brought suit arguing that end-to-end encryption means that only meeting participants and no other person, not even the platform provider, would be able to access the content. The complaint alleged that contrary to this statement, Zoom maintained access to the cryptographic keys that could allow it to access the unencrypted video and audio content of Zoom meetings.
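The distinction the shareholders relied on, who holds the keys, is easiest to see in code. The following is an added example, not Zoom’s code and not part of the original article: two clients talk through a relay server, first with only transport encryption (the server shares a key with each client, much as TLS does), then with an additional end-to-end layer under a content key the server never sees. The cipher is a toy encrypt-then-MAC construction built from the Python standard library (HMAC-SHA256 in counter mode plus an HMAC tag) standing in for a real AEAD such as AES-GCM; the out-of-band agreement of `content_key` and the names `Relay`, `seal` and `open_sealed` are assumptions of this example.

```python
"""Who can read a meeting: transport encryption with server-held keys vs. end-to-end encryption.

Added illustration, not Zoom's code. The cipher is a deliberately simple
encrypt-then-MAC construction from the standard library; a real product would
use AES-GCM or ChaCha20-Poly1305. The lesson is key placement, not the cipher.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one secret.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a toy stream cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the data was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class Relay:
    """The provider's media server. It holds one transport key per client (assumed),
    strips the sender's transport layer, records what it sees, and re-wraps for the recipient."""

    def __init__(self, transport_keys: dict):
        self.transport_keys = transport_keys
        self.observed = []  # what the server holds after removing its own layer

    def forward(self, blob: bytes, src: str, dst: str) -> bytes:
        inner = open_sealed(self.transport_keys[src], blob)
        if inner is None:
            raise ValueError("transport layer failed to verify")
        self.observed.append(inner)
        return seal(self.transport_keys[dst], inner)


def transport_only(message: bytes):
    """Model 1, 'encrypted in transit': the wire is protected, but the server
    decrypts to forward, so the provider sees every frame in the clear."""
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    server = Relay(keys)
    delivered = server.forward(seal(keys["alice"], message), "alice", "bob")
    return open_sealed(keys["bob"], delivered), server.observed[0]


def end_to_end(message: bytes):
    """Model 2, end-to-end: the same transport layer, plus an inner layer under a
    content key assumed to be agreed between Alice and Bob only (out of band here;
    via a key agreement between the clients in practice). The server strips its
    layer and is left holding ciphertext it cannot open with any key it has."""
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    content_key = secrets.token_bytes(32)  # never given to the server
    server = Relay(keys)
    delivered = server.forward(seal(keys["alice"], seal(content_key, message)), "alice", "bob")
    bob_reads = open_sealed(content_key, open_sealed(keys["bob"], delivered))
    server_view = server.observed[0]
    server_attempt = open_sealed(keys["alice"], server_view)  # a key the server does have
    return bob_reads, server_view, server_attempt


if __name__ == "__main__":
    print("transport only, server sees:", transport_only(b"hello")[1])
    print("end to end, server sees:", end_to_end(b"hello")[2])
```

Both models can truthfully be called “encrypted”; only the second matches the definition the plaintiffs relied on, because the provider cannot turn `server_view` back into the meeting content. That is the gap Zoom’s executive acknowledged when he withdrew the “end-to-end” description.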

The plaintiffs’ allegations are based on media reports of security issues relating to Zoom conferences early in the COVID-19 pandemic, as well as an April 2020 Zoom blog post in which Yuan stated that Zoom had “fallen short of the community’s, and our own, privacy and security expectations.” In his post, Yuan linked to another Zoom executive’s post, which apologized for “incorrectly suggesting” that Zoom meetings used end-to-end encryption.

In their motion to dismiss, the defendants did not dispute that the company said it used end-to-end encryption. Instead, they challenged the plaintiffs’ falsity, scienter, and loss causation allegations, and all three attempts were rejected by the court.

First, as to falsity, the court did not buy the defendants’ argument that “end-to-end encryption” could have different meanings because a Zoom executive expressly acknowledged that the company had “incorrectly suggest[ed] that Zoom meetings were capable of using end-to-end encryption.”  Thus, the court found that the complaint did, in fact, plead the existence of materially false and misleading statements. The court also rejected the defendants’ argument that Yuan’s understanding of the term “end-to-end encryption” changed in a relevant way from the time he made the challenged representation to his later statements that Zoom’s usage was inconsistent with “the commonly accepted definition.” The court looked to Yuan’s advanced degree in engineering, his status as a “founding engineer” at WebEx, and that he had personally “led the effort to engineer Zoom Meetings’ platform and is named on several patents that specifically concern encryption techniques.”

Lastly, the court rebuffed the defendants’ attempt at undermining loss causation, finding that the plaintiffs had pled facts to plausibly suggest a causal connection between the defendants’ allegedly fraudulent conduct and the plaintiffs’ economic loss. In particular, the court referenced the decline in Zoom’s stock price shortly after defendants’ fraud was revealed to the market via media reports and Yuan’s blog post.

That said, the court dismissed the plaintiffs’ remaining claims, as they related to data privacy statements made by Zoom or, in general, by the “defendants,” unlike the specific encryption-related statement made by Yuan. The court found that the corporate-made statements did not rise to the level of an “exceptional case where a company’s public statements were so important and so dramatically false that they would create a strong inference that at least some corporate officials knew of the falsity upon publication.” Because those statements were not coupled with sufficient allegations of individual scienter, the court granted the defendants’ motion to dismiss those statements from the complaint.

© 2022 Proskauer Rose LLP.

GDPR Privacy Rules: The Other Shoe Drops

Four years after GDPR was implemented, we are seeing the pillars of the internet business destroyed. Given two new EU decisions affecting the practical management of data, all companies collecting consumer data in the EU are re-evaluating their business models and will soon be considering wholesale changes.

On one hand, the GDPR is creating the world its drafters intended – a world where personal data is less of a commodity exploited and traded by business. On the other hand, GDPR enforcement has taken the form of a wrecking ball, leading to data localization in Europe and substitution of government meddling for consumer choice.

For years we have watched the EU courts and enforcement agencies apply GDPR text to real-life cases, wondering if the legal application would be more of a nip and tuck operation on ecommerce or something more bloody and brutal. In 2022, we received our answer, and the bodies are dropping.

In January Austria’s data protection authority decided that a company can’t use Google Analytics to study its own site’s web traffic. The same conclusion was reached last week by French regulators. While Google doesn’t announce statistics about product usage, website tracker BuiltWith published that 29.3 million websites use Google Analytics, including 69.5 percent of Quantcast’s Top 10,000 sites, and that is more than ten times the next most popular option. So vast numbers of companies operating in Europe will need to change their platform analytics provider – if the Euro-crats will allow them to use site analytics at all.

But these decisions were not based on the functionality of Google Analytics, a tool that does not capture names, home or office addresses or phone numbers (it does assign each visitor a persistent cookie identifier and processes the visitor’s IP address, which is what the regulators treated as personal data). Instead, these decisions that will harm thousands of businesses were a result of the Schrems II decision, finding fault in the transfer of this data to a company based in the United States. The problem here for European decision-makers is that US law enforcement may have access to this data if courts allow them. I have written before about this illogical conclusion and won’t restate the many arguments here, other than to say that EU law enforcement behaves the same way.

The effects of this decision will be felt far beyond the huge customer base of Google Analytics.  The logic of this decision effectively means that companies collecting data from EU citizens can no longer use US-based cloud services like Amazon Web Services, IBM, Google, Oracle or Microsoft. I would anticipate that huge cloud player Alibaba Cloud could suffer the same proscription if Europe’s privacy panjandrums decide that China’s privacy protection is as threatening as the US.

The Austrian authority held that all the sophisticated measures taken by Google to encrypt analytics data meant nothing, because if Google could decrypt it, so could the US government. By this logic, no US cloud provider – the world’s primary business data support network – could “safely” hold EU data. Which means that the Euro-crats are preparing to fine any EU company that uses a US cloud provider. Max Schrems saw this decision in stark terms, stating, “The bottom line is: Companies can’t use US cloud services in Europe anymore.”

This decision will ultimately support the Euro-crats’ goal of data localization as companies try to organize local storage/processing solutions to avoid fines. Readers of this blog have seen coverage of the EU’s tilt toward data localization (for example, here and here) and away from the open internet that European politicians once held as the ideal. The Euro-crats are taking serious steps toward forcing localized data processing and cutting US businesses out of the ecommerce business ecosystem. The Google Analytics decision is likely to be seen as a tipping point in years to come.

In a second major practical online privacy decision, earlier this month the Belgian Data Protection Authority ruled that the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF), a widely-used technical standard built for publishers, advertisers, and technology vendors to obtain user consent for data processing, does not comply with the GDPR. The TCF allows users to accept or reject cookie-based advertising, relieving websites of the need to create their own expensive technical solutions, and creating a consistent experience for consumers. Now the TCF is considered per-se illegal under EU privacy rules, casting thousands of businesses to search for or design their own alternatives, and removing online choices for European residents.

The Belgian privacy authority reached this conclusion by holding that the Interactive Advertising Bureau was a “controller” of all the data managed under its proposed framework. As stated by the Center for Data Innovation, this decision implies “that any good-faith effort to implement a common data protection protocol by an umbrella organization that wants to uphold GDPR makes said organization liable for the data processing that takes place under this protocol.” No industry group will want to put itself in this position, leaving businesses to their own devices and making ecommerce data collection much less consistent and much more expensive – even if that data collection is necessary to fulfill the requests of consumers.

For years companies thought that informed consumer consent would be a way to personalize messaging and keep consumer costs low online, but the EU has thrown all online consent regimes into question. EU regulators have effectively decided that people can’t make their own decisions about allowing data to be collected. If TCF – the consent system used by 80% of the European internet and a system designed specifically to meet the demands of the GDPR – is now illegal, then, for a second time in a month, all online consumer commerce is thrown into confusion. Thousands were operating websites with TCF and Google Analytics, believing they were following the letter of the law.  That confidence has been smashed.

We are finally seeing the practical effects of the GDPR beyond its simple utility for fining US tech companies.  Those effects are leading to a closed-border internet around Europe and a costlier, less customizable internet for EU citizens. The EU is clearly harming businesses around the world and making its internet a more cramped place. I have trouble seeing the logic and benefit of these decisions, but the GDPR was written to shake the system, and privacy benefits may emerge.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

Fitness App Agrees to Pay $56 Million to Settle Class Action Alleging Dark Pattern Practices

On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million, and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court. The class is seeking conditional certification and has urged the court to preliminarily approve the settlement.

The suit was filed in May 2020 when a group of Noom users alleged that Noom “actively misrepresents and/or fails to accurately disclose the true characteristics of its trial period, its automatic enrollment policy, and the actual steps customers need to follow in attempting to cancel a 14-day trial and avoid automatic enrollment.” More specifically, users alleged that Noom engaged in an unlawful auto-renewal subscription business model by luring customers in with the opportunity to “try” its programs, then imposing significant barriers to cancellation (e.g., only allowing customers to cancel their subscriptions through their virtual coach), resulting in customers paying a nonrefundable advance lump-sum payment for up to eight (8) months at a time. Under the proposed settlement, Noom will have to substantially enhance its auto-renewal disclosures, require customers to take a separate action (e.g., a check box or digital signature) to accept auto-renewal, and provide a button on the customer’s account page for easier cancellation.

Regulators at the federal and state level have recently made clear their focus on enforcement actions against “dark patterns.” We previously summarized the FTC’s enforcement policy statement from October 2021 warning companies against using dark patterns that trick consumers into subscription services. More recently, several state attorneys general (e.g., in Indiana, Texas, the District of Columbia, and Washington State) announced their commitment to ramp up enforcement against “dark patterns” used to obtain consumers’ location data.

Article By: Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Texas AG Sues Meta Over Collection and Use of Biometric Data

On February 14, 2022, Texas Attorney General Ken Paxton brought suit against Meta, the parent company of Facebook and Instagram, over the company’s collection and use of biometric data. The suit alleges that Meta collected and used Texans’ facial geometry data in violation of the Texas Capture or Use of Biometric Identifier Act (“CUBI”) and the Texas Deceptive Trade Practices Act (“DTPA”). The lawsuit is significant because it represents the first time the Texas Attorney General’s Office has brought suit under CUBI.

The suit focuses on Meta’s “tag suggestions” feature, which the company has since retired. The feature scanned faces in users’ photos and videos to suggest “tagging” (i.e., identifying by name) users who appeared in the photos and videos. In the complaint, Attorney General Ken Paxton alleged that Meta collected and analyzed individuals’ facial geometry data (which constitutes biometric data under CUBI) without their consent, shared the data with third parties, and failed to destroy the data in a timely manner, all in violation of CUBI and the DTPA. CUBI regulates the collection and use of biometric data for commercial purposes, and the DTPA prohibits false, misleading, or deceptive acts or practices in the conduct of any trade or commerce.

Among other forms of relief, the complaint seeks an injunction enjoining Meta from violating these laws, a $25,000 civil penalty for each violation of CUBI, and a $10,000 civil penalty for each violation of the DTPA. The suit follows Facebook’s $650 million class-action settlement over alleged violations of Illinois’ Biometric Information Privacy Act (BIPA) and the company’s discontinuance of the tag suggestions feature last year.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Is Your School District Ready for the Next Round of Cyber Attacks?

It isn’t if, but when, the next round of cyber-attacks will happen. One common type of cyber-attack that schools face is ransomware, where an attacker gains control of a school district’s computer systems, encrypts the systems and their data, and holds them “hostage” until the district pays a ransom or can restore the systems on its own. Restoration for some districts can be nearly impossible.

Like any other multi-million-dollar organization with sensitive data, schools are unfortunately natural targets for cyber-attacks. Per one leading anti-malware provider, in 2021 alone, 62 school districts and 26 colleges and universities were impacted by ransomware. These attacks disrupted learning at 1,043 individual schools. The recovery costs following an attack can be very significant. For example, Baltimore County Public Schools spent more than $8.1 million on recovery after an attack in late 2020.

And it isn’t just the ransom amounts that can be frightening. Public concern over compromised data security, feelings of invasion of privacy, and negative public perception can also pose real and significant consequences for school districts. Imagine the response of a guardian or parent who receives notice that his or her student’s personal information has been compromised. The inability to access necessary computer or network systems may also require schools to close and disrupt both short- and long-term operations. In 2021, on average, a school in the United States experienced seven days of downtime following a cyber-attack before resuming educational operations, and significant additional time was required to fully recover from the attack.

Why Are Schools Attractive Targets?

School districts are appealing targets for two main reasons: (1) school districts often have one of the largest budgets in the community, making them an appealing financial target; and (2) the data school districts store includes highly sensitive student and employee personal information, including Social Security numbers, health information, and other pupil data. This information can be a gold mine to cyber criminals interested in identity theft or simply in extorting money from a school district.

What Should School Districts Do?

School district administration should embrace cybersecurity best practices to protect their schools from cyber-attacks. This requires administrators to review current practices and thereafter remain vigilant in conducting an ongoing review of such practices. Here are a few things school districts can do to help protect themselves:

  • Develop a communication plan. Time is critical when a cyber-attack occurs. It is essential that you are ready to address guardians and parents, the media, and the community, and to work with your insurers and law enforcement immediately when an attack happens. Different laws require notice to individuals affected by privacy breaches. Your district should pre-emptively develop a communication plan so it is immediately ready to address required stakeholders. This communication plan should be routinely discussed with relevant administrators and employees.
  • Update systems. Administrators should apply software patches and updates as soon as possible, prioritizing internet-facing systems and flaws that are known to be exploited. Hackers routinely exploit systems whose patches and updates were not installed in time.
  • Create a strong password policy. Require long passphrases, a different password for every account, and screening against lists of known-breached passwords, and force a change whenever a compromise is suspected. Mandatory rotation on a fixed schedule is no longer recommended by NIST (SP 800-63B) because it pushes users toward predictable variations of the same password.
  • Purge outdated technology. Schools may hang on to older devices due to budget constraints. However, older devices may not be as secure as newer systems.
  • Implement multi-factor authentication to protect network access.

Some tips to help districts recover more quickly include:

  • Back up essential data frequently, keep at least one copy offline or otherwise beyond the reach of an attacker who controls the network, and test that restores actually work. The ability to restore data is a significant factor in determining whether a school district should pay a ransom, although backups do not help when the attacker also threatens to publish data stolen before the encryption.
  • Train employees. Train staff to recognize phishing emails and other types of cyber-attacks.
  • Develop a cyber-attack response plan. Schools should work with their IT staff, IT providers and legal counsel to pre-emptively develop a plan to handle varying cyber-attacks and return to normal operations.
  • Evaluate cyber liability insurance coverage. Based on publicly available information, ransom demands vary dramatically: as low as $10,000 to millions of dollars.
  • Stay in close contact with experienced legal counsel. To the extent protected personal information was accessed or taken, notification to the victims and, in some states, notification to regulators may be required. Legal counsel familiar with these situations helps coordinate communication with law enforcement and with staff, students, and the public. Legal counsel also communicates with the threat actors, coordinates with your insurance company, and assists with records requests that may come in post-attack.

Most importantly, school districts should engage with their insurance agent, legal counsel and IT staff now to develop and gain a mutual understanding of the process that will be followed at the time of a cyber-attack, as well as best practices that are to currently be utilized by district employees and officials. These pre-emptive, relationship-building opportunities may expose vulnerabilities and will best prepare your district for a cyber-attack. A proactive approach may also help your district avoid an attack altogether or, at a minimum, reduce the damage.

©2022 von Briesen & Roper, s.c

White House Focuses on Improving the Cybersecurity of National Security Systems

President Biden recently signed a National Security Memorandum on cybersecurity. This memorandum was required by an earlier executive order, which we previously have discussed here.  The new memorandum (NSM) requires certain network cybersecurity measures for any government information system that is used for highly sensitive national security purposes. The requirements go into effect on a rolling basis over the next 6 months.

Systems covered include those used for intelligence activities, command and control of military forces, or weapons systems (dubbed, “National Security Systems” or “NSS”). Requirements will include use of multifactor authentication, encryption, cloud technologies, and endpoint detection services.  Notably, the NSM:

  1. requires agencies to identify their National Security Systems and report cyber incidents to the National Security Agency (NSA) (the agency tasked with responsibilities over NSS);
  2. authorizes the NSA to create Binding Operational Directives requiring agencies to take specific actions against known or suspected cybersecurity threats and vulnerabilities; and
  3. requires agencies to secure cross domain solutions (i.e., tools that transfer data between classified and unclassified systems).

The NSM also outlines how the cybersecurity requirements will be implemented.

Putting it into Practice: At this point, the NSM is directed only at requirements for agencies (rather than contractors or vendors). But, as we’ve seen in the past, once agencies have new policies and processes in place, these requirements are likely to impact or flow-down to contractors that support National Security Systems.

This article was written by Townsend Bourne and Nikole Snyder of Sheppard Mullin law firm.