shift change 2024-4

Welcome to shift change, reports from the off-going watch to the oncoming on anything interesting in privacy, security, or intelligence.

secure all things material, or that could be material, or that the gov might think is sensitive.

If you are a company required to submit public reports regarding material cybersecurity incidents, and you are concerned that releasing that information would harm national security, please contact the Attorney General about one of the following exceptions to the normal reporting procedures:

  1. There is no “well-known mitigation” to the cause of the incident, or reporting the incident would likely cause an outbreak of more incidents.
  2. If the incident poses a substantial risk to national security or public safety because it involves “a system operated or maintained by a registrant that contains sensitive U.S. Government information, or information the U.S. Government would consider sensitive, and public disclosure required by Item 1.05 would make that information and/or system vulnerable to further exploitation by illicit cyber activity…”
  3. Disclosure would undermine or negatively impact remediating the incident.
  4. Number 2, above, applies, but the US government identifies the incident before the company experiencing it does.

Substantial risk or substantial harm to national security are familiar standards to anyone who has worked in national security before, and really should be familiar to anyone and everyone who has held a clearance and been read-in to even a low security program, but all my bells and warnings go off for a standard like “information the U.S. Government would consider sensitive…”

If you believe you fall into any of these exceptions, or a government agency has reached out to let you know bad things are happening in your network, contact anyone in federal law enforcement for a redirect to the FBI, who will help you assess if you are going to be sending paperwork to the US Attorney General.

North Face?

The corporate entity that for-all-we-care owns Vans, North Face, and Timberland (and others) noticed malicious activity, including encrypting company resources and stealing personal and company data, on December 13, reported the incident on December 15, and share prices had dropped by the 18th.

Thanks for reading shift change, a few stories that caught my eye, and maybe need to catch yours.