Crossroads Blog | CYBER SECURITY LAW AND POLICY

Cyber Roundup (9/2): Shopping for zero-days, SEC guidelines gain power, and public-private partnerships for information sharing . . .

Hope you’re having a great Labor Day weekend. Here’s a quick survey of today’s cyber news . . .

***

On Sep 1, James Ball reported for The Washington Post on the zero-day exploit markets.  Zero-day exploits target undiscovered software vulnerabilities.  A hacker can make great use of a zero-day.  Indeed, Stuxnet relied on a number of zero-day exploits.

The WashPo article looked at the “little-known and barely regulated trade” in zero-days, noting that “researchers around the world are increasingly selling the exploits, sometimes for hundreds of thousands of dollars apiece.”  The article raised a few legal points: can their trade be regulated under the Commerce Clause?  Is computer code free speech? Is regulating the industry “possible or even desirable[?]”

***

Lisa Sandler wrote for the San Francisco Chronicle on the SEC guidelines on when a company should disclose that it has suffered a cyberattack.  Remember that a little under a year ago, the SEC issued non-mandatory guidelines for cyberattack disclosures during routine filings.  A few companies disclosed, but it wasn’t all that clear whether the new guidelines were having any effect.  That may change.

Sandler reported that the SEC guidelines “have become de facto rules for at least six companies, including Google and Amazon.com . . ..”

Does getting Google and Amazon on board bode well for further compliance?  Can’t hurt.

***

Interesting blog post from Paul Rosenzweig over at Lawfare.  The post contains a graphic demonstrating the complexities behind public-private partnerships.  Check it out!

***

Finally, Kevin Kwang writes for ZDNet on how the Taiwanese government is stepping up its cybersecurity efforts.  In what is probably news to no one, the Taiwanese government is concerned about the Chinese cyber threat.
