What the government’s new cybersecurity report could mean for business

Industry is apparently part of the problem — and the solution.

Sen. Angus King, I-Maine, co-chairs the Cyberspace Solarium Commission, which issued a report Wednesday saying the U.S.' cybersecurity infrastructure is dangerously inadequate.

Photo: Aaron P. Bernstein via Getty Images

America's cybersecurity strategy needs an overhaul, according to a massive new government report — but what does that mean for the technology industry?

"The reality is that we are dangerously insecure in cyber," co-chairs Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wisc., wrote in a letter prefacing the report, which was released by the bipartisan Cyberspace Solarium Commission on Wednesday. "Your entire life — your paycheck, your health care, your electricity — increasingly relies on networks of digital devices that store, process and analyze data. These networks are vulnerable, if not already compromised."


Get what matters in tech, in your inbox every morning. Sign up for Source Code.


The 182-page report argues for an approach of "layered cyber deterrence" and makes dozens of recommendations that would affect public and private sectors alike. The more than 75 recommendations run the gamut, from concrete suggestions about ensuring paper trails for voting machines to additional authorities for the Cybersecurity and Infrastructure Security Agency, as well as specific legislative fixes aimed at spurring private sector security changes.

Many of the recommendations in the report "do not break new ground," James A. Lewis, senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies, told Protocol. But if they are enacted, some of them could have a significant impact on technology companies and other industries.

There's a lot to dig through, but here are some key takeaways.

Industry is part of the problem — and the solution

The report is littered with references to public-private partnerships and collaboration, many of them vague. But the general vision laid out in the report "will require private-sector entities to step up and strengthen their security posture," King and Gallagher note, adding that most critical infrastructure "is owned by the private sector." The underlying message: that some of that infrastructure is not resilient enough.

If the strategy laid out were followed through, there would be additional expectations placed on private industry — generally in the form of things like adhering to new security standards and working with various new federal structures designed to help manage digital national security risks.

However, King and Gallagher say they "do not want to saddle the private sector with onerous and counterproductive regulations, nor do we want to force companies to hand over their data to the federal government." That suggests that even they are looking for voluntary cooperation in many circumstances.

Data security and privacy liability incoming?

That said, there are some places where the Commission calls for concrete changes that would change business practices.

One of the most significant is the recommendation that Congress pass legislation requiring "that final goods assemblers of software, hardware and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities for as long as they support a product or service."

This would provide clarity and increased protections for consumers, it argues, while putting businesses on the hook for keeping their products and services secure. Expect plenty of pushback from across the tech sector and beyond over any proposed lawmaking along those lines.

On a similar front, the Commission recommends Congress "pass a national data security and privacy protection law establishing and standardizing requirements for the collection, retention and sharing of user data." Right now, there is no overarching federal standard for data security akin to Europe's General Data Protection Regulation. Instead, a patchwork of state regulations helps set the effective floor of privacy protections, led by more stringent regulation out of California.

The impact of any such law on businesses would obviously depend on just how strict it is — but there is increasing bipartisan support for some form of data privacy regulation, so watch this space.

One other recommendation that could affect industry is the proposal that Congress establish a "National Cybersecurity Certification and Labeling Authority" to run programs including voluntary security certifications and labeling for IT and communications products. While voluntary, this would be a step toward cybersecurity certifications similar to those used to show that certain electrical products meet basic safety standards, and could change customer perceptions of the products and services they buy.

But don't assume Congress will act

While the report lays out the stakes as dire — it even opens with a bit of dystopian fiction about a post-cyberpocalypse Washington — there's no guarantee Congress will take action anytime soon. In fact, many of the report's recommendations, including a comprehensive federal data privacy law, are proposals that have been floating around in the legislative ether in one form or another for years.

King acknowledged the legislative status quo in an interview with Wired, saying he hopes that around half of the recommendations will be considered as part of the National Defense Authorization Act in May.

Still, Rep. Jim Langevin, D-R.I., a member of the commission and co-founder and co-chair of the Congressional Cybersecurity Caucus, said he has "never felt more optimistic" during his decade of working on cybersecurity issues than with the release of this report.

"We have a long way to go as a nation to close our aperture of vulnerability in cyberspace," the Congressman told Protocol in an emailed statement. "But the strategy we lay out today will make us much more secure if we have the political will to execute it."
