All news in category "Regulation and Policy Brief"
Wed, December 3, 2025
Secure Integration of AI into Operational Technology
🔒 CISA and the Australian Signals Directorate released joint guidance, Principles for the Secure Integration of Artificial Intelligence in Operational Technology, to help critical infrastructure owners and operators balance AI benefits with OT safety and reliability. The guidance focuses on ML, LLMs, and AI agents while remaining applicable to traditional statistical and logic-based systems. It emphasizes four core areas—Understand AI, Assess AI Use in OT, Establish AI Governance, and Embed Safety and Security—and recommends integrating AI considerations into incident response and compliance activities.
Wed, December 3, 2025
Pall Mall Process to Define Responsible Cyber Intrusion
🛡️ The Pall Mall Process, launched in 2024 by the UK and France with 27 governments and major tech firms onboard, seeks to set guidelines for commercial cyber intrusion capabilities. Its second phase invites input from the offensive cyber industry — vendors, brokers, researchers and service providers — on what constitutes responsible behaviour. The guidance will complement the existing Code of Practice for States and aims to curb irresponsible trade in spyware and zero‑day exploits. The public consultation closes on December 22.
Tue, December 2, 2025
FTC Settlement Requires Illuminate to Delete Student Data
⚖️ The FTC has proposed a settlement requiring Illuminate Education to delete unnecessary student data and strengthen its security program after a 2021 breach that exposed information for about 10.1 million students. The agency alleges failures including lack of access controls, storing data in plain text, weak patching, and misrepresenting encryption in contracts. The proposed order mandates data minimization, a public retention schedule, prompt breach reporting to the FTC, and will be open for 30 days of public comment; violations could trigger civil penalties.
Tue, December 2, 2025
India Orders Messaging Apps to Bind Accounts to SIMs
🔒 India's Department of Telecommunications (DoT) has directed messaging apps to bind accounts to an active, KYC‑verified SIM linked to the user's mobile number, with platforms required to comply within 90 days. The amendment to the Telecommunications (Telecom Cyber Security) Rules, 2024 aims to curb phishing, cross‑border fraud and remote account takeovers by closing gaps from long‑lived web/desktop sessions. Providers must enforce continuous SIM linkage and force web sessions to log out every six hours, requiring QR re‑linking. The DoT also announced a Mobile Number Validation (MNV) platform for decentralized, privacy‑compliant verification.
Tue, December 2, 2025
AI Requires Difficult Choices: Regulatory Paths for Democracy
🧭 The piece argues that AI forces a societal reckoning similar to the arrival of social media: it can amplify individual agency but also concentrate control and harm democratic life. The authors identify four pivotal choices for executives and courts, Congress, states, and everyday users—centering on legal accountability, privacy and portability, reparative taxation, and consumer product choices. They urge proactive, aligned policy and civic action to avoid repeating past mistakes and to steer AI toward public-good outcomes.
Tue, December 2, 2025
ICO Reviews Mobile Games for Children's Code Compliance
🕹️ The UK Information Commissioner's Office has launched a focused review of 10 popular mobile games to assess compliance with the Children’s Code (Age-Appropriate Design Code). The review will scrutinize default privacy settings, geolocation controls, targeted advertising and other design features that could affect children’s privacy. The ICO cited parental research showing high levels of concern about data collection, exposure to strangers and harmful content in mobile games.
Tue, December 2, 2025
Vaillant CISO: From Technology to Strategic Cyber Leadership
🔒 Raphael Reiß, CISO at Vaillant Group, warns that rising geopolitical tensions and increasingly professional cybercriminals — now aided by AI — have lowered the barrier to complex attacks. Vaillant applies a holistic, multilayered security approach that spans IT, global production and customer-facing products, combining preventive and reactive controls. Reiß emphasises people-first awareness training and pragmatic compliance with standards such as NIS2, DORA and the Cyber Resilience Act. His advice is direct: analyse your starting point and start rather than wait.
Mon, December 1, 2025
India Orders Phones to Preinstall Government Cyber App
📱 India’s telecommunications ministry has instructed major handset manufacturers to preload the government-backed cybersecurity app Sanchar Saathi on all new phones within 90 days, according to Reuters. The directive, dated November 28, 2025, reportedly requires the app to be non-removable and non-disableable and mandates pushing it via updates to devices already in the supply chain. Sanchar Saathi enables reporting of fraud and malicious links, blocking and tracking stolen devices, and checking multiple mobile connections; it has more than 11.4 million installs and has helped trace and recover hundreds of thousands of handsets.
Mon, December 1, 2025
US State Attempts to Ban VPNs in Name of Child Safety
🔒 Wisconsin lawmakers are advancing legislation that would require age verification on sites deemed potentially sexual and mandate blocking users who access content via VPNs. The measure, A.B. 105 / S.B. 130, expands the definition of "harmful to minors" and would force site operators to verify age and detect or block VPN connections. Critics argue it undermines privacy, free expression, and effective safety outcomes, and advocates such as the EFF call the proposal a terrible idea.
Fri, November 28, 2025
EU 'Chat Control' Shift Should Alarm Businesses Across Europe
⚠️ The EU Council's decision to frame communications scanning as voluntary is being presented as a retreat from plans to weaken end-to-end encryption, but privacy experts warn the danger persists. Campaigners including Patrick Breyer and European Digital Rights (EDRi) say this effectively privatizes Chat Control, enabling companies to deploy error-prone, warrantless client-side scanning. For enterprises and CISOs the main concern is data leakage: false positives could expose confidential documents, code, or strategic plans to outside authorities without corporate consent.
Thu, November 27, 2025
Key Provisions of the UK Cyber Security and Resilience Bill
🛡️ The Cyber Security and Resilience Bill — introduced to the House of Commons on 12 November and outlined by Shona Lester (DSIT) on 24 November — aims to strengthen protection for essential services by expanding regulatory scope and accelerating incident reporting. It brings data centres, large load controllers, managed service providers and designated critical suppliers into an Operators of Essential Services regime and requires 24‑hour notification of incidents with fuller reporting to follow. The bill also increases regulators’ enforcement powers and penalty regimes.
Wed, November 26, 2025
UK Committee Urges Legal Liability for Software Insecurity
⚖️ The UK’s Business and Trade Committee has recommended making software providers legally accountable for insecure products, arguing that voluntary measures like the Software Security Code of Practice are insufficient to protect economic stability. The report highlights 2025 incidents affecting Co-op, M&S and Jaguar Land Rover that produced heavy public costs and operational disruption. It urges mandatory compliance, stronger enforcement powers and compulsory incident reporting to shift financial risk back to vendors.
Tue, November 25, 2025
UK Lawmakers Urge Legal Shift on Economic Cybersecurity
🔒 The House of Commons Business and Trade Committee has urged the UK government to enshrine a new approach to economic security in law, warning that cyber and other threats increasingly imperil the nation's open economy. The committee's report, Toward a new doctrine for economic security, stresses that economic security cannot be achieved without cybersecurity and highlights attacks on critical national infrastructure and private firms. Key recommendations include making the voluntary Software Security Code of Practice mandatory, introducing tax relief for IT services that enhance operational resilience, and consulting on a mandatory cyber-incident reporting regime.
Sat, November 22, 2025
FCC Reversal Removes Telecom Cybersecurity Mandates
⚠️ The FCC has reversed its January 2025 Declaratory Ruling that required US telecom providers to adopt and annually certify stricter cybersecurity controls under CALEA. The agency said the earlier order was misconstrued and unlawful, citing recent engagements with carriers and targeted actions instead of prescriptive mandates. Critics, including FCC Commissioner Anna Gomez and security experts, warn the rollback could leave critical infrastructure more exposed after the Salt Typhoon attacks.
Fri, November 21, 2025
FCC Reverses Telco Cybersecurity Mandate After Salt Typhoon
🔒 The FCC has rescinded a January 2025 declaratory ruling under CALEA that would have required telecom carriers to adopt formal cybersecurity risk-management plans, submit annual certifications, and treat network cybersecurity as a legal obligation after the Salt Typhoon intrusions. The agency, now led by new commissioners, also withdrew the accompanying NPRM, calling the prior approach inflexible and legally flawed. Carriers say they have strengthened defenses and agreed to continued coordination, while critics warn that relying on voluntary measures risks leaving national communications infrastructure exposed.
Fri, November 21, 2025
SEC Drops Lawsuit Against SolarWinds After Years-long Probe
📰 The U.S. Securities and Exchange Commission has voluntarily dismissed its lawsuit against SolarWinds and CISO Timothy G. Brown, filing a joint motion to dismiss on November 20, 2025. The October 2023 complaint alleged fraud, internal control failures, and misleading disclosures tied to the late-2020 supply-chain compromise attributed to APT29. Many allegations were rejected by the SDNY in July 2024 as relying on hindsight. SolarWinds' CEO said the company emerges stronger, more secure, and better prepared.
Thu, November 20, 2025
CISA Issues Guidance to Combat Bulletproof Hosting Abuse
🔒 CISA, together with US and international partners, has published a joint guide addressing bulletproof hosting (BPH) services that enable ransomware, phishing, malware delivery and other attacks. The guidance explains how BPH providers lease or resell infrastructure to criminals, enabling fast-flux operations, command-and-control activity and data extortion while evading takedowns. It recommends concrete defensive actions — including curating a high-confidence list of malicious internet resources, continuous traffic analysis, automated blocklist reviews, network-edge filters, threat intelligence sharing and feedback processes — to help ISPs and network defenders reduce abuse while limiting collateral impact.
Thu, November 20, 2025
UK, US and Allies Sanction Russian Bulletproof Hosters
🔒 Western allies have announced coordinated sanctions targeting three bulletproof hosting providers — Media Land, ML.Cloud and Aeza Group — and four associated Russian executives, including Alexander Volosovik (aka Yalishanda). The measures, backed by the UK, US and Australia, also named UK-registered front Hypercore and aim to seize assets and cut access to legitimate banking channels. Authorities say the hosts supported numerous ransomware and infostealer operations, and Five Eyes nations published guidance to help ISPs and defenders mitigate malicious activity enabled by such services.
Wed, November 19, 2025
US, UK, Australia Sanction Russian Bulletproof Hosts
🔒 The US, UK, and Australia have sanctioned Russian bulletproof hosting provider Media Land and related companies for supporting ransomware gangs such as LockBit, BlackSuit, and Play. Three executives were also designated and assets frozen, while clients and facilitators face secondary sanctions. Five Eyes agencies issued guidance for ISPs to detect and block BPH-enabled abuse.
Wed, November 19, 2025
Legal Limits on Vulnerability Disclosure and Research Rights
🔒 Kendra Albert's USENIX talk, highlighted by Bruce Schneier, argues that modern managed bug bounty programs often impose contractual confidentiality that prevents researchers from publicly sharing vulnerabilities. These restrictions can flip the original bargain of coordinated vulnerability disclosure, silencing researchers while allowing vendors to delay or avoid fixes. Schneier urges platforms and companies to prohibit mandatory non‑disclosure terms and restore the balance between researcher reporting and vendor remediation.