Time for another regulation roundup.
The Department of Justice has formed a task force specifically focused on ransomware. The group focuses on training, improved intelligence across the department, and work to identify “links between criminal actors and nation states.”
In the UK, smartphones will be included in the scope of a “security by design” law focused on consumer devices. The coming law initially focused on IoT devices and builds on a 2018 code of practice for IoT device manufacturers. Now, the plan covers essentially all smart devices. PCs and tablets without cellular connections are not covered.
In the EU, officials have proposed a new set of regulations around high-risk uses of artificial intelligence. The rules prohibit “remote biometric identification” for uses like surveilling crowds, define a list of those high-risk uses, and lay out fines for companies that break the rules. The proposal still has to move through the process, which will likely take years.
Why do we care?
These are each a bit different, and I’m presenting them in order of impact. I’ve previously said that we can’t expect different results without more investment from law enforcement. The formation of a dedicated task force by the DOJ is a specific focus. There are specific resources now collecting information on ransomware and finding the links between organizations. We can hope that this effort against the systematic criminal organizations helps.
The UK set of laws is interesting as it’s another round of specific basics. It includes banning default passwords, requiring a point of contact for reporting vulnerabilities, and requiring upfront notification of how long security updates will be delivered. Again, the hope is that the basics get covered.
The EU laws are a lot more forward-looking, and certainly show regulators’ interest in privacy. The EU has clearly led here, and many are saying this could be the GDPR of AI. GDPR was hugely impactful – so even if it takes years, this debate will impact product design.