October 2013

NIST has revised the draft cybersecurity framework that it released in August. What it published today is a “preliminary cybersecurity framework.” After comments, a final framework will be released in February.

I’ve been very critical of the draft released in August. NIST clearly worked to address the criticisms.

The result is a mixed

I’ve been critical of the claim that European privacy law offers more protection against government surveillance than American law. Apparently not critical enough. An Ars Technica reporter with a pro-privacy inclination decided to seriously investigate using a German email system to get the benefits of European privacy law.

His tale of disillusionment revealed three

I’d like to offer readers a short quiz on judicial independence.

Imagine a field where liability is common but damages vary widely — patent law, perhaps, or disability claims. In this field, there is a specialized court that has attracted Congressional and press criticism because it rules for the plaintiff 99% of the time. Stung

Officials in the EU often deride the lack of a national data protection authority in the US. It is absurd to suggest that the existence of a national DPA is itself a litmus test for a country’s commitment to privacy protection. Indeed, I would put the US system of constitutional checks and balances and sectoral

In my first post about NIST’s draft cybersecurity framework I explained its basic problem as a spur to better security: It doesn’t actually require companies to do much to improve their network security.

My second post argued that the framework’s privacy appendix, under the guise of protecting cybersecurity, actually creates a tough new privacy requirement

Following up on my earlier NIST post, it’s fair to ask why I think the NIST Cybersecurity Framework will be a regulatory disaster. After all, as I acknowledged in that post, NIST’s standards for cybersecurity are looking far less prescriptive than business feared. There’s not a “shall” or “should” to be found in NIST’s

Business and conservatives have been worried all year about the cybersecurity standards framework that NIST (the National Institute of Standards and Technology) is drafting. An executive order issued early this year, after cybersecurity legislation stalled on the Hill, told NIST to assemble a set of standards to address cyber risks. Once they’re adopted, the order