Monthly Archives: January 2025

Is the Great Atlantic Data Firewall going up after all?

Bob Sullivan

Are European companies on the brink of another potentially crippling data border dispute with the U.S.? I’ve spent a lot of time in Ireland recently, so I’m acutely sensitive to the possibility.

As tech companies here try to position themselves for Trump 2.0, downstream impacts from the new president’s flurry of executive orders and sackings are quickly being digested. But one issue stands out: the ability of US firms to operate with EU data is, once again, threatened. At worst, the issue could potentially cause EU schools and businesses to stop working immediately with US cloud providers like Google and Amazon, with potentially catastrophic results.

As history shows, that worst-case scenario is likely to be avoided, but yet again, the tenuous nature of international privacy agreements between the U.S. and its largest trading partner has been betrayed.

To review, E.U. citizens enjoy fundamental privacy rights not granted to U.S. citizens, in part because Congress has yet to pass a federal privacy law. Back in 1998, the EU mandated that data on its citizens cannot be exported outside the EU unless it is treated with EU-level care and its citizens are guaranteed EU-level privacy protections. This seemingly impossible stalemate has never really been permanently resolved, but it has been papered over several times by “agreements.” The first such deal was called “Safe Harbor” back in 2000. It was declared invalid by an EU court in 2015, and then replaced by “Privacy Shield,” declared invalid in 2020. That was replaced two years later by the Transatlantic Data Privacy Framework, which stands today. Maybe.

This week, new President Donald Trump required all Democrat members of an organization called the Privacy and Civil Liberties Oversight Board to resign, a not-unexpected step. But that leaves the board with only one member, rendering it essentially non-functional. That’s important because the Transatlantic Data Privacy Framework rests on the ability of this “independent” civil liberties board to deal with complaints by EU citizens about data mistreatment. Legal scholars worry the board’s demise could mean the demise of this latest data-sharing agreement.

In reality, the “court” established to hear such EU citizens’ disputes has yet to adjudicate a single case, according to one of its lawyers. So the Great Atlantic Data Firewall is likely not as imminent as some suggest; we’ve been on this brink many times before.

However, the executive order which President Biden signed initiating the entire Transatlantic Data Privacy Framework is due to be reviewed by the Trump administration within 45 days, and it’s easy to see that baby being tossed with the bath water. Then, real questions about a potential data-sharing wall arising over the Atlantic Ocean could be raised.

Perhaps, as Max Schrems suggests, it’s time to find a more permanent solution to this thorny problem? The best way to understand all that’s going on is to head over to NOYB.eu and read Schrems’ thoughts on the situation.


Certificate Lifecycle Management, PKI and Software Supply Chain Security in Financial Services

The purpose of this research is to determine how effective the financial services industry is in managing the certificate lifecycle, PKI and securing the software supply chain. As shown in this research, 62 percent of respondents say their organizations experienced one or more outages or security incidents due to an issue with digital certificates that resulted in diminished service quality or availability. Forty-eight percent of respondents say their organizations have been impacted by one or more software supply chain attacks or exploits in the past year. Some of the adverse consequences included putting customers at risk due to a system compromise and prolonged disruption to operations.

Sponsored by DigiCert, Ponemon Institute surveyed 2,546 IT and IT security practitioners in the United States (507 respondents), the United Kingdom (295 respondents), Canada (272 respondents), DACH (Germany and Switzerland, 363 respondents), France (361 respondents), Australia (237 respondents), Japan (252 respondents) and Singapore (259 respondents). Forty-eight percent of respondents work in banking and 52 percent are in the insurance industry. All respondents are familiar with their organization’s PKI and involved in certificate lifecycle management (CLM). Ninety-six percent of respondents either have responsibility (47 percent) or share responsibility with others (49 percent) in setting and/or implementing their organizations’ software supply chain security strategy.

Conducting inventories to identify every certificate is critical for crypto-agility and becoming quantum-ready. A key takeaway from the research is that more than half of respondents (51 percent) say their organizations are not taking an inventory to identify every certificate within the organization. Similarly, 51 percent of respondents do not know how many digital certificates, including private root or privately signed, their organizations have. Thirty-six percent of respondents agree that the most important feature of a CLM solution is the continuous discovery of public and internal certificates. Another 36 percent of respondents say lifecycle automation using standard and proprietary interfaces is among the top two most important features.

The following research findings describe the current state of CLM, PKI and software supply chain security.

  • Most organizations are in the dark about their certificate inventory and the kind of certificates they have. As discussed above, a key takeaway from the research is that more than half of respondents (51 percent) say their organizations are not taking an inventory to identify every certificate within the organization. Similarly, 51 percent of respondents do not know how many digital certificates, including private root or privately signed, their organizations have. Without this visibility, organizations are at risk because of unsecured certificates within their organization.
  • A CLM solution must support multiple CAs to allow for redundancy and to accommodate the decentralized nature of PKI within enterprises. Thirty-three percent of respondents say support for multiple CAs is one of the most important features when choosing a CLM solution.
  • Certificate outages are common mostly due to expirations or revocations, which can be solved by a CLM solution. Sixty-two percent of respondents say their organizations experienced one or more outages due to an issue with digital certificates. These outages were mainly due to expired certificates, revoked certificates and misconfigured certificates. These risks can be mitigated with an automated CLM system which streamlines the process of CLM through a variety of automated workflows done within a single platform.
  • The most important feature of PKI solutions is the ability to consolidate management of public CA and private CA certificates. According to respondents, the most important feature when choosing a PKI is a single vendor for public CA and private CA certificates (46 percent of respondents). Also important is scalability and performance (46 percent of respondents). The PKI technologies most often used are service provider/cloud provider managed private PKI (44 percent of respondents), internal private PKI (42 percent of respondents) and managed PKI service (e.g. SaaS PKI or PKI as a service) (29 percent of respondents).
  • Digital certificates, also known as public key certificates, are used to cryptographically verify the ownership of a public key. Digital certificates are for sharing public keys to be used for encryption and authentication. According to the research, the most important use case for digital certificates is user authentication for WiFi, VPN or other network access (59 percent of respondents). Authenticating cloud workloads (55 percent of respondents) indicates progress in modernizing digital certificate security. Another important use case is digital signatures for electronic documents (54 percent of respondents).
  • Software supply chain attacks are growing, primarily from security issues with open source software. Forty-eight percent of respondents say their organizations have been impacted by one or more software supply chain attacks in the past year. Most of these attacks were caused by malware, vulnerabilities or other threats in open source software. The two top consequences were customers at risk due to a system compromise and prolonged disruption to operations.
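The first and third findings above (no certificate inventory, outages from expired certificates) come down to one defensive routine: discover every certificate you hold, record who issued it, and flag the ones that are about to expire or that nobody in the private PKI ever issued. The following Go program is an added illustration of that routine; it is not code from the Ponemon/DigiCert report or from any CLM product. It builds a constructed PEM bundle (a private root CA, a VPN server certificate issued by it that expires in ten days, and a stray self-signed certificate that expired yesterday; all names are made up), then inventories the bundle the way a discovery scan would, classifying each certificate as ok, expiring or expired and marking self-signed certificates that sit outside the issuing hierarchy.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one inventory entry derived from a parsed X.509 certificate.
type CertRecord struct {
	Subject    string
	Issuer     string
	NotAfter   time.Time
	SelfSigned bool   // subject == issuer and the signature verifies with its own key
	Status     string // "ok", "expiring" or "expired"
}

// classify derives the inventory record for one certificate: "expired" when now is
// past NotAfter, "expiring" when NotAfter falls within warnDays of now, else "ok".
func classify(cert *x509.Certificate, now time.Time, warnDays int) CertRecord {
	selfSigned := bytes.Equal(cert.RawSubject, cert.RawIssuer) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	rec := CertRecord{Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName,
		NotAfter: cert.NotAfter, SelfSigned: selfSigned, Status: "ok"}
	switch {
	case now.After(cert.NotAfter):
		rec.Status = "expired"
	case now.Add(time.Duration(warnDays) * 24 * time.Hour).After(cert.NotAfter):
		rec.Status = "expiring"
	}
	return rec
}

// InventoryPEM parses every CERTIFICATE block in a PEM bundle (the output of a
// discovery scan or a trust-store dump) and returns one record per certificate.
func InventoryPEM(bundle []byte, now time.Time, warnDays int) ([]CertRecord, error) {
	var records []CertRecord
	for rest := bundle; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return records, nil
		}
		if block.Type != "CERTIFICATE" {
			continue // keys or CRLs in the same bundle are not inventory items
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return records, fmt.Errorf("parsing certificate %d: %w", len(records)+1, err)
		}
		records = append(records, classify(cert, now, warnDays))
	}
}

// Summarize counts records by status so a dashboard can show outage exposure.
func Summarize(records []CertRecord) map[string]int {
	counts := map[string]int{"ok": 0, "expiring": 0, "expired": 0}
	for _, r := range records {
		counts[r.Status]++
	}
	return counts
}

// mustCert signs tmpl with signer (parent == tmpl for self-signed) and returns DER.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}

// SampleBundle builds a constructed PEM bundle relative to now. All names are made up.
func SampleBundle(now time.Time) []byte {
	day := 24 * time.Hour
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	strayKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Example Bank Private Root CA"}, // hypothetical
		NotBefore: now.Add(-365 * day), NotAfter: now.Add(3650 * day),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	rootDER := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER) // parsed form carries the CA public key

	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "vpn.example-bank.internal"}, // hypothetical
		NotBefore: now.Add(-355 * day), NotAfter: now.Add(10 * day), // expires in 10 days
		KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER := mustCert(leafTmpl, root, &leafKey.PublicKey, rootKey)

	strayTmpl := &x509.Certificate{SerialNumber: big.NewInt(3),
		Subject: pkix.Name{CommonName: "legacy-wifi.example-bank.internal"}, // hypothetical
		NotBefore: now.Add(-366 * day), NotAfter: now.Add(-1 * day), // expired yesterday
		KeyUsage: x509.KeyUsageDigitalSignature}
	strayDER := mustCert(strayTmpl, strayTmpl, &strayKey.PublicKey, strayKey)

	var buf bytes.Buffer
	for _, der := range [][]byte{rootDER, leafDER, strayDER} {
		pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	return buf.Bytes()
}

func main() {
	now := time.Now()
	records, err := InventoryPEM(SampleBundle(now), now, 30)
	if err != nil {
		panic(err)
	}
	for _, r := range records {
		fmt.Printf("%-8s self-signed=%-5t expires=%s  %s (issuer: %s)\n",
			r.Status, r.SelfSigned, r.NotAfter.Format("2006-01-02"), r.Subject, r.Issuer)
	}
	fmt.Println("summary:", Summarize(records))
}
```

In practice the bundle would come from a scanner that walks hosts, key stores and load balancers rather than from `SampleBundle`; the thirty-day warning window is an assumed renewal lead time, and the self-signed flag is what turns a raw certificate list into the "private root or privately signed" count the report says half of respondents cannot produce.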

To read the full findings of this report, visit Digicert’s website.