At a glance.
- European governments weigh risks of Huawei participation in 5G buildout.
- Ransomware payments may violate sanctions.
- Four energy sector security bills clear the US House.
- Iowa joins Ohio in adopting a state-level vulnerability disclosure program.
Europe weighs excluding Huawei.
Germany plans to shut out Huawei from their 5G infrastructure, according to GizmoChina. A “new security law” will block the “leading telecommunications based equipment provider in the world” via a process that looks at the politics and reliability of participating companies as well as the soundness of their parts. Several countries suspect the Chinese company of espionage, as the CyberWire has discussed.
Meanwhile, US Secretary of State Mike Pompeo reminded Rome that Beijing’s telecommunications tech risks residents’ privacy and national security, Reuters reports. Chinese businesses are required to assist government intelligence operations. Huawei’s Italian envoy Luigi De Vecchis commented, “We will open our insides, we are available to be vivisected to respond to all of this political pressure.” Unlike other Washington allies, Rome has not yet barred the company, and in fact cozied up to Beijing last year by joining its global infrastructure initiative. An Italian official reportedly told Reuters that preparations to take a stronger stance were underway.
And Reuters reports that the UK's Huawei oversight board has reported that the company's products showed an unacceptably high number of vulnerabilities: “These findings are about basic engineering competence and cyber security hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors.” Huawei sees it differently: “The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities.”
Treasury warns that paying ransom may violate sanctions.
Pay ransom; risk penalties. Yesterday the US Treasury Department's Office of Foreign Assets Control (OFAC) issued a friendly reminder that companies involved in ransomware payouts risk transgressing OFAC regulations and incurring “civil penalties.” The notice specifically names “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.” Looping in law enforcement is encouraged and counts as good behavior in any assessment of penalties. OFAC added that such payments “can undermine the national security and foreign policy objectives of the United States.”
Bill Siegel, CEO of ransomware response company Coveware, told BleepingComputer, "The payment of a ransom IS the revenue line item for the cyber extortion economy and should be avoided by all means by any victim." Insurance Journal notes that underwriters are likely to close-read Treasury's letter.
Charles Carmakal, SVP & CTO at FireEye Mandiant, shared some thoughts with us on the Treasury letter. He thinks it well-intentioned but ill-advised, because in his view the warning is likely to contribute to confusion:
"Today, the U.S. Department of the Treasury issued advisories through the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) on the risks of paying extortion demands by ransomware operators. The OFAC advisory is well-intentioned, but it will certainly add more pressure and complexity to victim organizations already challenged recovering after a security incident.
"OFAC already provides a list of sanctioned entities. Victim organizations are required to check the list prior to paying extortion demands. However, the true identity of the cyber criminals extorting victims is usually not known, so it’s difficult for organizations to determine if they are unintentionally violating U.S. Treasury sanctions. Sometimes victims pay threat actors before they are sanctioned. For example, many victims have paid the 'SamSam' ransomware operators in the past, not knowing they were based in Iran at the time.
"In recent months, the individuals (referred to as 'EvilCorp') involved with the Dridex banking malware have been connected with the WastedLocker ransomware family. Some extortion payment organizations have decided that they would not pay extortion demands associated with WastedLocker incidents out of fear of violating U.S. Treasury sanctions."
Carmakal added some general considerations on the ransomware threat, lest anyone be inclined to minimize it.
"Ransomware is the most significant and prevalent cybersecurity threat facing corporations today. Most threat actors choose to monetize their intrusions by stealing data, deploying ransomware, shaming, and extorting victims. Some threat actors have specifically targeted hospitals in an attempt to make millions of dollars, a line that many threat actors refuse to cross.
"Today’s ransomware and extortion problem is unbearable. Mandiant is aware of over 100 organizations in which ransomware operators had network access to in September alone, more than double what we were aware of in September of the previous year.
"Many ransomware operators steal a large volume of sensitive data from organizations prior to deploying encryptors and locking organizations out of their systems and data. Threat actors may ask for money for a decryption tool, a promise to not publish the stolen data, and a walkthrough of how they broke into the network. These extortion demands are in the 6-figure range for smaller companies and 7-8 figures for larger companies. We are aware of several victim organizations that paid extortion demands between $10M and $30M."
One takeaway from the Wall Street Journal's coverage: if you do pay, don't keep ransomware payments quiet. It's a bad look, and it will land you in hot water.
Comment on the US energy security bills.
The Cyber Sense Act, the Enhancing Grid Security Through Public-Private Partnerships Act, the Energy Emergency Leadership Act, and the Grid Security Research and Development Act all cleared the US House of Representatives this week by voice vote, and with strong bipartisan support. The four measures now go to the Senate for further action.
Andrea Carcano, co-founder of Nozomi Networks, approves of the legislation, and hopes it bears fruit:
“We applaud these legislative efforts that underscore our own efforts to enable critical infrastructure organizations to improve cyber resiliency. Many utilities, for example, are evaluating options for augmenting the cyber security of their industrial networks. One fundamental security best practice is having real-time visibility into cyber security attacks, risks and incidents. Previously, the technology to provide such visibility for large, heterogeneous, high availability (HA) industrial systems did not exist.
"Increasing cyber threats, management concerns and government policies are driving power generation, substation and electric grid operations to improve the resiliency of their systems with enhancements to cyber security programs. An important part of this effort is the implementation of innovative solutions that improve OT and IoT network visibility, cyber resiliency and availability. Without network and device visibility, it’s difficult to stay on top of what’s happening at the grid or substation level. One small change or networking issue can impact reliability, safety and revenue.
"While a fast response to threats and anomalies is critical, spotting issues requires real-time visibility into assets, connections, communications and more. Unfortunately, these are capabilities that many power transmission and distribution systems lack. Security gaps related to people, processes and technology can have a big impact on operational resiliency too. For example, the traditional divide between IT and OT, at a time when power grid networks are increasingly connected with business networks, can lead to cyber security blind spots. But, with a focus on training, best practices and the right technology, power grid operators can improve reliability and resiliency.”
Iowa inaugurates VDP.
Although Vulnerability Disclosure Programs (VDPs) are a cybersecurity best practice, only two US states have them, StateScoop reports: Ohio, and now Iowa. Yesterday Iowa announced that it will be working with white-hat hackers at Bugcrowd to test state-operated election, business, and victim outreach websites for vulnerabilities. The crowdsourced security company has already uncovered multiple minor issues.