Expertise and non-proliferation. Big Tech to testify. Cyprus and critical infrastructure. Reactions to US Treasury ransomware advisory.

Summary

By the CyberWire staff

At a glance.

Expertise as a proliferation risk.
Big Tech will come to Capitol Hill.
Cyprus initiates critical infrastructure protection programs.
Reaction to US Treasury "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments."

Think tank sounds alarm about “know-how proliferation.”

A recent report by UK think tank The Tactics Institute for Security and Counter Terrorism says the EU and UK should “treat the export of technology and technological know-how like the export of conventional weapons” and deploy rigid antiproliferation tactics, according to an Institute press release. The call comes in response to cyberthreats posed not only by China and Russia, but by the potential abuse of cyber tools by other regimes, generally friendly but with checkered records, like Saudi Arabia and the United Arab Emirates. One worry is that cyber tools can be used to gather kompromat on influential figures; another is the potential for human rights abuses and the targeting of political opponents. Cautioning that Western intellectual property and human capital in the wrong hands can be used to “subvert democracy,” the Institute also appeals to NATO to participate in a solution that would combine blacklists, licenses, and penalties. Of particular concern are ex-military, intelligence, and law enforcement personnel. The authors recommend regulating powerful technology and banning “cyber-mercenaries” from “working with regimes engaged in hostile action against any EU or NATO country.”

Zuckerberg, Pichai, and Dorsey will testify before US Senate.

Politico reports that Google, Twitter, and Facebook CEOs have voluntarily decided to appear (virtually) before the Senate Commerce Committee after the commission unanimously voted in favor of subpoenas to compel their testimony. The Committee will review the companies’ existing legal immunities amid concerns about speech and information regulation (as the CyberWire's Pro Policy Briefing has discussed). Democrats initially fought the move, but acquiesced when the hearing’s purview was broadened to include “data privacy” and “media consolidation.”

Cyprus tackles cybersecurity.

Financial Mirror says Cyprus is taking cybersecurity by the horns in recognition of current risks to commercial and governmental interests. As of now, “ministries,” “ports,” “electricity distribution networks,” “transport,” “water,” “energy,” “banking,” “shipping,” “healthcare,” and “digital infrastructure” are “essentially unprotected.” EU regulations require the country’s Digital Security Authority (DSA) and Computer Security Incident Response Team (CSIRT) to enact a 2016 cybersecurity Directive. The agencies must design rules, oversee their implementation, track and respond to threats, and share information with other EU members. Cyprus is working to entrench best practices in the business community as well, since private entities often partner with public, and pose additional attack vectors. Next on the list are initiatives aimed at the general public, such as an interactive cybereducation facility for schoolchildren.

More reaction to the US Treasury Department's letter on ransom and sanctions violation.

We received comments late Friday from Nozomi Networks CEO Edgard Capdevielle and from Melody J. Kaufmann, cyber security specialist for Saviynt, on the letter the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) published to remind organizations that paying ransom may place an organization in violation of OFAC-administered sanctions. The caution applies not only to the organization directly targeted by ransomware, but to third parties (like insurance companies) who might assist ransomware victims in paying their attackers.

Nozomi's Capdevielle thinks that both regulation and practice are moving away from paying ransom demands:

“Ransomware attacks are continuing to rise, and without a doubt the stakes are getting higher. These attacks are increasing in volume and sophistication and while it might be tempting to pay a ransom, doing so only fuels the fire. We are seeing more instances where the public and private sector respond to the pressure and pay the ransom. In addition to this week's OFAC advisory, Senators Warren and Wyden have both introduced separate bills that would hold corporate executives accountable if they fail to take cybersecurity seriously.

"Ransomware attacks and other cyberthreats will continue to remain constant as our personal lives and business operations continue to digitalize. That’s why choosing to pay a ransom is too often a short-sighted response that could come at a high cost. Research has shown that paying a ransom can double the cost of recovery. Building, maintaining and constantly improving an organization’s cybersecurity program is always the best approach and there are certainly tools available today that provide cost effective solutions.

"Fortunately, choosing to pay a ransom is not an approach we’ve seen corporate boards take in the industrial networking and critical infrastructure space. Paying a ransom can be a slippery slope - and even illegal in some cases as we now see with the OFAC advisory. Organizations that give into hackers’ demands are only supporting the profitability and growth of ransomware activity. When it comes to ransomware attacks, prevention will always be better than a cure.”

Kaufman, on the other hand, sees Treasury's warning as appealing on its face but fundamentally misguided, more performance theater than helpful regulation:

"This advisory is a lot like a good-looking partner who is a horrible person. On the surface, it's attractive, but there's an awful lot that's wrong about it. Ransomware persists because it's profitable. Penalizing businesses that pay off attackers sounds like it will make ransomware less lucrative. The converse is true. This advisory will propagate ransomware rather than reduce it for three key reasons. First, it disincentivizes reporting ransomware attacks, robbing law enforcement, security professionals, and analysts of data vital to combat future attacks. Second, it fails to provide an effective data recovery alternative. Third, It favors big corporations while crushing small to medium businesses beneath its heel.

"Small and medium businesses are notorious for having weak security because maintaining an information security team is often cost-prohibitive. Lack of security increases their risk and the likelihood of infection. This advisory discourages them from contacting law enforcement by increasing the chance of a fine. Often paying the ransom is cheaper than the cost of losing their data or recovering from back-ups, which few small businesses even maintain. The treasury department will only learn of a ransomware attack on a small or medium business via a disgruntled employee or a media outlet reporting it. By not engaging law enforcement, these businesses reduce the odds of dealing with a penalty. For companies struggling in an economy devastated by the pandemic, recovering operations after an attack is the difference between survival and permanent closure. Adding the weight of a penalty simply because they reported the attack could push them out of business. This advisory makes contacting law enforcement more of a threat than the attack itself.

"Larger businesses, on the other hand, know the eyes of the world are watching; thus, involving law enforcement isn't out of the norm. A ransomware attack on these operations will hit the news cycle, so a cover-up isn't feasible. Enterprises with enough resources to maintain a security team generally have both an off-site back-up as well as a recovery plan recoverable. Neither Penalties nor the expense of "full and timely cooperation with law enforcement" are likely to force them out of business should they elect to pay the ransom.

"On close inspection, this treasury advisory is a performance theater on their part with the potential for harmful unintended consequences rather than a realistic attempt to staunch the flood of ransomware attacks. At best, it creates excessive burdens on all companies to demonstrate compliance with law enforcement. On the other hand, it leans heavily toward victim-blaming encouraging small and medium businesses to remain silent about attacks they might otherwise have reported."

Selected Reading

A guide to the General Data Protection Regulation (Pinsent Masons) The entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018 brought about the biggest overhaul of EU data protection law in more than 20 years and represented an attempt by EU policy makers to ensure the law on the collection, use, sharing and protection of personal data was fit for the digital age.

Spy panic: Thinktank calls for BAN on British spies joining hostile foreign governments (Express) A leading thinktank has called on former British spies from being banned from getting jobs with hostile foreign governments.

Cyprus getting to grips with Cybersecurity (Financial Mirror) The Digital Security Authority (DSA) is bolstering efforts to enhance cybersecurity in Cyprus by addressing risks to essential services while creating a safer environment for investors and businesses. Recent comments by high ranking state officials have put the spotlight on cybersecurity gaps in crucial state services such as ministries, ports, water, and electricity distribution networks.

Opinion | A Huawei Turning Point (Wall Street Journal) Germany could soon effectively ban the firm from its 5G network.

Greece joins 'anti-Huawei camp' as US seals stronger ties (Nikkei Asia) Nation turns sharply from pro-China policy amid Turkish standoff in Mediterranean

Former lawmaker warns: Cell towers can be ‘bridges’ for espionage (The Manila Times) Former Bayan Muna party-list representative Neri Colmenares has warned against the putting up of cell towers within camps of the Armed Forces of the Philippines (AFP) by the Dito Telecommunity, saying it might become a bridge for China’s espionage mission in the country. Colmenares, chairman of the support advocacy group Citizens for Philippine Sovereignty, said […]

Expert On GCHQ Discovered 'Nationally Significant' Vulnerability In Huawei Equipment (Information Security Buzz) A “nationally significant” vulnerability were discovered in Huawei equipment used in the UK’s telecommunications networks. Vulnerabilities are usually software design failures which could allow hostile actors (in particular the Chinese state when it comes to Huawei) to conduct a cyber attack. They are not necessarily intentional and can’t be seen as an indication of any hostile intent …

Trump Attack On Huawei Imperils US Chipmakers (Forbes) Slowly but surely politicians in Washington and Beijing are splitting the internet in half, and that is bad news for innovation and technology investors.

House Version of EARN IT Act Introduced (Decipher) The EARN IT Act has now made its was into the House of Representatives, with a key change from the Senate version’s stance on encryption.

Senate panel secures top tech CEO testimony for Oct. 28 (POLITICO) The heads of Facebook, Google and Twitter will testify virtually less than a week before the election.

()

Cyber safety awareness campaign launched in Assam (ETTelecom.com) The 'CyberSafety' campaign will be jointly conducted by the Assam Police and cyber-security think tank Cyber Peace Foundation (CPF), Additional Direct..

Secretary Pate launches new measures to bolster Iowa election security (KTVO) Iowa Secretary of State Paul Pate announced Thursday a new cybersecurity initiative to ensure the protection of Iowa's election infrastructure.

California Governor Newsom Signs into Law Extension to CCPA Employee Personal Information Exemption, Vetoes Another Privacy Bill (Lexology) On September 29th, California Governor Gavin Newsom signed into law AB 1281, an amendment to the California Consumer Privacy Act (“CCPA”) that would…

()

Deputy minister: Cyber crime cases in Malaysia worrying as 94pc of children exposed to porn online (Malay Mail) According to police sources, 9,215 commercial crime cases have been recorded nationwide involving losses amounting to RM717.2 million for the period January to April. Communications and Multimedia Deputy Minister Datuk Zahidi Zainul Abidin said 5,697 incidents of cyber fraud...

Ransomware victims find themselves between rock and hard place (Fortune) Pay up and risk breaking the law, or remain crippled.

Justice Department Appeals Injunction Against WeChat (Wall Street Journal) The Trump administration filed court papers seeking to overturn a federal magistrate’s ruling that stopped a U.S. ban on China’s ubiquitous messaging and e-commerce app WeChat.

Brennan Rebuffed Requests to Lower Confidence in Key Russia Finding (New York Times) The revelation that the former C.I.A. director sided with analysts over senior officers, contained in his new book, has been a focus of the Justice Department review of the Russia inquiry.

Ex-CIA Director Reveals Internal Division At Spy Agency Over Trump-Russia Intelligence (Daily Caller) Former CIA Director John Brennan reveals in a forthcoming book and interview that there was internal divisioin at the spy agency over Trump-Russia intelligence.