At a glance.
- Expertise as a proliferation risk.
- Big Tech will come to Capitol Hill.
- Cyprus initiates critical infrastructure protection programs.
- Reaction to US Treasury "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments."
Think tank sounds alarm about “know-how proliferation.”
A recent report by UK think tank The Tactics Institute for Security and Counter Terrorism says the EU and UK should “treat the export of technology and technological know-how like the export of conventional weapons” and deploy rigid antiproliferation tactics, according to an Institute press release. The call comes in response to cyberthreats posed not only by China and Russia, but by the potential abuse of cyber tools by other regimes, generally friendly but with checkered records, like Saudi Arabia and the United Arab Emirates. One worry is that cyber tools can be used to gather kompromat on influential figures; another is the potential for human rights abuses and the targeting of political opponents. Cautioning that Western intellectual property and human capital in the wrong hands can be used to “subvert democracy,” the Institute also appeals to NATO to participate in a solution that would combine blacklists, licenses, and penalties. Of particular concern are ex-military, intelligence, and law enforcement personnel. The authors recommend regulating powerful technology and banning “cyber-mercenaries” from “working with regimes engaged in hostile action against any EU or NATO country.”
Zuckerberg, Pichai, and Dorsey will testify before US Senate.
Politico reports that Google, Twitter, and Facebook CEOs have voluntarily decided to appear (virtually) before the Senate Commerce Committee after the Committee unanimously voted in favor of subpoenas to compel their testimony. The Committee will review the companies’ existing legal immunities amid concerns about speech and information regulation (as the CyberWire's Pro Policy Briefing has discussed). Democrats initially fought the move, but acquiesced when the hearing’s purview was broadened to include “data privacy” and “media consolidation.”
Cyprus tackles cybersecurity.
Financial Mirror says Cyprus is taking cybersecurity by the horns in recognition of current risks to commercial and governmental interests. As of now, “ministries,” “ports,” “electricity distribution networks,” “transport,” “water,” “energy,” “banking,” “shipping,” “healthcare,” and “digital infrastructure” are “essentially unprotected.” EU regulations require the country’s Digital Security Authority (DSA) and Computer Security Incident Response Team (CSIRT) to enact a 2016 cybersecurity Directive. The agencies must design rules, oversee their implementation, track and respond to threats, and share information with other EU members. Cyprus is working to entrench best practices in the business community as well, since private entities often partner with public, and pose additional attack vectors. Next on the list are initiatives aimed at the general public, such as an interactive cybereducation facility for schoolchildren.
More reaction to the US Treasury Department's letter on ransom and sanctions violation.
We received comments late Friday from Nozomi Networks CEO Edgard Capdevielle and from Melody J. Kaufmann, cyber security specialist for Saviynt, on the letter the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) published to remind organizations that paying ransom may place an organization in violation of OFAC-administered sanctions. The caution applies not only to the organization directly targeted by ransomware, but to third parties (like insurance companies) who might assist ransomware victims in paying their attackers.
Nozomi's Capdevielle thinks that both regulation and practice are moving away from paying ransom demands:
“Ransomware attacks are continuing to rise, and without a doubt the stakes are getting higher. These attacks are increasing in volume and sophistication and while it might be tempting to pay a ransom, doing so only fuels the fire. We are seeing more instances where the public and private sector respond to the pressure and pay the ransom. In addition to this week's OFAC advisory, Senators Warren and Wyden have both introduced separate bills that would hold corporate executives accountable if they fail to take cybersecurity seriously.
"Ransomware attacks and other cyberthreats will continue to remain constant as our personal lives and business operations continue to digitalize. That’s why choosing to pay a ransom is too often a short-sighted response that could come at a high cost. Research has shown that paying a ransom can double the cost of recovery. Building, maintaining and constantly improving an organization’s cybersecurity program is always the best approach and there are certainly tools available today that provide cost effective solutions.
"Fortunately, choosing to pay a ransom is not an approach we’ve seen corporate boards take in the industrial networking and critical infrastructure space. Paying a ransom can be a slippery slope - and even illegal in some cases as we now see with the OFAC advisory. Organizations that give into hackers’ demands are only supporting the profitability and growth of ransomware activity. When it comes to ransomware attacks, prevention will always be better than a cure.”
Kaufmann, on the other hand, sees Treasury's warning as appealing on its face but fundamentally misguided, more performance theater than helpful regulation:
"This advisory is a lot like a good-looking partner who is a horrible person. On the surface, it's attractive, but there's an awful lot that's wrong about it. Ransomware persists because it's profitable. Penalizing businesses that pay off attackers sounds like it will make ransomware less lucrative. The converse is true. This advisory will propagate ransomware rather than reduce it for three key reasons. First, it disincentivizes reporting ransomware attacks, robbing law enforcement, security professionals, and analysts of data vital to combat future attacks. Second, it fails to provide an effective data recovery alternative. Third, it favors big corporations while crushing small to medium businesses beneath its heel.
"Small and medium businesses are notorious for having weak security because maintaining an information security team is often cost-prohibitive. Lack of security increases their risk and the likelihood of infection. This advisory discourages them from contacting law enforcement by increasing the chance of a fine. Often paying the ransom is cheaper than the cost of losing their data or recovering from back-ups, which few small businesses even maintain. The treasury department will only learn of a ransomware attack on a small or medium business via a disgruntled employee or a media outlet reporting it. By not engaging law enforcement, these businesses reduce the odds of dealing with a penalty. For companies struggling in an economy devastated by the pandemic, recovering operations after an attack is the difference between survival and permanent closure. Adding the weight of a penalty simply because they reported the attack could push them out of business. This advisory makes contacting law enforcement more of a threat than the attack itself.
"Larger businesses, on the other hand, know the eyes of the world are watching; thus, involving law enforcement isn't out of the norm. A ransomware attack on these operations will hit the news cycle, so a cover-up isn't feasible. Enterprises with enough resources to maintain a security team generally have both an off-site back-up as well as a recovery plan. Neither penalties nor the expense of "full and timely cooperation with law enforcement" are likely to force them out of business should they elect to pay the ransom.
"On close inspection, this Treasury advisory is performance theater on their part with the potential for harmful unintended consequences rather than a realistic attempt to staunch the flood of ransomware attacks. At best, it creates excessive burdens on all companies to demonstrate compliance with law enforcement. On the other hand, it leans heavily toward victim-blaming, encouraging small and medium businesses to remain silent about attacks they might otherwise have reported."