At a glance.
- Regulating social media as critical financial infrastructure.
- Banning ransomware payments.
Twitter as “critical infrastructure?” New York regulator recommends more oversight.
A New York State Department of Financial Services (DFS) report completed at the behest of the US state’s governor after July’s major Twitter breach (which the CyberWire followed) calls for enhanced social media oversight, according to the Wall Street Journal and New York’s official website. DFS backs classification of the platforms as “systemically important,” a designation typically accorded to vital infrastructure like banks and utilities.
Platform activity currently falls under the patchwork jurisdiction of the Federal Trade Commission, Securities and Exchange Commission, and Justice Department along with various state laws. Yesterday’s communiqué recommends establishing a “dedicated regulator” and contrasts Twitter’s response to the attack with that of the more heavily regulated cryptocurrency exchanges, which successfully stopped $1.5 million worth of fraudulent transactions.
Superintendent of Financial Services Linda Lacewell said, “Social-media platforms have quickly become the leading source of news and information, yet no regulator has adequate oversight of their cybersecurity. The fact that Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer.” DFS found Twitter lacked a chief information security officer when the event occurred.
Ransomware payments: to ban or not to ban.
In view of the US Treasury Department’s recent ransomware advisory and the potential first ransomware fatality, two occurrences the CyberWire covered, Search Security hosted a conversation on the viability of ransomware regulation.
Former UK National Cyber Security Centre CEO Ciaran Martin said the Treasury Department’s selective ban is nonsensical, and victims have no surefire way of identifying their assailants (and thus determining whether they are on the no-pay list).
CrowdStrike Senior VP of Intelligence Adam Meyers thinks a blanket ban would be unenforceable. Sophos representative John Shier suspects criminals would find workarounds like disguising payments as “consulting fees” and using shell companies.
Cybereason CISO Israel Barak would prefer guidelines that allow for professional “discretion” to legislation, and Mandiant Senior VP and Strategic Services CTO Charles Carmakal says victimized organizations have it hard enough as is.
Emsisoft argued that ransomware payments amount to public funding of criminal enterprise and perpetuate the cycle. Earlier this year CrowdStrike CTO Mike Sentonas commented that abundant payments are “fueling an industry.”