At a glance.
- A call for Congressional action on ransomware.
- Russia says it didn't do nothin'. Says Russia.
- Verizon releases its look at cyberespionage.
- Canada considers a comprehensive data privacy law.
- Christopher Krebs is out at US CISA.
A call for US Congress to knuckle down on ransomware.
The newly appointed chair of the House cybersecurity subcommittee, Representative Underwood (Democrat, Illinois 14th), said at a speaking engagement that the Government shouldn’t merely direct organizations not to pay ransom and then abandon them “to fend for themselves,” StateScoop reports. Her recommendations include, first, Senate passage of a House-approved $400-million cybersecurity fund; second, charging CISA with responding to attacks; and third, facilitating better state and local cybersecurity education.
Russia denies responsibility for Covid hacks, plays the whipping boy.
Moscow is attributing Microsoft’s finger-pointing over the spate of recent attacks on vaccine researchers to a hot new anti-Russia trend in geopolitics, according to SecurityWeek. Deputy Foreign Minister Sergei Ryabkov said the country is pleased enough with its own progress, which includes registered vaccines Sputnik V and EpiVacCorona, and Russian companies are actually the ones under attack.
Verizon debuts cyber-espionage lookbook.
Verizon’s 2020 Cyber-Espionage Report shows North America having the most total breaches over the past seven years, but the fewest espionage-related breaches. The Asia-Pacific region was subject to the most espionage-related breaches, closely seconded by the Europe, Middle East, and Africa region. Ninety-three percent of the threat actors behind espionage breaches were state-directed or affiliated (to the best of Verizon’s knowledge), while just fourteen percent of total breaches were.
Proposed Canadian privacy law has teeth.
Ottawa’s potential new Digital Charter Implementation Act, drafted to refurbish decades-old rules, would fine businesses up to five percent of their total revenue for misusing Canadians’ data, Reuters reports. If Parliament passes the law, residents will be able to request deletion of their information, or else, à la the EU’s GDPR. The law would also require greater transparency from companies about how their AI and algorithms “make significant recommendations about individuals.”
Trevor Morgan, product manager with comforte AG, wrote us, “The introduction of Canada’s proposed Digital Charter Implementation Act continues the trend toward tighter governmental regulation of businesses handling and processing consumers’ private and sensitive data. Steeper fines only add to the incentive for companies to comply with data privacy mandates, joining other negative outcomes such as tarnished brand reputation and loss of trust in the offending business.”
Ave atque vale, Director Krebs.
Last night President Trump fired Cybersecurity and Infrastructure Security Agency Director Christopher Krebs. In the two-tweet thread he used to announce the dismissal, President Trump called Director Krebs’s assurance that the recent US elections were secure “highly inaccurate,” and gave that assessment as his grounds for the firing. The move had been expected for several days, with speculation that Director Krebs was in White House hot water having circulated since the middle of last week at least.
At issue, apparently, were repeated assurances by the CISA Director that there was no evidence of any systematic large-scale hacking of voting systems. Krebs’s work at CISA had received good, bipartisan, international, and industry reviews; he was generally well-regarded in the cybersecurity sector. The Wall Street Journal and SC Media are among the publications that summarize reactions to his dismissal. We’ve seen few comments that approve of the firing. Most of those in and around the cybersecurity sector think he’d been doing a good, focused, and nonpartisan job throughout his tenure. Many will miss the quiet voice and the loud socks.
We received a comment from Chloé Messdaghi, VP of Strategy at Point3 Security, that's not unrepresentative of what we're seeing elsewhere:
"The dismissal of Christopher Krebs as Director of the Cybersecurity and Infrastructure Security Agency is political, surreal, and disheartening. We in the cybersecurity community are deeply committed to identifying and preventing or blocking all threats to the best of our ability, including misinformation and disinformation. Chris Krebs and the CISA team have done a singularly brilliant job, and done it transparently, under what has been one of the most divisive and fraught election cycles in our Country’s history.
"CISA's role was to be the organization that works closely with all stakeholders – industry, public sector and the American people – and to help keep the US ahead of cybersecurity threats, both those in the form of attacks and of misinformation campaigns. Chris and the team have done a brilliant job in protecting this Country, and fully realized that their jobs were at potential risk for doing so. Many in the cybersecurity community are deeply disappointed and more than a bit nervous."
From an ally, Ciaran Martin, until his retirement this summer Director of GCHQ's National Cyber Security Centre, tweeted, "Not seeking to distract attention from the wider issues, but I just want to put on record a tribute to the outstanding service of @CISAKrebs. He’s been the best partner an ally could hope for. People in [the US, the UK] and beyond are safer online because of his work and leadership."
Matthew Travis, who had been Deputy Director, is also reported to have resigned. As we write, CISA hasn’t updated its leadership page yet, but it would appear that the agency will be run on an acting basis by its Executive Director, Brandon Wales. We heard from Jerry Ray, COO of SecureAge, who shared some thoughts about succession with CISA:
"While unlikely that the firing of the CISA Director will inspire cyber attacks from abroad on critical infrastructure in the US because systems appear more vulnerable today than yesterday, industry partners, observers, and US citizens certainly will be skeptical of any statements made by CISA about the election or anything else between now and January 2021. Supporters of the President will have bought into his claims of CISA and its Director having failed completely and lied about election security. And detractors of the President will assume that anyone who accepts such a tenuous appointment by the lame duck President as the new Director will be complicit in his claims. Until the Biden administration can take over, the best outcome for now would be an interim appointment of someone within CISA who built the Agency together with Krebs."
It’s worth noting that Krebs had long publicly explained, before and during Election Day, that unofficial results reported by the media were just that, unofficial. He had also publicly insisted, right up to the eleventh hour, that the election wasn’t going to be over until any necessary recounts had been conducted, and the votes were all certified. Everyone should expect, he said, that process to take weeks.
These have been at least as clearly the themes of his public statements as have his reassurances about security. In fairness this seems hardly the sort of thing a shill for hostile partisans would be likely to emphasize. May all honest counting and recounting continue.