At a glance.
- US Coast Guard forms a Cyber Operational Assessments Branch.
- The US Department of Homeland Security issues pipeline cybersecurity regulations.
- An overview of New Zealand's response to the Waikato ransomware incident.
- Privateers in cyberspace.
US Coast Guard to form a Cyber Operational Assessments Branch.
A reorganization at the US Coast Guard, Federal News Network reports, will see the service’s cyber blue team become a Cyber Operational Assessments Branch, complete with a red team. The blue team will continue its work on vulnerability assessments, endpoint scanning, and acquisitions security, and the red team will assist with penetration testing while playing the role of cyber adversary. The new Branch plans to prioritize 5G “challenges and opportunities.”
US DHS issues pipeline cybersecurity requirements: both TSA and CISA are involved.
As expected, the US Department of Homeland Security this morning released its cybersecurity requirements for pipelines. The Transportation Security Administration (TSA) directive requires pipeline owners and operators "to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week. It will also require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days."
New Zealand’s response to the Waikato DHB ransomware attack.
Two articles in the NZ Herald examine Wellington’s reaction to “the biggest [cyber incident] in New Zealand’s history,” a ransomware attack stalling operations at a District Health Board (DHB) overseeing five hospitals. Health Minister Andrew Little commented, "Ransomware attacks are a crime. The New Zealand Government will not pay ransoms to criminals because this will encourage further offending." The Ministry is standing by to assist the DHB as necessary with any fallout from leaked data, and the health system is bracing for a “backlog” of patients and unentered records.
The Officials' Committee for Domestic and External Security Co-ordination (ODESC), a crisis response unit, met earlier this week, as did another “cross-Government emergency response group.” The units are providing both cyber and logistical support.
Privacy Commissioner John Edwards urged the country’s DHBs to remediate known vulnerabilities, warning that negligent Boards could face liability for resultant harms. "If we find that any DHB does not have adequate security,” he said, “we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions.”
An emerging species of threat actor?
Cisco Talos makes the case for a new category of “state-related” threat actors, “privateers,” who “enjoy some kind of protection from Governments,” usually in the form of shelter from law enforcement. Ransomware gangs that avoid hitting members of the Commonwealth of Independent Countries, for example, benefit from impunity in the region.
Setting aside that, absent legal status or formal agreements, “pirates” might be a more historically accurate descriptor (brigands of the sea also struck wink-and-nod bargains of mutual benefit with ruling parties), privateers, in contrast to petty crooks or other categories of state-related actors, rely on sophisticated infrastructure, target “big game,” and follow the profit motive.
Talos concludes, after their first crack at mapping the evolving threat landscape, that we’ll be hearing a lot more from privateers in the coming years. But we should keep a few things in mind, even as we consider Talos's useful contribution: classic privateers were lawful combatants who operated under national authority and within the scope of admiralty law. Cyber privateers are criminals, however useful they may be to the governments who foster them.