At a glance.
- US adopts tougher anti-ransomware policies.
- SCOTUS limits CFAA.
US anti-ransomware policy: advice to industry and centralizing reporting.
Deputy National Security Advisor for Cyber Anne Neuberger this week issued a memo to industry leaders titled “What We Urge You To Do To Protect Against The Threat of Ransomware.” After summarizing the Federal Government’s progress towards building international partnerships, holding safe harbors to account, disrupting ransomware infrastructure, tracking threat actors, and formulating ransom payment policies, Neuberger turned to the private sector’s “critical responsibility.” Noting that “no company is safe” from ransomware’s threat to “core business operations,” she encouraged executives to “immediately convene” and “ensure your corporate cyber defenses match the threat.”
The memo recommended six targeted actions:
- “Implement the five best practices from the President’s Executive Order”
- “Backup your data, system images, and configurations, regularly test them, and keep the backups offline”
- “Update and patch systems promptly”
- “Test your incident response plan”
- “Check Your Security Team’s Work”
- “Segment your networks”
Reuters says the Department of Justice (DOJ) is moving to apply to ransomware cases a process ordinarily reserved for national security matters such as terrorism. US attorneys’ offices were directed yesterday to share information about cyber investigations involving ransomware, digital money laundering, cryptocurrency, unlawful digital marketplaces, botnets, bulletproof hosting services, and counter-anti-virus services with a central team in Washington. Former US Attorney Mark Califano explained that “heightened reporting could allow DOJ to more effectively deploy resources” and “identify common exploits.”
Ilia Kolochenko, founder of ImmuniWeb, commented that the decision is timely, but that the criminal market is to a significant extent sustained by the weak security practices at victim organizations that make successful ransomware attacks possible and lucrative:
“It’s a timely decision as financial losses caused by ransomware campaigns have already surpassed the damage caused by terrorist attacks in the last decade. The measure should, however, be underpinned by interagency collaboration and supplementary funding. Federal agencies have to compete for security and legal talents with the wealthy private sector and often cannot afford to hire the experts they need. Moreover, international collaboration is essential to curb surging ransomware attacks, including baseline cooperation with traditionally hostile jurisdictions. Otherwise, even once uncovered, the perpetrators will likely enjoy impunity due to missing an extradition treaty with a foreign jurisdiction. Finally, the government should consider promoting cybersecurity among businesses to establish continuous, risk-based and process-driven information security programs based on ISO 27001 or similar standards that cover people, processes and technologies. Most of the ransomware victims of all sizes neglected even the basics of data protection, eventually becoming a low-hanging fruit for unscrupulous cybercriminals. Therefore, merely prosecuting the criminals with more force will not help without first enhancing national cybersecurity awareness and preparedness.”
Supreme Court narrows the reach of major cybercrime law.
In a six-three decision, the US Supreme Court yesterday ruled in Van Buren v. United States that Federal prosecutors may not use the 1986 Computer Fraud and Abuse Act (CFAA) to charge individuals who are authorized to access a database but do so for an unauthorized purpose, Politico reports. The case concerned a former police officer caught searching a license plate database in return for a bribe.
Though explaining the decision as a product of the law’s language, not its effects, Justice Barrett wrote in the majority ruling, “The Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity,” including “using a pseudonym on Facebook.” Justice Thomas in a dissenting opinion observed, “Much of the Federal Code criminalizes common activity,” and “discomfort” with that fact “does not give us authority to alter statutes.”
Technology and advocacy groups like the National Whistleblower Center had raised concerns that the prevailing interpretation of the law jeopardized free speech and security research, in addition to criminalizing trivial terms-of-service violations. Organizations like the Federal Law Enforcement Officers Association, on the other hand, worry that narrowing the scope of the CFAA will limit prosecutors’ ability to tackle “insider threats.” A CNN Supreme Court analyst said the ruling will require governments and companies “to be far more specific in their policies governing access to databases.”
Robert Cattanach, a partner at the international law firm Dorsey & Whitney, offered comments on the distinction the majority drew:
“The consequences of the decision will be far-reaching, as an important tool for law enforcement will now be strictly limited to outside intruders. Conversely, however, the decision avoids the specter of vague line-drawing, and the threat of criminal prosecution, for when a user’s activities were ‘authorized.’
“In a divided decision, the Supreme Court ruled that individuals with approved access to computers, but misusing that access for improper purposes, do not violate the Computer Fraud and Abuse Act (CFAA). The decision resolves a split among US Circuit Courts of Appeal, which had adopted conflicting interpretations of the law. In a rare alliance of liberal and conservative Justices, in an opinion authored by Justice Barrett, the Court ruled that the language of the CFAA regarding unauthorized access meant whether the user was allowed to access the computer system itself, and not whether the use made of the system was within the scope of authority of the user. Justice Thomas dissented, joined by Chief Justice Roberts and Justice Alito.”