At a glance.
- Updates on the Russo-US summit.
- Reaction to the summit's outcome.
- Prospective breach legislation under consideration by the US Senate.
Updates on the Russo-US summit.
The Guardian reports President Biden's and President Putin's cyber takeaways from yesterday's summit. President Biden drew a red line around domestic critical infrastructure, reminding Moscow of the US's "significant cyber capabilities," according to the BBC. It's not clear that this line will ward off privateers. President Putin announced an arrangement to "begin [cybersecurity] consultations," under which an ongoing working group will hammer out mutual understandings and address individual incidents. Reuters notes that the two countries' ambassadors will now return to their posts, with both leaders describing the talks in polite terms: President Putin used the words "efficient" and "substantive," according to AP News.
President Biden did ask President Putin how he'd "feel" if a ransomware gang based in the US state of Maine or Florida attacked Russian oil pipelines, the "single lifeline to their economy," and said he could see the question's impact on the Russian officials present. Look beyond the schoolyard categorical imperative in which the President couched his words: it clearly amounted to raising a credible prospect of retaliation. While President Biden said he made no "threats," Politico reports a US official's remark that "'The Sopranos' and the 'Godfather' movies are instructive on dealing with these folks."
President Putin marked a “glimpse of hope” for mutual trust; President Biden described “self-interest and verification of self-interest” as more reliable measures of progress. For Moscow to alter course, President Biden said, “the rest of the world” must apply pressure. The Hill casts moving towards a “workable degree of predictability” as the Biden Administration’s goal for the summit, noting critics’ fears that President Putin benefited from the opportunity to preen on an international stage.
Two Washington Post articles note outstanding disagreements over cybersecurity, sovereignty, and human rights. While President Biden sees President Putin as motivated by damage to Moscow's global reputation, others argue that public censure has done little to impede Russian cyberattacks, and that concrete consequences are necessary. Former cyber official James Lewis remarked, "They're going to test us…The next phase is coming up with ways to more comprehensively threaten them."
Setting critical infrastructure off limits also presents difficulties, for two reasons: critical IT, defense, and communications systems are frequent targets of both foreign and domestic espionage, and systems are often deemed "critical" only in retrospect. The call to put critical infrastructure off-limits to cyberattack is reminiscent of the way certain targets are prohibited under the international law of armed conflict.
Reactions to the Russo-American summit.
We received several comments on the summit from observers. Meg King, Director of the Science and Technology Innovation Program at The Wilson Center, sees some prospect for future cooperation between Russia and the United States:
"President Biden's announcement that the US and Russia will task experts in both countries to address the threat of ransomware attacks being carried out within Russia to discuss 'what's off-limits and to follow up on specific cases' is critical.
"Sold as a mutual interest, which President Putin confirmed separately, this technical working group will deepen and create relationships necessary to get a better early warning about criminal hacking groups and agree on efforts to stop them. Putin's comment that 'we need to get rid of insinuations' and 'begin consultations on this topic' suggests that Russia will cooperate, at least at the working level."
Marcin Kleczynski, CEO of Malwarebytes, welcomed the attention paid to the international dimensions of ransomware, and would like to see Federal action to address the problem domestically as well: "It's overdue ransomware receive international spotlight, and while international relations is important, we need to start at home. I encourage the US to pass legislative controls and instate cybersecurity standards for all. Federal action cannot wait any longer."
Mark Manglicmot, VP, Security Services at Arctic Wolf, recalls some lessons from the Cold War:
“The reality is we still need to ‘trust but verify’ when it comes to Russia, just as Ronald Reagan said more than 30 years ago. While the recent summit offered possible glimmers of encouragement, it’s clear this is no time to stand down and organizations cannot put their guard down when it comes to anticipating and defeating cyber-attacks.
“As a country, we must take cybersecurity seriously, just like any other national security issue. Ransomware remains a critical issue Western leaders and companies need to continue addressing. We advise that everyone remain vigilant with their cyber defense policies and programs and focus on comprehensive security operations to have the ability to detect and mitigate these threats quickly before they turn into breaches.”
Cybersecurity legislation under consideration in Congress.
Among the measures under consideration in the US Congress is draft Senate legislation that would establish a Federal mandate for data breach disclosure. CNN describes the draft as requiring disclosure within twenty-four hours.
Ilia Kolochenko, founder of ImmuniWeb, wrote about the likely effects of this and other legislation:
“Receiving breach reports for centralized investigation and prevention, while providing companies with certain immunities for the disclosure, is a wise and timely idea. In view of the gigantic volume of data such legislation may create, CISA will certainly need a tenfold increase of its existing budget, otherwise, valuable threat intelligence information will just gather dust in CISA archives. Furthermore, interagency collaboration is to be enhanced and better organized to enable investigation and judicial prosecution of wrongdoers, something that CISA is not entitled to perform without the FBI and DOJ for example.
"Another point to bear in mind is whether the new federal law will preempt existing state and federal laws, such as HIPAA or HITECH, that already incorporate mandatory breach notifications that are, however, mostly focused on notifying victims. Finally, the privacy question is crucial: many breach notifications may inadvertently disclose sensitive information about individuals including foreign citizens or expose corporate trade secrets. A comprehensive data protection and privacy framework must be defined by CISA prior to requesting the data breach reports.”