At a glance.
- CISA rethinks Federal network defenses, post-SolarWinds.
- Mandatory reporting, Washington and Canberra style.
- The US International Cybercrime Prevention Act.
CISA rethinks network defenses and directives post-SolarWinds.
Over the course of answering Congressional queries in the wake of Holiday Bear’s gambol, FCW says Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales disclosed that CISA does not track which Federal agencies are segmenting and segregating their networks in line with CISA’s voluntary guidance. A spokesperson for Senator Ron Wyden (Democrat of Oregon) told FCW CISA should use its “authority to require agencies to adopt cybersecurity best practices.”
Wales confirmed that proper firewalls could have impeded Holiday Bear’s movement, but clarified that some of the one-hundred agencies under CISA’s purview might not be able to implement them for operational reasons. CISA is “continuously evaluating opportunities to use binding operational directives or other authorities to drive appropriate security measures,” Wales added, noting, “we need to rethink our approach.”
Wyden also wondered why CISA’s $6 billion EINSTEIN program didn’t flag network traffic related to the SolarWinds breach. Wales shared that CISA intends to leverage its $650 million American Rescue Plan budget increase to "rapidly accelerate the transition from a perimeter defense construct to a construct whereby agencies and CISA will be better situated to identify threat activity within federal networks in near-real-time."
US and Australian legislatures weigh mandatory reporting.
Breaking Defense summarizes the much-anticipated draft incident disclosure law from US Senators Mark Warner (Democrat of Virginia), Marco Rubio (Republican of Florida), and Susan Collins (Democrat of Maine). The Cyber Incident Notification Act of 2021 would give Federal agencies, critical infrastructure owners and operators, and Government contractors twenty-four hours to report breaches to CISA. To give impacted parties social and legal cover, the law would shield incident reports from non-Congressional subpoenas, Freedom of Information requests, and legal proceedings.
Similar bills are in the works in both the House and Senate, and, of course, the lawmakers may ultimately consolidate them in conference. At present, a patchwork of state and Federal laws, orders, and rules governs incident reporting. The Cyber Incident Notification Act is designed to preserve existing regulations.
The Record reviews Canberra’s proposed Ransomware Payments Bill 2021, which would require businesses to notify the Australian Cyber Security Centre (ACSC) if they plan to pay a ransom, and places the measure in the context of other countries’ emerging ransomware policies. The US Ransomware Task Force suggested mandatory reporting of both compromise and payment, and four US states are evaluating ransom bans. France and Britain, meanwhile, are pressuring insurance firms to limit ransomware coverage.
Comment on the International Cybercrime Prevention Act.
The International Cybercrime Prevention Act would, among other things, make violations of CFAA, the US Computer Fraud and Abuse Act, a RICO predicate, and use of illegal interception devices a money laundering predicate offense. These would give prosecutors more ways of going after sophisticated cybercriminals. We heard from two industry sources on the legislation. David Stewart, CEO of Approov, likes the more powerful law enforcement tools: "Extending the ability to seek relief when 'modern' attack vectors such as APIs are utilized is a very positive step forward. Although ransomware is much in the news currently, there is a constant backdrop of data exfiltration and plain old fraud via the exponentially expanding threat landscape. Therefore being able to aggressively pursue the perpetrators of CI ransomware and other criminal acts is very welcome."
Dr. Chenxi Wang, General Partner at Rain Capital, also likes what she sees: "It is about time that cybercriminals, especially those that perpetuate ransomware attacks, are prosecuted to the full extent of the law. I am happy to see that the government is considering stricter penalties for those threat actors, many of them are foreign based. Because of the widespread impact of these attacks, I also think it is important to go a step further to establish international coalitions or treaties against ransomware and critical infrastructure attacks, perhaps in the same vein as the nonproliferation [clauses] of nuclear weapons treat[ies].”