At a glance.
- Organizing an international response to cybercrime.
- Promoting cybersecurity literacy and awareness.
- The US Federal Trade Commission, anti-trust action, and Big Tech.
- Clarity about criticality, from NIST.
An update on organizing an international response to cybercrime.
The US Department of Homeland Security says Secretary Mayorkas’ Portugal trip early this week with the Justice Department for the US-EU Justice and Home Affairs Ministerial resulted in an agreement with European Commissioner Johansson to launch an EU-US anti-ransomware working group. The taskforce will deploy, among other efforts, “preventive and law enforcement measures.” Mayorkas also discussed hybrid threats, disinformation, data protection, cybersecurity, and information sharing on his visit.
The European Commission calls their new Joint Cyber Unit “an important step towards completing the European cybersecurity crisis management framework” and a “concrete deliverable of the EU Cybersecurity Strategy and the EU Security Union Strategy.” The Unit will coordinate civilian, defense, law enforcement, industry, and diplomatic partners via a physical and virtual commons with the goal of averting and responding to cyber crises. In addition to swapping best practices and real-time intel, the Unit will develop bloc-wide threat detection capabilities and run EU Cybersecurity Rapid Reaction Teams, Security Operation Centres, and the EU Cybersecurity Incident and Crisis Response Plan.
Margaritis Schinas, Vice-President for Promoting our European Way of Life, commented, "We need to pool all our resources to defeat cyber risks… Building a trusted and secure digital world, based on our values, requires commitment from all.”
Dr. Chenxi Wang, General Partner at Rain Capital, thinks these represent steps in the right direction. An international problem, she wrote, requires a coordinated international response:
“Ransomware is now an international problem and it will require international-scale coordination and collaboration as a response. Information sharing is one area in which the EU and US can strengthen their collaboration. Ransomware gangs may target businesses in multiple regions. The ability to share attack signatures and tactics, techniques, and procedures (TTPs) in a timely manner can be an effective measure against widespread ransomware attacks.
“Special criminal prosecution and extradition policies for ransomware offenses are another area that the EU and US can tackle. Criminals may think twice about targeting another country's businesses or infrastructure if they know they could be prosecuted in that country's jurisdiction.
“Establishing a no-ransomware treaty could be another area for collaboration. The impact of ransomware could rival some of the most destructive weapons ever created in human history. That is why a treaty, much in the same vein as the Nuclear Arms treaty, may be required to contain this problem.
“Traditional measures like law enforcement are difficult to work across international boundaries when sovereign countries have different views and attitudes toward the problem. Countries may have to work on special laws/policies for prosecution and extradition for ransomware offenses across the borders.
“Having a coalition between the EU and US on ransomware helps, but there are other countries where there are very few economic opportunities. People in those countries may turn to cybercrime as an outlet and their local law enforcement may not be incentivized to do anything, as these activities may create economic value for the country. This is an international-scale problem, and countries need to work together to create an international-scale response. An EU-US coalition could be the first step, but collaboration must extend to other countries where cybercrimes are rampant.”
Bill to promote cybersecurity literacy introduced in the US House.
The Hill has an account of the bipartisan American Cybersecurity Literacy Act, which would direct the National Telecommunications and Information Administration to set up a public cyber literacy program. The program would cover online safety, cybersecurity, and attack prevention with a focus on phishing, password hygiene, multi-factor authentication, and the risks of public WiFi.
Doug Britton, CEO of Haystack Solutions, thinks the priority the bill attaches to public education is right and proper:
“Educating and training the public and a cyber workforce should be national priorities. With an increasingly alarming and disruptive attack pattern making headlines and impacting citizens directly, the urgency on both fronts is real. The nation is underprepared to meet current and future demands for cybersecurity talent. As a nation we need to educate the public, and also be innovative and find cyber talent regardless of background or education. This is an excellent time to showcase the incredible opportunity for young people as well as career changers, who are interested in entering the cyber security industry. We have the tools to find aptitude for cyber talent wherever it lies. Bolstering this approach with public and private investment will be critical in ensuring the safety and public welfare of the nation.”
Rajiv Pimplaskar, CRO of Veridium, hopes that educated consumers will push for more frictionless authentication:
“Education is half the battle, and it’s great to see the NTIA launching a cyber literacy campaign. One of the key topics of awareness needs to be acknowledging that a chain is as strong as the weakest link and sparking a debate about balancing security with convenience and choice at the user level.
“Educated users will be more willing and better prepared to move away from complex, unwieldy and easily abused passwords and choose new and better passwordless authentication methods instead. Such authenticators, like phone as a token or FIDO2 security keys, are more resistant to phishing attacks and help establish a trusted digital relationship between the end user and the IT service.
“This bill has several potential advantages in terms of advancing the public good. Beyond the urgent necessity of improving security for individuals and organizations, heightened user awareness and demand can incentivize B2C and B2B companies to offer increased choices of such authenticators, which in turn reduce customer friction and improve productivity.”
Checks and balances: FTC braces for legal fights; antitrust bills advance, with asterisks.
Bloomberg predicts trouble for new Federal Trade Commission (FTC) Chair Lina Khan’s tough-on-big-business agenda from a breakup-cautious Federal judiciary. As we’ve seen, Khan is known for advancing a novel theory of competitive harm centered on market processes and structures instead of price effects. Her “first big test” has already arrived in the form of Amazon’s planned MGM acquisition. Sustained legal defeats may dishearten the FTC but galvanize lawmakers, amid growing bipartisan antitrust concerns.
Meanwhile, the House Judiciary Committee’s bundle of six ‘antitrust’ bills faced a lengthy markup process, revealing ongoing disputes that may still kill the bills on the House floor, the Verge reports.
NIST offers clarity with respect to criticality.
In accordance with direction issued in Executive Order 14028, the US National Institute of Standards and Technology has issued its definition of what counts as critical software in the supply chain, of "EO [for Executive Order] critical software." A NIST white paper defines EO critical software as "any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
- "is designed to run with elevated privilege or manage privileges;
- "has direct or privileged access to networking or computing resources;
- "is designed to control access to data or operational technology;
- "performs a function critical to trust; or,
- "operates outside of normal trust boundaries with privileged access."
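The definition turns on two things: the five attributes, and the fact that a product inherits criticality from its direct software dependencies. The following is an added example (not NIST's own tooling, and not from the white paper) that applies the quoted wording to a constructed software inventory; the attribute tag names and the inventory entries are assumptions made for illustration, and transitive dependencies are deliberately not walked, following the word "direct" in the definition.

```python
# Added example: classify an inventory against the EO critical software
# definition quoted above. Attribute tags and inventory are constructed here.

# One tag per attribute in the NIST list (tag names are this example's own).
EO_ATTRIBUTES = {
    "elevated_privilege",         # runs with elevated privilege or manages privileges
    "privileged_resource_access", # direct or privileged access to network/compute
    "access_control",             # controls access to data or operational technology
    "trust_critical",             # performs a function critical to trust
    "outside_trust_boundary",     # operates outside normal trust boundaries, privileged
}

# Constructed inventory: name -> (attributes found on the component, direct deps)
INVENTORY = {
    "web-frontend": (set(), {"http-lib"}),
    "http-lib":     (set(), {"tls-lib"}),
    "tls-lib":      ({"trust_critical"}, set()),
    "backup-agent": ({"elevated_privilege"}, set()),
    "report-tool":  (set(), {"pdf-lib"}),
    "pdf-lib":      (set(), set()),
}


def critical_attributes(name, inventory):
    """Return {(component, attribute)} pairs that make `name` EO-critical.

    Only `name` itself and its direct dependencies are examined; a tag that
    is not in EO_ATTRIBUTES is a data error and is rejected loudly.
    """
    attrs, deps = inventory[name]
    for component in (name, *deps):
        unknown = inventory[component][0] - EO_ATTRIBUTES
        if unknown:
            raise ValueError(f"{component}: unknown attribute tags {sorted(unknown)}")
    hits = {(name, a) for a in attrs}
    for dep in deps:
        hits |= {(dep, a) for a in inventory[dep][0]}
    return hits


def is_eo_critical(name, inventory=INVENTORY):
    return bool(critical_attributes(name, inventory))


def classify(inventory=INVENTORY):
    """Map every inventory entry to its EO-critical verdict."""
    return {n: is_eo_critical(n, inventory) for n in inventory}
```

In this inventory `http-lib` is critical because its direct dependency `tls-lib` performs a function critical to trust, while `web-frontend` is not, since `tls-lib` is only a transitive dependency of it; whether that is the scoping NIST intends is a question for the white paper's guidance, not this example.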