Regulating ransom payments. Rotating industry talent into government. Cyber piracy.

Summary

By the CyberWire staff

At a glance.

Regulating ransom payments, at the US Federal and state levels.
Bringing private sector cyber expertise into the US Federal Government.
Reflections on cyber piracy.

Four US states, Executive Branch consider regulating ransom.

As we’ve seen, four US states are contemplating restrictions on ransomware payments. CSO Online reports expert opinion that mandatory reporting would be preferable, as New York Senate Bills S6806A and S6154, Texas House Bill 3892, North Carolina House Bill 813, and Pennsylvania Senate Bill 726 advance. Advocates of the bans expect cutting off funding to dissuade attackers; critics worry organizations faced with the alternative of going under or shutting off critical services will keep their situation quiet and turn to shady brokers.

The Federal Government is hesitant to prohibit ransom payments, says CyberScoop, but the Administration is considering a mandatory ransomware reporting regime, according to Deputy National Security Advisor for Cyber Anne Neuberger.

BusinessWire has the results of a survey on ransomware conducted by cloud security firm Menlo Security. Nearly eighty percent of respondents think victims should not pay up. Over half of respondents said the Government should be responsible for protecting organizations from ransomware.

Congress revives plan to rotate industry experts through Federal Agencies.

FedScoop describes the US Senate’s Federal Rotational Cyber Workforce Program Act and its House counterpart, which have gained new life amid growing concern about the Federal cyber talent pipeline. The bills would launch a rotation program where private-sector tech professionals take shifts serving the Government, similar to existing DARPA and Intergovernmental Personnel Act Mobility Program initiatives.

Towards reclaiming the cyber seas?

An opinion in the Brisbane Times weighs an array of responses to the new “pirates of the cyber seas,” including internationally-coordinated info-sharing, diplomacy, sanctions, policies, and operations, and the possibility of weaponizing friendly firms. Cisco Talos recently dubbed cyber gangs that “enjoy some kind of protection from governments” ‘privateers,’ a hat tip to the “pirates with papers” of yore, like those enlisted by Britain in the 1700s to reclaim the seas from Spain. Authorities around the world, as we’ve seen, are losing patience with Russian cyber gangs that target political adversaries with impunity.

Notes.

A note to our readers.

Independence Day is observed Monday, and we'll be taking the holiday off. We'll be back as usual on Tuesday. In the meantime, enjoy the Fourth (even if it's celebrated on the Fifth).

Selected Reading

The UK’s Integrated Review And The Future Of Cyber – Analysis (Eurasia Review) Cyber is a centrally crucial element to the UK’s future vision of national security. The Integrated Review considers cyber as a core component of national power, rather than a mere security issue i…

Pirates of the cyber seas: How ransomware gangs have become security’s biggest threat (Brisbane Times) The info security community is increasingly endorsing the notion that ransomware gangs require a different approach than other hackers.

House bill urges more funding and data on K-12 cybersecurity (Security Info Watch) Legislation would direct CISA to to establish a cybersecurity incident registry and cybersecurity information exchange program

New bill aims to secure federal government IT against cyberattacks (TheHill) A bipartisan bill introduced in the Senate on Thursday would attempt to address cybersecurity threats to the federal government stemming from the use of potentially insecure third party services.

FTC Vote Could Pave Way for New Privacy Rules (Wall Street Journal) In a 3-2 vote, the agency’s commissioners voted to tweak its approach to prescribing new rules for unfair or deceptive business practices under Section 18 of the FTC Act. The changes include shifting oversight of the process from an administrative law judge to the FTC chair, eliminating a staff report on proceedings and cutting some public comment periods.

Cyber Center of Excellence and Fort Gordon holds change of command ceremony (WFXG) The U.S. Army Cyber Center of Excellence and Fort Gordon held a change of command ceremony Wednesday morning.

DHS adds hundreds of new cyber professionals to its ranks (The Record by Recorded Future) The US Department of Homeland Security on Thursday announced that it is onboarding nearly 300 cybersecurity professionals and has extended job offers to 500 others in what it refers to as "the most successful cybersecurity hiring initiative in DHS history."

CISA headquarters plans finalized as DHS consolidated campus reaches ‘critical mass’ (Federal News Network) The Department of Homeland Security is moving ahead with plans to build its Cybersecurity and Infrastructure Security Agency a new headquarters on a consolidated DHS campus.

After contact tracing data breach, Pa. sidesteps scrutiny on new $34M contract (Inquirer) State lawmakers are calling into question whether the Department of Health should be jumping into another, more expensive contact tracing contract after a severe data breach with the last company.

NY Regulator Issues New Guidance On Ransomware Attacks (Law360) The New York Department of Financial Services has issued guidelines for companies to fend off cybersecurity risks, saying the rate of ransomware attacks increased 300% in 2020 and cybercriminals are jeopardizing the stability of the financial services industry.

Moore: State must create a system that protects sensitive information from cyberattacks (Telegram & Gazette) It is critical that we then create a system that protects all of the sensitive information held by private businesses and government agencies.