At a glance.
- Stockpiling zero-days.
- Data privacy and the training of AI.
- Australia considers directors' liability for cyberattacks.
- CISA offers MSPs and small-to-medium businesses advice on protecting themselves from ransomware.
- US State Department offers a million-dollar reward for tips on cyberattacks.
Private disclosure and a potential zero-day stockpile.
The Record summarizes the Cyberspace Administration of China’s new Regulations on the Management of Security Vulnerabilities in Network Products, which C4ISRNet says require Chinese citizens to report any discovered vulnerabilities to the CCP and bar them from sharing those vulnerabilities with “overseas” parties other than the relevant product supplier.
SecurityWeek sees an opportunity for stockpiling zero-days, giving Beijing’s APTs an advantage, and putting Western organizations at risk. One consequence could be fewer participants in hacking tournaments, patching efforts, and bug bounty programs; another could be emigration of Chinese cyber talent to greener pastures. Luta Security CEO Katie Moussouris points out a third possibility: continuing to allow Chinese participants in US vulnerability disclosure programs (VDPs) could “effectively introduce a backdoor straight to the Chinese government.”
In addition to the prohibition on “collect[ing], sell[ing], or publish[ing]” vulnerabilities, the rules mandate the establishment of VDPs and impose penalties on firms that neglect to produce or apply patches.
And the value of data privacy in training AI (or restricting such training).
Defense One explains US National Security Advisor Jake Sullivan’s position that Western partners need to keep data privacy at the forefront of any efforts to determine global cyber guidelines. While the US and EU have butted heads in recent years over data protection standards, allies should find common ground in the alternative worldview they can offer the international community, one in which absolute government dominion over data is not the norm.
This doesn’t mean sitting out the big data and artificial intelligence contests. On the contrary, the bloc can develop and promote emerging approaches like “privacy-preserving machine learning,” which keep personal information protected while it is being processed. (Of course, prioritizing data privacy might also help keep PII out of the hands of the CCP.)
Australia considers placing incident liability on corporate directors.
Information Age reviews Canberra’s options for incentivizing company leaders to take a more active role in cybersecurity. Despite consensus that cyber risks are only growing, and big business needs to do better, only six percent of Asia-Pacific CEOs meet with their CSOs, according to a Ponemon Institute survey, and cyber-unsavvy board members continue to dodge the tough conversations.
The Government has pitched a number of fixes, from mandatory disclosure to insurance policy revisions and, most recently, alternative cybersecurity “governance standards,” either voluntary or compulsory, that weigh direct liability for leadership. Onlookers worry about the cost of implementation and the impact on international investment.
Stakeholders are also invited to discuss topics like labeling and standards regimes for smart devices and victims’ legal rights.
CISA publishes advice on mitigation and hardening.
As managed service providers (MSPs) and small- and medium-businesses increasingly appear as targets of cyber threat actors, the US Cybersecurity and Infrastructure Security Agency (CISA) has directed advice at these organizations in its role as "the nation’s risk advisor."
US State Department announces reward for info on foreign threats to US infrastructure.
The US State Department's Diplomatic Security Service this morning offered a reward of up to $10 million for "information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act." The announcement particularly calls out both cyberespionage (although not under that name) and the related threat of ransomware. The offer was tendered under State's Rewards for Justice Program, which the Department has operated since 1984.
Mike Hamilton, Founder and CISO at Critical Insight, and formerly DHS Vice-Chair for the State, Local, Tribal, Territorial Government Coordinating Council, sees a significant nuance in the announcement:
"This is an interesting (and not unexpected) application of the Rewards for Justice program. The key phrase here is, 'while acting at the direction or under the control of a foreign government,' meaning that the target is not organized criminals writ large, it’s those that are supported (either overtly or tacitly) by a government. It appears to be an attempt to short-cut the process of detailed attribution that is necessary to implicate a foreign government in collusion or cooperation with organized crime. If the US Government can incentivize someone to provide evidence of such, paying out $10M is probably a good deal considering the resources we bring to bear with the intelligence community for the same outcome."
Austin Berglas, Global Head of Professional Services at BlueVoyant, and formerly Assistant Special Agent in charge of the FBI’s New York Office Cyber Branch, wrote to point out that reward programs come with potential downsides as well as upsides:
"Reward programs will no doubt increase the amount of leads, but there is the potential to turn the reporting mechanism into a public payphone. The difficulty is the amount of resources that will be necessary to separate the 'signal' from the 'noise' and identify the legitimate tips. Other considerations include attribution to, and information provided by, the tipster. If there was an arrest made and follow-on prosecution (based on an anonymous lead), investigators will have to be able to provide evidence of the crimes alleged by the anonymous party. This may or may not be possible without the cooperation of the anonymous lead source. Also, OFAC has to be considered when making anonymous payments - how is due diligence going to be performed prior to making a payment to a foreign national? Is this an opening for rival malicious hacking groups to make money and reduce the amount of competition in the market? Lastly, we still have to overcome the safe harbor provided by Russia and others - there are numerous existing cases where warrants are obtained and red notices are disseminated for criminals residing in these countries."