At a glance.
- US national security memorandum on ICS cybersecurity.
- Opening shots of the next war to be heard from cyberspace?
- Project Pegasus prompts reviews of export control regimes.
- Pending US ransomware legislation.
"Improving Cybersecurity for Critical Infrastructure Control Systems."
US President Biden this morning issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. Among other goals, the Memorandum seeks to initiate development of "baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems."
The memorandum formally establishes the President’s Industrial Control System Cybersecurity Initiative, “a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings.” That initiative began, incrementally, with electrical grid and pipeline security efforts, and the next two sectors to be taken up will be "the Water and Wastewater Sector Systems and Chemical Sector," guidance for which will follow later this year.
Next war could begin in cyberspace? (President Biden speculates.)
US President Biden mused in a speech to Office of the Director of National Intelligence personnel yesterday that “if we end up in a war, a real shooting war with a major power, it's [likely] going to be as a consequence of a cyber breach of great consequence,” Reuters reports. The President stressed the mounting cyber threats posed by Russia and China, according to the Las Vegas Sun.
We might add that cyber operations would be as much a part of mobilization plans in the early Twenty-First Century as railroad schedules would have been in the early Twentieth.
Calls for export controls on intercept technology.
Reuters says Israeli Defense Minister Benny Gantz, in a visit with his French counterpart today, will address the preliminary conclusions of Jerusalem’s NSO taskforce. (French President Macron was reportedly among the list of suspected Pegasus targets, and today’s meeting follows a request from President Macron to Israeli Prime Minister Bennett, the Times of Israel notes, for further investigation into the matter.) Jerusalem’s Defense Ministry regulates surveillance tech exports, and is expected to terminate contracts with clients found to have misused NSO’s tools. The review process could last weeks and doesn’t reflect any issues with NSO “oversight,” according to a Defense spokesperson.
Reuters has an account of anti-surveillance protests in Hungary. An opposition party politician called the Government’s alleged use of NSO spyware against critics the largest scandal since communism, saying, “This is not acceptable in a country where people know how the socialist regime used to work…security services [can’t be used] to cling to power." Local prosecutors are looking into claims of abuse.
The Washington Post summarizes a joint statement by four Congressional Democrats backing sanctions against NSO group and similar firms. The Commerce Department, the representatives said, should blacklist reckless actors in the “hacking for hire industry,” and the Securities and Exchange Commission should block US investments into irresponsible actors and require transparency and human rights reports from surveillance tech exporters. The Administration, the lawmakers argued, should also “lead a multilateral initiative to impose strengthened controls…on items with surveillance capabilities.”
US Department of Justice, FBI urge Congress to pass ransomware legislation.
CyberScoop says the FBI and Justice Department pushed for breach and ransomware reporting laws during a Senate Judiciary hearing yesterday. Justice official Richard Downing observed that “investigative opportunities are lost [and] our ability to assist other victims facing the same attacks is degraded” under voluntary disclosure regimes. A number of reporting bills are currently circulating on Capitol Hill.
Downing also spoke against hack-back schemes, while FBI and Secret Service representatives reasoned against banning ransom payments on the grounds that such prohibitions would discourage collaboration with law enforcement and provide cybercriminals with additional kompromat on those who pay.
Roger Grimes, data-driven defense evangelist at KnowBe4, commented on the proposed legislation, which is on the side of the angels, but in a complicated space:
"It is a really tough call, and if we could get the entire world to truly not pay any ransom ever, ransomware would be gone in a week. But there [are] always going to be those who skirt the rules, just enough so that ransomware gangs will keep encrypting, exfiltrating and extorting. And the people who play by the rules will simply be hurt more than all the entities that do not. If you outlaw ransom paying, you will immediately explode the amount of 'ransomware recovery' firms that claim they do not pay the ransom, but secretly do. There will be a whole lot of firms that claim AI or quantum computers or their own internal crypto experts allowed them to recover the encryption keys. You will have firms paying out of foreign-located entities. And you will have a lot more firms that simply do not get law enforcement involved, pay the ransom and never report it. You will be turning otherwise law-abiding firms into unwanted criminals. So, I really get what people calling for a ban on paying the ransom are trying to do...but it is only going to work in a perfect world...one that we do not have. I would rather our government work on securing a digital Geneva Conventions on what is and is not tolerated across international digital lines and get global agreement on what is and is not allowed so that we can arrest these criminals and put them in jail."