At a glance.
- NIST resilience guidelines out for comment.
- US preparing sanctions on Belarus?
- Perspectives on cyber deterrence.
- Updates on the NSO scandals.
NIST solicits comments on updated guidance for cyber resilience.
The National Institute of Standards and Technology (NIST) announced a call for comments, open through September 20, on a draft of Special Publication 800-160 Volume 2, Revision 1, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach.” The update “turns the traditional perimeter defense strategy on its head” by focusing on internal defense.
US readies Belarus sanctions.
US President Biden is preparing an Executive Order on and additional sanctions for Belarus, CNN reports, with potential cybersecurity ramifications. Belarus President Alexander Lukashenko has been under US sanction for fifteen years. US Ambassador to Belarus Julie Fisher said Washington remains concerned about “promoting accountability for those individuals and entities who are responsible for, or are complicit in the regime’s violent repression of civil society.” Belarusian opposition leader Sviatlana Tsikhanouskaya presented the Administration with a catalog of possible targets, businesses controlled by President Lukashenko and pals.
An industry perspective: defense is inadequate; look to deterrence.
A piece published by Yahoo outlines a three-pronged strategy for deterring ransomware attacks: hold companies liable for negligent cybersecurity, stage proportional counterattacks against gangs and their benefactors, and block hackers’ access to crypto profits. The authors don’t think much of sanctions, indictments, and privateering proposals.
Mandiant VP Ron Bushar also wants to prioritize deterrence, according to Breaking Defense. He’s not thrilled with the progress from existing defensive, diplomatic, and naming and shaming efforts. Accurate attribution, he said, will unlock the next steps in deterrence, though Washington will need to stay wary of escalation and revealing capacities.
Further developments in the NSO scandal.
The Hindustan Times says India’s Government is attempting to block a question raised in Parliament about Pegasus, using discretionary procedural rules that can bar inquiries pertaining to subjects under adjudication. The question sought details about the Government’s interactions with NSO Group and similar organizations. New Delhi has yet to confirm any relationship with NSO, but has denied performing “illegal surveillance.” The Hindu relates concerns from retired Indian law enforcement personnel about historical Government abuses of hacking and surveillance tools. ORF calls for an independent inquiry and updated data protection legislation.
The Jerusalem Post downplays Project Pegasus revelations, pointing to past reports of US-led spying, and noting lingering questions about the sourcing and meaning of the list of 50 thousand phone numbers. The Post posits the most likely sources of the list as Qatar, Iran, Palestinian activists, or a rival firm like Google or Microsoft. WhatsApp comes in for special attention, given its ongoing lawsuit against the company, and resultant uniquely detailed knowledge of NSO operations.
While acknowledging that Project Pegasus “broke the most damaging information yet to come to light” on NSO, the Post concludes that “there is almost nothing concrete to grab on to,” and the revelations merely fill out knowledge that NSO clients occasionally misuse Pegasus. The piece does recount skepticism about NSO’s claimed total ignorance of clients’ targets and actions and inability to target Americans’ phones, and repeats reports that the firm terminated Saudi and UAE contracts as a consequence of the scandal.
Amid some investor turmoil, NSO seems to have retained the support of Israel’s Defense Ministry, and now faces the “big question” of whether Jerusalem’s diplomatic strategy will pivot away from spyware as a pot-sweetener.
The Times of Israel says warnings about potential human rights abuses stemming from cyber exports were circulating the Defense Ministry in 2020; the Ministry denies the report.