At a glance.
- Ransomware, money laundering, and cryptocurrency exchanges.
- State-level biometric laws in the US: Illinois has the most restrictive regulations.
- Government union's animadversions about proposals to create a cyber reserve force.
A caution about proposed controls on the use of cryptocurrency for ransomware payments.
The Treasury Department’s sanctions against the Russian cryptocurrency exchange SUEX for its role in laundering ransom payments suggest the direction sanctions are likely to take as the US Government looks for ways of dismantling ransomware's criminal infrastructure. Treasury’s action has met with generally positive notices from the cybersecurity sector, and the sanctions against SUEX seem to be tightly focused on one particular exchange.
Nick Tausek, Security Solutions Architect at Swimlane, wrote today to express approval, in general, of that approach. He adds a call for cooperation between the exchanges themselves and government:
"Given the dramatic spike of ransomware and supply chain attacks affecting the United States this year, the lack of serious response from the federal government is no longer appropriate or acceptable. Imposing sanctions against SUEX is a good small first step in beginning to fight back against ransomware groups. The goal is to disrupt the financial supply chain of these cybercriminals without the entire crypto economy being overly disrupted. In order for the Biden administration to more effectively combat ransomware and other cyberattacks, they should consider imposing sanctions against nations known to be fostering an environment of cybercrime, such as Russia, next. This could encourage regulatory action where many of these attacks are rooted and show that the U.S. is leaning more on accountability than before. The federal government should consider further collaboration with crypto exchanges to establish and bolster a standardized set of best practices for avoiding the facilitation of ransomware, as well as providing guidance on the benefits for complying and how to do so."
Concerns have been expressed, however, that bans on ransom payments could easily become indiscriminate and unfairly burden legitimate commerce. Cryptocurrency ransom payment prohibitions, Forbes argues, would punish the wrong parties and ignore the “law of unintended consequences.” They wouldn’t deter breaches, which predate digital exchanges and follow valuable data, but would encourage organizations to conceal attacks. Crypto payment bans would also cut off law enforcement and policymakers from useful information and enforcement action, given the currency’s traceability. “[S]imply mandating a top-down ban on using crypto to pay ransomware demands will not solve, prevent, or mitigate the underlying threat of weak cybersecurity policies,” the piece concludes.
Illinois biometric laws are the most restrictive in the US.
The US state of Illinois requires companies to secure written consent in advance of compiling biometric data, bans the transfer or sale of the data collected, and allows citizens to sue for violations and collect damages without demonstrating harm, Reuters reports. Most states and cities have no similar regulations, potentially exposing residents to discrimination, identity theft, and privacy risks.
Lawsuits in Illinois have taken on the business practices of large corporations like Facebook, TikTok, Amazon, Google, and McDonald’s, along with those of smaller, regional establishments. Chicagoland Chamber of Commerce CEO Jack Lavin worries that “Illinois law has been weaponized,” driving “a cottage industry for suing companies.” As other localities weigh similar laws, businesses point to the crime-reduction and life-saving potential of biometric security systems.
No scabs, please, or maybe just a few.
MeriTalk notes that the American Federation of Government Employees (AFGE) has offered objections to Representative Gonzalez’s (Republican, Texas 23rd) proposed National Digital Reserve Corps in the General Services Administration, and new support for Representative Panetta’s (Democrat, California 20th) proposed Civilian Cyber Reserve in the Department of Homeland Security, following negotiations with Panetta’s office. AFGE represents 700 thousand Government employees across 70 agencies.
The union sees existing, longer-term Military Reserve mobilization authorities as cost-effective and protective of Government hiring practices and proprietary information, and Gonzalez’s program as potentially redundant, wasteful, disruptive, and demoralizing, Defense Systems explains. One worry is that short-term deployments will advantage the private sector at the expense of “apolitical civil service,” in AFGE National President Everett Kelley’s words.
AFGE now finds Panetta’s program less objectionable, since it will operate on a “pilot” rather than a permanent basis, permit two-year deployments, and incorporate public disclosure requirements. The House Rules Committee is still deciding which amendments to the 2022 National Defense Authorization Act will receive a vote.