At a glance.
- A growing practice: preemptive litigation against claims of Chinese IP theft.
- China perceives the Quad as an alliance directed against China.
- Russia sees NATO involvement in Ukraine as crossing a "red line."
- US Senators consider cryptocurrency regulation.
- A mandatory cyber incident reporting bill is introduced into the US Senate.
Chinese firms filing preemptive suits against IP theft claims.
The Wall Street Journal describes Beijing’s use of anti-suit injunctions to drive legal decisions favorable to domestic firms accused of IP theft. Anti-suit injunctions limit cases to one jurisdiction. Despite the CCP’s commitments in recent years to take more care of trade secrets, Akin Gump partner Brian Pomper explains that "What the Chinese are doing is using this legal tool…to make it so Chinese courts—really the Chinese government—and nobody else decides how valuable intellectual property is.”
In one case underway between Beijing brand Oppo and Japan’s Sharp, a court in Munich has issued an anti-anti-suit injunction directed at a Shenzhen court. Many US companies seem to have given up trying to face down China, however: the number of IP suits filed is on the decline. Former US congressman Charles Boustany commented, "China’s growth and development strategy is contingent upon IP theft and forced technology transfer.”
China doesn’t like the Quad.
CyberScoop reports Beijing’s opinion that the new alliance between Japan, India, Australia, and the US—dubbed “the Quad”—represents a “closed, exclusive clique targeting other countries” and “is doomed to fail.” The Quad’s goals include elevating software security, cyber workforce development, and Indo-Pacific stability. “Today, we begin new cooperation in cyberspace and pledge to work together to combat cyber threats, promote resilience and secure our critical infrastructure,” announced the coalition following its first in-person meeting at the White House last week.
Red lines in the Near Abroad.
As Russia and Belarus, and Ukraine and NATO, run dueling joint drills, President Putin is warning that growth of NATO “infrastructure” in Ukraine crosses a red line of his—and Belarusian President Lukashenko has his back, according to Reuters. In response, Ukraine’s Foreign Minister reminded President Putin that Moscow is not the boss of Kyiv: "Putin's 'red lines' are limited to Russia's borders. On our side of the Ukrainian-Russian border we can figure out ourselves what to do."
Ukrinform details last week’s EU-Ukraine incident response exercises, which involved blue teams composed of more than fifty personnel from Ukraine’s Defense Ministry, Cyber Police, National Bank, Security Service, and State Service of Special Communications and Information Protection.
Heightened tensions over this matter will inevitably find expression in cyberspace.
Cryptocurrency mining attracts US Senatorial attention.
The Hill summarizes Senator Hassan's (Democrat of New Hampshire) and Senator Ernst’s (Republican of Iowa) proposal to investigate international cryptocurrency mining. The bill would direct the US Department of Treasury to inform Congress about global mining practices and their effect on critical supply chains.
The Cyber Incident Reporting Act of 2021.
Yesterday the Cyber Incident Reporting Act of 2021 was introduced in the US Senate. The measure would, among other things, give CISA's Cyber Incident Review Office a central place in collecting and analyzing reports of cyber incidents. "The term ‘covered cyber incident’ means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the interim final rule and final rule issued pursuant to section 2232." "The term ‘covered entity’ means an entity that owns or operates critical infrastructure that satisfies the definition established by the Director in the interim final rule and final rule issued pursuant to section 2232." Many classes of incidents are covered, but the bill's language gives particular importance to ransomware. Among the more interesting provisions of the bill are its time limits. Critical infrastructure owners and operators would in general have no more than seventy-two hours to report a covered incident to CISA. And if they should pay ransom to an attacker, they'd get only twenty-four hours to report such payment.
We received reactions to the bill from several cybersecurity companies. Saryu Nayyar, CEO of Gurucul, sees the measure as relatively toothless in terms of penalties. "The penalties for non-compliance are weak, so even if the bill is signed into law, don’t count on immediate and total compliance," she wrote, adding, “Transparency is almost always better than secrecy. In the case of ransomware attacks, the inclination of organizations is to keep attacks and ransomware payments private, to not publicize weakness. Nevertheless, disclosure helps everyone understand the nature of the threat, and gives organizations the opportunity to share detailed information and work together to combat existing and future threats. In this regard, this bill is a step, albeit small, in the right direction.”
Nasser Fattah, North America Steering Committee Chair at Shared Assessments, hopes the measure will help the Government organize incident response. “There has been eager anticipation for the government to intervene and play a bigger role in cybersecurity attacks, particularly with critical infrastructures. Ideally, as the government gets timely information related to a ransomware attack, including any payments, then it can formulate an overall response that can best serve businesses of all shapes and sizes. It is also important to include in the Act very clear and understood definitions for key terms, including incident.”
Ron Bradley, VP at Shared Assessments, thinks that organizations shouldn't be surprised. Regulation has been coming for some time:
“My sincere hope is this piece of legislation doesn't come as a surprise to organizations, particularly those in critical infrastructure. Having a well documented incident response plan, which is tested on a regular basis, is a crucial component to good cybersecurity hygiene. It would be unwise for any company to contemplate paying a ransom without first contacting the FBI. In fact, knowing who to contact at the FBI and establishing that relationship ahead of time is extremely important.
“The same thing holds true with the Cybersecurity and Infrastructure Security Agency (CISA). Any incident response program associated with critical infrastructure must have clear and complete processes for contacting government agencies in the event of a major ransomware attack, including the potential of paying the ransom.”
His colleague, Shared Assessments' CISO Tom Garrubba, likes what he sees in the draft legislation. “I applaud and welcome the US Congress for taking such action, as cyber security threats against our infrastructure morph, grow, and intensify. Organizations historically (and rightly) don’t want to air their dirty laundry in public (i.e., a cyber incident), however, not sharing such details with federal authorities in a timely manner diminishes the country’s ability to leverage federal and even international resources and greatly reduces any response time required for countermeasures.”
YouAttest's CEO, Garret Grajek, sees the bill as the precursor of more stringent regulation. "The CISA is in information gathering mode. By requiring almost all organizations to report incidents of ransomware and collating this information, the CISA can start determining the real extent of the threat. Once this information is collated - many believe more stringent cybersecurity requirements are expected to follow. Like the CMMC (Cybersecurity Maturity Model Certification) mandates for U.S. DoD contractors.”
Alex Pezold, CEO of TokenEx, sees the bill as both expected and positive:
“The proposed Senate bill to mandate cyberattack and ransomware reporting is what we expect to see from the federal government. It is a positive step, to ensure that cybercrimes are reduced, and that critical infrastructure is protected, as well as the private sector. We've already seen related activity when President Biden met with technology industry leadership. Now, the government is taking action, which will move everyone further toward the prevention of cybercrime and data breaches in the future.”
Exabeam's CISO, Tyler Farrar, thinks that the attractiveness of critical infrastructure to attackers imposes certain special responsibilities on the operators:
“Critical national infrastructure (CNI) is at the top of the target list for adversaries, given the impact if successful -- even in part.
"The need to understand and baseline normal critical asset/system posture is absolutely key in protecting critical infrastructure to prevent a breach from even occurring in the first place. Regardless of whether systems in operational technology (OT) environments are air-gapped or not, if there’s a digital route to the system, then it’s at risk. We’ve got to ensure we’re monitoring OT systems far more diligently by capturing all viable log data in terms of access control, system settings and maintenance. Any abnormality -- regardless of how small -- should be investigated, triaged and managed accordingly. Relying on users alone for the protection of our CNI systems does not (and will not) scale.
"Working smarter with automation technologies in managing large volumes of data streams, analyzing them for anomalies and reporting risk and attacks in real time, is the only way forward for CNI protection. This, in partnership with continued user education in being diligent and applying critical thinking analysis to system activity reports, is critical.”
Neil Jones, cybersecurity evangelist at Egnyte, likes the deadlines for reporting:
“With the escalating volume of ransomware attacks and ballooning ransom payments, it's clear that current approaches to addressing ransomware just aren't working. So, I'm excited to see bipartisan support for this proposed measure that will require financial institutions and critical infrastructure operators to promptly report cybersecurity incidents and ransomware payments to the federal government.
"It is especially reassuring to see a CCPA or GDPR-style incident reporting timeframe of 72 hours, so that organizations in those industries will no longer be able to delay reporting of potential data breaches for months and months, without informing the government. Finally, I'm reassured to see that organizations in industries that haven't traditionally invested significantly in IT security such as non-profit organizations, small- and medium-sized businesses (SMBs) and local governments will be required to report potential ransomware payments.”
Danny Lopez, CEO of Glasswall, hopes the legislation and other, related policies, will help realize a more secure future:
“The senate bill to mandate reporting cybersecurity incidents and ransomware payments is a crucial step in combating the wave of major cyberattacks we have seen in the last two years. While the U.S. government appears to have decided against making ransomware payments illegal, this disclosure structure should still play an important role in encouraging organisations to be proactive rather than reactive in regards to cybersecurity.
"This latest policy move, plus the administration's earlier executive orders (EOs) on the subject, show that federal cyber leaders are pushing for a more secure future for the U.S. Previous EOs have emphasised the importance of stronger multi-factor authentication and encryption, which we applaud. These are critical elements in an effective cybersecurity stack, but an overarching zero trust approach will take businesses’, government agencies’ and critical infrastructure organisations’ proactive protection to the next level.
"Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. Without a zero trust approach organisations run the risk of attackers having a free reign across a network once they are inside. If more security teams turn to this approach, fewer attacks and payments will need to be reported."
Where Gurucul's Nayyar saw little in the way of enforcement mechanisms in the proposed law, Bill Lawrence, CISO at SecurityGate, sees more stick than carrot:
“Whatever the final reporting timelines will be, the proposed legislation is a great deal of 'stick' and hardly any 'carrot' for owners and operators of critical infrastructure. Wouldn’t it be great for the US Government to be able to say, 'report a ransomware attack to us BEFORE you pay any ransom, and we’ll bring the full power of the Federal government to bear to help resolve the incident, decrypt your files, and siphon whatever is already in the criminals’ bank accounts?' (Sure, I dream….) Instead, US victims are threatened with subpoenas and civil action and the government will write more quarterly reports, among other things.”
Doug Britton, CEO of Haystack Solutions, gives the bill's sponsors credit for good intentions, but he too sees the law as unfortunately punitive:
“At Haystack Solutions, we fully agree that our national cyber defense is of the highest importance. Our country has been slow to respond in a comprehensive manner to a growing threat. Now after high-profile attacks that have impacted Main Street, we find newly proposed legislation.
“Unfortunately, this appears to be a clumsy approach to penalizing victims of cyber-attacks. It appears the motivation of this legislation is to hold attackers accountable yet the 'how' is not apparent. There are many details left to be sorted out by CISA. Reporting a breach in 72 hours can be challenging as there needs to be sufficient time to validate flags and ensure the breach is real (e.g. T-Mobile). Also, what constitutes a reportable breach? With penalties so high, an appeal process will surely be on the horizon. At this time, it appears to be heavy on the 'stick' and light on the 'carrot'.
“Congressional efforts could be spent in more productive ways. The real focus needs to be on building our collective defense with a preventative posture. Can we establish industry standards to ensure that basic and highly effective protections are put in place? We have modern policies and procedures, many of which are highly effective in preventing data breaches. Can we consider legislation that would encourage companies to adopt policies akin to financial accounting that could be audited and enforced by regulators?
“What investment is going into developing the next generation of cyber security professionals? Our cyber defenses are woefully behind as indicated by a severe shortage in cyber talent. We have the tools to pull more folks into the industry. We need to push full steam ahead by developing a significant pipeline of cyber security talent. Despite this legislative attempt, these battles will be won with world-class teams rather than reporting penalties.
“Even with full deterrents in place, hackers, organized crime, nation state actors, and nebulous attack groups will remain ever present. Attempts to hold them accountable in the short-term will not become the 'deterrent' we think it will be. Building talent from the four corners of our nation will be the strongest course forward. We need to remain focused on that tack.”
Dr. Chenxi Wang, General Partner at Rain Capital, believes that most organizations will have difficulty determining how to comply with the law, should it be enacted:
"Most businesses and organizations lack the skills, tools, and experienced personnel to accurately determine or validate that a covered incident has occurred without assistance or outside investigation. It is not clear that 72 hours is a sufficient period of time for an organization to report an incident to CISA versus a focus on comprehensive assessment, validation, isolation, and remediation of the potential incident to reduce the risk of further damage. In addition, the disclosure of an incident that is ongoing or still being actively investigated may lead to unintended consequences such as the perpetrators covering their trails or inadvertently making the breach more difficult to remediate."