At a glance.
- TSA is preparing a cybersecurity directive for rail and air transportation.
- A look at the proposed US Ransom Disclosure Act.
- US Justice Department to use False Claims Act against contractors who fall short of cybersecurity standards.
- Defense, counteroffensive, and deterrence in cyberspace.
- Support expressed for international regulation of intercept technology.
US Transportation Security Administration will introduce cybersecurity requirements for airlines and railroads.
Addressing the 12th Annual Billington Cybersecurity Summit yesterday, US Secretary of Homeland Security Alejandro Mayorkas said that TSA would introduce new cybersecurity requirements for rail and air transport. Reuters reported that the Secretary explained that the measures would apply to “higher-risk” rail companies (the focus is on passenger rail, including Amtrak and commuter lines, not on freight haulers) and “critical” airport and aircraft operators. They would be expected to "name a chief cyber official, disclose hacks to the government and draft recovery plans for if an attack were to occur." CNN says that TSA's coming security directive would be issued before the end of this year.
Secretary Mayorkas characterized the coming regulations as "less prescriptive" than those TSA applied earlier this year to pipelines. The railroads don't think they need the help, according to the Washington Post, because they're already doing what the directive will mandate: "Railroad industry officers said the new mandates are not necessary. 'We’re doing all of those [measures],' said Thomas Farmer, assistant vice president for security at the Association of American Railroads, which represents the seven largest freight railroads and Amtrak, among other large systems." Farmer said, interestingly, that the railroads' interest in and commitment to cybersecurity dates to 1999, when they were concerned about the then much-feared but now largely forgotten Y2K problem. The recovery plans and information sharing programs developed then have apparently continued to the present day. The carry-over from Y2K also suggests the ways in which, for many sectors, security and safety are convergent problems.
Ransom reporting legislation proposed in the US Congress.
- "Require ransomware victims (excluding individuals) to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom;
- "Require DHS to make public the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms;
- "Require DHS to establish a website through which individuals can voluntarily report payment of ransoms;
- "Direct the Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks and provide recommendations for protecting information systems and strengthening cybersecurity."
Leo Taddeo, President, Cyxtera Federal Group & Chief Information Security Officer, Cyxtera, is among those who urge caution with respect to imposing deadlines and requirements on ransomware victims:
“While ransomware is a serious crime, we should be very cautious in creating a requirement for victims to report attacks. There are many other highly impactful crimes, such as public corruption, securities fraud, and embezzlement, etc., that do not trigger a reporting requirement. Rather than treat this specific cybercrime as an exceptional threat, the government should properly staff and fund law enforcement to create a credible deterrent for cybercrime in all its forms.”
Taddeo doesn't say so, but one might add that organizations undergoing a ransomware attack are already under stress.
The Ransom Disclosure Act as drafted, strictly speaking, requires reporting of the payment of ransom, not, for example, the detection of a ransomware attack. The text of the bill defines the entities required to report ransom as any "public or private entity that (i) is engaged in interstate commerce or an activity affecting interstate commerce; or (ii) receives Federal funds." Local governments are required to report, but individuals are not. The elements of a required disclosure include:
- "The date on which such ransom was demanded.
- "The date on which such ransom was paid.
- "The amount of such ransom demanded.
- "The amount of such ransom paid.
- "An identification of the currency, including if cryptocurrency, used for payment of such ransom.
- "Whether the covered entity that paid such ransom receives Federal funds.
- "Any known information regarding the identity of the actor demanding such ransom."
What happens if an organization fails to disclose within forty-eight hours? That's up to the Secretary of Homeland Security: "The Secretary shall establish by regulation appropriate penalties for a covered entity that fails to make a disclosure required." How onerous such penalties might be would be determined by regulatory action.
False Claims Act to be used against contractors that fail to report cyber incidents.
The Wall Street Journal reports that Deputy Attorney General Lisa Monaco announced, in Aspen, yesterday, that the Department of Justice intended to use the False Claims Act to levy significant fines against Federal contractors who fail to meet what she characterized as “required cybersecurity standards.” Those standards include prompt reporting of cyber incidents. The tone of the announcement was fairly hard-nosed, fed-up, and directive. The Record quotes Ms Monaco as saying, “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. That changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.”
Defense, counteroffensives, and deterrence in cyberspace: a view from NSA.
To judge from SecurityWeek's account of Rob Joyce's remarks at the Aspen conference, the NSA's Cybersecurity Director is in a Clausewitzian mood. He advocated looking for ways of increasing the adversaries' friction, of making it more difficult for them to achieve their objectives. “They don’t just get free shots on goal to keep trying and trying until they score,” SecurityWeek quotes him. He advocates working toward a "sand and friction" strategy in response to increasingly aggressive nation-state adversaries, notably Russia and China.
NSO Group tells the United Nations that it would welcome international regulation of spyware.
i24News reports that Asher Levy, chairman of the NSO Group, whose controversial intercept tool Pegasus has been criticized over its use by repressive regimes, has written to the United Nations to express "strong support for the creation of an international legal framework" that would regulate spyware. He recommended, inter alia, that companies working in this sector be required to put human rights compliance policies in place.