At a glance.
- Update on the ransomware summit.
- Australia's ransomware policy.
- The state of required reporting.
- The prospect of "killware."
- US FCC solicits public comment on IoT policy.
- The EU may end anonymous domain registration.
Ransomware summit calls for global approach.
The White House is hosting an international ransomware summit, gathering officials from over thirty nations to discuss how they can work together to combat digital extortion. CyberScoop explains that officials will be leading sessions discussing their country’s individual approach to ransomware and covering topics like resilience, diplomacy, and illicit finance. US National Security Adviser Jake Sullivan explains, “No one country, no one group can solve this problem. Transnational criminals are most often the perpetrators of ransomware crimes, and they often leverage global infrastructure and money laundering networks across multiple countries, multiple jurisdictions to carry out their attacks.” It’s worth noting that Russia, which the US has accused of harboring cybercriminals, was left off the invitation list.
Australia’s new ransomware policy.
Australia's Minister for Home Affairs has just unveiled the country’s new Ransomware Action Plan, a comprehensive policy to combat digital extortion in the country. Bleeping Computer offers highlights, which include the establishment of a multi-agency task force headed by the Australian Federal Police, mandatory ransomware incident reporting, ransomware awareness programs aimed at the business sector, and harsher punishments for threat actors based in the country. The Surveillance Legislation Amendment Act 2021 also aims to increase government authority in cyberattack investigations, giving the Australian Federal Police and Australian Criminal Intelligence Commission the power to delete data and take over devices and accounts associated with suspected cybercrime. The Record by Recorded Future adds that the initiative includes a strategy for seizing cryptocurrency transactions linked to cybercrimes, regardless of the origin of the attack. However, some security experts feel the initiative has room for improvement. H. Daniel Elbaum of VeroGuard told iTWire he feels the plan lacks measures "that would have immediate and material impact on the problem, such as mandating strong MFA rather than any MFA, integrating strong MFA and digital identity into government systems rather than vulnerable applications and biometric-based tools." And Scott Leach of Varonis Asia Pacific said the government could do more to promote compliance across a range of industries, “such as a Zero Trust approach and a strict policy of least privilege.”
Governments call for mandatory incident reporting.
Staying down under, in the Office of the Australian Information Commissioner’s latest Notifiable Data Breaches Report, the agency is calling for more diligence when it comes to breach reporting. Security Brief explains that the Federal Government’s Ransomware Action Plan will make ransomware incident reporting mandatory, as many incidents have gone unreported because the targeted businesses claimed there was no evidence of data theft. The OAIC stated, “It is insufficient for an entity to rely on the absence of evidence of access to, or exfiltration of, data to conclusively determine that an eligible data breach has not occurred.”
Meanwhile, stateside, the recently formed Joint Cyber Defense Collaborative effort aims to bolster cooperation between government and the private sector when it comes to incident reporting. Cybersecurity and Infrastructure Security Agency Executive Director Brandon Wales added that companies must be more proactive when it comes to preventing incidents in the first place, and if a ransomware attack does occur, avoid meeting the attackers' demands at all costs.
Killware puts a (low) price on human lives.
The next big cyberthreat could be a matter of life and death, Yahoo News reports. With hackers increasingly targeting critical infrastructure like hospitals and fuel providers, attackers are proving they’re not opposed to putting lives on the line. The motive behind the recent (and luckily, unsuccessful) cyberattack on Oldsmar, Florida’s water system was not just financial; the attackers aimed to cause physical harm. And with heightened demand for internet-connected consumer products like autonomous cars, the opportunity for cyber-physical security incidents, dubbed killware, is greater than ever. In a recent report from security firm Gartner, researchers predicted that by 2025, “cyber attackers will have weaponized operational technology environments to successfully harm or kill humans.” As US Homeland Security Secretary Alejandro Mayorkas explained, such attacks illustrate “the grave risks that malicious cyber activity poses to public health and safety.”
Egress's VP of Threat Intelligence, Jack Chapman, commented that, while alarming, this shouldn't be entirely unexpected:
“Malware, including ransomware, is a fast-growing criminal market, and over time it’s inevitable that we’ll begin to see increasing numbers of so-called ‘killware’ attacks, aimed at crippling infrastructure. In some cases, the motive of the attackers is more sinister than simply financial gain – they want to cause harm. In recent years, cybercriminals have increasingly targeted critical infrastructure, including public health facilities, with the aim of causing the maximum possible damage and disruption, including loss of life.
"The US government is taking the threat of cyberattacks increasingly seriously, proposing new legislation that would require critical infrastructure owners to report attacks to CISA to enable the government to gain a better understanding of the threat. This is an important step, but it’s also up to organizations themselves to ensure they have the right technology and security protocols in place to defend themselves. Sadly, I expect that we’ll begin to see a growing number of headlines about killware as these attacks become more widespread.”
FCC requests public’s take on IoT tech.
The US Federal Communications Commission (FCC) is seeking public input in creating regulations impacting “Internet of Things” (IoT) technologies, JDSupra reports. They’re looking for information regarding IoT growth, ways to update FCC rules to facilitate greater spectrum access for IoT products, and regulatory barriers to IoT use cases. The comment deadline is November 16.
The European Union will end anonymous domain registration.
BleepingComputer reports that the European Union is considering legislation that would prevent anonymous domain registration. Such anonymity has proven useful to cybercriminals in the past. Chad Anderson, Senior Security Researcher for DomainTools, commented on the impact this regulatory change can be expected to have on defenders:
“This change in posture shows just how important registrant information can be for defenders. We’ve certainly found other ways of fingerprinting actors based on tactics, techniques, and procedures (TTPs), but taking down large swaths of domains tied to a single individual is much quicker when they can actually be tied to that individual and time is increasingly of the essence.
"For those that say this will be a hit to whistleblowers and activists: that’s hogwash as they should all be using Tor and pre-built sites anyways to protect their anonymity. If anything this will force their hand to use better operational security. Leak sites will still exist and alternative registrars still exist. All of the problems for maintaining a private Internet where activists can work have already been solved.
"For those that say this is a hit to privacy: this operates the same way it would if you were buying property anywhere else. Yes, it’s digital property, but you should have to be responsible for that permissive SPF record allowing relay of malware spam in the same way you have to be responsive when there’s a gas leak on physical property. We’ve now seen from multiple pipeline ransomware events that critical infrastructure is just as in, if not more in danger, from a ransomware event than it is from a physical attack.
"For those that say this doesn’t matter because cybercriminals will just hide behind corporations or registrars in other countries: yes, that is the point. Defensive work is never about eliminating the threats, it’s about making it so expensive that the threat cannot operate. This raises the bar and makes it expensive for easy cyber criminality like business email compromise (BEC) and credential phishing campaigns. Additionally this reduces the attacking area left to monitor as it reduces the number of registrars that attackers can use.
"These are all wins in the defensive playbook. No crime won’t stop, but yes it will require a more sophisticated attacker and remove the run-of-the-mill non-technical cybercrime that is pervasive today.”
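Anderson's remark about a "permissive SPF record allowing relay of malware spam" is the one concrete control mentioned in the quote, and it is the kind of thing a domain owner can audit in a few lines. The following Python is an added example, not code from DomainTools or from the article; it parses an SPF TXT record and classifies its catch-all behaviour. The sample records are constructed for illustration and belong to no real domain; the mechanism and qualifier semantics follow RFC 7208 (bare `all` means `+all`, a record with no `all` term defaults to neutral, and `redirect=` only applies when no `all` is present).

```python
"""Audit SPF TXT records for permissive catch-alls.

A record that ends in '+all' (or bare 'all', or '?all', or carries no 'all'
term at all) tells receivers to accept mail from any host claiming the
domain, which is what lets a domain be used as a relay for spam that
carries malware. This is an illustrative example, not DomainTools code.
"""

# Outcome each SPF qualifier assigns to a matching mechanism (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records for illustration only; none belong to a real domain.
SAMPLE_RECORDS = {
    "strict.example":    "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "softfail.example":  "v=spf1 mx ~all",
    "neutral.example":   "v=spf1 a mx ?all",
    "wide-open.example": "v=spf1 +all",
    "bare-all.example":  "v=spf1 ip4:203.0.113.10 all",  # bare 'all' means '+all'
    "no-all.example":    "v=spf1 ip4:203.0.113.10",      # no catch-all: unlisted hosts get 'neutral'
    "delegated.example": "v=spf1 redirect=_spf.other.example",
    "not-spf.example":   "some unrelated txt record",
}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) triples.

    Mechanisms get their explicit or implicit ('+') qualifier; modifiers such
    as redirect= and exp= are returned with an empty qualifier. Returns None
    when the string is not an SPF record at all.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        head = term.split(":", 1)[0]
        if "=" in head:                      # modifier of the form name=value
            name, value = term.split("=", 1)
            parsed.append(("", name.lower(), value))
            continue
        qual = "+"                           # implicit qualifier is 'pass'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, sep, arg = term.partition(":")
        if not sep and "/" in name:          # dual-CIDR form such as a/24 or mx/24
            name, cidr = name.split("/", 1)
            arg = "/" + cidr
        parsed.append((qual, name.lower(), arg))
    return parsed


def assess_spf(record):
    """Classify the record's catch-all as 'strict', 'weak', 'permissive',
    'delegated' or 'not-spf', returning (verdict, reason)."""
    terms = parse_spf(record)
    if terms is None:
        return ("not-spf", "record does not begin with v=spf1")
    # Receivers ignore everything after the first 'all', and a redirect=
    # modifier only takes effect when no 'all' mechanism is present.
    for qual, name, _ in terms:
        if name == "all":
            outcome = QUALIFIERS[qual]
            if outcome in ("pass", "neutral"):
                return ("permissive", f"'{qual}all' lets unlisted hosts send as this domain ({outcome})")
            if outcome == "softfail":
                return ("weak", "'~all' only softfails unlisted hosts; many receivers still deliver the mail")
            return ("strict", "'-all' rejects unlisted hosts")
    for _, name, arg in terms:
        if name == "redirect":
            return ("delegated", f"evaluation redirected to {arg}; audit that domain's record instead")
    return ("permissive", "no 'all' mechanism: unlisted hosts get the default 'neutral' result")


def audit(records):
    """Run assess_spf over a {domain: txt_record} mapping; returns {domain: verdict}."""
    return {domain: assess_spf(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, why = assess_spf(record)
        print(f"{domain:20} {verdict:10} {why}")
```

To audit a real domain, feed `assess_spf` the TXT record returned by a DNS lookup; anything other than `strict` (or `delegated` to a record that is itself strict) deserves a look, since `~all` is routinely treated as a pass by receivers that do not enforce DMARC.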