Revising the Budapest Convention? Mandatory reporting proposals. Election security. DPRK cybercrime. Appointment notes.

Summary

By the CyberWire staff

At a glance.

Proposed changes to the Budapest Convention.
Industry support for mandatory incident reporting.
US Federal election security measures proposed.
Cybercrime as national policy.
US Deputy National Cyber Director for Federal Cybersecurity appointed.

Updates to Budapest Convention to expedite cyberattack investigations.

Government leaders have proposed changes to the Budapest Convention aimed at maximizing the efficiency of cybercrime investigations. The Wall Street Journal explains that the modifications would allow authorities to communicate with tech companies outside their jurisdiction in order to quickly access necessary data. Currently under the Cloud Act, authorities can interact with domestic companies, but the revisions would allow countries to gather intel from companies in any of the countries who are part of the Convention, signed by sixty-five countries including the US, Japan, and Ukraine and members of the EU. The goal of the Convention, originally established in 2014, is to foster cooperation across borders when it comes to combating cybercrime. Marco Stefan, a research fellow at Brussels think tank the Centre for European Policy Studies, stated that the proposed changes, if agreed upon, “will significantly expand the geographic scope of law enforcement outreach.”

Industry leaders in support of mandatory reporting.

US officials have been working in recent days to determine reporting requirements for entities that have experienced cyberattacks, a group of industry leaders have submitted a letter to Congress advocating for mandatory reporting. Signed by representatives from the Institute for Security and Technology and the CyberThreat Alliance, the letter explains that mandatory reporting will increase the nation’s ability to defend against cyberattacks. The treatise also cites Cybersecurity and Infrastructure Security Agency Director Janet Easterly’s support of mandatory reporting at the recent Senate committee hearings. “By designing simple, easy to comply with reporting requirements for small businesses, Congress can effectively ensure that all businesses have equitable access to the vast array of resources offered by the U.S. Government, while still not overburdening small businesses,” the letter argues.

Mandatory reporting as election security safeguard.

Staying on the topic of incident reporting, CyberScoop discusses a Stanford Internet Observatory paper by Matt Masterson, the former top election security official at the US Cybersecurity and Infrastructure Security Agency, proposing that election technology should fall under mandatory reporting rules. Election tech was designated critical infrastructure in 2017, so it follows that it should be regulated by the same legislation that governs other essential industries like pipeline owners and electrical grids. However, federal oversight of the approximately 10,000 election jurisdictions across the country would be a very tall order, especially when partisan politics are already straining the country’s electoral system.

North Korea phishes for UN sanctions secrets.

Foreign Policy examines North Korea’s efforts to evade United Nations sanctions. The nation has already established an elaborate web of front companies, illicit bank accounts, and ransomware attacks, and even phishing operations unleashed in an attempt to spy on the UN’s panel of sanctions experts. In one recent attempt, an American UN official investigating North Korean sanctions violations received an email impersonating another UN colleague and containing a malicious link. Over the years, the attacks have grown more sophisticated and successful, spreading from email to social media platforms like LinkedIn, with many officials receiving up to four attempts a month.

Senior US Federal cybersecurity appointment.

US National Cyber Director Chris Inglis has announced the appointment of Chris DeRusha as the new Deputy National Cyber Director for Federal Cybersecurity. DeRusha will be dual-hatted: he'll also serve as the US Federal CISO.

Selected Reading

On the brink of full exposure (Tehran Times) On Wednesday morning, a group of hackers named Moses Staff hacked into the Israelis Ministry of Defense (read Ministry of War), gaining access to some groundbreaking information.

‘You Live With a Degree of Paranoia’ (Foreign Policy) Inside North Korea’s campaign to penetrate the U.N. sanctions experts’ wall of secrecy.

China pushes for security reviews of firms seeking to export user data (Reuters) China's top internet regulator on Friday published draft guidelines that will subject companies with more than 1 million users in the country to a security review before they can send user-related data abroad.

EU Parliament committee adopts new cybersecurity law for critical services (Euractiv) The leading committee of the European Parliament adopted on Thursday (28 October) a legislative proposal intended to secure Europe’s critical entities from cyberattacks.

Updated Cybercrime Pact Aims to Speed Cross-Border Investigations (Wall Street Journal) Proposed changes to the Budapest Convention are an attempt to inject some alacrity into sluggish cross-jurisdictional inquiries that give hackers time to disappear along with evidence.

Rethinking Surveillance on the 20th Anniversary of the Patriot Act (Just Security) 20 years ago, Congress enacted the PATRIOT Act. It's time to move on from that outmoded model of surveillance.

US Military ‘Well Postured’ For Any Chinese Cyber Onslaught, CIO Nominee Says (Breaking Defense) Elsewhere in the hearing John Sherman called attention to a growing concern at the Pentagon over the radio spectrum, saying "spectrum sharing" should be a DoD watchword.

[Letter to members of Congress] (Institute for Security and Technology) Dear Member of Congress: The undersigned organizations and representatives urge you to support forthcoming legislation that implements mandated reporting requirements for cyber incidents and in the event an organization makes a ransomware payment.

Election officials don't need to report cyber incidents to the feds. That could soon change. (CyberScoop) Security personnel charged with the challenging and high-stakes work of protecting election systems from digital threats might soon have another task on their to-do list: reporting any cyber incidents to the federal government.

Senate approves bill to protect telecommunications infrastructure from foreign threats (TheHill) The Senate on Thursday unanimously passed legislation to take steps to further crack down on the use of telecommunications products from companies deemed to be a national security threat, such as those based in Chin

Lawmakers examine TSA's growing role in cyber (FCW) Lawmakers on the Homeland Security Committee convened cybersecurity experts and key stakeholders from the transportation industry to discuss new rules in the works for the transportation sector.

A top cyber lawmaker is open to more regulations for vital industries (Washington Post) New cyber regulations could be coming for critical industries if they don’t raise protections on their own, Senate Homeland Security Chairman Gary Peters (D-Mich.) tells me.

U.S. lawmakers vote to tighten restrictions on Huawei, ZTE (Reuters) The U.S. Senate voted unanimously on Thursday to approve legislation to prevent companies such as Huawei Technologies Co Ltd (HWT.UL) or ZTE Corp that are deemed security threats from receiving new equipment licenses from U.S. regulators.

FTC wants to know when financial data is compromised, will require encryption (CyberScoop) The Federal Trade Commission is weighing updating its rules to require financial institutions to report within 30 days any security incidents in which misuse of customer data of at least 1,000 customers likely occurred.

Opinion: The State Department gets serious about the global technology race (Washington Post) Creation of a new State Department office is usually a snooze, even for diplomats. But Secretary of State Antony Blinken’s announcement Wednesday that he’s creating a new Bureau of Cyberspace and Digital Policy is worth noting — because it’s part of a much broader effort by the Biden administration to get serious about the global technology race.

Secretary of State Blinken announces a new bureau for cyber policy (NPR) In a speech, Secretary of State Antony Blinken announced that he's working with Congress to set up a new bureau for cybersecurity and digital policy.

Pegasus Is Only Sold to Governments, New Israeli Envoy to India Reiterates (The Wire) Naor Gilon, replying to questions over allegations of unauthorised surveillance using the Israeli company NSO Group's spyware, said the controversy is an 'internal matter'.