At a glance.
- Appropriations as a teaching tool.
- Studying retaliation as self-defense.
- Implications of the REvil arrests.
State cybersecurity funding used as a teaching tool.
As we saw earlier this week, the US House of Representatives has approved a $1.2 trillion infrastructure bill that includes a $1 billion grant devoted to state and local government cybersecurity. As Politico discusses, only 35 percent of states currently have any funding allocated to cybersecurity, so the grant is not just a financial boost but is also intended to get local governments on board with the idea of incorporating cybersecurity into their budgets. Matt Pincus, director of government affairs at the National Association of State Chief Information Officers, describes the program as “sort of like the ‘teach a man to fish’ adage.” To underline this effort, Congress has stated that in order to qualify for grant dollars, states must match a specified percentage of the federal funding.
The pros and cons of digital self-defense.
The US Department of Homeland Security (DHS) is being asked to consider the controversial concept of “hacking back” -- the idea that, just like householders defending their home, an organization has the right to defend its systems by essentially counter-attacking the attacker. Security Week explains that a bipartisan bill called the “Study on Cyber-Attack Response Options Act” was introduced this summer and asks DHS to explain why private organizations should not have the right to hack their threat actors.
While the bill, on its face, seemingly urges DHS to condemn the tactic, the assumption is that DHS will have little valid argument against hacking back, forcing the department to consider how the government can enforce and regulate such activity. Some proponents assert that hacking back is already being put into practice at the federal level; as John Demers, former assistant attorney general for the Justice Department’s national security division, told the Washington Post, “The Justice Department is increasingly aiming to disrupt adversaries’ hacking activity rather than just call it out in indictments.” But other experts, such as Jen Ellis of the cybersecurity firm Rapid7, argue that hacking back could lead to catastrophe, if for no other reason than “it’s essentially impossible to know for certain that we’ve accurately attributed an attack,” which could result in the wrong suspected threat actor being targeted.
Did the REvil ransomware bust turn the tide?
As we observed yesterday, US authorities disclosed they had taken action against two threat actors suspected of being responsible for the massive ransomware attack that targeted software firm Kaseya and its many clients. Not only did authorities arrest a Ukrainian national affiliated with REvil, the ransomware gang behind the attack, but they also seized over $6 million in alleged ransomware payments from another gang member who was still at large. “Ransomware attacks are fueled by criminal profits; that is why we are not just pursuing individuals responsible for those attacks,” US Attorney General Merrick Garland stated at a press conference. “We are also committed to capturing their illicit profits and returning them whenever we can to the victims from whom they were extorted.” Wired posits that the bust, which some are calling the largest of its kind to date, sends a clear message that cybercriminals, no matter where they reside, can no longer avoid punitive measures. Some cybersecurity experts see this as a turning point, but only if government officials leverage the momentum. As Katie Nickels, director of intelligence at the security firm Red Canary, asks, “Adversaries are going to be looking to see: is this a limited action, or can law enforcement continue imposing costs?”