At a glance.
- Tensions continue to rise in Russia and the Near Abroad.
- Estonia urges enforcement of international law in cyberspace.
- New rules for UK businesses' digital supply chains considered.
- US Infrastructure Investment and Jobs Act signed.
Tensions continue to rise in Russia and the Near Abroad.
Russian President Vladimir Putin has declared he’s less than thrilled about NATO military activity in the Black Sea and neighboring countries. Kremlin spokesperson Dmitry Peskov told the National Interest that Putin is “concerned,” and in talks with German chancellor Angela Merkel, Putin described the activity as “destabilizing,” “dangerous,” and “provocative.” Peskov added that American and Russian militaries are engaging in talks to avoid potential conflict, but according to Military.com, some military analysts worry that the US’s efforts to protect Ukraine could backfire and push Russia to invade. The US and its allies are weighing their options for deterring Russian aggression, the Japan Times reports, and ANI News (which, it’s worth noting, sources the Russian-controlled outlet Sputnik) says there’s significant talk of imposing sanctions against Moscow and sending aid to Kiev. Experience tells us the conflict could result in increased cyberactivity from Russian-speaking threat actors.
Estonia urges nations to prosecute threat actors.
At a panel discussion at the Paris Peace Forum last week, Estonian President Alar Karis warned that cyberspace could devolve into a "Wild West" if nations don't take actions to keep that from happening. During a panel discussion with Microsoft president Brad Smith, chairman of the UN cybersecurity open taskforce Burhan Gafoor, and US deputy national security advisor for cyber and emerging technology Anne Neuberger, President Karis stressed that cyberspace is subject to international law, and that it’s up to individual nations to enforce that law, and thus to prosecute lawbreakers whenever necessary. The Baltic Times notes that Estonia hosted the world's first discussion on cybersecurity in the UN Security Council.
UK considers new cybersecurity rules for businesses' digital supply chain.
The UK Government has announced new plans for improving the cybersecurity of the country’s digital supply chains. Measures include requiring IT service providers to adhere to the National Cyber Security Centre’s Cyber Assessment Framework’s rules, procurement regulations requiring businesses only purchase services from firms with strong security, and improved guidance campaigns to advise businesses on managing their security risks. Minister for Media, Data and Digital Infrastructure Julia Lopez said, “Today we are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses’ digital footprint and protect their sensitive data.” The plans are in response to recent guidance from the Department for Digital, Culture, Media and Sport on better protecting digital supply chains and third party IT services.
Ilia Kolochenko, founder of ImmuniWeb, sees this approach to securing software and IT services as a model for other European governments:
“This is a great initiative that may serve as an example to other European countries. The avalanche of disastrous supply chains attacks in 2021 has clearly demonstrated that IT providers are the Achilles’ heel of the world's largest companies, banks and governmental agencies. While, for modern threat actors, IT vendors are a new El Dorado: breaching software companies is much easier and faster, for example, compared to frontally attacking financial service providers.
"The global IT services and software market is now highly competitive and, unfortunately, its players have to prioritize speed and cost-efficiency of operations over cybersecurity to win new contracts. Worse, small IT vendors have no technical capabilities at all to detect sophisticated intrusions by nation-state backed cyber mercenaries. Eventually, very sensitive data and intellectual property are silently stolen in a stealth mode. While, the existing vendor risk management programs are usually formalistic and mostly rely on bureaucratic questionnaires and template-based contracts that nobody bothers to audit or update.
"Importantly, this new initiative of the UK government's should not just impose formal annual audits but will also provide some tailored resources and actionable guidance on how to transform cyber-resilience and data protection into ongoing processes to be continuously reviewed and improved. Governmental support, especially for SMEs and startups, will play an essential role to make this laudable initiative successful.”
US President Biden signs infrastructure bill with major funding for cybersecurity.
President Biden yesterday signed the Infrastructure Investment and Jobs Act, which contains roughly $2 billion earmarked for cybersecurity. Highlights include $1 billion for state, local, and tribal government cybersecurity, $100 million for a Cyber Response and Recovery Fund to be administered by the Department of Homeland Security, and $21 million for the office of the National Cyber Director. The New York Times has a relatively accessible summary of the bill as a whole.
Reaction from industry was generally positive. Neil Jones, cybersecurity evangelist at Egnyte, was pleased by the evidence of bipartisan support for the measure:
“With the escalating volume of ransomware attacks and ballooning ransom payments, it's clear that the approaches most organizations use to address ransomware and targeted cyberattacks on critical infrastructure just aren't working. So, I’m excited to see that the $1 trillion infrastructure bill has allocated funds to maintain resilience of the USA's infrastructure against cyberthreats and malevolent nation-states. I'm particularly reassured to see both political parties supported the newly established office of National Cyber Director (NCD), including funding for the NCD to hire qualified personnel that will help him/her to achieve the group's important mission. Finally, I'm pleased to see that the Environmental Protection Agency (EPA) and CISA will take definitive action to identify public water systems that, should they become degraded or rendered inoperable due to cyberattacks, could significantly impact the health and safety of the general public. These changes will boost the country’s cybersecurity efforts and jump-start the government's response to cybersecurity intrusions. And, it will protect US citizens’ health and well-being -- an essential outcome you can’t put a dollar figure on during an ongoing pandemic.”
Tyler Farrar, CISO at Exabeam, thinks the magnitude of the risk warrants the expenditure, and urges more attention to automation for resilience:
“Critical national infrastructure (CNI) is a major target for cybercriminals due to the high, potentially life-threatening, impact successful attacks yield. So it’s extremely encouraging to see that the bipartisan infrastructure bill has dedicated investment dollars to protecting these systems.
"It’s crucial to understand and measure normal critical asset/system posture in order to protect critical infrastructure and avoid breaches. If there’s a digital route to systems in operational technology (OT), it’s at risk whether they are air-gapped or not. We have to be more rigorous in monitoring OT systems by securing all viable log data in terms of system setting, access control and maintenance. Even the smallest anomalies should be prioritized, investigated and managed accordingly. Simply relying on individual users for protection of our CNI systems will not scale.
"The only way to move forward for CNI protection is to work better with automation technologies to manage large volumes of data streams, analyze them for any anomalies and report risk and attacks in real time. This, along with constant user education on being diligent and the much-needed government support the infrastructure bill will provide, is critical to protecting CNI systems from ambitious cyberthreats.”
Danny Lopez, CEO of Glasswall, sees the bill as a necessary counterpart to the recent series of Executive Orders on cybersecurity:
“With the increase of cyberattacks we’ve seen throughout the last two years, the new infrastructure bill is a crucial step in improving the security of the nation’s infrastructure and modernizing systems to protect sensitive data and information.
"Here are a few important points. Following a rise in attacks on water systems in areas like Florida and the Bay Area, the bill requires the EPA and CISA to identify at-risk public water systems that could impact a large percentage of the population if deemed unsafe or inoperable due to cyberthreats. This is an extremely welcome initiative. In addition, the bill incorporates the Cyber Response and Recovery Act of 2021, which allocated a whopping $100 million to improving government cybersecurity, and a significant investment in talent for the office of the new National Cyber Director.
"This bill, in addition to the administration's executive orders (EOs) on the subject, shows just how seriously federal cyber leaders take the threat we all face. Previous EOs have emphasised the importance of stronger multi-factor authentication and encryption. These are critical elements in an effective cybersecurity strategy, but an overarching zero trust approach will take businesses’, government agencies’ and critical infrastructure organisations’ protection to the next level.
"Zero trust security sees the world differently so no one is trusted by default, regardless of whether they are inside or outside a network. Without a zero trust approach, organisations run the risk of attackers having free rein across a network once they are inside. If more security teams turn to this approach, fewer attacks and payments will need to be reported.”