At a glance.
- The costs and benefits of indicting foreign cyber operators.
- UK plans for regulating IoT security.
- US Justice Department stands up anti-ransomware task force.
- US Congress weighs limitations on surveillance.
How effective are indictments of foreign cyber operators?
SearchSecurity examines the pros and cons of indicting state-backed hackers. Among the pros: indictments serve to share information about the alleged bad guys, like their identities, affiliations, and techniques. They occasionally affect threat actors’ business dealings and ability to travel, and in some cases, where victims can’t knowingly pay off sanctioned groups, they force outfits to abandon old tools. Indictments also carry geopolitical weight, and can influence narratives, negotiations, and norms.
On the other hand, indicted individuals will likely never face arrest, extradition, or trial, and indictments don’t appear to deter criminal groups. They might have less impact than disruption campaigns would, and they could ignite a “tit for tat.”
UK to regulate IoT security.
CityAM reports that legislation under consideration in the UK would require tech companies like Google and Apple to disclose the length of time their wares will be supported by security updates. The law would also prohibit universal default passwords and facilitate bug reporting.
With nearly half of residents having purchased a smart gadget since the outset of the pandemic, experts worry about the broader network vulnerability these devices introduce, as in the 2017 case where hackers pilfered casino data by breaching a fish tank. Buyers are keeping old gadgets longer, compounding the concern.
US Justice Department establishes an anti-ransomware task force.
CNN says the Department of Justice has set up an anti-ransomware task force after “the worst year ever for ransomware attacks.” The force will coordinate Federal efforts to “pursue and disrupt” ransomware networks, with an added focus on public-private collaboration, intelligence-sharing, and training. ZDNet highlights the initiative’s emphasis on “root causes,” explaining that disruptive measures could include seizing gangs’ profits and shutting down their servers.
Noting that ransomware threatens security and wellbeing in addition to business interests, the Wall Street Journal says the force will attack the “entire digital ecosystem” undergirding the enterprise. Everything from prosecutions to creative legal strategies and restrictions on enabling resources like digital forums and hosting services is on the table. One quandary the force will tackle is the conflict between assisting victims and curbing ransomware payments.
The FBI, Departments of Treasury and Homeland Security, Executive Office of US Attorneys, and global allies will also participate in the task force.
US Congress weighs surveillance limitations.
The Washington Post has an account of the Fourth Amendment Is Not for Sale Act, co-sponsored by Senator Wyden (Democrat of Oregon) and Senator Paul (Republican of Kentucky). The bill would seal “surveillance loopholes” by barring Government and police departments from purchasing personal data without a warrant or buying any “illegitimately obtained” data. The latter provision is meant to challenge the use of facial recognition software Clearview AI, which is currently employed by hundreds of US law enforcement agencies, and is powered by billions of images scraped from platforms like Facebook against the firms’ terms of service. The House is reviewing a similar bill.
A Clearview attorney said “downloading and analyzing photographs that people voluntarily post on the Internet” is not covered by the Fourth Amendment, “since there can be no reasonable expectation of privacy” there. Others worry about the lack of public and judicial oversight as Government agencies appropriate marketing resources for investigative purposes.