Why indict foreign cyber operators? IoT security regulation in the UK. Anti-ransomware measures and surveillance limitations in the US.

Summary

By the CyberWire staff

At a glance.

The costs and benefits of indicting foreign cyber operators.
UK plans for regulating IoT security.
US Justice Department stands up anti-ransomware task force.
US Congress weighs limitations on surveillance.

How effective are indictments of foreign cyber operators?

SearchSecurity examines the pros and cons of indicting state-backed hackers. Among the pros: indictments serve to share information about the alleged bad guys, like their identities, affiliations, and techniques. They occasionally impact threat actors’ business dealings and ability to travel, and in some cases, where victims can’t knowingly pay off sanctioned groups, force outfits to abandon old tools. Indictments also carry geopolitical weight, and can influence narratives, negotiations, and norms.

On the other hand, indicted individuals will likely never face arrest, extradition, or trial, and indictments don’t appear to deter criminal groups. They might have less impact than would disruption campaigns, and they could ignite a “tit for tat.”

UK to regulate IoT security.

CityAM reports that legislation under consideration in the UK would require tech companies like Google and Apple to disclose the length of time their wares will be supported by security updates. The law would also prohibit universal default passwords and facilitate bug reporting.

With nearly half of residents having purchased a smart gadget since the outset of the pandemic, experts worry about the broader network vulnerability these devices introduce, as in the 2017 case where hackers pilfered casino data by breaching a fish tank. Buyers are keeping old gadgets longer, compounding the concern.

US Justice Department establishes an anti-ransomware task force.

CNN says the Department of Justice has set up an anti-ransomware task force after “the worst year ever for ransomware attacks.” The force will coordinate Federal efforts to “pursue and disrupt” ransomware networks, with an added focus on public-private collaboration, intelligence-sharing, and training. ZDNet highlights the initiative’s emphasis on “root causes,” explaining that disruptive measures could include seizing gangs’ profits and shutting down their servers.

Noting that ransomware threatens security and wellbeing in addition to business interests, the Wall Street Journal says the force will attack the “entire digital ecosystem” undergirding the enterprise. Everything from prosecutions to creative legal strategies and restrictions on enabling resources like digital forums and hosting services is on the table. One quandary the force will tackle is the conflict between assisting victims and curbing ransomware payments.

The FBI, Departments of Treasury and Homeland Security, Executive Office of US Attorneys, and global allies will also participate in the task force.

US Congress weighs surveillance limitations.

The Washington Post has an account of the Fourth Amendment Is Not for Sale Act, co-sponsored by Senator Wyden (Democrat of Oregon) and Senator Paul (Republican of Kentucky). The bill would seal “surveillance loopholes” by barring Government and police departments from purchasing personal data without a warrant or buying any “illegitimately obtained” data. The latter provision is meant to challenge the use of facial recognition software Clearview AI, which is currently employed by hundreds of US law enforcement agencies, and is powered by billions of images scraped from platforms like Facebook against the firms’ terms of service. The House is reviewing a similar bill.

A Clearview attorney said “downloading and analyzing photographs that people voluntarily post on the Internet” is not covered by the Fourth Amendment, “since there can be no reasonable expectation of privacy” there. Others worry about the lack of public and judicial oversight as Government agencies appropriate marketing resources for investigative purposes.

Selected Reading

Putin promises a ‘quick and tough’ Russian response for foes that interfere with its interests (pennlive) The warning during Putin’s annual state-of-the-nation address came amid a massive Russian military buildup near Ukraine.

In annual address, Putin warns Russia's foes will be sorry (abc10.com) Putin’s warning during his annual state-of-the-nation address came amid a massive Russian troop buildup near the border with Ukraine.

'We don't need to panic': US and European powers alarmed by growing 'danger' from Putin's Russia (Washington Examiner) Russian President Vladimir Putin’s crackdown on domestic dissidents and military buildup along Ukraine’s border are driving relations between Moscow and the Western powers toward a perilous inflection point, according to U.S. and European officials.

China is against cyberspace attacks, willing to cooperate with other countries: Foreign Ministry (Global Times) China is willing to cooperate with other countries to safeguard global cybersecurity and opposes any country or organization smearing China on the issue of cybersecurity in order to achieve their political goals, the Chinese Foreign Ministry said on Wednesday.

This has just become a big week for AI regulation (MIT Technology Review) The EU has unveiled its new AI rules—but an announcement from the FTC may have more teeth.

Artificial Intelligence, Facial Recognition Face Curbs in New EU Proposal (Wall Street Journal) European officials want to limit police use of facial recognition and ban the use of certain kinds of AI systems, in one of the broadest efforts yet to regulate high-stakes applications of artificial intelligence.

EU’s Proposed AI Rules Add Compliance Burden for Business Use of Facial-Recognition Technology (Wall Street Journal) European Union regulations for how businesses can use facial-recognition technology proposed Wednesday would carry bigger fines than those permitted by the bloc’s existing privacy laws.

EU’s Artificial Intelligence Regulation – Tough Tests for Smart Products (cyber/data/privacy insights) EU proposal extends product safety, data protection and cybersecurity concepts to groundbreaking AI regulation What has happened? The European Commission has finally published its much-anticipated proposal for a broad regulation to cover the use of artificial intelligence in the EU. This is a

UK to force tech firms to disclose device security plans amid cyber fears (CityAM) Tech firms could be forced to tell customers how long their products will receive security updates amid fears about cyber attacks.

CISA issues third emergency directive since SolarWinds (FCW) The government's cybersecurity watchdog is increasingly issuing emergency instructions to agencies for handling high-risk vulnerabilities, something analysts say reflects both CISA's stature and the environment its working in.

White House: Here's what we've learned from tackling the SolarWinds and Microsoft Exchange Server cyber incidents (ZDNet) Partnerships with private companies in dealing with aftermath of cyberattacks "sets precedent for future engagements on significant cyber incidents".

Senators seek limits on some facial-recognition use by police, energizing surveillance technology debate (Washington Post) The legislation would restrict government purchase of private databases without a warrant in one of Congress’ most ambitious attempts yet at regulating the use of controversial technologies

US Senator Mark Warner calls for urgent transatlantic cooperation on cybersecurity (POLITICO) Mark Warner said the consequences of not acting could be ‘disastrous’

House green lights new State Department cyber bureau (CyberScoop) The House of Representatives passed a bill that would carve out a State Department cyber diplomacy office to help influence cyberspace norms.

Nakasone deflects senators' invitations to seek domestic spying powers (Defense Systems) Lawmakers have continued to prod the NSA chief to request new surveillance authorities that might prevent another SolarWinds-type breach.

Companies Complain to Senators About Apple’s and Google’s App Stores (New York Times) Tile said Apple boxed out its products and then copied them. Spotify said Apple blocked it from telling customers that they could find cheaper prices outside its iPhone app. And Match Group testified that it now paid nearly $500 million a year to Apple and Google in app store fees, the dating company’s single largest expense.

We Could Use a Private-Sector-Oriented Cyber Leader (Lawfare) All three of President Biden’s picks for the top cyber positions in his administration are excellent choices. It would have been better, however, if one of them had experience more rooted in the private sector.

FTC Nominee Khan Signals Support for Aggressive Approach on Big Tech (Wall Street Journal) Lina Khan, a Big Tech critic nominated to a seat on the Federal Trade Commission, appeared on track to win confirmation after a hearing Wednesday.

Nation-state hacker indictments: Do they help or hinder? (SearchSecurity) Infosec experts share their thoughts on the pros and cons of indictments against nation-state hackers, which have been on the rise recently.

WSJ News Exclusive | Ransomware Targeted by New Justice Department Task Force (Wall Street Journal) The department aims to curtail the cyberattacks with a strategy intended to make the extortion schemes less lucrative by targeting the entire digital ecosystem that supports them.