At a glance.
- Signaling gets lost in translation? Or just a right-back-at-ya?
- A regulatory response to the SolarWinds compromise.
- Capacity building in the US, post-Holiday Bear.
- Persistent engagement, as seen from abroad.
- Industry reaction to the US ransomware task force's recommendations.
- US science and technology policy.
Signaling lost in translation.
Russia seems to have interpreted Washington’s warning about “seen and unseen” consequences to mean some portion of the Holiday Bear response will be literally undetectable. Calling the notion “ridiculous” and “stupidity,” Russian official Andrei Krutskikh said, “The technological capabilities of Russia allow us to see absolutely everything. It is naive to assume that a great nuclear power will suddenly not see something,” Interfax reports.
Regulatory response to Holiday Bear.
NPR has an account of President Biden’s planned executive order on cybersecurity, which the Administration hopes will address shortcomings uncovered in the SolarWinds hack, and better prepare the US for the next attack. As we’ve seen, the order includes provisions covering software development and transparency standards, cyber incident reporting, and a centralized cyber equivalent to the National Transportation Safety Board. The rules will apply to Government contractors, but the expectation is that they will “trickle down” through industry.
Capacity building in response to Holiday Bear.
War on the Rocks highlights the global capacity building element of the White House’s response to the SolarWinds supply chain incursion. The Administration’s April 15 "Fact Sheet" outlined a plan to educate allies on cyber defense, cyber norms, incident attribution, and the cyber implications of international law. The article cheers the renewed focus on capacity building as an essential element of a comprehensive national security strategy—since “stronger partners make better partners,” who make “all of cyberspace a safer place”—and encourages Congress to fully fund and empower the State Department’s new cyber office.
Specifically, the authors would like to see a new cyber fund for crisis aid and capacity building administered by State, characterizing current funding avenues as “inflexible” and “insufficient.” This administrative structure would facilitate the alignment of cyber supports with diplomacy objectives, in the interest of an “open, interoperable, reliable” Internet governance model. Given Beijing’s burgeoning influence over developing countries’ infrastructure, a counterbalance is needed to ensure future security and human rights protections.
Persistent engagement as seen from abroad.
Noting that persistent engagement’s columns of defend forward and strategic awareness stand on international alliances, the Diplomat offers some advice on investing in Indo-Pacific partners:
- Understand that smaller countries don’t want to be sucked into full-scale Sino-American conflict, and find alternative, more limited common ground, like countering APTs and South China Sea-driven campaigns.
- Clarify what exactly Washington hopes to defend, disturb, or otherwise accomplish on site, so allies can pitch in.
- Establish a notification and information-sharing system.
- Clear up Cyber Command’s commitments to confidence building measures, transparency, state sovereignty, international law, and safeguarding host countries’ assets.
- Spell out these changes in revisions to the 2011 International Strategy for Cyberspace.
Without such investments, the essay observes, opponents will eventually capitalize on corroding regional trust.
Reaction to the Ransomware Task Force's recommendations.
As the US Department of Justice organizes its anti-ransomware task force, a report by the Institute for Security and Technology offered forty-eight recommendations. Prominent among them are calls for close international regulation of cryptocurrencies and assistance for victims who refuse to pay ransom. The report also called for stepped-up enforcement of existing law, and for other measures designed to undermine the criminal economy that's arisen around ransomware. The Department of Homeland Security concurred with the report's conclusion that ransomware represents a national security threat, Breaking Defense writes.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, liked the prospect of stepping up enforcement, and in general approved of the report's concentration on undermining the economic infrastructure of ransomware, especially its abuse of cryptocurrencies:
"The two biggest contributing factors to the ransomware epidemic are the relative lack of risk of prosecution and the revolutionary ease of guaranteed payment due to cryptocurrency. Most ransomware gangs operate in locations with limited reach from their victims’ enforcement capabilities. They conduct their criminal attacks with relatively little concern that they will ever be brought to justice, which allows them to be brazen in their strikes targeting victims including hospitals and even law enforcement organizations.
"Secondarily, the rise of cryptocurrency has given cybercriminals a mostly guaranteed way to monetize any computer network in the world. Before cryptocurrency, attackers would need to find ways to make fraudulent bank transfers on behalf of their victims which would often be caught by verification controls or sometimes reversed by the banking institutions themselves. Now however, cryptocurrency allows them a method of collecting extortion demands outside of the traditional financial system that is outside the reach of regulators or law enforcement.
"These factors create an environment where there is little risk and incredibly lucrative rewards for cybercriminals. It’s therefore no surprise that attacks have exploded the past few years and, until these incentives change, will continue to. I applaud any efforts by governments and law enforcement to step up enforcement, both to catch the perpetrators as well as curtail their means of ensuring monetary results from their operations, but it is a very hard goal to accomplish."
Bryan Embrey, Director of Product Marketing at Zentry Security, applauds the report's recommendations, and hopes for more attention to VPN alternatives:
"With so many people working from home this past year and accessing critical business applications and resources primarily using a VPN, ransomware has taken off dramatically as an attack vector. And why not? VPNs are becoming less reliable, so malicious actors have taken full advantage of the opportunity to penetrate both public and private sector businesses to hold their systems and proprietary data hostage. Some estimates put the average ransom paid in 2020 at well over $300,000, and attackers don’t discriminate: they hit organizations of all sizes. Smaller organizations can be brought to their knees with a ransom that steep, and many small- to mid-size organizations are still suffering from losses during the pandemic. We applaud the efforts of this new Ransomware Task Force and will continue to advocate the use of VPN alternatives that provide much better protection against cyberattack."
Ilia Kolochenko, CEO, Founder, and Chief Architect at ImmuniWeb, sees the report as intelligent and valuable, but cautions that most of its recommendations are impractically burdensome and expensive:
“The report provides a wide spectrum of valuable and bright ideas; however, most of them are burdensome and far too expensive from a practical viewpoint. Strong global collaboration to combat cybercrime is probably a utopia, especially amid the rapidly growing political tensions around the globe, unclarity of international law’s application to cyber war, and disruptive aggressions in the digital space.
"Sadly, virtually all Western law enforcement agencies are significantly underfunded today, while efficient combat with ransomware will probably require at least a tenfold budget increase - just to address this isolated phenomenon. Spiraling pandemic losses will unlikely allow countries to spend more on cybercrime prosecution and investigation units, unless the private sector donates billions of dollars. Fighting digital currencies is a waste of time; cybercriminals will find a myriad of other smart ways to bypass sanctions and get paid with impunity.
"I’d rather suggest treating the root cause of ransomware: the widespread lack of basic cyber hygiene. Even the largest organizations from regulated industries often fail to follow the basics: maintain an up-to-date asset inventory, implement risk-based and threat-aware security controls, perform continuous security monitoring and anomaly detection, conduct ongoing security training and awareness, maintain software and patch management programs, and enforce centralized identity management. Most organizations have no third-party risk management programs, and lack Dark Web monitoring and an incident detection and response (IDR) plan. Unless we can motivate and support targeted organizations to attain a basic level of cyber hygiene, ransomware will continue flourishing.”
Rosa Smothers, a former CIA cyber threat analyst and technical intelligence officer, now an SVP at KnowBe4, expressed disappointment at the lack of emphasis on training:
"It is disappointing to see that in an over-50-page report, 'staff training' appears only once. Nearly all advice on ransomware treats only the symptoms, while ignoring the actual attack method -- social engineering -- and how to mitigate that threat with a strong security awareness training program. Without a robust program that includes frequent social engineering tests, it is still a matter of when, not if, a ransomware attack will be successful. Despite the heavy weights on this task force, they managed to miss the most significant remedy to the ransomware epidemic: train and test your users."
And, finally, Baber Amin, COO of Veridium, liked what was in the report, but sees some room for improvement:
"The Task Force report is very comprehensive, informative and pragmatic. Ransomware actors are an extension of organized crime. Most of the time we seem to forget this because when it comes to cyber security, we are prejudiced to think of lone wolf actors in black hoodies. The report lists four goals of Deter, Disrupt, Help and Respond. These goals are great, but I believe that there should have been more emphasis on the following as part of these goals, or perhaps as additional goals:
- "Action 3.4.4 does not go far enough to alleviate fines and provide immunity from regulations imposed by OFAC (Office of Foreign Assets Control). We need to encourage transparency and not penalize the company or individual who is trying to get their business back together.
- "Another missing part seemed to be the lack of involvement from ISPs, network equipment manufacturers and data center operators. Even CDN operators. All of these entities can and should play a larger role in identifying, tracking and isolating attacks, and also have consistent processes for evidence preservation.
- "Tabletop exercises need to go further. A ransomware attack in a red vs blue scenario should play out to the end to identify all possible paths.
- "We should also consider limiting liability for PII disclosure in a ransomware attack where a baseline of appropriate measures was taken.
- "Technical controls and end user education need to play a larger part in ransomware mitigation. Simple measures like MFA (multi-factor authentication), elimination of passwords, elimination of security theater, encryption of important information at rest, and timely and ongoing backups can make a big difference. These are all well understood processes, and can help from the perspective of making it difficult for an attacker and making it easy for an organization to recover without paying a ransom."
Response to US President Biden's remarks on science and technology policy.
The remarks on science and technology policy US President Biden offered when he spoke to Congress were familiar: the Government should support the kind of research it's unreasonable to expect the private sector to undertake. Meg King, Director of the Science and Technology Innovation Program at The Wilson Center in Washington, DC, reacted to the President's remarks by noting with approval that they recognized a role for Federal involvement in funding riskier technology research:
"President Biden reminded us tonight that sometimes it takes government to make the big bets in science and technology research and innovation. What if the US Government hadn't conceptualized the Internet, which has kept children in school during the pandemic, or GPS, which financial institutions rely on to timestamp transactions as public health-friendly cashless systems became necessary?
"The private sector's bottom line can't afford the risk or scale necessary to fund significant research gambles, so 'investments only the government is in a position to make' are crucial to advancing America's high-tech sector - from core technologies like semiconductors that enable our smartphones and cars to general-purpose capabilities like artificial intelligence that could, with more dedicated researchers and the expensive computer clusters needed to run models, transform our health, economy and national security. Beyond clear domestic benefit, these proposed investments are also clearly a hedge against China."