At a glance.
- US FISA targeting slowed during 2020, as the targets' behavior changed during the pandemic.
- US Justice Department to hire a Liaison Prosecutor for Eastern Europe.
- The G7 issues a declaration on online safety.
- US Justice Department undertakes 120-day cyber review.
- US infrastructure bill to address water supply security.
- Comment on the anti-ransomware task force.
US domestic surveillance slowed during the pandemic.
As travel restrictions proliferated last year, the number of potential national security threats on US soil surveilled under the Foreign Intelligence Surveillance Act dropped off, possibly due to “target behavior,” the AP reports. While NSA surveillance of foreigners overseas dipped marginally from 2019 rates to nearly 203 thousand targets, FBI surveillance of suspected in-country foreign agents halved, from roughly one thousand cases to fewer than five hundred.
The New York Times notes that these are the lowest numbers on record since the Office of the Director of National Intelligence began issuing transparency reports eight years ago following the Snowden scandal. Blowback from the Bureau’s “botched use of its eavesdropping power in the Trump-Russia investigation,” the Times adds, may have also put a damper on last year’s surveillance requests.
Justice Department appoints new liaison for Eastern European cybercrime.
The US Department of Justice is sending a new Liaison Prosecutor to help Eastern European officials tackle the notorious nesting ground of ransomware rings, according to the Record. In his or her role with Eurojust, the prosecutor will counsel local legislative, legal, and law enforcement authorities. The previous Transnational Organized Cybercrime Liaison Prosecutor for Eastern Europe stood down last December.
G7 declaration on online safety.
- “Internet safety principles” covering human rights, minors’ wellbeing, harmful and illegal behavior, democratic principles, and civil liberties, with associated obligations for tech firms.
- Regulatory coordination on data flows, records digitization, competition, standards, and critical infrastructure security.
Six more declarations are expected this year.
Justice undertakes comprehensive cybersecurity review.
The Washington Post says the US Justice Department’s 120-day cybersecurity review will consider emerging threats, from supply chain attacks to AI-powered campaigns, and revamp the Department’s defensive strategy in response. Deputy Attorney General Lisa Monaco commented, “We need to rethink and really assess, are we using the most effective strategies against this kind of new evolution…? There is no time to lose.”
Cybersecurity included in US water infrastructure bill.
Nextgov emphasizes that the Drinking Water and Wastewater Infrastructure Act of 2021 would specifically authorize grants for cybersecurity initiatives. A 2018 attempt to fund cyber upgrades to water utilities stalled, but after the Oldsmar, Florida attack, the effort has gained new momentum. Deputy National Security Advisor for Cyber Anne Neuberger, for example, promised to work toward an elevation of industrial control system security.
Comment on the US anti-ransomware task force.
We continue to receive comments from industry experts on the anti-ransomware task force. Baber Amin, COO of Veridium, likes the task force's way of thinking, but has some advice on how he thinks it might improve its approach to the problem:
"The Task Force report is very comprehensive, informative and pragmatic. Ransomware actors are an extension of organized crime. Most of the time we seem to forget this because when it comes to cyber security, we are prejudiced to think of lone wolf actors in black hoodies. The report lists four goals of Deter, Disrupt, Help and Respond. These goals are great, but I believe that there should have been more emphasis on the following as part of these goals, or perhaps as additional goals:
- "Action 3.4.4. does not go far enough to alleviate fines and provide immunity from regulations imposed by OFAC (Office of Foreign Assets Control). We need to encourage transparency and not penalize the company or individual who is trying to get their business back together.
- "Another missing part seemed to be the lack of involvement from ISP(s), network equipment manufacturers and data center operators. Even CDN operators. All of these entities can and should play a larger role in identifying, tracking and isolating attacks, and also have consistent processes for evidence preservation.
- "Tabletop exercises need to go farther. A ransomware attack in a red vs blue scenario should play it out to the end to identify all possible paths.
- "We should also consider limiting liability for PII disclosure in a ransomware attack where a baseline of appropriate measures was taken.
- "Technical controls and end user education need to play a larger part in ransomware mitigation. Simple measures like MFA (multi-factor authentication), elimination of passwords, elimination of security theater, encryption of important information at rest, and timely and ongoing backups can make a big difference. These are all well understood processes, and can help from the perspective of making it difficult for an attacker and making it easy for an organization to recover without paying a ransom."