At a glance.
- ASD found no good way to mitigate risk of Chinese hardware in Australian infrastructure.
- Changes at Data61.
- Governments mull approaches to controlling ransomware.
- Social Media Privacy Protection and Consumer Rights Act reintroduced in the US Senate.
Report: ASD found no way to mitigate risk of Huawei equipment.
After eight months of research, the Australian Signals Directorate (ASD) concluded that the risks of installing Huawei 5G gear throughout the country’s infrastructure could not be adequately remediated, the Sydney Morning Herald reports. Even with “300 separate security measures,” including full visibility into source code, hardware, and updates, Beijing could still switch off the network.
The espionage risks presented by Chinese vendors frequently make headlines, an ASD official observed, but interruptions to critical infrastructure (CI) like water treatment and transportation systems could have even graver consequences. Huawei maintains it would “never comply” with a shutdown order; former Prime Minister Turnbull calls this assertion “laughable.”
Data61 disbands cyber unit.
InnovationAus says a restructuring at Canberra’s Commonwealth Scientific and Industrial Research Organisation (CSIRO) dissolved Data61’s crack cyber research team “Trustworthy Systems.” Trustworthy Systems was the brains behind the seL4 microkernel that “changed the notion of the possible” in software security, in the words of one member. Data61 is eliminating seventy positions and eventually establishing one hundred others to advance CSIRO’s new AI priorities. Participants worry the move will result in funding and human capital losses.
Proposed approaches to controlling ransomware.
The US Internal Revenue Service (IRS) outlines the tax compliance implications of President Biden’s American Families Plan, including a requirement for cryptocurrency transfers totaling more than $10 thousand to be reported to the IRS, as Reuters reports. In addition to cracking down on tax evasion, the rule could improve Federal visibility into ransomware payments, and would come with modernized computer systems outfitted with machine-learning capabilities. The Wall Street Journal notes that the proposal’s realization depends on successfully training nearly 90 thousand new employees and navigating an IT “overhaul.” CNBC marks the opinion of some experts that Congress will soon expand the Securities and Exchange Commission’s authorities over cryptocurrency as well.
The Australian Financial Review looks at an alternative plan of attack: disclosure obligations for ransomware victims, which could facilitate threat intelligence and “smoke out” the wallets, crypto exchanges, and other infrastructure involved in the transactions. The Washington Post considers the pros and cons of the next logical step, banning ransomware payment. On the plus side, such a ban could starve and discourage the gangs that feed on the proceeds and apply them to further nefarious ends. In the minus column, a ransom ban might encourage law-breaking, bankrupt businesses, and jeopardize lives (in the case of CI attacks).
The Social Media Privacy Protection and Consumer Rights Act reintroduced in the US Senate.
The bipartisan reintroduction of the Social Media Privacy Protection and Consumer Rights Act in the US Senate was explained by its cosponsors, Senators Amy Klobuchar (Democrat of Minnesota) and John Kennedy (Republican of Louisiana) as follows.
From Senator Kennedy: “It’s common sense that people have a right to data privacy, and that right does not evaporate when someone logs on to their social media profile. Social media companies have a duty to protect their users’ data and to offer quick solutions when a breach occurs. The Social Media Privacy Protection and Consumer Rights Act would strengthen users’ control over their own data and better protect their privacy.”
And from Senator Klobuchar: “For too long companies have profited off of Americans’ online data while consumers have been left in the dark. This legislation will protect and empower consumers by allowing them to make choices about how companies use their data and inform them of how they can protect personal information.”
Reacting to the bill's reintroduction, Alexa Slinger, an identity management expert from OneLogin, sent us the following comments:
“Now more than ever, consumers rely upon the convenience of digital services in their daily lives. As breach and data privacy concern headlines continue to surface across media outlets, consumers are becoming more concerned about how companies are using their personal data. Despite this, exchanging personal information for the ease of experiences is still the norm for most consumers, as navigating through cookie acceptance forms and legal jargon with long terms & conditions isn’t feasible for the everyday user. That can leave consumers in a vulnerable position should a vendor they’re using suffer a breach.
“According to an Audit Analytics report, Trends in Cybersecurity Breach Disclosures, it takes an average of 108 days before companies discover a breach, and another 49 days to disclose the breach to consumers. This leaves buyers unknowingly at risk to further exploitation of their data, and companies subject to detrimental costs and penalties to their business.
“It’s in both the consumer and company’s best interest to implement standards, processes and systems to prevent breaches and protect valuable user data.”
We also heard from KnowBe4 security awareness advocate Erich Kron, whose general approval is tempered by an awareness that the issues involved are complicated, and unlikely to be amenable to any single simple solution:
“While many of the measures in this bill are great, it would have to be seen how much impact they have in the real world. While explaining to people, even in plain terms, the types of data that are stored or collected by the platforms, this does not mean that people will understand the true risk it poses for them. Making people aware that the platform collects this data does not ensure that they will care.
“The provision to require notification of a breach within 72 hours of it occurring sounds like a great idea; however, in practice that may not be enough time to assess the incident and provide meaningful information. For this reason, the initial notification is liable to be very limited in usefulness. In addition, the requirement to notify users within 72 hours of the breach occurring is flawed, as often organizations do not realize the breach occurred until long after that deadline has passed. Better wording would be to require notification within a timeframe after the breach is identified, not occurred.
“There is the real possibility that the short notification window could hamper law enforcement actions as well, as oftentimes the breach is discovered while the attackers are still in the system. Once known, their actions could be tracked and even selectively blocked, giving responders an opportunity to attempt to identify the attackers. With a public breach announcement that soon, the attackers could be alerted, prompting them to cover their tracks and break off before meaningful forensics could be gathered.
“This is a very complicated issue that will continue to grow as more digital information is collected across the multitude of new and existing social networks, which is why it is so important to ensure that the laws being proposed take into account the nuances and complexities of dealing with data breaches.”