At a glance.
- TLDR Bill would mandate "nutrition-label" terms of service.
- FBI shifts cyber priorities.
- GAO reports on SolarWinds exploitation discovery and response.
- FSB liquidates REvil.
- Reaction to the FCC's proposed disclosure rules.
Too long, no longer have to read.
A bipartisan group of US lawmakers has drafted a bill aimed at making it easier for users to understand just what they’re committing to when they check that little “agree to terms of service” box on a website. The Washington Post explains that the cleverly named TLDR Act would require the typically tedious terms to be accompanied by a bite-sized summary statement designed to prevent companies from taking advantage of users’ unwillingness to read overly complicated text.
In addition to communicating what data the site collects, the summary would also inform users if the site has recently suffered any data breaches. Louisiana Senator Bill Cassidy, a proponent of the measure, stated, “Requiring companies to provide an easy-to-understand summary of their terms should be mandatory and is long overdue.” The measure would be enforced by the Federal Trade Commission and state attorneys general, and companies found in violation could face civil action.
FBI indicates a shift in cybersecurity priorities.
The US Federal Bureau of Investigation (FBI) is signaling a shift in their approach to confronting cybercrime, CyberScoop reports. While speaking at a Silverado Policy Accelerator event, assistant director of the FBI’s cyber division Bryan Vorndran indicated that the Bureau would be placing less focus on indictments. “The FBI specifically is moving away from an indictment- and arrest-first model into the totality of imposing costs on our adversaries, and we’re making tremendous progress there,” he stated. Tonya Ugoretz, deputy assistant director of the cyber division, explained that the FBI would focus more on ransomware payment seizures, as they did during last year’s attack on the Colonial Pipeline. “The types of ransomware seizures that you saw us undertake with the Department of Justice last year are certainly things we want to replicate … and try to scale,” Ugoretz stated.
However, some experts are concerned about such tactics. Josephine Wolff, a professor of cybersecurity policy at Tufts University, states, “Approaches to combating ransomware that might have a larger impact on the criminal ecosystem include cracking down on cryptocurrency transactions, making ransom payments illegal, making it illegal for insurers to cover those payments, and imposing security requirements on critical infrastructure operators to reduce the likelihood of infection in the first place.”
GAO reports on SolarWinds and Microsoft Exchange attacks.
The US Government Accountability Office (GAO) has released a report summarizing the federal response to two major recent cybersecurity incidents: the 2020 SolarWinds cyberattack and the recent exploitation of vulnerabilities in Microsoft’s Exchange server. FedScoop notes that the report highlights communication difficulties between the private and public sectors, as well as between government agencies. “Specifically, an official from ODNI’s Cyber Executive Office told us that information sharing among law enforcement, private sector, and intelligence groups was difficult and time consuming, as there were different classification levels for information,” the report states.
In response to these findings, GAO is calling for the establishment of a centralized forum to support interagency communication as well as correspondence between the government and industry. The report also details the creation of a unified coordination group (UCG) consisting of the Cybersecurity and Infrastructure Security Agency, the FBI, and the Office of the Director of National Intelligence, with assistance from the National Security Agency. A SolarWinds spokesperson told Fox Business that the report “highlights the criticality of improving public-private engagement, and that coordination and information-sharing needs to be a two-way street between government and the private sector."
FSB takes down REvil.
Russia's Interfax news agency reported this morning that the FSB has liquidated the gang in a series of arrests. "The FSB of Russia has established the full composition of the REvil criminal community and the involvement of its members in the illegal circulation of means of payment, and documentation of illegal activities has been carried out," an official statement said. The FSB said it had conducted the raids (which netted not only fourteen arrests, but $600,000 and €500,000 in cash, as well as computers, "crypto wallets used to commit crimes," and twenty luxury cars, all of which are said to be ill-gotten) at the "appeal of competent US authorities."
The arrests are noteworthy in that Russian ransomware gangs have operated effectively as privateers, permitted to steal from selected foreign targets insofar as such theft served the interests of the state. But REvil has apparently lost its letter of marque and reprisal. Ziv Mador, VP of Security Research, Trustwave SpiderLabs, calls the Russian action "unprecedented":
"This unprecedented action from the Russian Federal Security Service (FSB) aligns with the fear that we've observed while conducting cybercriminal chatter reconnaissance on the Dark Web. Cybercriminals on the Dark Web indicated back in November 2021 that they believed there were secret negotiations on cybercrime between the Russian Federation and the United States and urged each other to prepare for potentially serious actions from Russia. Time will tell if REvil resources will reemerge in another form, as we've seen with other ransomware groups many times in the past."
Reaction to the US Federal Communication Commission's (FCC) proposed disclosure rules.
Trevor Morgan, product manager with comforte AG, thinks the rules will place much of their burden on Federal agencies:
“The FCC’s proposition that data breach reporting rules should be more rigorous on telecom carriers reflects the pressure put on governmental agencies to take better proactive action on cybersecurity.
"Last year’s high-profile breaches that affected numerous supply chains and even large ICT organizations, many of which had a rippling effect on the average consumer, certainly caught the attention of governments and regulators across the globe.
"Carriers collect an enormous amount of information about their customers, much of it consisting of private and highly sensitive data, so ensuring that these businesses respond responsibly and rapidly to any data breach—intentional hack or inadvertent data leak—helps to create a better collective culture of data privacy and security, and incidentally nurtures public trust.
"Another mitigating tactic for businesses in telecom or any other industry is to adopt data-centric security, which applies strong tokenization or format-preserving encryption protection directly to sensitive data, making it unreadable and thus unusable by threat actors. Reporting that a breach has occurred but that no sensitive data has been revealed is a much better call than the alternative, with much better reception.”