At a glance.
- New cybersecurity measures could help protect the US economy.
- Banking industry leaders warn about the risks of cybersecurity information sharing.
- Investigation finds that Israeli police used Pegasus software unlawfully.
New cybersecurity measures could help protect the US economy.
As we previously noted, the US House of Representatives last week passed two new cybersecurity bills: the Energy Cybersecurity University Leadership Act, which would mandate the creation of a research program on the intersection of cybersecurity and energy infrastructure, and the RANSOMWARE Act. As Teiss explains, RANSOMWARE (short for “Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies”) was authored by Republican Representative Gus Bilirakis of Florida and aims to make it easier for the US to respond to ransomware attacks from foreign adversaries. An update to 2006’s SAFE WEB Act, the RANSOMWARE Act would require the Federal Trade Commission to report on cross-border ransomware complaints, and it specifically names China, Russia, Iran, and North Korea as potential perpetrators of cyberattacks. The Floridian Press notes that the measure could have a positive effect on the country’s economy, which is on the brink of a downturn. Officials have warned of the economic damage ransomware attacks can do, since they could (for example) disrupt the US power grid or the delivery of essential goods and services.
We heard from David Mahdi, CSO and CISO Advisor at Sectigo, who framed the problem as an access and data security challenge:
“Ransomware isn’t solely a malware problem; bad actors want access to your data, so it really is a data security and access problem. However, many organizations are missing the point. For instance, as phishing is a common vector, many companies invest in email security and anti-virus to stop the malware. While this is a good best practice that will thwart many attacks, ransomware still makes its way in. This is like chasing shadows. What happens when there are new malware variants that leverage different vulnerabilities and penetration techniques? Can your anti-virus keep up? Time and again these advanced ransomware attacks aim to render traditional defenses useless.
“When we look at what ransomware does, it leverages a user’s access within an organization to encrypt sensitive files (and often also steal them). The authentication given to a user defines the level of damage the hacker will do. Therefore, a zero-trust, identity-first approach is critical. To prevent ransomware, you can’t just lock down data; you need a clear method of verifying all identities within an organization, whether human or machine.
“This is where the combination of identity-first approaches combined with PKI certificates enables immutable proof that ‘this person (or entity) is who they say they are.’ When combining identity-first principles with least-privilege data access security, ransomware attacks can be stopped in their tracks, and in some cases prevented entirely. Ultimately, ransomware attacks are mitigated, or even cut off at the source, and organizations aren’t left endlessly chasing shadows or putting out fires.”
Banking industry leaders warn about the risks of cybersecurity information sharing.
Last week the American Bankers Association and the Bank Policy Institute submitted a letter to the Senate Armed Services Committee and the Senate Homeland Security and Governmental Affairs Committee expressing concerns about a provision attached to the National Defense Authorization Act (NDAA), which was recently passed by the US House of Representatives. The provision would require banks to share details about their supply chain risk management protocols and to report information on their critical assets that “shall directly support the department’s ability to understand and prioritize mitigation of risks to national critical functions.” However, NextGov explains, the letter’s authors argue that such information sharing could itself pose a risk to critical infrastructure: a centralized inventory of critical assets and supply chain dependencies is exactly the kind of data an attacker would want. “Providing [the Cybersecurity and Infrastructure Security Agency] with [such] details…could expose firms to risk if it is inappropriately disclosed or stolen in a breach,” the letter reads. It also notes that the legislation doesn’t “specify what [Cybersecurity and Infrastructure Security Agency] would do with such information, [or] how it would be shared or protected against disclosure.” The NDAA is expected to come before the Senate in September, so there is still time for the provision to be amended.
Investigation finds that Israeli police used Pegasus software unlawfully.
The Jerusalem Post reports that a recent probe into the Israeli police’s use of Pegasus spyware found that the authorities did use the controversial surveillance software to collect data without court approval, but did not use the data so obtained. The investigation team, headed by Deputy Attorney-General Amit Marari, worked with technical experts from the Shin Bet and the Mossad to inspect systems owned by the Israel Police and questioned current and former police officers about police wiretapping methods. The investigation, which was launched after the Israeli newspaper Calcalist reported that the police had used NSO Group’s Pegasus to spy on public figures, found “no indication” that police had used the spyware to tap personal phones without a judicial order, AP News reports. However, the report does state that when the technology was used, police received information beyond what the warrants covered: for instance, data created on the target device before the date of the court order, or data that did not constitute “communication between devices.” Under police procedures such data could not be, and was not, used, but the police still overstepped their authority simply by collecting it. A summary of the report reads, “The team believes that the significance of introducing the use of a system with wide-ranging technological capabilities, which is a turning point in terms of the world of wiretapping, was not fully understood by the decision-makers in Israel Police.”
Meanwhile, as Avast notes, last week the US House Intelligence Committee held a hearing on the abuse of spyware like Pegasus and how it could shape future legislation as the House prepares to vote on the Intelligence Authorization Act. Witnesses testifying at the hearing included Shane Huntley, senior director of the Threat Analysis Group at Alphabet; Carine Kanimba, the daughter of Rwandan activist Paul Rusesabagina; and John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab. Intelligence Committee Chair Adam Schiff stated, “Powerful spying tools are being sold on the open market, essentially offering sophisticated signals intelligence capabilities as an end-to-end service.”