At a glance.
- US ransomware threat-sharing initiative.
- FCC re-enters cyber regulation.
- A look at TSA’s rail cybersecurity directive.
US ransomware threat-sharing initiative.
The White House has issued a fact sheet summarizing its second International Counter Ransomware Initiative (CRI) Summit, which concluded yesterday. The CRI outlines the following goals for 2023:
- "Establish an International Counter Ransomware Task Force (ICRTF), led by Australia as the ICRTF’s inaugural chair and coordinator, to coordinate resilience, disruption, and counter illicit finance activities in alignment with the ICRTF’s thematic pillars. ICRTF members will commit to contribute to joint work of the coalition through information and capability sharing, as well as joint action in the fields of resilience, disruption, and countering illicit finance.
- "Create a fusion cell at the Regional Cyber Defense Centre (RCDC) in Kaunas, led by Lithuania, to test a scaled version of the ICRTF and operationalize ransomware related threat information sharing commitments. The RCDC will publish semiannual public reports on ransomware trends and mitigation measures. Through this effort, we will share technical information about ransomware (tools, tactics, and procedures) with a wide spectrum of stakeholders. Data provided by participating members will be aggregated and summarized by the RCDC.
- "Deliver an investigator’s toolkit, including lessons learned and strategies for responding to significant ransomware events and proactively tackling major cybercriminal actors; resources to build capacity to effectively disrupt the threat of ransomware; and consolidated “tactics, techniques, and procedures” (TTPs) and trends for key identified actors. This will allow CRI partners to benefit from the breadth of expertise and technical capability brought together under the working groups.
- "Institute active and enduring private-sector engagement based on trusted information sharing and coordinated action to improve our joint work towards operational disruption.
- "Publish joint advisories outlining TTPs for key identified actors. Ransomware has impacts that extend far beyond the borders of CRI partners. Joint public advisories will offer warning and mitigation measures to the international community so that the global community is enabled to close vulnerabilities to these cyber criminals, amplifying our collective reach.
- "Coordinate priority targets through a single framework, focused on hard and complex targets. We will translate these initiatives into concrete disruption results with law enforcement groups.
- "Develop a capacity-building tool to help countries utilize public-private partnerships to combat ransomware. The tool will feature a series of case studies of public-private partnerships that have been used in the counter ransomware fight.
- "Undertake biannual counter ransomware exercises to further develop, strengthen, and integrate our collective approach to combatting ransomware from resilience to deterrence."
CyberScoop notes that US financial companies suffered nearly $1.2 billion in losses due to ransomware attacks in 2021, according to a report released yesterday by the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN). FinCEN states that this reflects "a 188 percent increase compared to the total of $416 million for 2020."
FCC re-enters cyber regulation.
Law firm Hogan Lovells has published an article in JD Supra summarizing the steps the US Federal Communications Commission (FCC) is taking to secure communications systems. Most recently, the FCC issued a proposal to secure the US emergency alert system:
"[O]n October 27, 2022, the FCC adopted a Notice of Proposed Rulemaking regarding strengthening the nation’s Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) programs against security threats. The FCC proposes to require participating alert providers to submit annual certifications that the provider has created, annually updated, and implemented a cybersecurity risk management plan. The risk management plan would need to address specific security controls, such as requiring multifactor authentication and installing security updates. Finally, the FCC would require EAS participants to provide the FCC notice of unauthorized access of the EAS equipment, communications systems, or services, within 72 hours of the incident. Comments will be due thirty days after the item is published in the Federal Register."
A look at TSA’s rail cybersecurity directive.
Attorneys at Bracewell LLP have published an article looking at the US Transportation Security Administration's (TSA's) recent initiative to improve railway cybersecurity:
"[T]he TSA directive imposes two primary requirements on passenger and freight rail operators, each of which will require numerous elements. First, these operators must, by February 21, 2023 (120 days after the effective date), develop a TSA-approved Cybersecurity Implementation Plan laying out specific measures the company is taking. Second, the operators must establish a Cybersecurity Assessment Program to include proactive testing and regular audits of cybersecurity upgrades and check for vulnerabilities. The TSA plans to initiate a rulemaking process and public comment period to create regulations in line with its security directives. Railroad carriers should remain aware of—and consider participating in the development of—this evolving guidance to ensure their cybersecurity response plans, and general cybersecurity practices, are compliant."