At a glance.
- US National Cryptocurrency Enforcement Team lead named.
- UK considers changes to Network and Information Security Regulations.
- A look at the Cybersecurity Literacy Act.
- Disclosure and litigation protection.
- Industry reaction to US CDC warning.
US DoJ selects National Cryptocurrency Enforcement Team head.
On Thursday, the US Justice Department named the first director of its National Cryptocurrency Enforcement Team. Seasoned cybersecurity prosecutor Eun Young Choi will head up the new unit focused on cracking down on the misuse of digital currency. Deputy Attorney General Lisa Monaco told Bloomberg, “If we’re going to see -- as I think we will -- cryptocurrency gaining more traction and gaining wider adoption, we’ve got to make sure that the ecosystem that they operate in can be trusted and, frankly, can be policed.”
The team’s establishment is part of a worldwide effort to determine how to regulate the expanding world of digital currency, which has become a hotbed for cybercriminals, often nation-state-supported, looking for a means to launder dirty money. Blockchain analytics firm Chainalysis reports that illicit cryptocurrency transactions totaled $14 billion in 2021, an almost 80% increase from 2020. Currently composed of about a dozen leading minds in cryptocurrency prosecution, the National Cryptocurrency Enforcement Team aims to be a “one-stop shop of all the subject matter experts within the department,” Choi says.
UK DCMS proposes changes to Network and Information Security (NIS) Regulations 2018.
The UK’s Department of Digital, Culture, Media and Sport (DCMS) has proposed measures to strengthen the cyber posture of the nation’s critical infrastructure by enhancing the coverage of the 2018 Network and Information Security (NIS) Regulations. A consultation document was published last month with a deadline of April 10. Three “pillars” are being considered for reform, and Lexology offers an overview of two. The first is the expansion of the regulation of digital service providers to include managed service providers, in order to tighten regulations for managed services like managed desktop/virtual desktop, WAN and LAN support services, and artificial intelligence, which have the greatest impact on the cyber-resilience of the nation. The second includes plans to “future-proof” current cybersecurity legislation by granting ministers the authority to make changes to the NIS regulations. (The third pillar is focused on standardizing the competency standards for the cybersecurity profession.)
Can the Cybersecurity Literacy Act actually make a difference?
Security Boulevard’s Michael Vizard discusses the US’s new Cybersecurity Literacy Act with Dave Stapleton, CISO for third-party software risk management firm CyberGRX. Passed in December, the measure requires the National Telecommunications and Information Administration to create a campaign to increase citizens’ awareness of cybersecurity best practices. However, some experts question whether the act is little more than empty hand-waving on the part of politicians who want to appear knowledgeable and concerned about the country’s cybersecurity posture. “I’ve got to say I certainly hope it is meaningful and that it’s not just some grandstanding,” Stapleton says. “I think it’s something that’s probably overdue. As a country, and as a society, I guess you could say even on a global scale, we need to be better at recognizing cyber threats and learning how to address them.” He asserts that individuals have always been the first line of defense against threats, but that the general population has a great deal of learning to do with regard to defending themselves against attack, especially given that the average citizen has little control over the mechanics of the internet. He explains that measures like the Cybersecurity Literacy Act will hopefully aid in this learning. “We’re enabling and empowering our citizenry with the skills that they need to protect themselves,” he states.
The legal hurdles of cyberincident reporting legislation.
Lawfare offers an overview of US lawmakers’ recent efforts to enact a cybersecurity incident reporting law requiring private-sector businesses to formally report cyber events to the US Department of Homeland Security (DHS). Three comprehensive proposals were introduced last year: the Cyber Incident Reporting Act (CIRA), the Cyber Incident Notification Act (CINA), and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). None of the proposals was enacted into law, but they paint a picture of what future reporting legislation could look like. One hurdle any reporting law will face is the inherent legal ramifications of private-public information-sharing, especially when private businesses know that notifying the federal government of ransomware attacks or payments could land them in penalty purgatory or mire them in litigation. The Cybersecurity Information Sharing Act of 2015 sought to reduce liability concerns and encourage information sharing by including protections to ensure that incident reporting could not be used as a basis for regulatory enforcement actions.
Industry reactions to US warnings of Russian cyberespionage against Cleared Defense Contractors.
The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and NSA earlier this week issued a Joint Cybersecurity Advisory. The Advisory (AA22-047A) bears the descriptive title “Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology.” The tactics the Russian operators are using are described as “common but effective.” Those tactics include “spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security.” The Advisory includes some direct advice about how organizations should protect themselves.
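Two of the tactics the Advisory names, brute force and password spraying, leave a distinctive footprint in authentication logs: a brute-force source hammers one account many times, while a spraying source tries a few common passwords against many accounts to stay under per-account lockout thresholds. The following is an added example, not code from the Advisory or from CISA, showing how a defender can distinguish the two over a log. The `auth=… user=… src=…` line format, the thresholds, and the sample lines are all constructed for the example; real products use their own field names and a SIEM would apply the same logic over its normalized events.

```python
"""Flag brute-force and password-spray patterns in a simple auth log.

Added example. The log format below (ts auth=result user=name src=ip) is
an assumption made for this demonstration, not a real product's format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample data: one spraying source (5 accounts, 1 try each, then a
# success), one brute-force source (10 tries on one account), one benign user
# who mistyped a password once.
SAMPLE_LOG = "\n".join(
    [f"2022-02-17T09:00:{2 * i + 1:02d}Z auth=failure user={u} src=198.51.100.7"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + ["2022-02-17T09:00:11Z auth=success user=erin src=198.51.100.7"]
    + [f"2022-02-17T09:01:{i:02d}Z auth=failure user=frank src=203.0.113.9"
       for i in range(10)]
    + ["2022-02-17T09:05:00Z auth=failure user=alice src=192.0.2.4",
       "2022-02-17T09:05:30Z auth=success user=alice src=192.0.2.4"]
)


def parse(log_text):
    """Return chronologically sorted (ts, result, user, src) tuples.

    Lines that do not match the assumed format are skipped rather than
    crashing the detector, which matters on a noisy real log.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort()
    return events


def detect(log_text, window=timedelta(minutes=10), spray_users=5, brute_attempts=10):
    """Classify each source IP by its failure pattern inside any sliding window.

    spray:       failures against >= spray_users distinct accounts
    brute_force: >= brute_attempts failures against a single account
    Also records whether a success followed failures in the same window, the
    signal that most deserves an analyst's attention.
    """
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[3]].append(ev)

    findings = []
    for src, evs in sorted(by_src.items()):
        max_users = max_attempts = 0
        success_after = False
        for i, (start, _, _, _) in enumerate(evs):
            fails = Counter()
            for ts, result, user, _ in evs[i:]:
                if ts - start > window:
                    break
                if result == "failure":
                    fails[user] += 1
                elif fails:  # a success after at least one failure in this window
                    success_after = True
            max_users = max(max_users, len(fails))
            max_attempts = max(max_attempts, max(fails.values(), default=0))
        spray = max_users >= spray_users
        brute = max_attempts >= brute_attempts
        if spray or brute:
            findings.append({
                "src": src,
                "spray": spray,
                "brute_force": brute,
                "success_after_failures": success_after,
                "distinct_users": max_users,
                "max_attempts_one_user": max_attempts,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Per-account lockout counters alone miss the spraying source here, because each account saw a single failure; grouping by source and counting distinct accounts is what exposes it. The thresholds are deliberately low for the sample; in production they should be tuned against a baseline of normal failure rates, as the Advisory's emphasis on hardening accounts and monitoring for abnormal activity implies.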
We received some reactions from industry to the Advisory. Gal Helemski, CTO and co-founder of PlainID, sees the advice as something that should motivate organizations to move toward zero trust:
"The government holds the most sensitive data out there, and in today’s world, you cannot put your trust in any static, perimeter-based security system. Every single data authorization needs to be assessed in real-time with a specific context of who is accessing what data, from where, and how. The key to protecting the data and the applications is to ensure that even if a bad actor has gained authorization credentials, they don't have automatic access to any or all data.
"That's why it's so important that the US government has stated that it is moving toward zero trust cybersecurity principles. To quote from the memorandum the government issued last month, 'Authorization, a critical aspect of zero trust architecture, is the process of granting an authenticated entity access to resources. Authentication helps ensure that the user accessing a system is who they claim to be; authorization determines what that user has permission to do.’”
Oran Avraham, CTO of Laminar, sees the Advisory as more evidence of the value of companies' data:
“The CISA’s recent warning on Russian cyberespionage agents emphasizes a well documented fact. Our data has become a highly desirable currency for nation states. Information associated with U.S. contractors is extremely valuable to nation-state threat actors. With a majority of the world’s data now residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native. As cloud architectures become more dynamic and complex, solutions that are completely integrated with the cloud are able to identify potential risks and have a clear understanding of where the data resides without the use of agents or gateways that are a challenge to deploy 100% coverage. Using the dual approach of visibility and protection, data security teams can know for certain which data stores are valuable targets and ensure proper controls are in place.”
Steve Moore, chief security strategist at Exabeam, views the Advisory as an unfortunate but unsurprising development:
"In the current geopolitical climate, it is unfortunate but not surprising that Russian nation-state actors have broken into defense contractors' networks. An alert released yesterday from the FBI, NSA, and CISA revealed that contractors of various sizes and security maturity levels were hit via relatively commonplace but effective tactics, including spear phishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation. These methods allow adversaries to gain access, then move laterally for intel gathering and data exfiltration.
"The technical considerations in this new alert are spot on, including the emphasis on detecting suspicious activity using cloud-native SIEM tools, looking for evidence of known TTPs, credential hardening, vulnerability patching, and even employee security training. Regarding detecting abnormal activity specifically, though, we'd recommend more of an emphasis on credential-based security, leveraging data science to build baselines and attack timelines of entity and user behavior as the goal.
"However, having the listed tools and training in place won't absolve contractors and other organizations of risk. This alert will serve as a valuable checklist, but the defender's capabilities must grow beyond this advice. It's not a matter of if, but when these preventative suggestions fail, so teams must be able to manage intrusions. We recommend a follow-up 'playbook' for security alerts like this that help SOCs determine how to ingest data properly, make decisions and strategically create analytic capabilities. The technical is essential, but the people and the investigation strategy are what will make the most significant difference."