At a glance.
- More on President Biden’s digital assets Executive Order.
- Reaction to the Strengthening American Cybersecurity Act.
- Response to SEC’s incident reporting proposal.
More on President Biden’s digital assets Executive Order.
As we noted yesterday, US President Joe Biden this week issued a groundbreaking executive order focused on “ensuring responsible innovation in digital assets.” The Record by Recorded Future notes that the section of the order calling for federal agencies to crack down on the use of cryptocurrency for illicit payments could have an impact on ransomware operations. The EO reads, “Digital assets have facilitated sophisticated cybercrime-related financial networks and activity, including through ransomware activity.” The EO also urges agencies to curtail the use of cryptocurrency to circumvent sanctions, likely a reference to the fact that Russia is currently being pummeled with sanctions from the West in retaliation for its invasion of Ukraine.
David Mahdi, CSO and CISO Advisor at Sectigo, sees this as a sign of the direction this particular line of history is taking:
“The crypto-currency and asset train has long left the station, so I am pleased to see official recognition by the administration and government as a whole, especially since this anticipated EO will help to drive consistency with approaches from other jurisdictions and countries. Regardless of all the hype, crypto now can be viewed as a legitimate part of the US financial markets.
“Furthermore, this will bring much-needed attention to cybersecurity elements of crypto. For many years, during my time as an industry analyst at Gartner, we spent time anticipating and advising large clients, such as banks and governments, on what to anticipate. We cannot rely on this tech if we don’t understand the risks associated with it, especially when it comes to cyberattacks focused on exposing crypto-currencies and other blockchain-based assets.
“Frankly, it was, and still is in many ways, a ticking time bomb of security issues. This EO should hopefully bring legitimate attention to crypto and blockchain security - at least a baseline. One such area that we hope will have focus is identity security, a critical aspect of cybersecurity. Bad actors, especially in the crypto-currency space, have been targeting weak identities (i.e. stealing usernames and passwords of crypto-wallets) to steal funds. Compromising identities is a means to an end; the end being that they can have à la carte access to crypto accounts, or worse.
“Thus, we will be looking for specific identity-first security guidance over time, guidance such as the use of multi-factor authentication backed by strong cryptographic-based methods like public key infrastructure (PKI) digital certificates. Certificate-based authentication methods are the de facto standard for high government security today and should be the gold standard for crypto-currency identity security. This is compared to weaker methods such as SMS one-time passwords, which can be stolen or compromised.
“Guidance should also include the use of specialized hardware like crypto-wallets and/or use of secure enclaves that are present in most popular devices (i.e. Pluton, Apple Secure Enclaves, Google Titan, etc.). We will also need to see a Zero Trust security approach, emphasizing strong identity policies in which trust is never implicit and is continually monitored. The U.S. government has already outlined its directive for a federal Zero Trust architecture, so Zero Trust for crypto-currencies falls in line with that directive nicely. Coupled with Zero Trust, to prevent fraudulent transactions we will need fraud prevention and detection solutions that would not inherently trust every transaction, but rather verify each one, especially if the transaction is outside of normal behavior patterns.
“As this space is only just getting started, we can expect more focus and guidance to come in the near future.”
Reaction to the Strengthening American Cybersecurity Act.
One of the key components of the Strengthening American Cybersecurity Act, passed last week by the US Senate, is the reporting mandate that would require critical infrastructure operators to notify the Cybersecurity and Infrastructure Security Agency (CISA) within seventy-two hours of a breach and within twenty-four hours of a ransomware payment. The Record by Recorded Future notes that the measure has US officials divided. The White House, National Cyber Director Chris Inglis, and CISA Director Jen Easterly have voiced their support, but the Justice Department and the Federal Bureau of Investigation (FBI) are concerned because the measure does not include the FBI in the reporting framework. FBI Director Christopher Wray told the House Intelligence Committee on Tuesday that he has been calling for improved cyber threat reporting in his testimony for some time, but noted that “It’s important however that information flow real time … We have agents out in the field who are responding — often within an hour or so — to a business that’s been hit and that’s happening thousands of times a year, so we need to make sure that information flow is protected.”
There are clearly some details that remain to be worked out. We heard from Morrison & Foerster Global Risk and Crisis Management co-chair Alex Iftimie (also a former senior US Department of Justice national security official), who offered a summary overview of the measure. He characterized it this way: “The new law is the first federal statutory requirement for private sector reporting of cyber incidents.” He said, “The requirement will apply to energy, financial services, food and agriculture, healthcare, and information technology, among other critical infrastructure sectors,” adding, “A number of key provisions—including the precise scope of critical infrastructure entities to which the requirement will apply and the types of cybersecurity incidents that will require reporting—are left to be further defined through CISA regulations, so it will be important to monitor how the requirements evolve.” It's a step forward toward a single Federal reporting structure, but regulatory agencies will have some work to do. Iftimie continued: “A critical task for CISA is to work with other agencies to harmonize reporting requirements and to create one door for the reporting of cyber incidents to the federal government, to replace the regulatory patchwork that currently exists.”
Response to SEC’s incident reporting proposal.
As we noted yesterday, the US Securities and Exchange Commission (SEC) voted 3-1 to propose amendments to the Form 8-K reporting rules that would require public companies to report cyberattacks within four days of discovery. The new measures would also require companies to give periodic updates on previously reported incidents and to provide details about how those incidents might impact the company’s bottom line. While some companies have voluntarily shared such information in the past, reporting has been inconsistent. The Wall Street Journal notes that SEC commissioner Robert Jackson conducted an analysis of 2018 regulatory filings and found that 90% of known cyber incidents at public companies were never disclosed. An SEC official told Reuters, “How a company might think about the impact (of a breach) to management's discussion and analysis of financial conditions ... should still be taken into consideration.” The vote is notable because it demonstrates that the SEC acknowledges that a company's cybersecurity posture can directly impact its value. Casey Ellis, CTO and founder of Bugcrowd, told Decipher, “In many ways, this reflects what we've seen from firms and organizations who have made vulnerability disclosure and transparency a standard, and are now regarded as the most secure, trustworthy, and valuable in the market.” However, Republican Commissioner Hester Peirce, who voted against the proposal, worries such amendments would place too much power in the SEC’s hands. “This proposal flirts with casting us as the nation's Cybersecurity Command Center -- a role Congress didn't give us,” she stated. Before determining whether the proposal will become a rule, the SEC will solicit comments for sixty days.