At a glance.
- Combating cybercrime with civil litigation.
- EU finalizes terms of the NIS2 cybersecurity directive.
- US focuses on securing open-source software.
Combating cybercrime with civil litigation.
In April the US Justice Department’s strategy of prioritizing “disruptive capabilities” was used to take down the botnet controlled by the Russian General Staff Main Intelligence Directorate (GRU) known as “Sandworm.” Lawfare discusses how this strategy can also be deployed by private companies. Just last month Microsoft obtained a court order to seize seven domains being used by the “Fancy Bear” GRU unit to attack institutions in Ukraine, and since 2010, Microsoft has won court orders to seize command and control servers in more than twenty cases that resulted in the seizure of over 16,000 malicious domains. Other tech giants like Google and Meta have begun using the same strategy to sue cybercriminals, and as Lawfare explains, private companies, with their wealth of resources, are able to overcome the financial constraints that limit the Justice Department’s capacity to carry out such operations.
EU finalizes terms of the NIS2 cybersecurity directive.
EU Cyber Direct reports that early Friday morning representatives of the European Commission, Parliament, and EU Council reached an agreement on the Network and Information Security Directive (NIS2), a set of measures for a common level of cybersecurity across the EU. Replacing the first EU-wide Network and Information Security Directive, which was established in 2016, NIS2 expands the scope of cybersecurity regulations to medium and large entities in critical sectors including digital services, waste management, critical manufacturing, postal services, and public electronic communications services. European Commissioner for Internal Market Thierry Breton expressed the Commission's support of the directive, stating, “It was imperative to adapt our security framework to the new realities and to make sure our citizens and infrastructures are protected. In today’s cybersecurity landscape, cooperation and rapid information sharing are of paramount importance. With the agreement of NIS2, we modernise rules to secure more critical services for society and economy.” NIS2 will implement more stringent enforcement requirements and information sharing provisions and harmonize sanctions regulations across the EU. The Record by Recorded Future adds that the measure will also establish the European Cyber Crises Liaison Organisation Network (EU-CYCLONE) to oversee responses to large-scale cybersecurity incidents. Politico notes that organizations found in violation of NIS2 could be subject to fines of up to 2% of turnover, figures that roughly mirror the demands of ransomware attackers. Bart Groothuis, the Dutch Liberal MEP who led the negotiations, says the law "is going to help over a hundred thousand entities to tighten their grip on security and make Europe a safe place to live and work. If we are being attacked on an industrial scale, we need to respond on an industrial scale." NIS2 now awaits formal approval from EU member countries and the European Parliament.
US focuses on securing open-source software.
The recent fallout from the discovery of the Log4Shell vulnerability has made the security of the open-source software supply chain a top priority in the US. The Open Source Security Foundation (OpenSSF) and Linux Foundation have been working to find solutions, and ZDNet reports that they’ve asked for $150 million in funding to resolve ten major open-source security issues over the next two years. Their goals include delivering basic secure software development education and certification to all; establishing a public, objective-metrics-based risk assessment dashboard for the top OSS components; accelerating the adoption of digital signatures on software releases; and establishing an OpenSSF Open Source Security Incident Response Team. Tech companies including Amazon, Ericsson, Google, Intel, Microsoft, and VMware have already stepped up to the plate to the tune of $30 million, but that’s just a small fraction of the funding that will be needed to implement the changes OpenSSF has planned.
Meanwhile, the US House Committee on Science, Space and Technology met last week to discuss possible solutions to the open-source software cybersecurity problem. Representative Bill Foster, who called the meeting, explained, “It’s safe to say that anyone who has used a computer has relied on open source software.” Brian Behlendorf, OpenSSF general manager, told GovTech, “The bad news is there is a lot of work to do, and a lot of different kinds of work is needed. The good news is we know what that work is, and we've got some proven tools and techniques that can scale up if the resources are made available.” With so much open-source software circulating, one first step will be to determine which software is most critical. A joint project from the Linux Foundation and Harvard Laboratory for Innovation Science has cataloged the one thousand most widely used open-source libraries and released the list this March. As well, the National Science Foundation has announced it will provide grants for securing elements of the open-source ecosystem.