At a glance.
- Australia-led ICRTF cracks down on ransomware.
- US GAO says there’s an “urgent” need for effective federal cybersecurity oversight.
- Fourth time’s the charm?
- Is cyber brandishing merely for show?
Australia-led ICRTF cracks down on ransomware.
Information Age takes a look at the newly created International Counter Ransomware Task Force (ICRTF), a partnership of cybersecurity experts from thirty-seven countries focused on anti-ransomware strategies, and the impact the group has had on Australia’s cyberdefense strategies. The product of talks at the annual Counter Ransomware Initiative Summit last November, the ICRTF has four key objectives: holding ransomware actors accountable, implementing anti-money laundering policies for digital assets, leveraging local laws to stop ransomware gangs, and information sharing.
As the inaugural chair of the group, Australia is helming such initiatives as the establishment of a ‘fusion cell’ center of expertise at Lithuania’s Regional Cyber Defense Centre. When announcing the launch of ICRTF, Minister for Home Affairs and Cyber Security Clare O’Neil stated, “Recent cyber incidents in Australia and around the globe are a stark reminder of the insidious nature of ransomware, and the ability of cyber criminals to cause widespread disruption and harm to broad sections of the community.” The country’s focus on fighting ransomware appears to be paying off, with newly released stats from Chainalysis’s latest annual crypto crime report showing payments to ransomware-linked crypto accounts have decreased from $1.2 billion in each of 2020 and 2021 to just $710 million in 2022.
US GAO says there’s an “urgent” need for effective federal cybersecurity oversight.
With the release of a report on the status of America’s cybersecurity posture, the US Government Accountability Office is urging President Joe Biden to release his long-awaited national cybersecurity strategy. The report shows that as of December 2022, federal departments have implemented only 40% of the cybersecurity recommendations the GAO has issued since 2010, noting in particular that no federal agency has fully carried out the GAO’s guidance on securing the supply chain. As Security Week notes, in 2020, out of twenty-three agencies reviewed, none had fully implemented all seven foundational practices for defending the supply chain, and fourteen had implemented none of these practices. The GAO says that the Biden administration’s strategy needs to address key “desirable characteristics of national strategies” such as performance measures, which were missing from the strategy established by ex-president Donald Trump in 2018. CyberScoop notes that the report also called out the Office of Management and Budget and the Department of Homeland Security for only partially implementing addressed recommendations aimed at alleviating the government’s cybersecurity workforce shortage, stating, “Without these practices in place, OMB and DHS will likely be unable to make significant progress towards solving the cybersecurity workforce shortage.” The Register explains that the recent report is the first of four the GAO plans to publish, this one focused on strategy and oversight.
James Campbell, Cado Security CEO & Co-Founder, argues that any adequate national strategy for cybersecurity will inevitably have to address cloud security:
"As cloud attacks have become more prevalent and sophisticated, we're seeing more regulations governing cloud providers -- which is a step in the right direction. Last year, the UK government tightened regulations, naming CloudHopper, a chain of attacks where managed service providers were compromised, as one of the reasons for this, and we've also seen various efforts on this front in the US as well with the White House's Executive Order on cybersecurity mandates. However, it's important to understand and recognize the shared responsibility model between Cloud Service Providers (such as AWS, Azure, GCP), Managed Service Providers (for those organizations that outsource some component of cyber security) and the organization's internal security function. There is only so much Cloud Service Providers (CSPs) can do; e.g., it is the customer's responsibility to enable certain logging functionalities for their specific cloud network to ensure they have the proper visibility to identify and respond to cloud risk.
"As a response to major attacks like Operation Cloud Hopper and NotPetya, we anticipate that along with demanding greater transparency of Managed Service Providers (MSPs), the US Government is probably considering certain policies that could also lead to Cloud Service Providers (CSPs) enabling things like logging (i.e. logons, network traffic flows etc.) by default, without the reliance on the customer -- thus pushing some of the security responsibility further down to the CSP from the customer space."
Fourth time’s the charm?
For the fourth time, the US Congress could be considering a bill focused on the disclosure of zero-day bugs. The Cybersecurity Vulnerability Disclosure Act, which would require the government to give Congress details about the practice of stockpiling zero-day bugs, has been reintroduced by Representative Sheila Jackson Lee of Texas, one of the most senior Democrats on the House Homeland Security Committee. Under the bill, the secretary of the Department of Homeland Security would be required to report annually to Congress on government policies focused on information sharing about flaws contained in commercially available software and computer systems. FCW recounts that in 2018, the bill passed the House of Representatives on a voice vote but did not get a vote in the Senate. The bill was offered again in 2019 and 2021, but never made it to the House. How the bill fares this time remains to be seen.
Is cyber brandishing merely for show?
Lawfare explores the art of cyber brandishing, or the act of demonstrating a cyber capability as a way of proving a power’s strengths over its opponents. General James Cartwright, former vice chairman of the US Joint Chiefs of Staff, said in 2011, “we’ve got to talk about our offensive capabilities … to make them credible so that people know there’s a penalty” for attacking the US. Indeed, instances of brandishing can be seen in the Cold War, when Soviet and American militaries regularly displayed their military capabilities to intimidate the other side. As cyberspace has become the new frontier, brandishing has gone digital, with one country, for instance, penetrating an adversary’s sensitive system as a way of saying, “Look what we can do.”
Some academics say brandishing is futile, as it only draws attention to the trespassed nation’s vulnerabilities, making that nation more vigilant. Martin Libicki wrote in 2013, “Brandishing a cyberwar capability, particularly if specific, makes it harder to use such a capability because brandishing is likely to persuade the target to redouble its efforts to find or route around the exploited flaw.” However, this writer posits, cyber brandishing can have its benefits, as security flaws can be actively exploited for years. Brandishing does not instantly repair those vulnerabilities, so they remain effective tools for coercion and deterrence. In truth, such questions probably don’t lend themselves to resolution in a game-theoretic, abstract fashion, and some sound empirical history would be welcome to the discussion.