Lawmakers have in recent months stressed the urgency of finding policy solutions to address what former Cybersecurity and Infrastructure Security Agency director Chris Krebs called “a global digital pandemic.”
Over the past year thousands of critical services, including hospitals, schools and police departments, have been shutdown by cyberattacks using malicious software known as ransomware. Payment demands from cybercriminals have skyrocketed during that time. Estimates show cybercriminals made more than $300 millions off the attacks last year, more than three times the year prior. Criminals have also increasingly turned to leaking victims' data, something that can lead to further damage.
“These attacks are more than a mere inconvenience,” said subcommittee chair Rep. Yvette D. Clarke (D-N.Y.). “They are a national security threat.”
Witnesses at the hearing emphasized a need for strengthening resources for preparing for and recovering from attacks.
John Davis, vice president at public sector at Palo Alto Networks, told lawmakers the United States needs to lead by example by developing a clear framework for ransomware mitigation, response and recovery. He said precise security standards aimed at preventing attacks is the most important step toward reining in the ransomware crisis.
“The adage an ounce of prevention is worth a pound of cure is especially true in the case of ransomware, because once you've been hit, you've already lost the battle and can only play a painful catch up game," he said.
Both Davis and Stifel co-chaired a task force composed of industry, government and cybersecurity experts that last week recommended 48 ransomware policy solutions for lawmakers and the private sector.
The report also recommended the government establish a recovery fund for victims. Such a fund could reduce the number of victims who elect to pay the ransom demand because they would receive government help instead, said Stifel.
Denis Goulet, chief information officer for the state of New Hampshire and president of the National Association of State Chief Information Officers, emphasized that while some federal security grants covering cybersecurity exist, cybersecurity priorities normally see very little of what states receive.
“The amounts that we are able to access are not adequate to the task,” said Goulet.
Clarke announced she was close to reintroducing legislation that would authorize $500 million in annual grants to state, local, territorial and tribal governments to strengthen their cybersecurity. The funding passed the House with strong bipartisan support last session but didn't receive a vote in the Senate.
Both lawmakers and experts agreed that tackling ransomware will take a whole-of-government approach.
The White House, Justice Department and the Department of Homeland Security have all emphasized the need to combat ransomware in recent months, actions that experts and lawmakers cited as important steps.
DHS Secretary Alejandro Mayorkas spoke yesterday at a U.S. Chamber of Commerce event emphasizing the need for his department to assist local businesses. Businesses make up one-half to two-thirds of ransomware victims, he noted.
“The threat is not tomorrow's threat but is upon us,” said Mayorkas. “The losses from ransomware are staggering.”
Mayorkas also yesterday announced DHS would begin its next major 60-day initiative focused on workforce development. DHS plans to hire 200 new cyber employees by July, Sean Lyngaas at CyberScoop reports. That hiring could be a boon to the agency's ransomware capabilities.
The White House is also expected to soon release an executive order that would stipulate software security requirements for government contractors, a move that would strengthen cybersecurity in a number of critical industries.
Congress will still have to step in with some regulatory measures, experts suggested.
“There are specific parts of the economy, highest risk critical infrastructures, that have enjoyed an enormous amount of success in the economy. And they have to step up from a corporate citizenship perspective and apply enhanced security requirements,” said Krebs. “And that's an area to explore for regulation.”
But Krebs cautioned lawmakers to not be overly zealous about regulating emerging technologies that cybercriminals exploit, including digital currencies.
“Rather than cut it off and strangle it, we need to figure out how to get the outcomes we want — positive societal outcomes — while reducing and minimizing [risks]. And I think that's the area that Congress needs to spend a lot of time on policy-wise.”
A popular directory of dark web marketplaces was taken over by a hacker who faked a court order.
The domain was transferred to a scammer after Tucows, the world’s second-largest domain registrar, received a forged German court order ordering the site to be handed over, Motherboard’s Joseph Cox reports. The hacker then replaced the links to well-known dark web marketplaces with fake links that enabled the attacker to steal passwords and cryptocurrency, the site said.
The site has a disclaimer noting that it “is intended for researchers only.”
“Our findings show that Tucows was the victim of an intricate phishing scheme presented under the guise of a secret court order. This was a hyper-targeted phish designed with the direct intent of hijacking select domains,” Tucows spokeswoman Madeleine Stoesser said in a statement. “We immediately began steps to successfully retrieve the domains and have implemented new processes to mitigate future issues.”
A vulnerability in exercise company Peloton’s software left personal data vulnerable.
A security researcher was able to access personal data for users with public and private accounts, TechCrunch’s Zack Whittaker reports. The bug was reported in January but wasn’t fully addressed for months, the researcher said.
Jan Masters, a security researcher at Pen Test Partners, discovered the vulnerability and said that location data and information about users’ workouts was exposed. The company has a cult following and is used by celebrities and millions of other subscribers.
In early February, according to Masters, the company quietly made it more difficult to extract the data, making it accessible only to subscribers. But the company only acknowledged fully fixing the issues this week.
Peloton spokeswoman Amelise Lane said that the company “took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts.” It is not clear whether hackers accessed the data.
Apple’s AirTags work “frighteningly well” and could be used by stalkers, The Post’s tech columnist says.
Despite built-in safeguards to prevent “unwanted tracking,” the small devices can be used to stalk or track people who have not consented, Geoffrey Fowler writes. The devices play a chirping noise after three days of being separated from a device they are paired with, but the noises were relatively quiet, easily muffled and can be gamed by abusive partners, Geoffrey writes.
“These are an industry-first, strong set of proactive deterrents,” Kaiann Drance, Apple vice president of iPhone marketing, said in an interview. “It’s a smart and tunable system, and we can continue improving the logic and timing of, so that we can improve the set of deterrents.”
The alerts, which can be easily disabled, are not available to Android users. “I’m really wary of security problems that have to be fixed by buying an iPhone,” said Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation.
Dr. Vesselin Bontchev:
The Record's Catalin Cimpanu:
Karen López of InfoAdvisors:
- Kenneth Bible, the Department of Homeland Security’s chief information security officer, speaks at an event hosted by the American Council for Technology and Industry Advisory Council today at 10 a.m.
- The Cyber Threat Alliance hosts a webinar on ransomware today at 11 a.m.
- Assistant Attorney General John Demers discusses the Justice Department’s response to cyberattacks at an event today at 1:40 p.m.
- The Intelligence and National Security Alliance holds an event on zero trust implementation today at 2:30 p.m.
- Rep. Mike Gallagher (R-Wis.) speaks at a Heritage Foundation event on defense supply chains on May 10 at 1 p.m.
- Erin M. Joe, the director of the Cyber Threat Intelligence Integration Center, speaks at the CyberSatDigital conference at 9:20 a.m. on May 11.
- The Senate Homeland Security and Governmental Affairs Committee holds a hearing on improving federal cybersecurity in the wake of the cyberattack on SolarWinds and other software on May 11 at 10 a.m.
- Lt. Gen. Vincent Stewart, the former director of the Defense Intelligence Agency and former deputy commander of U.S. Cyber Command, speaks at an event hosted by the Intelligence and National Security Alliance on May 12 at 4:30 p.m.
- Morgan Adamski, who leads the National Security Agency’s Cybersecurity Collaboration Center, speaks at the GovConWire Defense Cybersecurity Forum on May 12 at 2 p.m.