Articles

States step up cybersecurity efforts as threats increase

Spurred by recent attacks, some U.S. states are taking action and allocating funds to boost their defenses against cyber threats.

Earlier this month, Mandiant announced that it had responded to an intrusion by a Chinese-backed hacking group, APT41, that targeted a U.S. state government’s computer network. The security company ultimately discovered a persistent effort that allowed the malicious hackers to successfully compromise at least six U.S. state government networks by exploiting vulnerable internet-facing web applications using a zero-day vulnerability.

Mandiant couldn’t determine the hackers’ motives but said the intrusions were consistent with an espionage operation. The company also predicted that further investigation would reveal even more states whose agencies were affected by the effort.

These incidents underscore that state governments are just as attractive, if not even juicier, targets for malicious hackers as the federal government or any other organization. It’s no surprise then that state governments are stepping up their efforts to bolster their cybersecurity protections, launching task forces, hiring advisors, creating security centers, and boosting cybersecurity spending.

This article appeared in CSO Online.

Four states propose laws to ban ransomware payments

Some state legislatures are debating bills that could limit or ban ransom payments. A better option, experts say, is mandatory reporting of ransomware attacks.

Following the epic ransomware attacks on Colonial Pipeline and top meat producer JBS, some government officials have called on Congress and the administration to ban organizations from making ransom payments to threat actors. The goal of such a ban would be to codify the FBI’s current advice: Don’t pay ransomware attackers lest you encourage more of the same.

Despite some support at the federal level, most administration officials don’t seem to fully embrace the idea of an outright ban. “Typically, that is a private-sector decision, and the administration has not offered further advice at this time,” Anne Neuberger, deputy national security adviser for cybersecurity, told reporters at a White House press briefing in May. No member of the House or Senate has yet introduced legislation banning ransom payments.

But the picture is different at the state level. So far, four states have five pending pieces of legislation that would either ban paying a ransom or substantially restrict paying it. In New York, Senate Bill S6806A “prohibits governmental entities, business entities, and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.”

Another New York Senate bill, Senate Bill S6154, provides money so that local governments can upgrade their networks. But it also “restricts the use of taxpayer money in paying ransoms in response to ransomware attacks.”

New York stands alone in barring private-sector businesses from paying a ransom. Legislatures in North Carolina (House Bill 813), Pennsylvania (Senate Bill 726), and Texas (House Bill 3892) are all considering bills that would prohibit the use of state and local taxpayer money or other public money to pay a ransom. Such a prohibition would likely prevent local governments from paying off ransomware attackers.

This article appeared in CSO Online.

States enact safe harbor laws against cyberattacks, but demand…

Connecticut might soon follow Ohio and Utah by enacting a law that offers liability protection against ransomware and other cyberattacks, but only if victims follow security best practices.

While sophisticated ransomware and nation-state threat actors target US critical infrastructure, the only protection most organizations have against these attacks is tight and effective cybersecurity. These attacks have drawn government attention and sparked calls for liability protection against malicious intrusions. If organizations want this protection, however, lawmakers say they need to step up their game to implement better cybersecurity practices.

During a Senate Intelligence Committee hearing last month, Chairman Mark Warner (D-VA) said, “While I am very open to some level of liability protection, I’m not interested in a liability protection that excuses the kind of sloppy behavior, for example, that took place in Equifax, where they didn’t even do the basic cyber hygiene.”

“Cyber hygiene” is not enough, as former National Security Council (NSC) cybersecurity director Robert Knake recently wrote. “Basic cybersecurity hygiene, such as strong passwords, multifactor authentication, vulnerability patching, and next-generation antivirus software, is not sufficient against these groups,” Knake wrote. “Instead, organizations should invest in security and operational vigilance, as these actors will take advantage of any mistake that defenders make.”

Against the backdrop of this heightened federal-level focus, a number of states have quietly moved forward with their own liability exemption measures that seek to boost best cybersecurity practices. These states have enacted laws that incentivize the adoption of robust and thorough industry-leading cybersecurity frameworks and recommendations such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Center for Internet Security’s (CIS) Critical Security Controls by making them requirements for obtaining liability protections.

This article appeared in CSO Online.

New AI privacy, security regulations likely coming with pending…

CISOs should prepare for new requirements to protect data collected for and generated by artificial intelligence algorithms.

Regulation surrounding artificial intelligence technologies will likely have a growing impact on how companies store, secure, and share data in the years ahead. The ethics of the use of artificial intelligence (AI), particularly facial recognition, by law enforcement authorities have received a lot of attention. Still, the US is just at the beginning of what will likely be a surge in federal and state legislation regarding what companies can and cannot do with algorithmically derived information.

“It’s really the wild west right now in terms of regulation of artificial intelligence,” Peter Stockburger, partner in the Data, Privacy, and Cybersecurity practice at global law firm Dentons, tells CSO. Much like the California Consumer Protection Act (CCPA), which spelled out notice requirements that companies must send to consumers regarding their privacy protections, “a lot of people think that’s where the AI legislation is going to go, that you should be giving users notification that there’s automated decision making happening and get the consent.”

AI encompasses a wide range of technical activities, from the creation of deepfakes to automated decision-making regarding credit scores, rental applications, job worthiness, and much more. On a day-to-day basis, many, if not most, companies now use formulas for business decision-making that could fall into the category of artificial intelligence.

This article appeared in CSO Online.