ISMG Editors: Assessing the New US Cybersecurity StrategyAlso: Panel Discusses Vendor Liability, Ransomware and the Rise of Check Fraud Anna Delaney (annamadeline) • March 10, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including how the new U.S. cybersecurity strategy doubles down on hitting ransomware, how the strategy shifts liability issues to vendors, and why check fraud is on the rise and what can be done about it.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Suparna Goswami, associate editor, ISMG Asia; and Mathew Schwartz, executive editor, DataBreachToday and Europe - discuss:
- How President Joe Biden's new national cybersecurity strategy promises to unlock resources to battle ransomware as a national security threat;
- How the road map places far greater mandates on private industry and - if adopted into law - would likely make tech firms liable for vulnerabilities in their code that lead to cyberattacks;
- The reasons for the sudden rise in check fraud and how to fight it.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Feb. 24 special edition on zero trust and the March 3 edition discussing how the U.S. Supreme Court may limit the identity theft law.
Anna Delaney: Hello, welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this is a weekly roundup with fellow ISMG editors on what's happening in the world of cybersecurity. This week I'm joined by Mathew Schwartz, executive editor of DataBreachToday and Europe; Suparna Goswami, associate editor at ISMG Asia; and Tony Morbin, executive news editor for the EU. Great to see you all. Matt, Biden's U.S. cybersecurity strategy was unveiled earlier this week, which stirred some excitement in the industry. The general consensus being that it's a positive step. There's talk of disrupting and dismantling threat actors, and ransomware is now considered a national security threat. So it seems to be using the right vocabulary. What's your initial reaction to what was laid out?
Mathew Schwartz: Well, there's a lot to like here. As you know, this is the Biden administration's cybersecurity strategy. It's the first one we've seen in five years. And if you look back over the past five years, all has not been quiet on the cybersecurity front. And I'm sure we're going to get into some of the nuances of the National Cybersecurity Strategy. For me, one of the big things that jumps out is what could be a decade long effort to try to transfer more liability onto commercial software providers. That is part of a push to help us just improve the baseline. And improving the baseline is something we've been hearing about since Joe Biden became president. There has been this multi-pronged strategy of attempting to disrupt ransomware and other kinds of cybercrime via law enforcement. There were diplomatic efforts, which I think are kind of on pause at the moment where the officials of Western countries were trying to get Russia to crack down more on cybercrime from inside its borders. There is also a focus on business resilience, and getting organizations to the point where their defenses were so good that they could just better repel all sorts of attacks. And so we've seen a number of efforts by the administration. And it's great to see them now codified into this National Cybersecurity Strategy, which draws a line in the sand, I think, in terms of where we've come from, where we need to get to, and what the administration is saying it wants to see happen to help us get there. Now, some of this is contingent on working with Congress, for example. That's a big X factor. But already the hot last couple of years, we've seen some notable results. And so one of the pieces I wrote recently about the new National Cybersecurity Strategy is what it means for ransomware because not everything is about ransomware when it comes to cybercrime, but certainly it helps illustrate the cutting edge of what attackers are doing. And also there have been remarkable gains made by law enforcement. For example, with the Hive takedown that we saw, Dutch, German, U.S. collaboration between law enforcement, they infiltrated Hive in the middle of 2022, identified tons of victims, and passed them free decryptors. There was about $130 million in ransoms demanded by Hive that the FBI says they were able to prevent. And I think that is a nice small illustration of what's now being done to disrupt ransomware groups and other threat actors, and Neuberger, the deputy national security adviser for cyber and emerging technology at the White House, said Hive and some of the other things they've been doing shows how they're disrupting and dismantling threat actors and also elevating the work on ransomware - from being just a cybercrime threat to a national security threat. We've seen this happening in other countries as well. Here in Britain, for example, there has been a very clear pivot or escalation to treating ransomware as a national security threat. Now, that might just sound like words. But in speaking with experts in the U.S., they say, by reclassifying ransomware as national security, it gives President Biden and by extension, all of the executive department and the various agencies, more tools, levers of power, in order to disrupt ransomware. Everything up to military power is on the table now, whereas previously, it may not have been. Now, that doesn't mean we're going to see the U.S. Army deploying to take down ransomware actors. But I think it does reflect how many more kinds of disruption and tools - be they intelligence, possibly military units being used to gather intelligence or to disrupt ransomware - is being brought to bear. We spoke with retired Air Force General Gregory Touhill. He's been in our stages before. He's now director of the CERT division at Carnegie Mellon University's Software Engineering Institute. He says, elevating it to this national security threat, it doesn't make it mutually exclusive with treating it as a criminal activity. It just means that we're bringing additional political, diplomatic, economic, and military instruments of power to bear. So we're seeing lots of activity. Already, the administration has been disrupting the use of virtual currencies for laundering ransom payments. And not just the U.S. here, of course. There's a coalition of over 30 countries working to disrupt ransomware and by extension, other kinds of cybercrime that are laundering money, using cryptocurrency, for example, or where there are potential safe havens for criminals who are launching these types of attacks. So I think the National Cybersecurity Strategy unveiled again, by the Biden administration last week, is great for showing how we can be playing offense and the additional kinds of strategies they're going to be brought to bear. Will it help? I'm sure it will, because you've already been seeing better disruptions, better efforts to bring down cybercrime. Again, it's nice to see that codified. And it's nice to see this memo, if you will, from the White House, about how it wants to see public and private strategies, taking us to the next step of disrupting cybercrime.
Delaney: Great stuff! Matt, what details were missing for you, or at least what questions remain for you as to how this all plays out?
Schwartz: Well, I think Tony's going to be getting into the liability piece. And that's a big, open question for me. I give law enforcement a lot of credit for how they have been combating increasingly innovative ransomware groups by bringing their own kinds of innovation to their law enforcement strategies, helping victims much more than they have been before. So I like the fact that we've already seen that working. It doesn't need to be blue sky thinking. It has been delivering results. Whether or not we can get Congress to do anything meaningful, though, in terms of transferring some of the responsibility on to the private sector is a huge X factor for me. I love the White House for saying this is what it wants. But I think we'll see if it happens. You can write down everything you want to see. But again, that doesn't mean everyone else is going to play ball. So that's one of the big questions for me.
Delaney: Yeah. And Tony will move on to you in a moment. But Suparna, I just wanted to ask you. What's the press in India, the media in India, saying about the strategy? Are they making much chatter about it?
Suparna Goswami: Oh, yes, there is. So one thing is of course, whatever is being done in the U.S. is usually a big thing here. But yes, this is making news for the right reasons. And we are having the summit tomorrow, day after tomorrow. I'm sure we'll get to discuss a lot more with the CISOs on this particular topic on what they want to but, yes, on SBOMs; there has been a lot of discussion nothing has been finalized. People are talking about the practicality of it. But Matt, I would love to ask you, so how much are you expecting outside of the U.K. and U.S. of course, countries taking inspiration from this and making ransomware - like the U.S. has - a national crime?
Schwartz: Yes, that's a great question. I think we will see more governments outside the U.S., the U.K., elevating ransomware to this national security threat, because of all of the disruption and damage it's causing. We see that across so many sectors, but especially the healthcare sector. Ransomware groups are wanton in their disregard for public safety and public health. And I think it's only appropriate that these additional tools of power be brought to bear to disrupt it. So yes, very much, I think we'll see not just the five eyes countries comprising not just the U.S. and Canada, the U.K., New Zealand, Australia, but also many more Western governments. Hopefully, India, I don't know, hopefully, elevating it to this national security imperative, because of all the disruption and damage that it's doing. Hopefully, Suparna, that's my answer.
Goswami: The only thing here in India is, and I just take a few seconds here, ransomware is big, of course, you talk to CISOs off the record, and they will talk about it, but nothing gets public. In U.S., we keep hearing that this organization has been attacked, there has been ransomware attack here and there. In India, we hardly get to hear anything. So that's probably one of the reasons that we don't get news as such on ransomware because people do not talk about it.
Schwartz: Mandatory reporting would be great. A lot of the security experts I talk to say that it does disproportionately hit the U.S. and a handful of Western European nations, I think because of their proclivity to pay, and possibly the valuations of companies in general, being larger. So I think ransomware attackers are more naturally attracted to those areas, and also, again, the propensity of those victims to pay. But like you say, we just don't know how bad the problem is, including in India.
Delaney: This has been a great opener, I mean, sticking with the strategy, Tony, the interesting thing about this strategy, which differs from other versions before it, is that it urges far greater mandates on private industry. And it comes coincidentally in the same week, when we've learned that the LastPass hack was down to an engineer's failure to update software on their personal computer. So what do you want to highlight with regards to this particular aspect?
Tony Morbin: Well, as you say, and as Matt was saying earlier, it is a fully integrated strategy and offense is a large part of it, but so is defense. And I think a significant aspect that was announced in the strategy is addressing the issue of end users currently bearing to greater bear a burden for mitigating cyber risks. So it notes how a single person's momentary lapse in judgment, use of an outdated password or an errant click on suspicious link can potentially be leveraged to have national security consequences. Exactly as you said, LastPass, great example of our vulnerability. So the recent hack of security provider LastPass, was made possible because one of their company's DevOps engineers failed to update Plex on their home computer. Attackers targeting their home computer with a keylogger malware exploited a three-year old now patched flaw in Plex, and were able to achieve code execution. Then they obtained credentials and breached the cloud storage environment to steal partially encrypted password vault data and customer information. So hugely embarrassing and consequential for LastPass, but down to an unpatched home laptop. Now, this policy is putting more responsibility on the vendors, but it's not about beating up the vendors or condemning lack security procedures. It is true, we often hear analogies along the lines of "if aircraft manufacturers built planes that kept crashing, no one would buy them." So why are information technology providers allowed to produce products and services that continue to be vulnerable? And I'll put my hands up, I've said that myself. I'm still of the opinion that manufacturers should be required to take more responsibility for the security of their products in building security from the outset. But to be fair to the security vendors, unlike civilian aircraft manufacturers, they are under constant attack from both state and criminal actors. Plus, the offensive cyber capability is widely available. So perhaps a better analogy might be that you wouldn't build a military aircraft that was easy to shoot down. So we need to reframe our thinking to understand that we're operating in a high risk environment. And while we can't live mitigate the risk as the benefits of digital communication are just so great and increasingly integral to modern life. But we can and must mitigate those risks and take the burden off the individual. And that's where the strategy is coming in. It's saying, we need to ask more of the most capable and best positioned actors to make more, basically, to make our digital ecosystem inherently defensible, resilient, and it's coming from the U.S. so aligned with U.S. values, although further on, they talk about and sharing with partners. Those that own and operate the systems that hold our data responsible for their security, along with the technology providers that build the systems. And it's saying that where there are market failures, industry and government need to work together to protect the most vulnerable and defend the shared digital ecosystem. And it does further on say that, it feels that the market hasn't delivered. So to facilitate this, the strategy is calling for incentivizing creation of a more resilient and defensible system, using both market forces and public programs to reward security and resilience, build robust drivers, and a diverse cyber workforce, embrace security and resilience by design, and strategically, coordinate research and development investments in cybersecurity. So as a result, we can expect what the report calls generational investments in renewing infrastructure, including modernizing cryptographic techniques. As Matt also said, it's going to be realigning foreign and domestic policy priorities as well. So there'll be the whole offensive side as well. To one lens cybersecurity is very much now become the new health and safety, we can and we should expect everything to be done to keep us safe when we're online. And just as there are critics who decry regulatory burdens, here in the U.K., they call it health and safety gone mad. And there will be those that argue too much burden is being transferred to the vendors. But the fact is that cybersecurity is now an essential and an integral part of a functioning modern society. And we've all got to play our part in achieving and maintaining it. And the new strategy includes both carrot and stick with lots of funding programs, and also likelihood of more regulation as well. As it said, carrot and stick. You do it right, there's all this money going to be available. I don't know how much yet. But there's also the regulations. Again, we don't know how much they're exactly. And some of the things are still waiting to be found out, how they're going to address cyber insurance, which they are now saying they're going to address.
Delaney: Some are saying that maybe tech companies will be less transparent about vulnerabilities. And what have you heard from the vendor community? We often talk to CISOs who say they're trying to get answers from them, and they don't receive the information that they'd like. How do you think this might play out?
Morbin: I think the strategy has got the two drivers, fear and greed. If you provide the money, they'll provide it. If you, through regulation say you must, then I'm afraid they must.
Delaney: Good language! Let's hope so. This is great. Well, Suparna, moving on to a different area, of one of your favorites, fraud. You've been spending time focusing on check fraud in the past couple of months. What is the state of check fraud today? And can you share any highlights from your interviews?
Goswami: Yes. And as you mentioned, I have been speaking with people on check fraud. So the big headline in the fraud world these days is that check fraud is back. Well, to be honest, technically it never went away, but it has never been dominated or has ever dominated the news headlines in the past two decades. Now, according to the U.S. Treasury Department, check fraud increased 84% in 2022, in comparison to 2021, and even the Financial Crimes Enforcement Network in the last week of February, has issued an alert and said it is collaborating with the United States Postal Inspection Service and has identified red flags that will help financial institutions to detect and prevent suspicious activity around check fraud. But definitely this is not going to be enough. Now the question is why has check fraud become such a huge problem all of a sudden? Now first, let us understand that it is no longer a manual theft where thieves are just stealing checks from the mailboxes. And like most crimes, it too has evolved and has gotten a little more sophisticated. Now criminals are using platforms like Telegram, which has become a one stop shop for criminals from buying your stolen checks to hiring people - known as walkers - to deposit them. So there's literally ads on Telegram which says, I'll pay you this much, this check needs to be deposited. And there are walkers who get interviewed. And we are seeing criminals selling the checks on Telegram along with sensitive information on the victims, like your social security numbers, balances in accounts, etc. Now, why are banks not able to deal with this problem, which I thought is not as sophisticated as other problems that banks deal with on a regular basis? Now, for the better part of the past 20 years, check fraud has been extremely stable and very, very predictable. But now it has changed. I spoke with Karen Boyer, who is from M&T Bank, and she said that check fraud is getting into a space, which is kind of new for bank and banks have not seen that before. I'll give you an example. So historically, banks have established a check form by calling a person to verify if he has written a check of this amount to this person. The problem now is that the name stays the same, but the account number is changed. So if I'm a banker, and I call you and verify you, and I have you deposit this check to XYZ for this amount, it does not show red flag, because you will say yes, I have deposited this; this all looks fine. So as a banker, it is fine, it is a legitimate check. But the account number is changed. So this is a typical case of identity theft, and synthetics that are being fabricated and made to match these lucrative checks that are coming through to bypass the authentication. Now, though, banks are trying to do their best, the technology is still not out there. Because up until now, there has not been much demand from the banks. As I said, it has been low and predictable. But hopefully that's changing now. I've been speaking to vendors. There are many vendors who are now specifically looking at check fraud. And we are beginning to see a pickup in activity around innovation in the space. So hopefully something will be out soon. But there's still time.
Delaney: What are the particular gaps those vendors are hoping to address, in terms of how can we solve this and at what point of the process?
Goswami: So many companies, or at least the vendors, they are trying to get some intelligence about stolen checks, and then have the tools consulting with the data repository. Now getting a data repository is a challenge in banks, because banks are not allowed to share that data with each other. So that's a huge issue and banks are working towards it. But data repository will govern whether a check is stolen or not. Then image analysis, they're working on that as well, better image analysis tools. But again, if a check is legitimate, image analysis will not work. So they're trying to find better ways of detection. But as I said, the industry is still looking for solution which can detect fraud in check in an efficient manner. But it's a fabulous space. I did not follow that space, to be very honest, last year. I was hearing constantly about check fraud. And my thinking was again it's just a mail theft from mailboxes, what's the technical aspect to cover in that? But you speak to any banker, suddenly check fraud is just dominating. And they are losing a lot of money on that. So I see a lot of vendor activity in this space going forward.
Delaney: As you say, it's one of the oldest crimes in finances and just seeing how it's been brought up to date. But let's see what happens and track the movement. Thank you, Suparna. Okay, finally, as it's International Women's Day, or even week, who is the most inspirational woman making ways in the industry right now for you?
Goswami: It could be the practitioners we speak with?
Goswami: So I have two of them. So one is Mel Migriño. She is from Philippines. So up until the end of last year, she was the CISO of Meralco, which is one of the largest power companies in Philippines. And she is now the chairman and president of Women in Security Alliance Philippines. Now I turn to her for OT security, zero trust and supply chain. She's one person who I've seen, grow a lot in her space. And the other woman would be Shivangi Nadkarni. She's from India, and she's my go to person for privacy. A great person to speak with. She has been a longtime friend of ISMG. And we can go to her on anything to do with data protection and privacy. So I think these two women for me are doing great in their own fields.
Delaney: Excellent choices. Matt?
Schwartz: And I have a few so I don't want to step on anybody else's toes in terms of who they might be lauding. But I've seen Lindy Cameron, the CEO or head of the National Cybersecurity Center here in the U.K., speak on multiple occasions, and it's always good very reassuring to hear and see the level of insight that she has into what's happening and the advice that she's promulgating to others. Jen Easterly at CISA, also the same. It's good to know that there are good people bringing their expertise to bear to help make us safer. And finally, Anne Neuberger. I mentioned her before she was part of the development of the new National Cybersecurity Strategy. She advises Biden on cyber and emerging technology. She used to be at the National Security Agency, also looking at emerging technology, such as quantum-resistant cryptography. She led the NSA's election security effort. So again, someone where you look at the skills and expertise that she's bringing to bear and you think, thank goodness, we need this. And we have it in the form of these women.
Delaney: We are in good hands, it seems. Tony?
Morbin: Clearly, Matt and I are in tune today because I was also going to say Lindy Cameron, but I was going to also mention somebody else. Betty Webb, a woman I interviewed who was one of the code breakers at Bletchley Park in World War II, not because she's currently a mover and shaker at 99. You can't expect that. But her role was so constrained among the code breakers, and to contrast that with Lindy Cameron now heading up our National Cybersecurity Center leading from the front as the most prominent person in cybersecurity in the U.K. I guess if I was specifically looking at promoting the role of women in cybersecurity, I'd probably say Jane Frankland, but I'd love to then call out other practitioners because there are the ones that I'd be missing. So I have named three. So that will be fine.
Delaney: There are so many, and yes, absolutely not forgetting the women who have paved the way for all of these women who are at the top positions at the moment. Well, I'm going to just nominate all my female colleagues at ISMG. Suparna, of course, you are included. I mean, we have a tremendous team of very hard working women. And they work hard at what they do and they are inspiring and very supportive. So thank you to you all. And thanks so much for watching. Until next time.