A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
Welcome to The Cybersecurity 202! I hope you had lovely holidays. I spent most of my time over the break with my stellar nieces and mom back in Indiana.
Below: A ransomware gang shows rare contrition, and local governments debate TikTok. First:
Europe has become a nucleus of cyber policymaking in recent months, taking action on software security and swift disclosure of major cyberattacks.
It’s a direct response to Russia’s aggression against Ukraine, Lorena Boix Alonso, the European Commission’s top cybersecurity official, told me in a recent interview.
The commission was already “very, very, very, very busy” over the last two years, Alonso said. But Russia’s war in Ukraine, which has featured some prominent cyberattacks, “pushed us to adapt our cybersecurity policy” and made the European Commission “more ambitious,” she said.
The biggest steps of late from the commission, which are far from the only ones, include:
Those steps are more expansive than recent policymaking in the United States, where Congress last year passed legislation requiring reporting of major cyber incidents after 72 hours rather than 24 hours, and where an executive order in 2021 tackled the issue of secure design only for tech sold to the U.S. government.
But to hear Alonso tell it, the difference between the E.U. and U.S. approaches isn’t so stark.
“I think we operate well with the U.S.,” she said. “Honestly, I see a lot of commonality of interest. Sometimes we do it differently. The structures and powers are different, but we’re targeting the same things.”
The rules that Europe is advancing could have an impact on the United States. A similar phenomenon occurred when Europe advanced the General Data Protection Regulation: sites operating in Europe, even if they weren’t Europe-based, had to play by its rules. That data protection regulation is why, for example, so many sites ask you whether you will accept cookies.
Alonso — whose full title is director for digital society, trust and cybersecurity in the directorate general for communications networks, content and technology — said at a September event that the Cyber Resilience Act stood to make Europe a leader on cybersecurity.
“This will impact not only the European Union,” she said, as reported by Luca Bertuzzi of Euractiv. “This will change the rules of the game globally, one way or another. Because they will copy us or because they will not have the tools to abide by our rules. This is good not only for the level of cybersecurity but for the competitiveness of Europe.”
That proposal stems from the conclusion that the majority of cyberattacks rely on exploiting tech vulnerabilities, Alonso said.
“Producers and developers don’t have much incentive to reduce these vulnerabilities,” she said, because the “cost is on users” when there’s an attack.
Under the Cyber Resilience Act, tech deemed the most critical would need to get a third-party assessment of whether it’s meeting E.U. security standards.
NIS2 tackles more subject matter, like supply chain security, responsibilities for corporate executives and the establishment of fines and penalties, in addition to the 24-hour reporting requirement.
But Alonso said the U.S. and E.U. standards are closer than they might appear. The E.U. initial notification requirement is 24 hours, with cyberattack victims having another 48 hours to provide more information. That gives victims a total of 72 hours to provide information to authorities. They have a month to produce another report.
Despite a number of steps imposing requirements on industry, Alonso said she hasn’t seen any “radical reaction” against it from the private sector.
Enhancing international cooperation, including with the United States, is another lesson from Ukraine, she said.
The LockBit ransomware group apologized around 11 days after the Hospital for Sick Children (SickKids) was hit in a ransomware attack, Bleeping Computer’s Lawrence Abrams reports. It’s not clear what caused the delay, and the gang said it “blocked” the “partner” that broke its rules against hitting hospitals. The group also released what it said was a free tool to decrypt affected devices.
LockBit has banned its partners from encrypting files in key medical organizations. “It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed,” the group’s policies state, per Bleeping Computer.
Cybersecurity firm Emsisoft’s tally of ransomware attacks in 2022 included more than 100 counties, 45 school districts, 44 colleges and universities, and two dozen health-care providers, Bleeping Computer’s Ionut Ilascu reports. But those numbers are almost certainly undercounts because some organizations don’t publicly say that they were the victim of ransomware.
Since 2019, the number of ransomware attacks on local and state governments, as well as the education sector, has remained relatively consistent, Emsisoft said. But only small city governments — and not larger ones — appeared to be affected by ransomware last year, Emsisoft said. The firm added that it’s “concerning” that there hasn’t been a drop-off in ransomware despite U.S. and international efforts to limit the spread of ransomware. “Despite these initiatives, ransomware appears to be no less of a problem,” the firm said.
At least one city — Charlotte — has banned TikTok on city employee devices after an FBI warning, WCNC Charlotte’s Nathaniel Puente reports. Meanwhile, the Rapid City, S.D., city council is debating whether it should also ban TikTok from city devices and networks, but not all members of the council are on board, the Wall Street Journal’s Stu Woo reports.
The city-level debates come after a wave of Republican governors and other officials banned TikTok on state devices and networks last month. Last week, the U.S. House of Representatives banned TikTok on House-managed devices. A new federal spending bill bars the app from being installed on government devices. The Biden administration, meanwhile, is negotiating a potential deal with TikTok amid concerns over the company’s Chinese ownership.
TikTok spokesman Jamal Brown previously told The Technology 202 that the company believes that the concerns driving state TikTok bans “are largely fueled by misinformation about our company,” and that TikTok is “always happy to meet with state policymakers to discuss our privacy and security practices.”
PyTorch discloses malicious dependency chain compromise over holidays (Bleeping Computer)
Wickr Me, Amazon’s encrypted chat app, stops accepting new users (CNBC)
Google to pay Indiana $20 million to resolve privacy suit (Associated Press)
Thanks for reading. See you tomorrow.