TechLetters #32 - G7 on cyber, US-UK on cyber, US-EU on cyber, NATO on cyber, Biden-Putin on cyber, ICRC on cyber. And the bad state of cybersecurity.
Editorial
Biden, in a discussion with Putin in Geneva, mentioned red lines for cyberattacks. Certain areas (i.e. critical sectors) should be off-limits for cyberattacks. We do not know if other policy officials or personnel discussed it any further. We do not know if this was concluded with any formal agreement. What we know is that transgressing red lines is one of the classic ways of testing one's foe/adversary/opponent/etc. Whether “red lines” in the US will be crossed, transgressed, is another story. It is worth watching this territory, this dimension of cyberpolicy, cyberpolitics, and cybersecurity.
Security
Exchange of cybercriminals? Putin said that they’re open to an exchange of cybercriminals, if the US would be willing to hand over “their” criminals. Biden said he’s also open to an exchange of cybercriminals.
ICRC on cyber. The International Committee of the Red Cross published a report on military cyber operations. My analysis here.
G7 on cyber. The G7 Group issued a statement. Issues of technology and cybersecurity are included prominently. New and catchy technology policy term: "from cyber space to outer space"?
Ransomware is officially of interest at the top of international relations. "We call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions".
"we call on Russia to urgently investigate and credibly explain the use of a chemical weapon on its soil (…). to identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes"
NATO on cyber. This was followed by NATO’s statement, which features cybersecurity prominently in many places. “Cyber threats to the security of the Alliance are complex, destructive, coercive, and becoming ever more frequent. This has been recently illustrated by ransomware incidents and other malicious cyber activity targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm”.
Biden-Putin in Geneva on cyber. “Another area we spent a great deal of time on was cyber and cybersecurity. I talked about the proposition that certain critical infrastructure should be off limits to attack — period — by cyber or any other means. I gave them a list, if I’m not mistaken — I don’t have it in front of me — 16 specific entities; 16 defined as critical infrastructure under U.S. policy, from the energy sector to our water systems. … Responsible countries need to take action against criminals who conduct ransomware activities on their territory”. American President Biden warned/threatened the Russian president with a potential cyber response to attacks. "We will respond with cyber".
The bad state of security. “The reality is many organizations are barely holding it together at the best of times, and cannot operationally cope with malicious actors turning up and deleting their entire infrastructure in one evening. It is a serious problem on the ground. Ask anybody on the ground within IT and security operations roles and you will find out the scale of the challenge. There is no “Just patch” or “just implement multi-factor authentication” wands here … one ransomware group receiving a $40m payment for attacking a cybersecurity insurance company gives the attackers more budget to launch cyberattack than most medium to large organizations have to defend against attacks in total. And that’s just one attack, from one group”. “Just patch software” security advice doesn’t work.
2G insecurity. It turns out that the cipher used to encrypt 2G packet access (GPRS/EDGE) contains a deliberate security weakness. (paper)