Cybersecurity
Authors
Herbert Lin
News Type
Commentary

I have struggled to find something with which I disagree in Michael Fischerkeller’s response to my thought experiment adopting the 2018 U.S. Cyber Command (USCC) Command Vision. A couple of such points are addressed below, but for the most part I agree with him. He does make one claim that I find surprising. He writes: 

Read the rest at Lawfare Blog


Authors
Gil Baram
News Type
Commentary

On 8 November 2021, the US Justice Department announced the arrest of several members of the Russian-speaking REvil ransomware group, in a large-scale operation involving US allies in Europe and around the globe. The REvil group, who have since been charged, have been deploying ransomware attacks against American targets including the software provider Kaseya in July 2021. Furthermore, the State Department added REvil to a bounty programme that offers up to US$10 million for information on the REvil leaders.

These efforts followed the two-day virtual international summit on ransomware hosted by the Biden administration on 13-14 October. This summit included 30 countries and was a decisive step towards building a coalition against ransomware attacks. It was acknowledged by all countries that ransomware posed a global and national security threat. Russia, as well as China, Iran, and North Korea, was not invited.

Read the rest at RSIS


The US Justice Department’s arrest of several affiliates of the Russian-speaking REvil ransomware group comes a month after Washington hosted a virtual international summit on ransomware attacks. The decision to leave Russia out of the summit will inevitably limit the effectiveness of the operation.

Authors
Herbert Lin
News Type
Commentary

The nation spends billions of dollars on cybersecurity measures, and yet we seem unable to get ahead of this problem. Why are our computers so hard to protect? An experience with a house cat provided insights. I am allergic to cats. My daughter came home, cat in hand, and I had to find a way of confining Pounce to a limited area. Everything I tried to confine Pounce worked for a little while but eventually failed as he found a way past my newest security barrier — just as hackers eventually find their way through the cybersecurity barriers erected to stop them.

Read the rest at Los Angeles Times


News Type
News

Herbert Lin, a senior research scholar for cyber policy and security at Stanford University, told RFE/RL that conference participants need to focus on how to interfere with cryptocurrency payments.

Ransomware will become less attractive if cybercriminals can't turn the cryptocurrency payments into cash, he said.

Read the rest at RadioFreeEurope


The more countries involved in the discussion, the better, but in the end you want to have global controls on cryptocurrency redemption.

Authors
Herbert Lin
News Type
Commentary

The oldest information system the government operates might also be the most crucial one. No, not the IRS master file system. It’s the technology that controls nuclear weapons. It dates to the 1950s. Yet imagine if the control systems were online in the age of ransomware. Our guest has thought about exactly that. A longtime scholar and researcher in cybersecurity, he’s written a book called Cyber Threats and Nuclear Weapons. Stanford University Fellow Dr. Herb Lin joined Federal Drive with Tom Temin.

Read the rest at Federal News Network


Authors
Herbert Lin
News Type
Commentary

In 2018, U.S. Cyber Command (USCC) released its Command Vision statement for the organization, advancing officially for the first time “defend forward” and “persistent engagement” as new elements in the United States’ approach to advancing its security interests in and through cyberspace. Since then, much debate has ensued about the pros and cons of these concepts. But this debate has not included much discussion of one key aspect—what would be the impact of other cyber powers adopting these concepts in pursuing their own security interests?

Read the rest at Lawfare


In 2018, U.S. Cyber Command released its Command Vision statement, advancing “defend forward” and “persistent engagement” as new elements in the United States’ approach to advancing its security interests in and through cyberspace. Since then, the debate has not included much discussion of the impact of other cyber powers adopting these concepts.

Authors
Rose Gottemoeller
News Type
Commentary

Emerging and disruptive technologies spell an uncertain future for second-strike retaliatory forces. New sensors and big data analysis may render mobile missiles and submarines vulnerable to detection. I call this development the “standstill conundrum”: States will no longer be able to assure a nuclear response should they be hit by a nuclear first strike. If the nuclear weapons states can manage this vulnerability, however, they might be able to escape its worst effects. “Managing” could mean shoring up nuclear deterrence; it could mean focusing more on defenses; or it could mean negotiating to ensure continued viability of second-strike deterrent forces.

Read the rest at Texas National Security Review


News Type
Commentary

They have the sort of names that only teenage boys or aspiring Bond villains would dream up (REvil, Grief, Wizard Spider, Ragnar), they base themselves in countries that do not cooperate with international law enforcement and they don’t care whether they attack a hospital or a multinational corporation. Ransomware gangs are suddenly everywhere, seemingly unstoppable – and very successful.

Read the rest at The Guardian


The Russian government has an arrangement with cyber-mobs who are active outside Russia: if you hack a Russian system, you’re in trouble. “My guess is that Putin gets a cut,” Herb Lin says.

News Type
Commentary

A problem for investors is that companies don’t have proper incentives for preventing attacks. Herb Lin, cyber policy and security scholar at Stanford University’s Hoover Institution, said companies spend too much energy avoiding responsibility for attacks, rather than preventing them. As a result, manufacturers don’t take responsibility for fully protecting themselves from security breaches, he said.

Kaseya’s end-user agreement largely absolves it of breaches that compromise customers’ data unless there was gross negligence or misconduct.

A Kaseya spokeswoman said in an email that their agreement’s language is “standard for our industry.”

According to Lin, widespread use of such agreements is precisely the problem.

“Companies go out of their way to say we’re not liable for any consequences of this type of attack,” he said, pointing to user agreements pre-emptively absolving themselves of responsibility, and seemingly catastrophic events without lasting harm to companies’ stock prices.

 

Read the rest at Barron's

