WASHINGTON, July 27, 2022 – The federal government should incentivize the reporting of cyberattacks through safe harbor and shield laws, said experts at an Atlantic Council event Tuesday, as a recent law requiring companies in critical infrastructure sectors to report such attacks to the federal government is limited and currently unclear on who exactly it impacts.

The Cyber Incident Reporting for Critical Infrastructure Act passed in March does not cover private companies who do not operate in the critical infrastructure sectors and does not include safe harbor and shield laws that would encourage private companies to engage in the process.

Oftentimes, companies will avoid interacting with law enforcement to avoid the stigma associated with being a victim of a cyberattack and out of fear of being held liable by regulators and investors, said Trent Teyema, senior fellow at technology policy university collaborative GeoTech Center.

Teyema called for a safe harbor framework, a law that provides protection against legal liability when other conditions are met. Such a provision would decrease the risk of companies being held liable for cyberattacks from regulators, investors, and the public.

He also called for shield laws that would protect against revealing certain information to the government as a requirement for receiving law enforcement assistance.

The government needs to make it easy for the private sector to share information with law enforcement, said Teyema.

“Information sharing between the government and the private sector, while integral to tackling ransomware, is inconsistent,” read a report written by Teyema and David Bray, fellow at GeoTech Center. Information sharing across sectors allows cybersecurity experts in both sectors to learn about new vulnerabilities in software and new attack vectors. It strengthens collective resiliency and can influence the processes used to anticipate and respond to threats, continued the report.

Ransomware on the rise

Ransomware attacks in which bad actors demand money to release encrypted data are increasing dramatically, reported the White House last year. Ransomware incidents often disrupt critical services, such as banks, hospitals and schools that require constant access to data. In 2021, there was approximately $20 billion in damages from ransomware attacks in the United States, with $11 billion in 2020 and $5 billion the year before, said Bray.

This follows on the heels of the 2021 Colonial Pipeline hack that targeted the billing system and led to the shutdown of the largest fuel pipeline in the United States. The Russian-speaking cybercrime group responsible, DarkSide, received $4.4 million in ransom from Colonial, part of which was later recovered by the United States law enforcement.

Research firm Cybersecurity Ventures predicts that there will be a ransomware attack every two seconds by the year 2031 with global costs exceeding $265 billion.

WASHINGTON, July 25, 2022 – The United States needs to adopt a more offensive cybersecurity posture to survive in an evolving digital world by enacting sanctions against malicious states, developing artificial intelligence capabilities to identify possible cyberthreats, and engaging in diplomacy to deter cyberattacks before they initiate, said experts at an Internet Governance Forum event on Thursday.

“The U.S. absolutely needs to bolster its response to malicious cyberactivity,” said Nazak Nikakhtar, a former assistant secretary for industry and analysis in the Commerce Department and current partner at law firm Wiley. “The United States is so far behind in addressing these threats.”

The United States is taking a defensive posture on cybersecurity by responding to threats as they come, said Nikakhtar. No one is talking about bettering our offensive capabilities in deterrence for malicious cyberattacks, she said.

Nikakhtar suggested enacting sanctions and penalties for violating privacy restrictions against hostile nation-states to deter cyber-attacks. She also suggested collaborating with allies to aggregate data to develop artificial intelligence that would identify possible cyberthreats. She called for think tanks and strategists around the world to come up with an offensive international strategy.

“I don’t think enough Americans are concerned about who has access to their data,” said Nikakhtar. “The aggregation of data by our adversaries, like China… is terrifying.” Our adversaries are finding out how they can weaponize our data and it should cause us to consider the risks and what we need to do to protect our data, she said. This follows Russian cyberattacks on Ukraine and an increase in cyberattack threats to the United States.

For example, experts say popular video-sharing application TikTok, which is owned by Chinese company ByteDance, is required by Chinese law to comply with the Communist government’s surveillance demands. Nikakhtar — who was nominated for her Commerce role by former President Donald Trump, who himself wanted to ban TikTok over national security concerns — argued that there is “no alternative” to banning TikTok.

But John Morris of the Internet Society expressed concern that banning specific apps would encourage hostile nations to respond in kind by banning American apps, eliminating free exchange of information.

Meanwhile Eric Burger, research director at Commonwealth Cyber Initiative, suggested that the United States levy its diplomatic power by gaining political support from other countries to deter hostile nation-states from initiating cyberattacks. It is powerful to get a whole chunk of the world on our side regarding cyber war are, he said.

Google executives have previously called for the Department of Defense to continue making investments in AI to protect the cyberspace. “One of AI’s critical uses is finding anomalies in activity that would indicate a new threat vector,” said Andrew Moore, vice president and director of Google Cloud in a Senate subcommittee meeting on cybersecurity in May.

WASHINGTON, July 13, 2022 – A nonpartisan think tank is urging the United States to adopt three initiatives to help it navigate what it calls an increasingly hostile global internet, including coordinating with allies and proactively addressing threats.

The Council on Foreign Relations discussed its recommendations at an event it hosted Tuesday, as Washington comes on the heels of major cyber attacks that have rocked the private sector. A publication from the CFR argued that the United States cannot “capture the gains of future innovation by continuing to pursue failed policies based on an unrealistic and dated vision of the internet.”

The think tank said Tuesday that the United States should confront the reality that U.S. policies promoting an open, global internet have failed but should bring together a coalition of allies around these ideals.

The government will be unable to stop or reverse the trend toward global fragmentation, said Gordon Goldstein, CFR adjunct senior fellow. “The environment is just fundamentally different than it was even just a decade ago… it is time to confront reality.”

Global fragmentation of the internet occurs as nation-states exert a control over the internet to block and moderate content, in direct contrast with the U.S. ideal of an open access internet of free data flow, according to the CFR.

By partnering with its allies, argues the CFR, the U.S. can address security threats and provide economic and political inducements for states to allow free flow of data. It should work with its partners to promote a norm regarding cyberattacks and respond and prevent destructive attacks on elections worldwide, the CFR said.

The CFR also urged the government to balance more targeted diplomatic and economic pressure on hostile states. This would include creating an international cybercrime center and a focused program for cyber aid.

Finally, the think tank urges the United States to include digital competition as a pillar of the national security strategy. The national security strategy should recognize that the cyberspace is indisputably a central domain of interacting with adversaries and should acknowledge the leverage that the U.S. has to punish hostile cyber actors.

The State Department in April established the Bureau of Cyberspace and Digital Policy that intends to prevent cyber-attacks that put American people, networks, and companies at risk.