
A new Task Force report on Confronting Reality in Cyber Space has been published by the Council for Foreign Relations


By Hans Allnutt & Pavan Trivedi


Published 30 August 2022

Overview

The Council for Foreign Relations is a US policy think tank founded in 1921. It has sponsored its latest Task Force to produce a report on the state of cyberspace and foreign policy. Entitled “Confronting Reality in Cyberspace”, the report includes analysis, recommendations, and an in-depth exploration of the current global cyber landscape.

We have summarised the key sections and recommendations set out by the Task Force in its report; the full report can be found here.

Rising Risks in Cyberspace

With the world’s accelerated dependence on digital infrastructure following the shift to online working, threat actors have seized the opportunity to exploit vulnerabilities across virtually all sectors of both economic and political organisations. The shift to online working has increased the risk of ransomware over the last three years, and the risk to organisations is not just financial.

Following Russia’s invasion of Ukraine in February 2022, many jurisdictions justifiably implemented severe financial sanctions on Russia, and threat actors previously known to have ties to Russia, such as Conti, were left having to re-brand or join new groups in order to keep the money flowing in. Research from Chainalysis reported that more than $400m USD worth of cryptocurrency payments were sent in 2021 to threat actor groups that were “highly likely” to be affiliated with Russia. As a result of the sanctions imposed on Russia, threat actor groups are marketing themselves in ways similar to Silicon Valley start-ups. These groups have become initial access brokers: they establish a foothold in an organisation and sell that access to ransomware operators who may not be named under any current sanctions regime, who then use it to deploy encryption malware. They are essentially operating a ransomware-as-a-service business, and cryptocurrencies have fuelled the threat actors’ ability to monetise such breaches throughout an organisation’s network.

Although ransomware did predate the emergence of cryptocurrencies, threat actor groups previously found it difficult to extract significant volumes of payment through the traditional financial system because of its scrutiny and security measures. With cryptocurrency as the payment vehicle, however, threat actor groups have found it much easier to monetise ransomware attacks, and as a result more and more threat actor groups are emerging. In the first six months of 2021, approximately $600m USD in ransom payments were made in cryptocurrency, nearly surpassing the combined total of 2019 and 2020. With greater ransoms being paid year over year, threat actor groups are able to recruit and pay handsomely for talent. In response to the growing volume of ransom payments, the US has passed know-your-customer provisions for cryptocurrency payments.

Recommendations

Interoperability with GDPR and resolving US & EU data transfers

Individuals around the world are increasingly concerned about how their personal data is handled, and the report suggests that the US, the EU and like-minded nations should forge a clear consensus on privacy goals. The GDPR has been the baseline template that many US states and numerous countries have used to establish their own privacy legislation, but since the GDPR came into force in 2018, little action has been taken against Big Tech (e.g. Meta and Amazon) with regard to their highly controversial data collection practices. Furthermore, the GDPR has introduced ‘cookie consent fatigue’, felt by users worldwide who are flooded with endless pop-ups. The GDPR is certainly not perfect, but it gives nations that currently have inadequate data privacy legislation a base from which to develop common, interoperable privacy principles.

An ongoing issue between the US and the EU relates to the fact that personal data held in the US is accessible by US law enforcement and national security agencies. The core problem is that the protection the US offers to the personal data of EU citizens is not essentially equivalent to the protections offered by the GDPR. However, in March 2022, President Biden and European Commission President Ursula von der Leyen announced a new agreement between the EU and the US on international data flows. The US commitment will come via an executive order, which could be reversed by a future administration and will likely face legal challenges from European privacy groups, including noyb (a non-profit led by Maximilian Schrems).

Creating an international cybercrime centre

In order to expand digital trade across the world and deal with malicious cyber activity, the report posits that future trade agreements should require a standalone institution to monitor threats and violations. This could give international law enforcement a shared operational footing to coordinate takedown actions, including against multi-jurisdictional servers infected with ransomware. Additionally, an international cybercrime centre could assist with tracking and reclaiming the cryptocurrency that funds such criminal activity. Financial regulators and national law enforcement agencies would be closely tied together with incident response teams, internet service providers and cloud hosting platforms, with the goal of providing international support.

Increasing cyber infrastructure development

The world’s reliance on China for cheaper and reliable technology could pose a cybersecurity risk in relation to data collection. Through its Belt and Road Initiative (BRI), China will roll out 5G technology, create smart cities, and utilise the Beidou satellite system to provide participating countries with a leading digital infrastructure, but China will likely be in control of all of the data that passes through its network. The approximately 147 countries designated as part of the BRI will have access to cloud services, mobile payments, and social media from various Chinese companies.

The report recommends that the US and its coalition partners, such as the UK, Canada and Australia, work together to create funding mechanisms for the development of digital infrastructure, in order to compete in the race to provide internet access to the approximately 2.9bn people in the world who are currently without connectivity. It also suggests that continuing the expansion of undersea cables to connect rural and urban parts of the world could lead to the development of a diverse network. These efforts may also provide capacity to counter malicious activity, as the coalition’s digital infrastructure must include defensive tools in order to deter threat actor groups from compromising the networks of developing countries.

Commentary

When comparing the report to the current position in the UK, we have seen ransomware attacks severely affect local councils, governments, security companies, medical organisations and universities, with the impact spreading across the organisation’s entire business. We agree with the report’s finding that recent trends show the increase in digitalisation is directly correlated with the increase in an organisation’s vulnerability to cybercrime, ransomware, disruption and theft.

The report’s recommendation that countries ensure interoperability between the GDPR and their own data privacy legislation is relevant because, later this year, the UK is set to pass the Data Protection and Digital Information Bill, which aims to simplify the data protection and privacy framework in the UK. The proposed Bill will retain the majority of the provisions currently implemented within the UK GDPR, but there will be certain areas of divergence which the Government believes should reduce some of the burdens organisations currently face.

Regarding the report’s analysis of ransom payments, UK policy is still evolving but is progressing. For example, the ICO and NCSC recently issued joint guidance to law firms in relation to ransom payments. Whilst the position under English law remains that the singular act of paying a ransom is not in itself illegal or unlawful, ancillary laws may be broken. The recent Economic Crime (Transparency and Enforcement) Act 2022 was not specifically targeted at ransomware, but it has increased the legal risk associated with paying a ransom.

If you have further questions in relation to the Task Force report and what it means for the global cyberspace, please do get in touch with DAC Beachcroft’s Cyber and Data Risk team.
