The full damage of the average ransomware attack can extend well beyond the cost of the ransom payment itself, a GetApp survey found. The software recommendation platform canvassed 300 ransomware victims in May, finding only 11% who said the ransomware payment “was the most consequential impact of the ransomware attack,” it said. Six in 10 survey respondents reported suffering a “multifaceted extortion attack” in which the victim’s files are encrypted and a separate attack is launched to pressure victims to pay the ransom, it said. The survey found 58% of multifaceted extortion victims reported they paid the ransom, compared with only 31% of standard ransomware attack victims, it said. “The complex nature of multifaceted attacks can bring normal business functions to a standstill,” said GetApp. Among companies that paid the ransom, 70% said the attack made a major impact on productivity, it said. More than a third of victims cited productivity losses “as the single most consequential impact of a ransomware attack, more than any other effect surveyed,” it said.
President Joe Biden signed two pieces of cyber legislation into law Tuesday, the White House announced. The Federal Rotational Cyber Workforce Program Act (S-1097) establishes a federal rotational cyber workforce program. The State and Local Government Cybersecurity Act (S-2520) directs the Department of Homeland Security to “increase collaboration with state, local, tribal and territorial governments on cybersecurity issues.”
A former tech employee was convicted Friday of wire fraud and other federal crimes for hacking into Amazon Web Services cloud computing accounts and stealing data and computer power for her own benefit. Seattle resident Paige Thompson, 36, used a tool she built to scan AWS records in search of “misconfigured accounts,” said DOJ. She then used those accounts to hack and download the data of more than 30 entities, including Capital One bank, which alerted the FBI, it said. Thompson's intrusions affected more than 100 million Capital One customers, said DOJ. “With some of her illegal access, she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet,” it said. “Thompson spent hundreds of hours advancing her scheme, and bragged about her illegal conduct to others via text or online forums.” A jury in U.S. District Court in Seattle deliberated for more than 10 hours before finding her guilty on seven counts, while acquitting her of access device fraud and aggravated identity theft, said DOJ. Wire fraud is punishable by up to 20 years in prison, it said. Thompson faces sentencing on Sept. 15. Attempts to reach her lawyers for comment were unsuccessful.
President Joe Biden intends to nominate Arati Prabhakar to be director of the Office of Science and Technology Policy, the White House announced Tuesday. Prabhakar led the National Institute of Standards and Technology 1993-1997 after unanimous Senate confirmation. She directed the Defense Advanced Research Projects Agency 2012-2017. Prabhakar will “leverage her exceptional experience” as an applied physicist and engineer, said Senate Commerce Committee Chair Maria Cantwell, D-Wash. She’s the “right person at the right time to support the U.S. innovation ecosystem.”
The U.S. District Court in Washington should allow DOJ 45 days to reopen depositions in an antitrust suit against Google because the platform has finally shared deprivileged documents, the department argued Thursday in a joint filing with the company in docket 1:20-cv-03010 (see 2204130068). DOJ claims Google misused attorney-client privilege to hide business documents relevant to the antitrust lawsuit (see 2203210054 and 2204070065). Google has since produced some 37,000 “deprivileged” documents. New depositions with employees may be in order “due to Google’s late productions of deprivileged documents,” DOJ said. The U.S. Court of Appeals for the D.C. Circuit on Friday announced oral argument for Sept. 19 in a separate antitrust lawsuit against Facebook in docket 21-7078. Nearly 50 state attorneys general sued Facebook for allegedly abusing its market dominance, forcing smaller rivals out of business and reducing competition.
Implementing zero-trust architecture (ZTA) in the federal government, per executive order 14028 by President Joe Biden last year (see 2204080039), won’t be easy and will require a different approach in different agencies, said a Center for Strategic and International Studies report released Thursday. “Shifting from perimeter defense to ZTA is not as easy as flipping a switch; it is a complex undertaking,” the paper argues: “It involves more than procuring new hardware and software. Making such a shift requires adopting new policies, processes, and structures.” CSIS said a top barrier is what it calls “tech debt.” The federal government spends about $90 billion each year on IT, with most of the money dedicated to maintaining “legacy, often antiquated systems,” the report said: “Departments and agencies often find it challenging to secure funding and authorization for new large-scale IT modernization efforts and relatively easier to obtain funding for existing systems. This dynamic often motivates agencies to focus on operating and maintaining existing systems rather than pursuing new capital investments.” Another concern is a lack of urgency by government leaders, CSIS said. “The federal government, as a whole, really needs to understand the why and commit to the how,” said Emily Harding, CSIS deputy director, during a webcast. “ZTA can create friction for the user, but that’s OK,” she said. “U.S. government employees need to understand why they should make the effort, why the friction is worth it,” she said. The federal government needs to become “as efficient as a Google or an Amazon” but “we’re a ways from there,” said James Lewis, CSIS senior vice president. New infrastructure relies more on AI, the cloud and other new technologies, he said. “The old approach to cybersecurity isn’t going to work,” he said. Getting the federal government to change won’t be easy, Lewis said. “It’s a huge entity,” he said: “It has thousands, sometimes millions of parts. The parts don’t always want to cooperate.” The attitude can be “I can just wait 18 months and these political appointees will go away, and I can go back to what I've been doing,” he said. Legislative mandates, budget directions and standards can help move the government, he said.
Though more than half of consumers canvassed globally said they have been a victim of online fraud or know someone who has, most respondents say they expect their online activity will increase in the next three months, reported Experian Thursday. The information services company polled more than 6,000 consumers in 20 countries, including the U.S., finding nearly three-quarters “expect businesses to take the necessary security steps to protect them online,” it said. More than eight in 10 consumers canvassed said security “is their most important factor of the online experience,” it said. More than 95% of baby boomers cited security as the most important aspect of their online experience, 10 points more than their Generation Z counterparts, it said.
The White House launched a task force Thursday for addressing online harassment and abuse in response to mass shootings, misogyny and other online-related harms. President Joe Biden signed a presidential memorandum to address harms that “disproportionately affect women, girls, people of color, and LGBTQI+ individuals,” the White House said. Vice President Kamala Harris launched the task force with a survivor and expert roundtable Thursday. “The tragic events in Buffalo and Uvalde have underscored a fact known all too well by many Americans: the internet can fuel hate, misogyny, and abuse with spillover effects that threaten our communities and safety offline,” the White House said. The task force will be co-chaired by the Gender Policy Council and the National Security Council and will include the attorney general, the secretary of Health and Human Services and other agency heads.
ICANN's 2023 annual general meeting will be Oct. 21-26 in Hamburg, Germany, it announced. Hosts are eco-Association, Denic eG, which manages the .de country-code top-level domain name, and the city of Hamburg.
Amazon should permanently ban private policing agencies from joining its Neighbors Public Safety Service, Sen. Ed Markey, D-Mass., wrote the company Tuesday, citing privacy invasions from Amazon Ring. Markey noted more than 2,100 “policing agencies have apparently joined” NPSS, a platform “on which participating police departments may request footage from Ring users.” That’s a 500% increase since 2019, he said: “Reports indicate that multiple police departments have attempted to bypass Ring’s video request process, including by gaining direct access to user footage in real time.” Ring previously placed a moratorium on onboarding private policing agencies onto NPSS. The company didn’t comment.