
Welcome to HSF's April wrap-up, which features our top picks for cyber-related news in the UK, EMEA and US.

In a world overflowing with individual incidents and long-form analysis, our short articles are aimed at cutting through the noise, pointing you to key developments, providing you with learning points at a glance and signposting you to longer form content. If you would like to find out more, do reach out to one of our international team.

Open source foundations unite on common standards for EU's Cyber Resilience Act

TechCrunch – 2 April 2024

The use of open source software tools is becoming increasingly common, with estimates that between 70% and 90% of software today is made up of open source components.

However, this rise has presented issues for regulation, including for Europe's Cyber Resilience Act ('CRA'). The CRA was first released in draft nearly two years ago with a view to codifying best cybersecurity practices for both hardware and software products sold in the EU.

However, the draft regulation garnered significant criticism from various third parties, including a host of open source industry bodies that feared the Act could have a “chilling effect” on software development. Criticisms particularly centred on how “upstream” open source developers – many of whom devote their free time and money to such projects – could be held liable (and face hefty penalties) for security defects in downstream products, thus deterring volunteer developers from working on critical components.

Whilst the CRA did originally aim to protect developers who had no financial incentive for releasing their work, the language was open to interpretation in terms of what exactly fell under the “commercial activity” banner, particularly for developers creating software under a grant or sponsorship.

Now, a group of seven open source foundations has united to create more suitable guidelines for open source projects and, as a result, the revised legislation substantively addresses the concerns by clarifying the open source project exclusions and carving out a specific role for "open source stewards".

The group of open source organisations comprises the Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation.

UK Parliament publishes new research briefing on cybersecurity in the UK

UK Parliament House of Commons Library – 19 April 2024

On Friday, 19 April 2024, the UK Parliament published a new research briefing providing an overview of cybersecurity in the UK. It begins by explaining the nature of the cyber threat, including how cyber-attacks work, before focusing on recent and proposed policy and legislative efforts to improve the UK’s cybersecurity.

Proposed reforms highlighted in the report include:

The research briefing also calls for reform on the topic of 'ethical hackers': legitimate cybersecurity researchers who use illegitimate hacking techniques. Campaign group CyberUp argues that the Computer Misuse Act 1990 does not provide sufficient protection for legitimate cybersecurity research, and it has called on the government to amend the legislation to introduce an explicit public interest defence. Similarly, Which?, the consumer charity, has also called for a defence for researchers where their actions "can be proven to be in the fair public interest of raising concern over a clear risk to civil society that the company has failed to act on".

ICO joins global data protection and privacy enforcement programme

Information Commissioner's Office – 4 April 2024

The Information Commissioner's Office ('ICO') – the UK's data protection and privacy regulator – has signed a new international multilateral agreement to cooperate with other countries on cross-border data protection and privacy enforcement.

By joining the Global Cooperation Arrangement for Privacy Enforcement ('Global CAPE'), the UK can now assist with investigations and share information with member countries without having to enter into separate memoranda of understanding. Global CAPE was established to supplement the Asia-Pacific Economic Cooperation ('APEC') cross-border privacy rules by enabling participation by countries outside the Asia-Pacific region.

Other members of Global CAPE include the US, Australia, Canada, Mexico, Japan, the Republic of Korea, the Philippines, Singapore, and Chinese Taipei.

Vote on EU cybersecurity label delayed to May

The Economic Times – 17 April 2024

A vote on the EU's cybersecurity certification scheme ('EUCS') has been postponed until May. The EU aims to implement the scheme to ensure the security of cloud services, thereby aiding governments and businesses in selecting trustworthy vendors. However, this delay allows US tech giants like Amazon, Google, and Microsoft to continue bidding for sensitive EU cloud computing contracts.

The postponement arose over disagreements about whether strict requirements should be imposed on such major tech companies to qualify for the highest level of the EU cybersecurity label. The latest version has scrapped so-called sovereignty requirements that previously obliged the US tech companies to set up a joint venture or cooperate with an EU-based company to store and process customer data in order to qualify for the highest level of the EU cybersecurity label.

Whilst the major tech firms have welcomed this change, criticism has been levelled by EU-based cloud vendors and businesses such as Deutsche Telekom, Orange, and Airbus, who argue that the removal of these requirements poses a risk of unauthorised data access by non-EU governments under their respective laws.

The next steps involve input from EU countries before the European Commission makes the final decision.

National Institute of Standards and Technology ('NIST') releases initial public draft of latest Product Development Cybersecurity Handbook

National Institute of Standards and Technology – 3 April 2024

On Wednesday, 3 April 2024, NIST released the initial public draft of its latest Product Development Cybersecurity Handbook as a white paper. The handbook broadly describes relevant considerations for developing and deploying secure Internet of Things ('IoT') products across various sectors and use cases.

The handbook expands upon prior work issued by NIST relating to IoT manufacturing and holistically considers the cybersecurity of IoT product components beyond the IoT device itself. In particular, cybersecurity concerns in newly network-connected sectors such as energy services, water/waste-water services, automobiles, consumer electronics, and government are considered under the following topics:

  • How IoT product components can vary and be assembled into IoT products
  • Cybersecurity considerations for IoT product component hardware and software
  • How IoT product components use internet infrastructure and other equipment to communicate
  • The multiple parties that may have a role in supporting a secure IoT product life cycle
  • Standards and guidance related to cybersecurity outcomes for IoT products
  • IoT product architecture, deployment, roles, and cybersecurity perspectives
  • Approaches to cybersecurity in IoT products, including several IoT product deployment and instantiation examples with related informative references

This comes as the wider Product Security and Telecommunications Infrastructure ('PSTI') regime enters into force in the UK on Monday, 29 April 2024. The PSTI regime mandates that internet-connected smart devices meet minimum security standards by law, in an effort to improve the UK's resilience to cyber-attacks and ensure malign interference does not impact the wider UK and global economy.

UK National Cyber Security Centre ('NCSC') releases new version of the Cyber Assessment Framework

National Cyber Security Centre – 18 April 2024

The NCSC has released Cyber Assessment Framework ('CAF') 3.2 in response to increased threat levels to critical national infrastructure ('CNI').

Announcing the framework, the NCSC stated that it had been two years since the previous update and that the landscape had changed dramatically in that time. Following an analysis of attacks on critical national infrastructure around the world, the NCSC determined the need for "significant changes" to CAF policy on remote access, privileged operations, user access levels and multi-factor authentication.

Alignment with the Cyber Essentials requirements – a Government-backed scheme helping to protect organisations against the most common cyber attacks – has also been included in the update.

The latest framework reflects the rise of artificial intelligence, particularly in the sections dealing with automated functions and automated decision-making technologies.

High Court partly dismisses a claim for misuse of private information and UK GDPR breach after pension statements sent to wrong addresses

British and Irish Legal Information Institute – 23 February 2024

In Farley (formerly CR) and others v Paymaster (1836) Ltd [2024] EWHC 383 (KB), the High Court partially dismissed a claim for misuse of private information and breach of the UK General Data Protection Regulation ('UK GDPR') and Data Protection Act 2018 when annual pension benefit statements containing personal details of over 450 current and former police officers were erroneously sent to out-of-date addresses in August 2019 by the defendant, the administrator of Sussex Police's pension scheme.

Nicklin J decided:

  • That to have a viable claim for misuse of private information or data protection, a claimant must show that they have a real prospect of demonstrating that the statement was opened and read by a third party.
  • Where a claimant ultimately received their statement unopened or it had been returned unopened to the sender, they could not have such a claim.
  • In respect of the allegation regarding data protection, that there had not been any unlawful processing unless the statement had been opened or read by a third party.
  • Lastly, a claimant could not advance a claim on the basis that their privacy had been "in danger" or "at risk". The tort of misuse of private information requires more than an apprehension.

As a result, only 14 claims will proceed to trial, where they will have to satisfy the threshold of seriousness for misuse of private information as well as the threshold of seriousness which applies in relation to the data protection claims.

MITRE states nation-state hackers breached its R&D network 'NERVE'

MITRE – 19 April 2024

MITRE, the US federally funded R&D centre focusing on cybersecurity research, has announced that a nation-state threat actor breached its Networked Experimentation, Research, and Virtualization Environment ('NERVE') network.

An investigation with the support of in-house and third-party experts revealed that the threat actor exploited two Ivanti Connect Secure zero-day vulnerabilities to target MITRE's Virtual Private Networks, before moving laterally into the organisation's VMware infrastructure using a compromised administrator account.

NERVE is an unclassified collaborative network that provides storage, computing, and networking resources. Whilst MITRE states that there is currently no indication that its core enterprise network or partner systems were impacted, the incident should serve as a call to arms for the industry.

CISA to issue list of software products critical to agency security identified in response to cyber Executive Order

Inside Cybersecurity – 19 April 2024

The US Cybersecurity and Infrastructure Security Agency ('CISA') is targeting the end of September to provide federal agencies a list of example software products deemed critical for the federal government following a recent oversight report examining the implementation of a major 2021 cybersecurity executive order.

'EO-critical software' must meet 11 criteria defined by NIST, including the ability to manage privileges on a system, perform actions related to network protections, and control operational technology (amongst other things).

Federal agencies are a regular target for threat actors, as they are data-rich whilst often lacking the on-site cyber protections necessary to detect and protect against hackers. The list should help agencies understand potential cyber vulnerabilities in the products they rely on the most; CISA frequently touts a "secure by design" approach, in which manufacturers and vendors ensure that their products are built and sold with off-the-shelf and adaptable security.

Joint guidance on deploying AI systems securely

U.S. Department of Defense – 15 April 2024

Staying with CISA, on 15 April, joint guidance on Deploying AI Systems Securely was published in collaboration with the National Security Agency’s Artificial Intelligence Security Center ('NSA AISC'), the FBI, the Australian Signals Directorate’s Australian Cyber Security Centre ('ASD ACSC'), the Canadian Centre for Cyber Security ('CCCS'), the New Zealand National Cyber Security Centre ('NCSC-NZ'), and the United Kingdom’s National Cyber Security Centre ('NCSC-UK').

The guidance provides best practices for deploying and operating externally developed AI systems and aims to:

  • "Improve the confidentiality, integrity, and availability of AI systems.
  • Ensure there are appropriate mitigations for known vulnerabilities in AI systems.
  • Provide methodologies and controls to protect, detect, and respond to malicious activity against AI systems and related data and services."

Change Healthcare ransomware attack costs creep towards $1bn

Wired – 22 April 2024

In its results for the first quarter of 2024, UnitedHealth – parent company of ransomware-hit Change Healthcare – revealed that the total impact on the company from the attack was $0.74 per share, or $872 million in sum. This figure does not include the advance funding and interest-free loans UnitedHealth had to provide in support of care providers struggling with the disruption, a sum thought to exceed $6 billion.

Remediation efforts to recover from the attack are ongoing, so the total costs related to business disruption and repairs will almost inevitably exceed $1 billion, including the reported 350 bitcoins (or approximately $22 million) ransom payment made to the ALPHV/BlackCat-affiliated criminals behind the attack.

Absence of adequate remote access authentication has emerged as the probable cause of the attack. Multi-factor authentication controls were absent on the remote access application — contrary to industry best practice — leaving the vulnerable application exposed, and the threat actors subsequently lingered on the systems for nine days before stealing data and launching the attack.

Beyond the financial loss, the attack has interrupted, and sadly continues to interrupt, patient care. When surveyed, over 85% of the College of Healthcare Information Management Executives membership (including health system CIOs and other senior IT leaders) stated that they were at least somewhat impacted by the incident.

OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories

The Register – 17 April 2024

In a recently released paper, University of Illinois computer scientists report that large language models ('LLMs') such as OpenAI's GPT-4 can autonomously exploit vulnerabilities in real-world systems if given a CVE advisory describing the flaw, building on previous work showing that LLMs can be used to automate attacks on websites in a sandboxed environment.

In the study, GPT-4 successfully exploited 87% of the tested one-day vulnerabilities (i.e., vulnerabilities that have been disclosed but not yet patched), a significant step forward compared to other models and traditional vulnerability scanners.

However, the research has raised concerns over security practices and the team emphasised the importance of proactive security measures, as restricting access to vulnerability descriptions proved largely ineffective.

Cybersecurity, Audit and the Board: how oversight impacts enterprise level cybersecurity

Diligent Institute – March 2024

According to a new report from Diligent Institute and Bitsight, entitled 'Cybersecurity, Audit and the Board', companies with advanced cyber security performance create 372% higher shareholder returns than their peers with basic cyber security performance. The report also shows that companies with either a specialised risk committee or an audit committee achieve better cyber security performance than those with neither, and that only 5% of companies have cyber security experts on their boards.

The report analyses more than 4,000 mid to large-cap companies in public indices globally. Other key findings include:

  1. Companies with measurably stronger cyber security performance deliver higher financial performance than their peers. The average total shareholder return ('TSR') for companies with advanced security performance ratings over a five-year and three-year period was 71% and 67%, respectively, whilst the range for companies with basic security performance ratings was just 37% and 14% TSR over the same time frames.
  2. The mean cyber security rating for companies with cyber security experts on either audit or specialised risk committees was 700, whilst companies with cyber security experts on the general board, but not on either committee, attained a security rating of 580. As such, it appears that having a cyber security expert on the general board is not enough – those experts need to be directly involved with cyber oversight for significant benefits to be realised.

RUSI hosts important debate on banning ransomware payments

The Royal United Services Institute – 17 April 2024

On 17 April 2024, the Royal United Services Institute ('RUSI') convened an expert panel to discuss the pros and cons of a ban on ransomware payments, how such a ban might be implemented, and what other options are available to policymakers to reduce the profitability of ransomware for cybercriminals.

  1. Proponents say that ransomware is a financially motivated crime, so – logically – fewer payments would result in fewer ransomware attacks. Businesses may regard paying ransoms as the ‘easy way out’, especially if it is covered by insurance. However, whilst paying off cyber criminals may be the rational response for an individual firm, it is argued to be collectively irrational because it encourages further attacks.
  2. An underlying theme, agreed on all sides of the debate, is that there is currently insufficient data to conclusively and effectively predict the effects of a ban.
    1. Whilst some countries, including Australia and the United States, have considered banning ransom payments, to date, no government has undertaken a formal analysis of the consequences of a ban, particularly for critically important infrastructure held privately.
    2. For example, in the 2021 Colonial Pipeline ransomware attack, all pipeline operations were halted to contain the attack and ultimately, in a strategy overseen by the FBI, the company paid 75 bitcoin ($4.4 million USD) within several hours. Had such ransom payments been illegal, the effects of a similar attack could be catastrophic.
    3. Of course, a ban could include a waiver covering cases where, for example, a ransomware attack is preventing the delivery of critical services.
  3. Critics of the proposal argue that banning ransom payments would criminalise victims, including those who have invested in appropriate cybersecurity measures. A ban could leave directors with an impossible choice: keep the business viable by paying a ransom (whilst breaking the law), or let the company fail and breach their fiduciary duties?
  4. It is also suggested that organisations (particularly critical infrastructure and SMEs) simply do not have sufficient resilience in place, such as functional backups and business continuity workarounds, to confidently not pay ransoms. A blanket ban needs to be worked towards, with governments establishing additional recovery and support mechanisms for the private sector.

Andrew Moir – Partner, Intellectual Property and Global Head of Cyber & Data Security, London

Miriam Everett – Partner, Global Head of Data Protection and Privacy, London

Peter Dalton – Partner, London

Joseph Falcone – Partner, New York

Jonathan Cross – Partner, New York

Kate Macmillan – Consultant, London

Ridvan Canbilen – Associate, London