Government Intervention on Cyber Risk: Change is Afoot!

9–5–2023 (Tuesday)

Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Tuesday, September 5, 2023, and we’re back in the office after the Labor Day Holiday here in the US and Canada, and the sprint towards the end of the year is about to begin, just after we clear out a few more items from our inbox.

This week, a theme emerged around government intervention, but it may not be what you’re thinking. Let’s dive in and see how government actions on cybersecurity have changed, have helped, and have some room to improve.

Government Intervention

One of the big stories from the last week here in the US was the FBI’s announcement that they’d taken down the Qakbot malware network. This is news for a few different reasons.

First, it wasn’t all that long ago that there was a tremendous amount of handwringing from government folks and policy folks alike around the potential for risk and impact in operations like this - how actions of the government might disrupt or otherwise hurt private company operations.

Those days appear to be over, with the calculus shifting: the potential for harm in proactive operations like this is now weighed against the known impact of ransomware.

This particular piece of malware, Qakbot, “has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta.”

The operation was lucrative for its operators: “Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims.”

In addition to sinkholing their operation, the FBI also used the malware to push an uninstaller down to infected computers, and recovered “almost 9 million dollars in cryptocurrency from the Qakbot cybercriminal organization.”

This is a tremendous change in approach - and isn’t something the FBI did alone. They worked with colleagues from France, Germany, the Netherlands, the UK, Romania, and Latvia to carry out this operation.

We’ve seen this type of international partnership becoming more and more common, including earlier this year when “US Cyber Command’s Cyber National Mission Force deployed a hunt forward team to conduct defensive cyber operations alongside partner cyber forces” for three months in Lithuania - with an obvious emphasis in the Baltic region.

We’ve also seen domestic partnerships coming together to continue to reduce risk - including the Vulnerability Disclosure Policy Platform from CISA - whose first annual report was released this past week. They noted “the VDP Platform has onboarded 40 agency programs and has received over 1,300 valid disclosures, approximately 85% of which have been remediated” - which is pretty damn good. If you’re not familiar with it, CISA’s stated mission is to “lead the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.”

There was also a good story in The Record last week around a UK effort from NCSC - part of GCHQ - helping UK organizations get Early Warning on their potential for being exploited by ransomware or other malware. The piece noted that “Last year more than 5,900 of the service’s user organizations were alerted about events detected by the Early Warning system and over 2,200 warned about vulnerabilities on their networks.” That’s an average of about one warning every hour, 24/7/365 - which should give you a sense of the magnitude of this problem.

We also saw a little drop heading into the long weekend about another Five Eyes operation (US, UK, Canada, New Zealand, and Australia) outing the technical specifics of a piece of sophisticated ransomware that Russia’s GRU is using in Ukraine.

Taking all of this together, it does feel like a sea change in approach towards cyber risk from western governments - and for the better. We’re facing a problem at a scale that individual businesses are struggling to address, even just in securing their own infrastructure, much less issues around third party risk or digital supply chain risk (which we’ve talked about extensively over the past few months here).

These problems weren’t created overnight, and certainly won’t be solved overnight either, but we are now seeing definite steps in the right direction from government partners in the US and abroad, which will be a key part of making progress against this acute challenge.

Fundraising

Very quiet fundraising week heading into the long weekend - again, not a surprise to anyone. Only about $1B of newly committed capital announced this week, the smallest week I can remember in the past couple of years. Don’t over-index on this, though. We should see the numbers come back as we look to close out the month, quarter, and then year.

We’re also seeing more movement in the IPO market, with rumors becoming news articles around another tech unicorn - Rubrik - looking at that exit timing as early as next month.

You can find all the links to the stories we covered in the comments section below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next Monday for another Intentional Brief.

Links

https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a

https://www.cybercom.mil/Media/News/Article/3505610/us-conducts-first-hunt-forward-operation-in-lithuania/

https://www.cisa.gov/sites/default/files/2023-08/2023-8-21_VDP_Platform_Annual_Report_508c.pdf

https://therecord.media/gchq-ncsc-tipping-off-ransomware-targets-early-warning

https://www.ncsc.gov.uk/information/early-warning-service

https://www.cisa.gov/news-events/news/us-and-international-partners-release-report-russian-cyber-actors-using-infamous-chisel-malware
