Welcome to the first edition of Citizen Tech, InformationWeek’s monthly policy brief! Every month we’ll be looking at the biggest political stories about technology and cybersecurity of the month, in the United States and abroad, to keep you in the loop. Here’s your wrap-up for October.

White House Hosts International Anti-Ransomware Conference

The White House National Security Council (NSC) hosted a virtual counter-ransomware event on Oct. 13 and 14. Representatives from some 30 countries, as well as the European Union (EU) as a bloc, attended. The conference covered topics like network resilience, illicit uses of cryptocurrency, how ransomware is financed, and ways to disrupt the ransomware ecosystem through law enforcement and diplomacy.

Virtual currency and its abuses received the attendees’ special attention. Anne Neuberger, deputy national security advisor to President Biden, underscored the international nature of a ransom paid in crypto, which may involve half a dozen countries between the location of the attackers, the location of the target, a third country to host the exchange, and others to launder the money.

“It takes a network to fight a network,” Neuberger told press post-event. “It takes a network of countries connecting the individual elements within the country across diplomacy, law enforcement, financial regulators … and then connecting globally to fight the network of ransomware actors’ infrastructure and illicit use of virtual currency. And indeed, the mix of experts that were in the room from areas that traditionally operate in parallel channels will be core to disrupting that ecosystem.”

Notably, the NSC declined to invite any Russian or Chinese representatives to the conference. Said Neuberger, “The US has a candid, professional, and very direct set of conversations with Russia about criminal activity, ransomware activity coming from within Russia.”

There is no international ban on ransomware, given its protean operation schemes and especially its geopolitical complications: at a certain point the matter devolves into endless, fruitless shouting about rule of law on the one hand and sovereignty on the other. A White House fact sheet, put out ahead of the conference, cited $400 million worldwide in ransoms paid last year, and $81 million in the first quarter of 2021 alone.

California Issues Cybersecurity Roadmap

On Oct. 22, California governor Gavin Newsom released a five-year plan to consolidate the state’s cybersecurity efforts and “address critical gaps.” Called Cal-Secure, the plan is comprehensive, and will apply to federal, state, municipal, tribal, and private sector bodies operating in California. The state’s Cybersecurity Integration Center, the state’s executive infosec hub, drafted the plan with the help of various other state agencies, including law enforcement and defense.

According to a press release, Newsom has advanced some $260 million to the Department of Technology, as well as “$11.3 million one-time and $38.8 million ongoing to mature the state’s overall security posture, improve statewide information security initiatives, analyze cyber threat intelligence and mitigate potential threats.”

Cal-Secure’s central concern is a unified standard of training and security governance. Many questions remain open, from the details of rollout to the ambiguity of Cal-Secure’s phrasing: When are “recommendations” recommendations, and when are they mandates?

Incident reporting is another open question. Cal-Secure does seem to establish a standardized notification protocol, but the wording of the report is unclear.

But GovReport notes that such a program is long overdue, and that, to the comfort of the doubtful, Louisiana consolidated their cybersecurity efforts in a similar scheme in 2015; the state saved $75 million in IT services by doing so.

California is a crucial cog in the international digital economy, so Cal-Secure may well inspire similar top-down consolidation models in other states and eventually other countries. Newsom’s office issued a visual guide to the plan but be warned: It’s completely unreadable.

European Parliament Calls for Joint Cyber Unit

On Oct. 7, the European Parliament voted in favor of a “dual use,” military and civilian Joint Cyber Unit for the European Union. The proposed would coordinate responses by EU member states to major cyber attacks, as well as facilitate information sharing between governments. The vote is indicative of a growing concern among European governments about the EU’s strategic and technological autonomy, particularly in the face of cyberattacks from the bloc’s geopolitical rivals. 

MEPs specifically cited the Pegasus spyware scandal as an example of the dangers member states face. At the moment, the EU has no unified cybersecurity policy. This month’s vote was a crucial step toward making one.

A unified EU cybersecurity regime could potentially make waves in the US. The resolution cited European dependence on private, implicitly American third parties as a major strategic vulnerability. This could augur more protracted legal battles between European courts and American tech companies, plus more regulatory hurdles to clear à la GDPR (General Data Protection Regulation, the EU's rigorous, landmark data privacy law that impacts businesses across the globe). Politically, the resolution is ambiguous: it seems like part of a growing European discontent with Atlanticism, but specifically calls for “enhanced cooperation” with NATO and the US.

Said Urmas Paet, MEP of Estonia, “In the past few years, there has been a continuous growth in malicious cyber operations. The EU and its Member States must step up their defence capabilities in order to successfully respond to these cyber threats. Therefore it is of key importance to enhance cooperation between EU Member States and institutions, NATO, the US and with other strategic partners.”

This is a story to watch, however slowly it develops. Read the press release here.

Biden Signs K-12 Cybersecurity Act

President Biden signed the K-12 Cybersecurity Act into law on Oct. 8, in response to cyber attacks on American schools. The law gives the Cybersecurity and Infrastructure Security Administration (CISA) 120 days to produce a study on the specific cybersecurity needs of elementary, middle, and high schools; a further 60 days for CISA to create guidelines to “prevent, detect, and respond to cyber events” and 120 days after the issuance of the guidelines to develop an online training toolkit for school officials.

The Act cites some several broad areas of concern, mostly the disclosure of confidential student grade records, medical records, family records, and personally identifiable information.

According to the nonprofit K-12 Cybersecurity Resource Center, public K-12 education in the United States is a formidable sector, worth about $760 billion and serving over 50 million students. The Center tracked 408 publicly disclosed incidents in 2020 (an 18-point rise over 2019); most of these were denial of service attacks (45%) and data breaches (36%). Thefts from school funds through cyber attacks ranged from $206,000 to a staggering $9.8 million.

POLITICO noted that one of the major headaches for CISA will be notification. As there is no federal notification protocol, CISA will have to negotiate 50 separate state protocols, some of which (including California’s) do not stipulate a reporting timeline. The lack of IT training for school staff also threatens to slow down implementation.