Good morning! I’m Cat Zakrzewski, a tech policy reporter at The Washington Post. I’ll be at the helm of The Cybersecurity 202 these next few weeks. If you can’t get enough of Post newsletters, sign up here for my forthcoming newsletter, The Technology 202. You won’t want to miss our daily analysis on the complex relationship between Washington and Silicon Valley, coming to your inbox in December.
The Department of Homeland Security plans to apply the lessons it learned from the 2018 midterm elections on cybersecurity to other critical infrastructure, and will be helped by the imminent elevation of its responsibility for civilian cybersecurity throughout the government.
“That serves as a model for how we’re going to partner to protect the grid, to protect the banks,” DHS cybersecurity chief Chris Krebs told private industry leaders on Thursday. “We’ve made a significant amount of progress, and going forward we have to look to how we can replicate those sorts of engagements.”
Krebs’s comments come as he is expected to take over as director of the Cybersecurity and Infrastructure Security Agency [CISA]. Congress passed a bill earlier this week that will create the new unit within DHS — which will cement the agency's leadership on civilian cybersecurity and rank on the same level within the department as the Federal Emergency Management Agency or Secret Service. President Trump is expected to sign the bill into law as early as Friday.
The new agency will elevate the cybersecurity mission within DHS, Krebs said, and it will be responsible for coordinating with other government entities and the private sector on cybersecurity and critical infrastructure programs. The legislation is intended to make it easier for the private sector to work with government on cybersecurity threats. DHS's cybersecurity work is currently housed under the National Protection and Programs Directorate. Krebs told the Cybersecurity 202 earlier this year that the unit needed to be rebranded to reflect what it actually does.
"It was one of my top priorities since I came to DHS," Krebs told me in an interview yesterday.
Krebs’s remarks came at a meeting with members of the Charter of Trust, an initiative including global companies such as Siemens and IBM. DHS also hosted the first supply-chain security task force uniting government entities with technology and communications companies.
CISA is the result of a long-fought battle to consolidate DHS’s authority on cybersecurity matters. An effort to create such an agency has been underway since the Obama administration, but it was hampered by lawmakers who felt the 14-year-old agency was not as equipped to deal with cyber threats as the National Security Agency or FBI. Earlier this week, the bill moved through the House with unanimous support — signaling lawmakers’ view on DHS’s role in handling civilian cybersecurity is evolving.
Edna Conway, Cisco’s chief security officer for its global value chain, said thinks CISA will help companies and federal agencies with collaborate better on cybersecurity.
“It’s almost as if DHS is now becoming that clearinghouse,” she said.
Conway said this is part of a broader effort for government and the private sector to come together on cybersecurity issues.
But such efforts have not always seen equal contributions from both sides. Two years ago, Congress passed legislation that was intended to incentivize companies to share information about cyber threats with the government. But Nextgov’s Joseph Marks reported that as of July, only six companies and other nonfederal entities had shared that data with the government. A much greater number are able to receive cyber threat data from DHS — 190 private entities and about 60 federal institutions, at the time of the Nextgov report.
Krebs said the federal government has made a bigger push on cybersecurity since the Russian hacking campaign to influence the 2016 election in favor of Donald Trump. He said those revelations have galvanized government to focus more on this issue than ever.
During the midterm elections, DHS undertook an unprecedented effort to secure the country’s fragmented election systems, which required coordination and threat-sharing among various agencies, state and local election officials and technology companies. Yet for months leading up to the elections, many lawmakers were skeptical that the Trump administration was doing enough.
So far, Krebs said there has been no evidence of interference with election equipment in 2018. The agency is expected to publish a report on the outcome of its security efforts within 45 days of the midterms.
“We made more progress in 18 months in these interagency partnerships, in sharing information, in sharing threats, co-location capabilities, than I think in the preceding decade,” Krebs said. “Sometimes it does take these moments.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Sen. Mark R. Warner (D-Va.) said the Trump administration deserves “some credit” for its efforts to initiate a U.S. cyber doctrine, in particular through adoption of a directive updating the rules governing the launch of cyber operations. The directive, called National Security Presidential Memorandum 13, eases the process for setting cyber operations in motion. “They have changed their executive order about the willingness of America to use its cyber capabilities — both on a defense and offensive capability,” Warner said during a speech at the Center for Strategic and International Studies.
Warner, who serves as vice chairman of the Senate Intelligence Committee, also said the United States lacked a cyber doctrine through the George W. Bush and Obama administrations. “We have ignored the reemergence of a near-peer adversary like Russia and the emergence of China, to the point where it’s been open season in terms of these nations either interfering in our elections — in the case of Russia — stealing our intellectual property — in the case of China — and doing so with no fear of retribution from the United States,” Warner said. He added that the development of a cyber doctrine ought to include international rules. “We desperately need an articulated cyber doctrine where there are norms — hopefully international norms — across the way so that we can respond as need be,” Warner said.
PATCHED: “Facebook said Thursday it had removed more than a billion fake accounts and taken action against millions of posts, photos and other forms of content that violated its prohibition against hate speech, terrorist propaganda and child exploitation, the latest sign that the social-networking giant faces an onslaught of online abuse as it builds new tools to spot it,” The Washington Post's Tony Romm and Elizabeth Dwoskin reported. “The report shows that Facebook still struggles to identify hate speech and bullying, in particular, even at a time when social media companies are grappling with the rising tide of racist, sexist and anti-Semitic content online and the United States is experiencing a rise in hate crimes.”
Facebook said its ability to identify content that runs afoul of its community standards before such content is flagged by users is improving. “The company said that it catches more than 95 percent of nudity, fake accounts and graphic violence before users report it to Facebook,” Tony and Elizabeth wrote. “But for hate speech and a related category, bullying, the company catches 51.6 percent and 14.9 percent of incidents before they are flagged by Facebook users.”
Additionally, Facebook released some figures on government requests for user data. The company received 103,815 government requests for user data worldwide during the first half of 2018, Chris Sonderby, vice president and deputy general counsel at Facebook, said in a post. Such requests stood at 82,341 during the second half of 2017, amounting to about a 26 percent increase. Government requests in the United States rose by about 30 percent, “of which 56% included a non-disclosure order prohibiting Facebook from notifying the user,” Sonderby said.
PWNED: “China’s chief cyber censor is raising the regulatory pressure on internet companies to police online speech, requiring them to keep extensive records about users and alert authorities about the spread of what the government deems harmful content,” the Wall Street Journal's Yoko Kubota reported. “New rules issued Thursday by the Cyberspace Administration of China targets operators of online services from chat sites to video livestreaming — any platforms where people can ‘express opinions or that have the ability to mobilize society.’” The Journal added that multiple companies in China already provide authorities with data on their users. “Under the new rules, which come into effect Nov. 30, online-service providers must keep records of user information, including real names, log-in and log-off times, network source addresses and types of hardware used,” Kubota wrote.
Chinese authorities have increased their control over the Internet since 2016, Reuters's Cate Cadell reported. “In Chinese cyber policy, content that ‘undermines’ social stability, manipulates history or runs counter to the government line is deemed a cybersecurity risk, comparable to financial and terrorist cyber threats,” Cadell wrote. “According to the terms and conditions of social media services, including the Twitter-like service Weibo and Tencent’s WeChat, tech companies are already required to share information with the government on request, though there is little transparency on the exact process.”
— “WikiLeaks founder Julian Assange has been charged under seal, prosecutors inadvertently revealed in a recently unsealed court filing — a development that could significantly advance the probe into Russian interference in the 2016 election and have major implications for those who publish government secrets,” The Post's Matt Zapotosky and Devlin Barrett reported. “The disclosure came in a filing in a case unrelated to Assange. Assistant U.S. Attorney Kellen S. Dwyer, urging a judge to keep the matter sealed, wrote that ‘due to the sophistication of the defendant and the publicity surrounding the case, no other procedure is likely to keep confidential the fact that Assange has been charged.’ Later, Dwyer wrote the charges would ‘need to remain sealed until Assange is arrested.’ Dwyer is also assigned to the WikiLeaks case. People familiar with the matter said what Dwyer was disclosing was true, but unintentional.”
— “A federal judge refused Thursday to dismiss the indictment of a Russian firm accused by special counsel Robert S. Mueller III of funding part of a Russian effort to influence the 2016 U.S. election,” The Post's Spencer S. Hsu and Josh Dawsey reported. “Concord Management and Consulting — owned by Yevgeniy Prigozhin, a Russian businessman known as ‘Putin’s chef’ because of his ties to Russian President Vladimir Putin — had asked that the case be dismissed, saying prosecutors ‘made up a crime’ to criminalize election trolling and political speech.”
— “The government’s lead contracting agency plans to formalize how and when contractors are required to disclose data breaches and to mandate better government visibility into how serious those breaches are,” Nextgov's Joseph Marks reported. “The proposed rule will mandate that the General Services Administration and the agency that’s being served by the contract have access to breached contractor systems, according to a regulatory roadmap set to be published in Friday’s Federal Register. Contractors will also be required to preserve images of the affected systems for the government to review, the roadmap states.”
— More cybersecurity news from the public sector:
— “German prosecutors are pressing criminal charges against a former employee of chemicals maker Lanxess for allegedly stealing trade secrets to set up a Chinese copycat chemical reactor,” Reuters's Patricia Weiss and Ludwig Burger reported. “The case underscores fears among German officials and executives about industrial espionage in Europe’s largest manufacturing nation. State prosecutors in the city of Cologne, where the company is headquartered, told Reuters they had brought criminal charges in June against a Chinese-born German national based on a complaint filed with police by Lanxess about two years ago.”
— More cybersecurity news from abroad:
- The U.S. Chamber of Commerce hosts a conference, titled “Critical Infrastructure Risk Management: A Path Forward,” in Washington.
- CyberwarCon in Arlington, Va., on Nov. 28.
Fact-checking Trump's claims on voter fraud:
On bullying, Trump and Melania strike a different tone:
Bei Bei plays in D.C.'s first snow of the season: