The Department of Homeland Security is releasing today a list of 55 things the government most needs to protect from digital attacks.
The government believes that a cyberattack on any of these government or private sector services or functions could have a “debilitating effect” on national security, the U.S. economy or public health.
On the list, provided first to The Cybersecurity 202, are some obvious things -- such as supplying water or generating electricity. But the list also delves into some broader categories, including preserving Constitutional rights, protecting sensitive information, and enforcing the law. The list includes everything from providing internet access to supporting community health and conducting elections. You can read the full list here.
The U.S. has long relied on a system that prioritized protecting industry sectors -- such as transportation, financial services and energy -- as part of its critical infrastructure. But these broad categories are proving far too imprecise in an age when, say, North Korea launched a destructive attack on a film studio and Russia orchestrated a sweeping election interference campaign.
The plan is part of a broader DHS effort to shift to a “risk-based” approach to cybersecurity — in other words, devoting more time and money to threats that could do the most damage.
“If everything’s a priority, then nothing’s a priority,” Director of DHS’s Cybersecurity and Infrastructure Security Agency Chris Krebs told me. “This allows us to really drill down into those things we need to care about.”
A main benefit of the new system is that it will allow government and industry to map out how a single digital threat — say an attack on the Global Positioning System or Internet routing services — might ricochet across numerous industries, Krebs said.
DHS’s previous system for categorizing digital threats focused on 16 critical infrastructure sectors but didn’t deal with the complex web of interdependence between them. And it didn't distinguish between truly vital systems, like those that deliver electricity, versus less vital ones, such as that electric utility's public-facing website.
“[Now] we can focus on … the gaps and overlays between [industry] sectors,” Krebs said. “We want to back out from these artificial economic sectors into something more focused on what [industries] actually deliver at the end of the day.”
Instead of listing the healthcare sector, for example, the new critical functions list includes systems that “maintain access to medical records” and that “support community health.” And instead of transportation, it lists transporting cargo and passengers by air, rail, road, mass transit and vessels -- and materials by pipeline.
The department also plans to work with industry to identify which functions are the most critical of the critical. The department will use that prioritized list — which it may or may not make public — to frame conversations with industry about cybersecurity tactics and to guide DHS’s budget requests to Congress, Krebs said.
“Not all functions are created equal in terms of priority, so you can start triaging, putting the most critical ones at the top, figuring out where do we want to put our scarce resources,” he said.
PINGED: President Trump’s lack of interest in election security and his unwillingness to condemn Russian hackers “has made it tougher for government officials to implement a more comprehensive approach to preserving the integrity of the electoral process,” my colleagues Josh Dawsey, Ellen Nakashima and Shane Harris report.
“For more than two years…Trump has recoiled when aides broached Russia’s 2016 theft and dissemination of Democratic emails and its manipulation of social media in an effort to sway the election,” my colleagues report.
During one 2017 meeting with advisers, Trump called the hacking operation – which the intelligence community attributed to Russia – “a goddamn hoax,” my colleagues reported.
The president also regularly conflates discussions about Russia’s interference in the election with attacks on the legitimacy of his election, current and former officials said.
“In one meeting in late summer 2018 in the Situation Room, aides told Trump that they wanted to talk publicly to raise voters’ awareness of the interference ahead of the midterm,” my colleagues reported. “According to an official familiar with the meeting, Trump placed a condition on any public statements: The aides must also make clear that Russia didn’t influence his win.”
PATCHED: Washington doesn’t believe there’s any safe way to allow Huawei inside next-generation 5G wireless networks without enabling Chinese spying, the State Department’s top cybersecurity diplomat Robert Strayer told reporters in Brussels on Monday, the Wall Street Journal’s Parmy Olson reported.
The statement comes less than a week after the United Kingdom decided to let Huawei construct noncore portions of its 5G networks.
Strayer didn’t directly address the U.K. decision, the Journal reported. “But asked about whether the U.S. and the U.K. were aligned on what constitutes vulnerable parts of a network, he said: ‘no part of a 5G network should have parts or software coming from a vendor that could be under the control of an authoritarian government,’” the Journal reported.
The United States has lobbied numerous allies to ban Huawei from their 5G networks but with limited success. Only Australia has fully barred the Chinese telecom so far. The Trump administration has also not yet released its own order barring Huawei from U.S. 5G networks.
PWNED: A jailed former CIA computer engineer who’s accused of leaking a massive trove of hacking tools made a series of claims in a legal filing asking to be released from federal detention that many on Twitter noted were outlandish.
Joshua Schulte, who’s accused of passing the documents known as Vault 7 to WikiLeaks, claimed he’s lost $50 billion during his incarceration, according to independent journalist Marcy Wheeler.
Here's the logic behind Schulte's claim of $50B in lost income: Basically, his incarceration is preventing him from becoming the next Bill Gates. — emptywheel (@emptywheel) April 26, 2019
Schulte also “lost time mentoring and teaching my youngest brother programming as he attends college and most likely learns the wrong way to align braces and indent,” according to the filing quoted by Cyberscoop’s Jeff Stone.
He’s “also a huge movie buff and I’ve already missed major blockbuster releases that I would have reserved in advance at Alamo Drafthouse and enjoyed with family and friends,” the filing states.
Schulte was first charged with storing child pornography in 2017. He was later charged with the Vault 7 leak under the Espionage Act.
Here's more on that from Wheeler:
Along with Espionage for leaking live hacking tool, Schulte is accused of possessing child porn and (in VA state charges) sexual assault. He says he is accused of a victimless crime. — emptywheel (@emptywheel) April 26, 2019