Lawmakers have pushed for greater funding for the agency in the wake of a massive Russian hack that infiltrated nine federal agencies, a Chinese hacking campaign that left thousands of small businesses and local governments vulnerable and a surge of ransomware attacks. (Both China and Russia have denied involvement in the hacking campaigns.)
“It is imperative that we put CISA on track to be a $5 billion agency within the next five years — to fully live up to its mandate as the nation’s lead civilian cybersecurity agency,” Katko said in his request. “A 25 [percent] annual increase will continue this rightful trajectory. With this funding will naturally come enhanced scrutiny and oversight to ensure that Congress sees a robust [return on investment] in this critical investment.”
The request also doubles resources for engaging with state and local governments and the private sector, something that cybersecurity experts say is crucial to combating the ransomware crisis.
“It is very encouraging to see Rep. Katko’s call for additional resources to strengthen CISA’s capabilities in defending our nation’s infrastructure and building greater resilience,” Kiersten Todt, managing director of the Cyber Readiness Institute, wrote in an email. CRI recently released a white paper urging the Biden administration to take a number of steps to protect small businesses from hackers, including launching a public awareness campaign.
Katko is just one of many House leaders calling for an increase in funding for the agency.
Last month, Reps. Jim Langevin (D-R.I.) and Mike Gallagher (R-Wis.), members of the Cyberspace Solarium Commission, sent a letter urging leaders of the House Appropriations Committee to increase CISA's funding by at least $400 million.
“The importance of CISA’s role in protecting our nation’s cyber infrastructure cannot be overstated,” Gallagher said in the letter. “Congress was right to give the agency new authorities that allow it to better defend our interests in cyberspace, but without requisite funding, we’re setting CISA up for failure. It’s imperative we ensure CISA has the additional $400 million it needs to fulfill its mission in the coming year.”
The keys
The U.S. government and Apple traced hacks of Uighurs back to a Chinese hacking competition.
A hack that won $200,000 at a Chinese competition was used in the same way by Chinese government-linked hackers to spy on Uighurs, MIT Technology Review’s Patrick Howell O’Neill reports.
“I think it is not only a venue for China to get zero days but it’s also a big recruiting venue,” Scott Henderson, an analyst at FireEye, said, referring to previously unknown vulnerabilities in well-known software.
The Chinese competition and Chinese cybersecurity firm Qihoo 360, whose researcher won the competition, did not respond to requests for comment. The researcher, Qixun Zhao, denied any involvement in Twitter messages.
But Howell O’Neill and Motherboard’s Joseph Cox both wrote on Twitter that they had been told that the code was identical — even down to the comments.
A White House official did legal work for a company linked to an Israeli surveillance firm.
Dan Jacobson, the White House Office of Administration’s general counsel, provided “legal services” to Q Cyber Technologies, a firm in Luxembourg, when he worked at law firm Arnold & Porter before entering the Biden administration, according to a financial disclosure filing obtained by The Cybersecurity 202's Aaron Schaffer. Q Cyber Technologies paid more than $5,000 for Jacobson's services, according to the disclosure.
In court filings last year, lawyers representing the Israeli surveillance company NSO Group and a separate firm, an Israel-based Q Cyber, disclosed that the Israel-based Q Cyber was NSO's parent company. As of 2019, both Q Cybers were owned by Luxembourg-based OSY Technologies, according to that firm's most recent corporate filings in Luxembourg. Q Cyber’s U.S. media team and NSO Group did not respond to a question about the relationship between NSO and Q Cyber.
Amnesty International and WhatsApp say NSO’s spyware has been used to target journalists and activists around the world. NSO says it sells its technology to “licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”
“Working for a foreign espionage company that acts on behalf of foreign states, and claims immunity from U.S. law, should raise eyebrows and trigger close scrutiny during any vetting process,” said John Scott-Railton, a senior researcher at CitizenLab at the University of Toronto's Munk School.
A White House official said that in his current role, Jacobson “has no involvement with Q Cyber and adheres to all recusals required by the Biden Ethics Pledge, as well as government ethics rules.” The official also noted that Jacobson’s “practice at the firm focused on civil litigation.” Arnold & Porter’s work for Q Cyber was not previously known. The firm, NSO Group and Q Cyber did not respond to requests for comment on Arnold & Porter's work for the firm.
Facebook removed a campaign of inauthentic posts attempting to sway Ukrainian politics.
The campaign appears to have been run by Andriy Derkach, who was sanctioned by the Treasury Department for his alleged interference in the U.S. elections. The campaign targeting Ukrainian politics was unrelated to the campaign targeting U.S. elections, Facebook said.
The company also took down eight other influence networks, including operations from the Palestinian territories, Azerbaijan, the Central African Republic, Mexico, Peru and Ukraine. Many of the campaigns relied on “for-hire ops,” in which actors paid third parties to run the operations.
“From a global trend analysis, we’ve seen the burgeoning industry of what we call IO-for-hire that offers media and social media services involving inauthentic assets and deceptive amplification across the Internet,” Ben Nimmo, global threat intelligence lead for influence operations at Facebook, said in an email. “The good news is despite this trend, these campaigns are still getting caught.”
Facebook's top security policy official says that regulators could do more to deter the activity.
“We have been tracking and disrupting these IO-for-hire ops for some time,” Nathaniel Gleicher, head of Facebook security policy, said in a tweet. “Public disruptions by industry & civil society have made it harder for them, but we would all benefit from regulatory regimes that more strongly deter this type of behavior.”
Google is stepping up its rollout of two-factor authentication.
Google will begin to automatically enroll users in two-factor authentication, the company announced in a blog post. The effort’s goal is to “get everyone into a more protected and secure state by default,” Mark Risher, Google's Director of Product Management, Identity and User Security, told Motherboard.
“We’re starting with the users for whom it’ll be the least disruptive change and plan to expand from there based on results,” Risher said. The company also plans to ask users who have already signed up for two-factor authentication to verify their identities.
Chat room
SocialProof Security CEO Rachel Tobac found a flaw in Twitter's new “Tip Jar” feature that allows users who receive tips via PayPal to see the sender's address. Twitter product lead Kayvon Beykpour noted that it was partly out of the company's control.
Tobac thanked the company for taking action.
Daybook
- Rep. Mike Gallagher (R-Wis.) speaks at a Heritage Foundation event on defense supply chains on May 10 at 1 p.m.
- Deputy national security adviser for cyber and emerging technology Anne Neuberger speaks at the 2021 Future Strategy Forum on May 10 at 3:45 p.m.
- Erin M. Joe, the director of the Cyber Threat Intelligence Integration Center, speaks at the CyberSatDigital conference at 9:20 a.m. on May 11.
- Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, testifies on May 11 at 10 a.m. at a Senate Homeland Security and Governmental Affairs Committee hearing on improving federal cybersecurity in the wake of the cyberattack on SolarWinds and other software.
- Reps. Jim Langevin (D-R.I.) and Don Bacon (R-Neb.) speak at a Hudson Institute event on the U.S. military and the electromagnetic spectrum on May 11 at noon.
- Lt. Gen. Vincent Stewart, the former director of the Defense Intelligence Agency and former deputy commander of U.S. Cyber Command, speaks at an event hosted by the Intelligence and National Security Alliance on May 12 at 4:30 p.m.
- Morgan Adamski, who leads the National Security Agency’s Cybersecurity Collaboration Center, speaks at the GovConWire Defense Cybersecurity Forum on May 12 at 2 p.m.
- Gen. Paul Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, testifies before a House Armed Services Committee panel along with deputy assistant secretary of defense for cyber policy Mieke Eoyang on May 14 at 11 a.m.