DHS plans to go even further in coming weeks, releasing mandatory cybersecurity protections that pipeline companies must implement and steps they must take if they’re hacked. The companies would face financial penalties if they fall short on those cyber protections.
That’s a bold move the agency has shied away from in the past. It was made far more urgent by the devastating Colonial Pipeline ransomware attack, which roiled the energy sector and consumers, creating gas shortages and price spikes across the southeastern United States.
The move would place pipelines among just a handful of industry sectors where the government requires specific cybersecurity protections.
“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” Richard Glick, chairman of the Federal Energy Regulatory Commission, told my colleagues.
The effort comes, however, as the federal government is still struggling to improve its own cybersecurity protections.
Federal agencies are still far behind in protecting against cyberattacks that tunnel in through their web of IT contractors, a government auditor yesterday told lawmakers on the House Committee on Science, Space, and Technology.
That assessment comes more than five months after news broke that Russia had used just such a “supply-chain hack” into the network management contractor SolarWinds to steal reams of information from a host of federal agencies, including the Defense, Treasury, Justice and Homeland Security departments.
A government auditor found in December that none of the 23 major federal agencies had fully implemented protections against such attacks. And 14 of those agencies hadn’t put in place any of the seven protections recommended by the Government Accountability Office.
Six agencies have updated the GAO on their protections since then, but there are still no agencies that are fully protected, Vijay D’Souza, GAO’s director of information technology and cybersecurity, told the committee.
“It's not going to be easy to address IT supply-chain issues, and what we do is going to change as we continue to learn more about threats ... But if we want to be prepared for the next SolarWinds-type incident it's important for federal agencies to immediately begin addressing this issue,” D’Souza said.
Lawmakers were quick to endorse the forthcoming pipeline rules.
House Homeland Security Committee Chairman Bennie Thompson (D-Miss.):
Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus:
Rep. Robin Kelly (D-Ill.), vice chair of the House Energy and Commerce Committee:
Some cybersecurity experts were skeptical the rules could be effective. Maurice Turner, cybersecurity fellow at the Alliance for Securing Democracy, feared companies would wiggle out of the rules.
The keys
U.K. spy agency’s mass surveillance broke the law, a top European court ruled.
GCHQ’s bulk surveillance program violated citizens’ freedom of expression and didn’t have sufficient protections for confidential materials used by journalists, the European Court of Human Rights’ final appeals court ruled, the Guardian’s Haroon Siddique reports. The decision to operate a bulk surveillance program in itself was not a violation of Europe’s human rights convention, the court said.
The ruling “vindicates” former National Security Agency contractor Edward Snowden, whose release of sensitive surveillance documents prompted the legal challenge, according to Big Brother Watch, one of the plaintiffs in the case. Snowden revealed that GCHQ scooped up massive amounts of information through fiber-optic cables.
The program Snowden exposed was largely replaced by a new U.K. surveillance law in 2016. The European ruling will allow a separate case challenging U.K. surveillance to proceed in British courts.
“We welcome the judgment that the UK’s surveillance regime was unlawful, but the missed opportunity for the Court to prescribe clearer limitations and safeguards mean that risk is current and real,” Silkie Carlo, the group’s director, said in a statement.
A partisan election audit in Maricopa County is switching a major contractor partway through.
Wake TSI, a subcontractor to cybersecurity firm Cyber Ninjas, was in charge of running the hand recount in Maricopa County, the Arizona Republic’s Jen Fifield and Andrew Oxford report. The company opted not to stick around after its original contract ended May 14.
The unusual midstream switch comes amid intense criticism of the GOP-led audit, which critics say has ignored cybersecurity and auditing best practices and is a partisan exercise aimed at raising doubts about Joe Biden’s election victory.
“They were done,” audit spokesman and former state GOP chairman Randy Pullen said. “They didn't want to come back.”
StratTech Solutions, an Arizona-based company, has taken over for Wake TSI. Pullen said the company, which focuses on cybersecurity and IT technology, has been involved in the recount since the beginning, including by setting up the technology used for hand-counting ballots. It is not clear whether the firm has election or auditing experience.
Michigan’s top election official is warning against Maricopa-style audits.
Such audits, which activists are pushing for across the country, would violate Michigan law, Secretary of State Jocelyn Benson (D) said, Amy Gardner reports.
They would also void the warranties of Dominion voting machines, according to a Dominion letter to Michigan counties. Recertifying voting machines would be expensive and that cost would fall on local governments, the company warned.
“Remember, your voting system is deemed critical infrastructure by the U.S. government and should be utilized, maintained and protected as such,” the letter, which was sent in early May, says. Former president Donald Trump and his allies baselessly claimed that Dominion machines flipped votes from Trump to President Biden.
Calls for outside audits in Michigan have grown loudest in Antrim and Cheboygan counties. Benson said in separate letters that those counties’ boards have “no authority” to order audits. She told election clerks to deny access to unaccredited outside examiners of the machines.
National security watch
The world’s largest maker of surveillance technology has links to China’s military, according to a report.
Hikvision has sold drone technology to China’s air force and has worked with Chinese weapons experts, according to a report by surveillance research company IPVM that was corroborated by the Wall Street Journal’s Dan Strumpf. The new details about the ties between Hikvision and the Chinese military follow years of claims by U.S. officials that the company had deep ties to the Chinese military. The company has disputed the claims.
“Not now, and not ever, has Hikvision conducted research and development work for Chinese military applications,” a Hikvision spokesman said, asserting that “any instances of such by any of our employees were done so in a personal capacity and not at the direction of the company.” The Chinese Communist Party’s Central Military Commission and the Pentagon did not respond to requests for comment.
Global Cyberspace
Government scan
Chat room
One of the most famous cyberattacks in history may have used four, five or seven previously unknown cyber vulnerabilities known as “zero days.” It depends on how you look at it. Journalist Kim Zetter explains:
Dragos's K. Reid Wightman:
Daybook
- Secretary of Homeland Security Alejandro Mayorkas testifies before House and Senate Appropriations Committee panels at 10 a.m. and 2 p.m. today.
- Former Director of National Intelligence Adm. Dennis Blair and former Homeland Security Secretary Michael Chertoff speak at a Center for Strategic and International Studies launch event for the Multilateral Cybersecurity Action Committee on May 26 at 2 p.m.
- The Senate Homeland Security and Governmental Affairs Committee holds a confirmation hearing for top nominees to the Department of Homeland Security on Thursday at 10:15 a.m.
- Retired Adm. Michael Rogers, the former commander of U.S. Cyber Command and director of the NSA, discusses critical infrastructure supply chain security at an event hosted by the Israeli Economic Missions to North America and Team8 on Thursday at noon.
- Anne Neuberger, the deputy national security adviser for cyber and emerging technology, and Jeffrey Greene, the National Security Council’s acting senior director for cybersecurity, speak at a Center for Strategic and International Studies event on Thursday at 2 p.m.