with Aaron Schaffer
The response to the wave of costly and disruptive attacks — in which hackers lock up victims' computers and demand payment to free them — involves nearly every facet of the federal government. It was spurred most recently by high-profile ransomware attacks against the energy and food sectors but also by a drip, drip series of hits on schools, hospitals and local governments that collectively demonstrate an unacceptable level of vulnerability across the nation’s vital infrastructure.
Here’s a rundown of what the federal government is doing:
The Justice Department has elevated ransomware investigations to the same level as terrorism probes. The White House has begun issuing a raft of new cybersecurity requirements for gas pipelines. And President Biden has pledged to confront Russian President Vladimir Putin during their summit this month about ransomware gangs operating on Russian territory and to rally U.S. allies to address the problem.
Top government officials are also bluntly warning companies they must increase their digital protections to prevent a wave of similar attacks and pushing them to level with the government when they do pay hackers ransoms.
The government effort is far broader than previous responses to major hacks, even to blockbuster ones such as the Kremlin-linked SolarWinds breach that compromised a slew of government agencies or the Office of Personnel Management hack that compromised personnel records of more than 20 million federal employees and typically is attributed to China.
It reflects a shift from treating ransomware as a pesky criminal problem to one of vital national security.
Indeed, White House officials are increasingly arguing that ransomware attacks against critical industries could become so disruptive they have global implications, Ellen Nakashima, Hamza Shaban and Rachel Lerman report.
Among their efforts, officials are trying to convince U.S. allies to force more transparency from cryptocurrency exchanges that operate on their territory and process ransomware payments, a senior administration official told my colleagues.
The goal is to force those exchanges to reveal the recipients of especially large exchanges of cryptocurrency, making it easier for law enforcement to track likely ransom recipients.
“There are cryptocurrency exchanges all around the world, and we want to ensure that there’s a common threshold of ‘know your customer’ rules, which are in place and implemented so there aren’t places to hide funds,” the official said.
The Justice Department also is urging U.S. companies to proactively tell the government when they pay ransoms — even as it urges companies not to pay those ransoms if at all possible.
On NBC’s Meet the Press, Senate Intelligence Committee Chairman Mark Warner (D-Va.) pushed for legislation mandating that companies tell the government when they pay ransoms. He stopped short of endorsing a ban on ransomware payments, which some cybersecurity experts have promoted.
“There's going to be a debate about whether these companies should pay ransomware,” he said. “But there ought to be more transparency, if a company does pay, so we can go after the bad guys.”
The keys
U.S. authorities announced the first charges under the banner of a new Ransomware and Digital Extortion Task Force.
Prosecutors say Alla Witte, also known as “Max,” helped develop Trickbot malware, which they say infected millions of computers, stole banking credentials and delivered ransomware. She was arrested in February, according to the Justice Department. Witte was born in Russia and had been living in Latvia, officials said.
“These charges serve as a warning to would-be cybercriminals that the Department of Justice … will use all the tools at our disposal to disrupt the cybercriminal ecosystem,” Deputy Attorney General Lisa Monaco said.
Trump and Giuliani personally pushed for a partisan Arizona audit investigating baseless election fraud claims.
Former president Donald Trump and his lawyer Rudolph W. Giuliani personally contacted Republican lawmakers in Arizona to urge them to conduct the partisan audit in Maricopa County, Amy B Wang reports. The machinations were revealed in emails sent to and from Arizona lawmakers that were obtained by American Oversight, a nonprofit legal watchdog group.
“The more we learn, the more it becomes clear that this is not an audit, it’s a sham partisan crusade carried out by some of the most cynical actors our democracy has ever known,” said Austin Evers, the group’s executive director.
In a separate development, new evidence is emerging about the pressure former White House chief of staff Mark Meadows put on acting attorney general Jeffrey Rosen to investigate unfounded fraud claims as Trump’s presidency wound down, Karoun Demirjian and Josh Dawsey report. Meadows asked Rosen to look into fraud claims in New Mexico and baseless theories that the election was stolen from Trump, including one that votes were switched by people in Italy manipulating satellites, according to portions of the emails obtained by the New York Times.
The Supreme Court handed a major victory to cybersecurity researchers in its biggest ruling to date in a hacking case.
The ruling places limits on what counts as hacking under the government’s main anti-hacking law, the 1986 Computer Fraud and Abuse Act. Under the court’s interpretation, the law still would criminalize breaking into a computer or database by stealing a password. But prosecutors generally could not use the law to pursue people who simply break the rules for a computer system, such as violating a website’s terms of service or a workplace's rules.
A majority of justices said the government’s “breathtaking” interpretation of the statute could make criminals of “millions of otherwise law-abiding citizens,” Robert Barnes reports. The decision was also notable because the three justices nominated by former president Donald Trump joined with the three liberals on the court to form the majority.
The ruling was welcomed by cybersecurity researchers who frequently fell afoul of the law when searching for bugs in digital consumer products. Digital rights and civil liberties groups also praised the ruling.
“Although the high court did not narrow the CFAA as much as EFF would have liked … it provided good language that should help protect researchers, investigative journalists, and others,” the Electronic Frontier Foundation said.
The ACLU agreed. “The Supreme Court’s decision will allow researchers and journalists to use common investigative techniques online without fear of CFAA liability,” Esha Bhandari, the deputy director of the ACLU’s Speech, Privacy and Technology Project, said.
Chat room
Here's a deep dive on the high court's ruling from University of California-Berkeley School of Law professor Orin Kerr:
As I read the new decision, the Court says yes -- exceeding authorized access also requires some breaking in. The court agrees with the defendant's claim that the two prohibitions are similar -- at just different stages. The Court calls this a "gates-up-or-down" inquiry. pic.twitter.com/gwkr8voItJ
— Orin Kerr (@OrinKerr) June 3, 2021
But there's a big caveat to that. In a different footnote, the Court says it is *not* reaching whether that "gate" can be imposed only by technology, or by a contract or policy. pic.twitter.com/XsRYVrY7Sf
— Orin Kerr (@OrinKerr) June 3, 2021
I may be too close to this to see it clearly right now, but I would have thought the issue in Van Buren is what counts as a "gate." Does there need to be a technological gate, or can a gate of words ("do not access this computer for a bad purpose") suffice?
— Orin Kerr (@OrinKerr) June 3, 2021
Government scan
The Biden administration expanded a ban on U.S. investment in Chinese companies to those in the surveillance sector.
The executive order issued Thursday “prevents U.S. investment from supporting the Chinese defense sector, while also expanding the U.S. government’s ability to address the threat of Chinese surveillance technology firms that contribute — both inside and outside China — to the surveillance of religious or ethnic minorities or otherwise facilitate repression and serious human rights abuses,” according to a White House fact sheet.
The order also moves the authority for the ban from the Pentagon to the Treasury Department, Jeanne Whalen and Ellen Nakashima report.
Daybook
- Colonial Pipeline CEO Joseph Blount testifies before the Senate Homeland Security and Governmental Affairs Committee on Tuesday at 10 a.m.
- Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, and former FBI deputy director Sean Joyce discuss ransomware at an Aspen Institute event on Tuesday at noon.
- The Middle East Institute hosts its annual cyber conference on Wednesday.
- Quinn Carman, the director of operations of the NSA’s Red Team, speaks at the Silicon Valley Cyber Security Summit on Wednesday at 10:50 a.m.
- The Senate Intelligence Committee holds a confirmation hearing for Christine Abizaid, President Biden’s pick to lead the National Counterterrorism Center, and Robin Ashton, whom he nominated to be the CIA’s inspector general, on Wednesday at 2:30 p.m.
- Colonial Pipeline CEO Joseph Blount testifies before the House Homeland Security Committee on Wednesday at noon.
- Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, discusses cybersecurity at an American Enterprise Institute event on Friday at 10 a.m.
- Gen. Paul Nakasone, the director of the National Security Agency and commander of U.S. Cyber Command, testifies before a House Armed Services Committee panel alongside the director of the Defense Intelligence Agency, Lt. Gen. Scott Berrier, and Undersecretary of Defense for Intelligence & Security Ronald Moultrie on Friday at 11 a.m.
Secure log off
Jimmy & Dave Grohl battle to see who can identify songs that are just a little bit off in Off Songs, Song Off! pic.twitter.com/Fn5oPAYUAa
— The Tonight Show (@FallonTonight) June 6, 2021