The Washington Post

The Cybersecurity 202: The race is on to make hacked companies more accountable to government.

with Aaron Schaffer

Correction: This newsletter has been updated to make clear that Suzanne Spaulding's comments referred to a bill's chances of passage, not its underlying merits. It's also been updated to make clear that a CISA spokeswoman's comments about cooperation with the water sector were limited to the rough number of facilities that have used CISA services.

Lawmakers are taking their first stab at requiring far more companies to tell the government when they’re hacked. 

A draft bill being circulated by Democratic and Republican senators would require companies in critical industry sectors to notify the Department of Homeland Security within 24 hours of a hack. It would apply to companies in energy, transportation, telecommunications and emergency services as well as a dozen other sectors. 

The bill, sponsored by Sens. Mark Warner (D-Va.), Marco Rubio (R-Fla.) and Susan Collins (R-Maine), would also apply to federal agencies, government contractors and to companies that respond to cybersecurity incidents. 

It comes after a rash of cyberattacks that shut down operations at gas pipelines, meat processing plants and schools and amid rising concerns such hacks could seriously disrupt the national economy or public safety.

It also comes after the massive SolarWinds breach, which officials have tied to the Kremlin and that compromised hundreds of companies and several government agencies. The scope of that attack might never have been known if not for the fact that the cybersecurity company FireEye discovered that it was a victim and notified the government, prompting a broader investigation. 

If that breach had gone unnoticed and Russia had decided to lock or damage computers rather than simply steal information from them, “they could have brought our economy to a grinding halt,” Warner warned in a Washington Post Live event this week. 

He added, “We need to pass domestic legislation to require when these cyber incidents take place that you report them to the government.” 

The bill’s purpose is twofold. 

First, it would give DHS’s Cybersecurity and Infrastructure Security Agency a better chance of piecing the clues together if and when there's another SolarWinds-level hack that affects national and economic security.

The Transportation Security Administration implemented a similar mandate for pipelines in the wake of the Colonial Pipeline ransomware attack, which disrupted gas supplies in the southeastern United States. 

Second, the program would give CISA a far better sense of how common ransomware and other cyberattacks are. That’s a question that is largely opaque because companies aren’t always required to disclose when they’re breached and the rules for doing so vary from state to state. 

The bill would impose fines on critical infrastructure companies that don't report breaches to CISA. It threatens to bar government contractors from future contracts if they fail to disclose breaches. 

The bill may face a rocky path, however. 

Warner and Rubio are chairman and ranking Republican on the Senate Intelligence Committee, which is a good perch to work on cybersecurity issues.

But because the bill deals with CISA, it probably would move through the Senate Homeland Security Committee. There, the top Republican, Sen. Rob Portman (Ohio), is working on his own incident-reporting legislation, CyberScoop’s Tim Starks reports.

Some former cyber officials are also concerned the legislation is too broad. 

The bill would have a better chance of passing if it applied to a narrower set of companies that are truly critical to national or economic security or public health or safety, Suzanne Spaulding told me. Spaulding led the Obama-era version of CISA, called the National Protection and Programs Directorate.

The current bill draft refers to an official government list of 16 critical infrastructure sectors developed after Sept. 11, 2001. In practice, that list scoops up lots of companies that aren’t truly critical to national security and misses many that are. DHS has been working on a more complex system focused on “critical functions.”   

Sticking with the current scope would probably prompt blowback from companies that think they’re being unfairly burdened and a deluge of hacking reports that CISA doesn’t have the resources to make sense of, Spaulding said.

The requirement to notify CISA within 24 hours of a hack could also be problematic. It probably will produce a barrage of confusing reports from companies that might have been hacked and don’t want to fall afoul of the law but know next to nothing about what has actually happened, another Obama-era cybersecurity official warned me.

The official, who wasn’t authorized to speak by his current employer, suggested a narrower category of major hacks requiring notification within 24 hours and a looser reporting requirement for more run-of-the-mill breaches. 

“We’ve definitely seen from both the government contractor side and the critical infrastructure side that government needs more information and needs to get it earlier, so this is generally a good idea,” the former official said of the bill. “But this is too fast.”

The keys

It’s official. Chris Inglis will be the nation’s first national cyber director.

Inglis was confirmed by the Senate on a voice vote. He’ll become the government's top cyber official during a high-profile ransomware epidemic and after waves of hacks on the U.S. government.

As the first national cyber czar, he will be responsible for coordinating the government’s civilian cyber defenses and reviewing government agency cybersecurity budgets. Inglis worked at the National Security Agency for nearly three decades, including as deputy director.

President Barack Obama created a similar cyber coordinator role in the White House, but the position was discontinued under President Donald Trump. Congress voted last year to create the new role and to make it a Senate-confirmed position. 

Sen. Angus King (I-Maine) called Inglis’s confirmation an “historic step toward confronting this [cybersecurity] challenge.” King co-led a major cybersecurity commission that recommended and lobbied for creating the cyber director position. 

Biden’s nominee to lead CISA, Jen Easterly, is still awaiting confirmation. 

U.S. water infrastructure has been plagued by hacks and vulnerable software.

Many of those cyberattacks were never reported, including a January hack targeting a water system in the San Francisco area, NBC News’s Kevin Collier reports.

Rural areas in particular are at risk, said industrial cybersecurity consultant Bryson Bort. “If you could imagine a community center run by two old guys who are plumbers, that's your average water plant,” he said.

Water officials aren’t doing enough to make their computer systems better defended. Only “several hundred” water facilities nationwide have chosen to use services offered by CISA, spokeswoman Anne Cutler said. That's compared to more than 50,000 water facilities nationwide, Kevin reports. 

Ten percent of those facilities had critical cybersecurity vulnerabilities, many of which were years old, according to a CISA survey conducted this year. Here are more details on the survey from FCW's Justin Katz. 

The FCC is moving toward banning Chinese tech companies including Huawei.

The proposed ban also would apply to surveillance camera giant Hikvision and three other companies that the Federal Communications Commission says shouldn’t be trusted, Bloomberg News’s Todd Shields reports. The commission voted unanimously on a draft of the ban, which will go through a review process and another vote before it’s final. 

The FCC previously barred purchases of suspect Chinese tech by telecoms that receive federal subsidies to work in rural and low-income areas. Lawmakers tucked a $1.9 billion fund to subsidize replacing existing Chinese-built communications systems into a coronavirus relief package that passed in December.

Cameras made by Hikvision and Dahua, another company that would be banned, have been bought by more than 100 towns, counties and cities across the United States. 

Huawei called the vote “misguided and unnecessarily punitive.” Hikvision said it “strongly opposes” the measure. Dahua said the company “does not and never has represented any type of threat to U.S. national security” and said the FCC actions were “unwarranted.”

Hill happenings

House lawmakers roll out legislation to protect schools against hackers (The Hill)

There are no laws restricting “Stingray” use. This new bill would help. (BuzzFeed News)

Cyber insecurity

Cruise operator Carnival discloses personal data breach, shares down (Reuters)

This Agency’s Computers Hold Secrets. Hackers Got In With One Password. (New York Times)

Google’s own Android app—with 5 billion installs—was vulnerable to a privacy-destroying hack (Forbes)

Encryption wars

Bombshell report finds phone network encryption was deliberately weakened (Motherboard)

Global Cyberspace

EXCLUSIVE Pacific undersea cable project sinks after U.S. warns against Chinese bid (Reuters)

Mentions

  • CIA veteran David Marlowe has been named the agency’s deputy director of operations.
  • Erik Moser has joined Resolute CyberStrategies as vice president. He previously worked at Edelman.

Chat room

Cyber’s moment in the diplomatic spotlight this week is already the subject of Twitter jokes. Recorded Future co-founder and CEO Christopher Ahlberg pointed out the number of times President Biden mentioned cyber in his post-summit press conference: 


Daybook

  • Mieke Eoyang, the Pentagon’s Deputy Assistant Secretary of Defense for Cyber Policy, speaks at the Brussels Forum today at 9:30 a.m.
  • The R Street Institute hosts an event on the implementation of President Biden’s cybersecurity executive order on June 21 at 3:15 p.m.
  • The Senate Armed Services Committee’s cyber panel holds a hearing on ransomware on June 23 at 2 p.m.
  • The House Small Business Committee holds a hearing on CMMC cybersecurity implementation on June 24 at 10 a.m.
  • Cybersecurity and Infrastructure Security Agency officials discuss ransomware at an Infosec webinar on June 24 at noon.
