with Aaron Schaffer

President Biden will today announce a major program outlining how critical industry sectors such as energy, transportation and agriculture should be protecting themselves against cyberattacks. 

The requirements, which will be detailed in a new national security memorandum, will be voluntary to start. But administration officials are signaling they’re ready to work with Congress to make them mandatory if necessary.

“Short of legislation, there isn't a comprehensive way to require deployment of security technologies and practices that address really the threat environment that we face,” a senior administration official told reporters before the announcement. 

The big-picture goal: To shift the way government deals with critical industries’ cybersecurity from a patchwork of different requirements and authorities to one set of rules, with the federal government as the rulemaker. 

Our current posture is woefully insufficient given the evolving threat we face,” the senior administration official said.

The move comes amid a wave of devastating ransomware attacks that has disrupted the gas and meat sectors and thousands of small businesses. 

The attacks have also shown that voluntary cybersecurity programs that government has offered to critical industry aren’t sufficient. So, the administration will likely take some flak for recommending yet another voluntary program

The Transportation Security Administration offered voluntary cybersecurity reviews for pipelines, for example. But Colonial Pipeline never took advantage of the program before it was hit by a major ransomware attack that disrupted gas supplies in the Southeast and set off panic buying.

The TSA moved last week to impose mandatory cyber protections for pipelines. But officials say they lack the authority to impose such requirements across the board for industries vital to U.S. economic and national security

“The absence of mandated cybersecurity requirements for critical infrastructure is what in many ways has brought us to the level of vulnerability we have today,” the senior administration official said. “We're committed to addressing it. We're starting with voluntary as much as we can because we want to do this in full partnership. But we're also pursuing all options we have in order to make [the] rapid progress we need.”

The new guidelines will be developed by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Commerce Department’s National Institute of Standards and Technology. 

A separate part of the memorandum will formalize a Biden administration program aimed at improving the cybersecurity of industrial control systems that operate pipelines, dams and some manufacturing. 

One goal of the program is to prevent hackers that breach those organizations’ front-end computer systems from jumping to mechanized industrial systems that would allow them to open dams, shut down electric grids and cause other havoc. 

If the administration wants more authority for cyber mandates, Congress may be receptive. 

Lawmakers yesterday pressed for a stronger government role in companies’ cybersecurity during a Senate Judiciary Committee hearing. 

Sen. Sheldon Whitehouse (D-R.I.) went further than most of his colleagues, specifically calling for cyber mandates for critical infrastructure. 

We don't have to regulate everybody in the world, but if you're critical infrastructure we should no longer tolerate this voluntary regime with big companies who know that their infrastructure is critical and who fail,” he said. 

Whitehouse called the voluntary standards imposed on pipelines before the Colonial Pipeline hack “a total face-plant failure.” 

Other lawmakers were less bullish but called for new requirements that would mandate critical infrastructure companies report to the government anytime they’re hacked. A bill that would do that has already been introduced in the Senate. 

Witnesses from the FBI, the Justice Department and CISA all backed such proposals though not the specific legislation, as my colleague Gerrit De Vynck reported

Such reporting would give the government a far better sense of the scope of cyberattacks against critical companies, which often go unreported. It would also make it easier for the government to share information with companies about cyber threats. 

“The government and Congress does not have a full picture of the threat facing companies. Congress should enact legislation to require victims to report,” said Richard Downing, a deputy assistant attorney general at Justice.

The keys

Biden slammed Russian disinformation efforts ahead of 2022 elections. 

The president criticized “what Russia is doing already about the 2022 elections and misinformation” but it isn't clear whether he was briefed on a specific threat targeting the midterm elections. 

Biden called the efforts a “pure violation of our sovereignty” during a speech at the Office of the Director of National Intelligence. A senior administration official declined to clarify the president's comments.

Biden also warned that cyber conflict could escalate into traditional warfare

“We’ve seen how cyber threats, including ransomware attacks, increasingly are able to cause damage and destruction in the real world,” he said. “I can’t guarantee this, and you’re as informed as I am, but I think it’s more likely we’re going to end up, if we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence.”

NSO Group’s owner is in disarray, raising questions about the spyware company’s future.

Investors in private equity firm Novalpina voted to take control of the fund that includes NSO Group from its managers this month. The fund could be liquidated or handed over to a third party by Aug. 6, Kaye Wiggins and Anna Gross of the Financial Times report. The firm has reportedly grappled with an internal power struggle for months.

The news comes as NSO Group is facing fallout from reports by The Washington Post and16 media partners that its Pegasus spyware targeted journalists and human rights advocates. The Novalpina conflict isn’t related to the Pegasus Project investigation but could be a consideration for potential owners of the Israeli spyware company. Novalpina did not respond to a request for comment.

Israeli Defense Minister Benny Gantz is set to discuss the spyware reports today with his French counterpart, Reuters reports. French President Emmanuel Macron’s phone number was on a list of 50,000 phone numbers that included Pegasus targets, our colleagues reported. NSO Group has repeatedly disputed the findings.

A high-ranking Republican in Wisconsin is pushing against a Maricopa County-style audit in his state. 

Wisconsin Assembly Speaker Robin Vos declined to commit to providing resources for a “comprehensive, forensic examination” that another Republican lawmaker is calling for, Scott Bauer of the Associated Press reports. Vos said two ongoing reviews of the state’s election results are sufficient.

The disagreement comes as allies of former president Donald Trump are pressuring Republican lawmakers around the country to review 2020 election results. Wisconsin’s nonpartisan Legislative Audit Bureau is conducting one of the reviews. Vos also hired two retired police officers to review the election results along with a former judge. Taxpayers are footing the bill.

The cost of data breaches hit a record high from May 2020 to March 2021, IBM says.

The average cost of data breaches has increased by 10 percent since last year, IBM Security said in its annual Cost of a Data Breach Report. It's the largest increase in seven years.

The health-care industry has faced the most costly data breaches for the past 11 years, according to the report. Ransomware breaches cost organizations an average of $4.62 million, around $400,000 more than the average across all breaches, the report found. 

The report was conducted with the Ponemon Institute and looked at more than 500 organizations. 

Industry report

Cybersecurity firms excluded Colorado applicants from remote work positions after the state mandated pay transparency.

At least five technology and cybersecurity firms posted security-related jobs that excluded remote workers from Colorado, CyberScoop’s Tonya Riley reports. The move came after Colorado's 2019 Equal Pay For Equal Work Act, which required employers to be transparent about pay in job listings.

Advocates for pay transparency say opacity perpetuates systems in which women and minorities earn less than White men. 

Government scan

National security watch

Cyber insecurity

Mentions

  • The Semiconductors in America Coalition, which is made up of major companies that manufacture and use chips, is calling for congressional leaders to ensure that $52 billion in funding for the CHIPS for America Act makes it to President Biden’s desk for his signature.

Daybook

  • Homeland Security and cybersecurity officials are set to speak on the second day of the Building Resilience Through Private-Public Partnerships Conference today.
  • Deputy national security adviser Anne Neuberger and top Australian, Indian and Japanese officials speak at the Quad Open RAN Forum today at 8 a.m.
  • The House Armed Services Committee’s cybersecurity subcommittee discusses the annual defense authorization bill today at 10 a.m.
  • The House Committee on House Administration holds a hearing on election subversion and integrity today at noon.
  • Palo Alto Networks hosts an event on the Technology Modernization Fund today at 2 p.m.
  • A House Homeland Security Committee panel holds a hearing on the cybersecurity workforce on Thursday at 10 a.m. 
  • Former CISA director Chris Krebs speaks at a Washington Post Live event on Thursday at 3:30 p.m.
  • The Atlantic Council holds an event on why the United States needs a Bureau of Cyber Statistics on Aug. 2 at 2:30 p.m.
  • Neuberger speaks at the Aspen Security Forum on Aug. 4.

Secure log off