Welcome to The Cybersecurity 202! We’re relaunching with a new look today, including more useful visuals and easier sharing. Here’s what’s not changing: Our focus on bringing you the best cyber news and analysis every weekday morning. 

Let the team know what you think here. You can hit me up on Twitter as always. 

Our other 202 newsletters are getting a new look as well. Check out The Early 202, previously Power Up, from Jacqueline Alemany and Theodoric Meyer for an early-morning roundup of the best political reporting from Capitol Hill to K Street. 

Below: A mysterious Trump-era cyber program has ended. Hackers are publishing reams of schoolchildrens information.

Some in the GOP are joining Democrats to try to shield CISA from partisan politics

The government’s top cybersecurity office became a political football in the final days of Donald Trump’s presidency.

Now a bipartisan group of lawmakers is proposing a five-year term for its director, as a way of lessening political influence.

The typically nonpolitical Cybersecurity and Infrastructure Security Agency was caught in a fierce battle late in the Trump administration, as Trump repeatedly disputed his election loss without any hard evidence.

Trump fired CISA Director Chris Krebs by tweet less than two weeks after Joe Biden was declared the winner and after Krebs joined other top government officials in declaring the election to be the “most secure in history.” Legislation to cement the CISA director's term was already in the works before Krebs's firing, but lawmakers said the incident exemplified why it's needed.

"Trump’s firing of Chris Krebs screams loud and clear why the CISA director needs to be insulated from politics,” Rep. Jim Langevin (D-R.I.), a sponsor of the House version of the bill, told me. “It should raise everybody’s eyebrows if a CISA director is removed in that way.” 

The bill wouldn’t prevent such a firing in the future. But it sets down a marker that Congress doesn’t want a president’s political interests interfering with the government’s cybersecurity mission. 

Office overlap

It would also ensure that a CISA director appointed by one president would end up serving his or her successor

“A five-year term strikes the right balance of providing stability and continuity across administrations,” Rep. Andrew R. Garbarino (R-N.Y.), lead sponsor of the House bill, told me. “Cybersecurity is critical to our national security so we can’t afford sudden turnover at the helm of our nation’s lead federal civilian cybersecurity agency.” 

  • The House bill is also sponsored by House Homeland Security Chairman Bennie Thompson (D-Miss.), the committee’s top Republican John Katko (N.Y.), Rep. Yvette Clark (D-N.Y.), chairwoman of the committee’s cyber panel, and Reps. Ralph Norman (R-S.C.), and Mike Gallagher (R-Wis.).
  • A bipartisan Senate bill introduced in July would also give the CISA director a five-year term, among several other provisions. 
Becoming law?

A similar measure failed to become law last year but the sponsors are hopeful the strong bipartisan backing will help push it through this year. Plus, the measure is less politically loaded than last year, when it came up for a vote after Trump had already fired Krebs and was disputing the election results. 

Sponsors of both the House and Senate bills served last year on the Cyberspace Solarium Commission, a congressionally led group that advocated a major overhaul of how the government manages cyber threats – and included a five-year term for the CISA director among its recommendations.

CISA influence

For years before the election, CISA had helped state and local governments improve their election security. The agency also ran a “rumor control” website that debunked some of the false election-fraud claims made by Trump and his supporters.

Now CISA is taking on an ever-larger slate of responsibilities — spurred by a wave of damaging cyberattacks against government and industry.

  • The agency is partnering with the Transportation Security Administration to impose new cybersecurity requirements on oil and gas pipelines. 
  • It’s also playing a lead role developing voluntary cybersecurity standards for more than a dozen other industry sectors that the Department of Homeland Security has deemed “critical infrastructure.” 

CISA, launched in 2018, has been broadly popular among Democrats and Republicans alike

That bipartisan support could change, however, as the agency’s responsibilities multiply and if it wades into more controversial territory.

Election security, for example, was a major point of contention before the 2020 election, with Democrats pushing mandated security measures that Republicans said would violate states’ authorities to run elections. 

CISA managed mostly to steer clear of that conflict by avoiding the most partisan aspects and rarely directly contradicting Trump’s baseless speculation about election fraud. Since then, Krebs has become an outspoken critic of Republican-led partisan election reviews in Arizona and elsewhere.

“Cybersecurity is an issue that impacts all Americans and is inherently bipartisan,” Garbarino told me. “The goal of this bill is to provide stability and continuity across administrations.” 

The keys

A mysterious Pentagon program that handed over 6 percent of the Internet on Trump’s last day in office has ended

The program ended as mysteriously as it began, with the Pentagon retaking control of 175 million IP addresses from a Florida company, Craig Timberg reports. The addresses are now being overseen by two Pentagon divisions, the Department of Defense Information Network and part of U.S. Cyber Command, according to the Pentagon.

The addresses are valuable Internet real estate. It’s not clear what the pilot program did or why it ended. Global Resource Systems, the Florida company that got control of the IP addresses, was just a few months old at the time of the handover. The company has not responded to requests for comment.

The Pentagon previously said the program was designed to detect “vulnerabilities” and “prevent unauthorized use of DoD IP address space.” Pentagon spokesman Russell Goemaere said the transfer on Jan. 20 was “agnostic of administration change” and launched “when the required infrastructure was in place.”

Hackers have published the personal information of millions of schoolchildren

Ransomware groups have published some of the data they acquired from waves of breaches on U.S. schools, Kevin Collier of NBC News reports. Some schools are often unaware of the extent of the leaks — and parents can do little to limit the damage.

Leaked data has included information such as Social Security numbers, which can make children vulnerable to identity theft. The data also includes sensitive information such as whether students have been homeless, economically disadvantaged or flagged as potentially dyslexic.

WhatsApp will allow users to encrypt their backups

The move closes a loophole that had made the otherwise encrypted chats accessible to hackers or to law enforcement with a warrant once they’re backed up in a third-party system. Facebook-owned WhatsApp will begin making the feature available on Apple and Android devices in coming weeks, CyberScoop’s Tonya Riley reports

Law enforcement agencies have seized unencrypted WhatsApp backups to get access to messages that would otherwise be more difficult to obtain. For example, investigators in 2018 got a trove of messages belonging to former Trump presidential campaign chairman Paul Manafort that Manafort had backed up to iCloud.

Chat room

James Lewis has convinced us that a contest is, indeed, called for. 

Please tweet me your best and/or most outrageous cyber-analogies in the mold of “cyber 9/11” or “cyber Pearl Harbor.” The best entries will get bragging rights and appear in this space next week. 

The rules: Entries must use the prefix “cyber” and must refer to an event or problem that could happen in the real world. An explanation of that real-world situation must appear next to the definition. E.g.: “‘The cyber-assassination of a cyber-Franz Ferdinand.’ A comparatively innocuous cyber event that snowballs into something far more cataclysmic.” 

Industry report

Moody’s is trying to make it easier for investors to pick companies based on cybersecurity risk

The company will invest $250 million in cybersecurity risk-rating firm BitSight and BitSight will acquire VisibleRisk, a joint venture it started with Team8. The investments come as ransomware and other cyberattacks are increasingly hitting major companies in an ecosystem with sparse data for investors to weigh those risks.

Correction: This item has been updated to state that Bitsight is acquiring VisibleRisk. 

Global cyberspace

A think tank is calling on the U.S. government to step up the security of undersea cables

The cables that carry large amounts of Internet traffic between nations have cybersecurity risks that make them vulnerable to hacking and spying, the Atlantic Council’s Justin Sherman writes. Chinese companies manage some cables, raising the risks of spying or hacking by Beijing, he warns. Companies are also using increasingly complex technology to monitor and control the cables. That software makes the cables more vulnerable to hacks or other disruptions, Sherman writes. He recommends that:

  • The Biden administration set up and promote baseline cybersecurity requirements and best practices for the cables
  • The FCC boost the resources it puts into cable security 
  • The State Department work with allies to promote cable resilience and promote norms that countries shouldn’t disrupt cables
  • Cable owners set up groups to share information on cyber threats
  • Major technology companies publish strategies for protecting cables

Government scan

National security watch

Encryption wars

Daybook

  • Director of National Intelligence ​​Avril Haines, Gen. Paul Nakasone, who leads the National Security Agency and U.S. Cyber Command, National Cyber Director Chris Inglis and others speak at the two-day Intelligence and National Security Summit, which begins today.
  • Chris Krebs, former head of the Cybersecurity and Infrastructure Security Agency, keynotes the Insider Risk Summit on Tuesday.
  • Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, and Google executive Jeanette Manfra, a former CISA official, discuss cybersecurity at a Washington Post Live event on Tuesday at 12:30 p.m.
  • Stanford University’s Program on Democracy and the Internet hosts a webinar on E.U. technology and cybersecurity proposals on Thursday at noon.
  • Rep. Jim Langevin (D-R.I.), Southern Company chief executive Tom Fanning and others discuss cyber threats to critical infrastructure at a Carnegie Endowment for International Peace event on Friday at 12:30 p.m.

Secure log off

Thanks for reading. See you tomorrow.