Welcome to The Cybersecurity 202! The last time I wrote about a security incident in my home state of Iowa, everyone was angry at a company named Shadow and no one had any idea who won the caucuses. Seems like a decade ago. 

Below: Senators want answers about an FBI delay in helping ransomware victims and CISA is out with its first set of cybersecurity guidelines for critical infrastructure.

Russian hackers are defining for themselves what counts as “critical” industry

During a June faceoff with Russian President Vladimir Putin, President Biden threatened retaliation if Russian hacking gangs don't steer clear of U.S. critical infrastructure.

Now Biden's commitment is being debated amid a ransomware attack gumming up operations at an Iowa grain cooperative – an operation that's small, yet still part of the critical agriculture sector.

And BlackMatter, the Russian criminal hacking gang that hacked New Cooperative in Fort Dodge, Iowa, has even appeared to mock the cooperative's claim that it counted as critical infrastructure in an online chat, warning “everyone will incur losses.” (Analysts at Recorded Future observed and screenshotted the chats.) Agriculture is one of 16 sectors the Department of Homeland Security has officially listed as critical. Others include health care, financial services and energy. 

Little guy

But here’s the problem: New Cooperative doesn’t look particularly critical to the casual observer. It manages only a small portion of the Iowa corn market. And the cooperative quickly developed workarounds, such as using paper sale tickets, that limited any broader impacts that might affect food prices, as Jacob Bogage reports.

That puts the Biden administration in an awkward spot. 

On one hand: The attack is less damaging than dozens of other ransomware hacks that have hit schools and small businesses in recent months without prompting any significant attention from the federal government. 

On the other hand: It represents a direct provocation from one of the United States’ toughest adversaries. U.S. officials say Russia-based ransomware gangs don’t work on behalf of the Russian state but operate with the Kremlin’s tacit approval. 

“A lot of people probably had the same reaction, that New Cooperative doesn’t really look like critical infrastructure. But it’s not my call. The government has declared it critical infrastructure,” Allan Liska, director of threat intelligence at the cybersecurity firm Recorded Future, told me.

The threat could also grow quickly, Liska noted, pointing to a ransomware hack against another agriculture cooperative this weekend in Mankato, Minn. 

“If you start seeing many of these small coops get hit, that could have a big impact on the food chain,” he said. It's unclear at this point if there's any connection between the two hacks. 

Dmitry Smilyanets, a cyber threat analyst at Recorded Future, posted screenshots of the leaked communication between the hackers and New Cooperative.

Where's CISA?

The government’s reaction so far has been muted

The Cybersecurity and Infrastructure Security Agency, which helps private companies recover from cyberattacks, said in a statement that it was in “close contact” with New Cooperative and had offered assistance.

Agriculture Secretary Tom Vilsack urged other agriculture cooperatives to harden their defenses against cyberattacks during a speech.

“We want to make sure during this harvest that we don’t have any additional disruptions as a result of systems being hacked,” he said, per Bloomberg.

Changing definitions

BlackMatter, the group that hacked New Cooperative, has been far more verbose

As we noted earlier, its online chat appeared to mock the cooperative’s claim that it counted as critical infrastructure. BlackMatter and some other ransomware groups have periodically pledged to steer clear of critical infrastructure — or of particular components of it, such as hospitals. But they invariably apply their own definition of what’s critical rather than the U.S. government’s. 

“Ransomware actors are liars. They’ll hit whatever they can,” Liska told me. “Maybe they’ll say they don’t hit hospitals, but they’ll hit clinics and things like that.”

BlackMatter has a particularly checkered past on the topic.

Cybersecurity analysts say the group is effectively a reconstituted version of the DarkSide gang, which disbanded after its ransomware attack against Colonial Pipeline prompted huge U.S. government blowback. Pipelines fall under the energy and transportation systems sectors, two more of the 16 officially designated critical infrastructure sectors. 

The attack caused brief fuel shortages in the southeastern United States and was a key instigator for Biden’s warning to Putin in June. 

In the wake of the attack, the Transportation Security Administration imposed new cybersecurity requirements on pipeline operators and the FBI launched an operation that clawed back more than $2 million of the ransom Colonial paid. 

Our colleagues are launching a new initiative to provide trusted advice about personal technology: Help Desk.

They’ll be writing how-tos, step-by-step guides, deep dives on your data and truly independent reviews to “answer the important questions: How does tech impact your privacy, your security, your family, your health, the environment and — yes — even democracy?,” technology columnist Geoffrey A. Fowler writes. 

The Help Desk team’s first reports are essential:

  • The iPhone’s antitracking protections are nowhere near as comprehensive as Apple’s marketing suggests. An investigation by researchers at privacy software firm Lockdown and The Washington Post shows that apps continue to send data to third-party trackers even when you tap the “ask app not to track” feature. Read more here.
  • Confused about the settings you should change to stay on top of your privacy? Our colleagues have you covered here.

The keys

Senators to probe FBI’s decision to delay helping victims in the Kaseya ransomware hack

The FBI waited almost three weeks to share a decryption key with those victims while it planned an operation against the hacking group REvil, our colleagues Ellen Nakashima and Rachel Lerman reported. Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) will call for “a better understanding” of how the U.S. government balances investigations of hackers against the needs of victims, according to Peters’s opening statement, which The Cybersecurity 202 obtained ahead of this morning’s hearing.

Rep. Jim Langevin (D-R.I.) pressed FBI Director Christopher A. Wray on the delay during a House Homeland Security Committee hearing Wednesday.

Peters will also promote legislation to require more companies to alert the government when they're hacked

And he will stress the need to update cybersecurity laws to clarify CISA’s authority to respond to hacks on federal networks. Peters is working on both pieces of legislation with the committee’s top Republican, Sen. Rob Portman (R-Ohio).

Cybersecurity officials plan to discuss the implementation of President Biden’s cybersecurity executive order during the hearing:

  • CISA Director Jen Easterly will talk about workforce issues and the agency’s Joint Cyber Defense Collaborative, according to a CISA official.
  • Federal Chief Information Security Officer Chris DeRusha will talk about implementing “zero trust” principles in federal technology, a model that grants no implicit trust based on where a user or device sits on the network and instead requires every access request to be authenticated and authorized.

The Biden administration issued new cyber guidance for critical infrastructure firms

The voluntary guidance is aimed at ensuring companies in energy, transportation and other vital industries all meet minimum baseline cybersecurity standards. It comes amid a surge in ransomware attacks and concern that such attacks could do major damage to the economy or national security. 

The White House has signaled it may push to make the new standards mandatory if companies remain underprotected. But that would require authorizing legislation from Congress, officials say. Biden ordered agencies to develop the security goals in a July national security memorandum.

The guidance itself is described as preliminary and was issued by the departments of Commerce and Homeland Security. It comprises nine big-picture security goals and a series of related objectives, mostly culled from existing federal cybersecurity recommendations.

Election security advocates want to speed up new standards for voting machines

The fight centers on new Election Assistance Commission voluntary voting machine security standards that have been in development for years. Major election vendors say new machines that meet those upgraded standards won’t be ready until 2024 or later.

The security advocates say the EAC should “reject policies that would…continue to delay the transition," according to a letter shared with The Cybersecurity 202. The letter comes amid widespread scrutiny of voting machine security after the 2016 and 2020 elections and a crush of partisan, baseless claims about election fraud that have lowered public confidence.

“History shows that the EAC is only too willing to cave to the voting system vendors and allow the vendors to successfully avoid testing their systems to more rigorous standards, while still obtaining a ‘federally certified’ designation,” said Free Speech For People Senior Advisor on Election Security Susan Greenhalgh.

Signatories of the letter include, among others:

  • Princeton University Prof. Andrew W. Appel
  • Georgia Tech Prof. Richard A. DeMillo
  • University of Michigan Prof. J. Alex Halderman
  • New York State Board of Elections co-chair Doug Kellner
  • Technologist Bruce Schneier

Global cyberspace

Lithuanian cybersecurity experts warned against using phones made by Huawei and Xiaomi

The country’s National Cyber Security Center said it found four major privacy and cybersecurity issues with devices made by the two Chinese companies, the Associated Press’s Liudas Dapkus reports. The center also warned that Xiaomi apps receive lists of words to censor, though the feature was disabled on the phones it inspected.

The U.S. government has long pushed allies to restrict use of Huawei and other Chinese companies’ technology, citing their ties to Beijing. 

Xiaomi said its devices “do not censor communications to or from its users” and comply with European privacy regulations. A Huawei spokesperson in the country denied the allegations.

On the move

  • President Biden has named Google Cloud Chief Information Security Officer Phil Venables as a member of the President’s Council of Advisors on Science and Technology. 

Daybook

  • National Cyber Director Chris Inglis and International Telecommunication Union official Doreen Bogdan-Martin participate in an American University event today at 9 a.m.
  • Inglis, CISA Director Jen Easterly and Federal Chief Information Security Officer Chris DeRusha testify before the Homeland Security and Governmental Affairs Committee today at 10:15 a.m.
  • The Silverado Policy Accelerator hosts an event on the United States’ Russia policy today at 1 p.m.
  • The Pentagon’s cyber commanders participate in the Joint Service Academy Cybersecurity Summit today at 3 p.m.
  • Easterly and others speak at the Aspen Cyber Summit on Sept. 29.

Secure log off

Democracy sure can be messy. Thanks for reading. See you tomorrow.