The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Congress is finally going big on cyber

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! There's something strange about this edition. 

Below: A partisan audit in Maricopa County doesn't show the election was stolen and French government officials were targeted with Pegasus spyware. 

Cybersecurity legislation is all the rage these days

After years of minimal effort on major cyber legislation, Congress is suddenly champing at the bit to get big, bold things done.

And the government’s top cyber officials are cheering them on

Members of the Senate Homeland Security Committee jawboned over two major forthcoming pieces of cyber legislation during a hearing yesterday. 

  • A bill requiring companies in critical sectors to promptly alert the Cybersecurity and Infrastructure Agency (CISA) when they’re hacked — CISA would then share that information with other companies that might be in danger
  • And a full rewrite of the major law governing federal information security requirements and procedures

They both have a solid chance of becoming law and would be among the most consequential cyber bills to make it through Congress in half a decade. 

The reason: A wave of economy-rattling ransomware attacks has created a greater sense of urgency about cybersecurity in Washington than ever before. 

Momentum

It’s a palpable shift from recent years

The last time Congress significantly expanded government involvement in private sector cybersecurity was in 2015. That law merely gave companies cover to voluntarily share cyberthreat information with the government without risking extra legal liability — and it took more than two years of haggling and wrangling before it finally became law. 

Leaders of the Homeland Security Committee had pushed a bill that mandated some cyber information sharing in 2012, which crashed and burned in the Senate. In the years since, the idea of such a bold bill was nearly unthinkable — until now.

Even a comparatively meek 2018 law that gave CISA its current name and some elevated authorities took more than a year of effort before passage. 

Thumbs-up

CISA Director Jen Easterly and National Cyber Director Chris Inglis full-throatedly endorsed all the legislative proposals.

“This is about a paradigm shift in how we protect the federal cyber ecosystem,” Easterly declared during the hearing. 

They were also eager to dig into the nitty-gritty of the bills. 

On the bill requiring industry to report cyber incidents, Easterly urged Homeland Security Chairman Gary Peters (D-Mich.) and ranking Republican Rob Portman (Ohio) to give CISA extra leeway in determining how quickly companies must report hacks and what information they need to share. 

Cyber analysts have warned that asking industry to report too much information about hacks too quickly can lead to reports with little valuable information for CISA to pass on to other companies that might be in danger. 

“What we don't want is to have CISA overburdened with erroneous reporting. And we don't want to burden a company under duress when they're trying to actually manage a live incident,” Easterly said. “Erroneous noise is not what we need. We need signal.”

Inglis and Easterly also urged imposing fines on companies that fail to report cyber incidents. 

Easterly had a checklist of advice for committee leaders as they rewrite the federal government’s cybersecurity rules. The Federal Information Security Management Act dates back initially to 2002. It was last updated in 2014. 

Per Easterly, the bill should:

  • State clearly that CISA is the lead civilian cybersecurity agency
  • Ramp up accountability for federal agencies to invest in cybersecurity protections and qualified cyber staff
  • Create more rigorous cybersecurity standards that go beyond box checking

The keys

Partisan Arizona audit doesn't show a stolen election 

Drafts of the report on the partisan audit in Maricopa County, Ariz., show the auditors did not find any votes stolen from former President Donald Trump, The New York Times's Jack Healy, Michael Wines and Nick Corasiniti report

In fact, the auditors tallied 99 additional votes for President Biden and 261 fewer for Trump. 

But take those tallies with a big grain of salt. Election experts have skewered the audit for poor methodology, inadequate chains of custody for ballots and voting machines and abysmal cybersecurity practices. The CEO of the the firm running the audit, Cyber Ninjas, had openly embraced conspiracy theories touted by Trump and his supporters that the election was stolen. 

The results will be formally presented to the Arizona Senate, which hired Cyber Ninjas, this afternoon. The New York Times obtained advance copies being circulated among Arizona lawmakers. 

The report's release will close one chapter in the saga, but its findings are bound to raise additional questions about the Cyber Ninja’s dubious methodology and questionable procedures. Despite the criticisms, imitators of the Cyber Ninjas have popped up across numerous battleground states. 

The phones of five French government ministers were infected with NSO Group’s Pegasus spyware

The spyware would have allowed one NSO Group's government and law enforcement client to turn the phones into remote eavesdropping devices. It comes on the heels of revelations that the spyware infected dozens of phones belonging to journalists, human rights activists, business executives and others across the globe.

The news is bound to increase scrutiny of NSO and other private cybersurveillance firms in Europe and elsewhere, Michael Birnbaum reports. All five of the ministers’ phone numbers were on a list of more than 50,000 numbers obtained by The Washington Post and 16 media partners and reviewed for evidence of hacking.

The ministers of education, territorial cohesion, agriculture, housing and overseas were all infected. None held those positions at the time they were added to the list, though they were all in the cabinet.

France’s security agencies found traces of the spyware on the ministers’ phones, according to France’s Mediapart news outlet. It’s not clear who targeted them. The ministers, France’s presidential palace and digital security agency all declined to comment.

A hacking group is targeting hotels and other victims in an espionage campaign

The FamousSparrow hacking group has targeted victims since 2019, the Record’s Catalin Cimpanu reports. The group has also targeted governments, international organizations, and engineering and law firms, cybersecurity firm ESET said.

It’s not clear who is behind the hacking gang, which used sophisticated techniques normally attributed to state-sponsored groups.

The group launched cyberattacks on Microsoft email servers soon after Microsoft announced a vulnerability in their software. It was one of the first major hacking groups to do so.

Hill happenings

The House passed a defense bill teeming with cybersecurity measures

The bill has dozens of cybersecurity and related provisions, including one to shield the CISA director from politics with a five-year term. The Senate is considering its own version of the mammoth annual bill. 

Other notable provisions include:

  • A requirement that the State Department produce an annual report on sales of hacking tools to foreign governments with questionable human rights records
  • A ban on federal agencies weakening encryption or getting companies to add back doors to software
  • A measure boosting transparency about the government’s decision-making process about saving or disclosing software vulnerabilities
  • The establishment of a National Cyber Exercise Program at CISA
  • Changes at the Department of Homeland Security and CISA, including a State and Local Cybersecurity Grant Program and potential bug bounty programs
  • A requirement that potential DHS contractors provide lists of software components that their contracts rely upon
  • A once-per-three-year assessment for CISA to provide Congress showing that its programs are innovative and ahead of threats

More on the defense bill here from Karoun Demirjian.

Government scan

U.S. intelligence agencies use ad blockers

The intelligence community is using ad blocking software on a vast scale, a top intelligence official told Sen. Ron Wyden (D-Ore.), according to a letter obtained by Motherboard’s Joseph Cox. It comes amid concerns about the security risks in some ads. Some ads are used to deliver malware. Advertisers and data brokers can also collect data on and track Americans through online ads. 

NSA Cybersecurity Director Rob Joyce confirmed the report:

CISA release draft guidance for agencies’ transition to IPv6 (NextGov)

Cyber insecurity

Hackers breached computer network at key US port but did not disrupt operations (CNN)

He escaped the Dark Web's biggest bust. Now he's back (Wired)

2021 has broken the record for zero-day hacking attacks (MIT Technology Review)

Industry report

ExpressVPN employees question company about exec working for UAE spy unit (Motherboard)

Hikvision, HWG deceive FCC about new critical vulnerability (IPVM)

Global cyberspace

Quad leaders to deliver on vaccines, infrastructure, tech -U.S. official (Reuters)

On the move

  • Edward Perez will be launching a new team at Twitter focused on protecting healthy Twitter conversations about elections and civic life. He was previously global director of technology development at OSET Institute, a nonprofit election technology organization. Perez will also be joining OSET’s board. 
  • Camille François is stepping down as chief innovation at Graphika for her “next professional adventures.” She will chair the firm’s advisory board.

Chat room

A chat log between a ransomware group and unidentified third party went semiviral. Rep. Jim Langevin (D-R.I.):

CISA's Anne Cutler:

Former CISA Director Chris Krebs:

Strangely, it was a double Ghostbusters day in CISA Twitter. CISA Director Jen Easterly:

Yes, there's a backstory from yesterday's hearing.

Daybook

  • Verizon senior vice president and Chief Information Security Officer Nasrin Rezai and McKinsey & Company senior partner Steve Van Kuiken discuss cloud computing and cybersecurity at a Washington Post Live event on Sept. 27 at 12:30 p.m.
  • The Senate Homeland Security and Governmental Affairs Committee holds a hearing on replacing legacy government IT systems on Sept. 28 at 2:30 p.m.
  • CISA Director Jen Easterly and others speak at the Aspen Cyber Summit on Sept. 29.
  • Customs and Border Protection and Department of Homeland Security officials discuss facial recognition technology at a Center for Strategic and International Studies event on Sept. 29 at 3 p.m. 
  • Department of Homeland Security officials testify before the House Homeland Security Committee on Sept. 30 at 2 p.m.

Secure log off

Empty your heads. Don't think of anything. Thanks for reading. See you Monday.

Loading...