Welcome to The Cybersecurity 202! This must be a particularly French way to protest. 

Below: Apple's sorry about long waits on bug reports and California is the latest state to offer mail voting by default. 

Companies fear overbearing cybersecurity regulations

The tech industry association ITI laid out a softer vision yesterday of how companies should have to report cyberattacks to the federal government.

Its goal: to rein in a bipartisan congressional effort to require companies to alert the government when they’re hacked, which would amount to one of the most significant increases in cybersecurity requirements for industry in years.

The various pieces of legislation share a primary goal: To give the Cybersecurity and Infrastructure Security Agency (CISA), which would receive the reports, better insights about a wave of blistering cyberattacks that have hit critical industry sectors and U.S. government agencies in recent months. CISA would share information from those reports back to industry to help better protect them against future hacks. 

There are two versions of the bills and at least one more in the works. They vary widely, however, in the sorts of cyber incidents companies would have to report to CISA and how quickly the reports would have to come in. 

Industry asks

ITI laid down a marker yesterday for less onorous requirements. The group, which represents Amazon, Google and a slew of other top companies, is pushing for:

  • Only reporting incidents in which companies have verified hackers breached their networks.
  • Giving at least a 72-hour window before those reports must come in.

The list of recommendations is a frontal assault on the first Senate bill, which was sponsored by Intelligence Committee Chairman Mark Warner (D-Va.) and the committee’s top Republican, Marco Rubio (Fla.), among others. That bill called for reports within 24 hours and would require companies to make such reports even if they aren’t sure hackers actually penetrated their computer networks.

The strict requirements have given heartburn to some in the industry who say a time frame of 24 hours is too fast for companies to have useful information about a breach. They warn the requirement could end up stealing valuable time from cyber workers that would be better spent investigating. 

It could also flood CISA with half-baked reports that don’t actually illuminate anything about cyber threats, they warn. 

“I understand why there’s a push to get more information, but getting too much information could be even worse if it places too much burden on industry,” Ari Schwartz, an Obama-era White House cybersecurity official who now works for the law firm Venable, told me. “They need to get to the right balance.”

Warner’s office didn’t respond to a request for comment about the ITI recommendations. 

Uh-oh

The dispute could spell trouble for the bill. Previous efforts to expand government's role in cybersecurity have gotten bogged down for years or scuttled entirely by fights over how much government should require of industry and how to protect company and customer privacy. 

The House version of the bill is far less proscriptive

It would kick most of the big questions about which cyber incidents should be reported to CISA. But it would block the agency from requiring reports faster than 72 hours after a company verifies that a breach occurred.

That bill, sponsored by Rep. Yvette Clarke (D-N.Y.), passed the House last week as part of a major defense policy measure. 

The Warner bill would apply to companies in critical infrastructure sectors, such as energy and finance, and to government contractors and cybersecurity companies. The House bill would focus on critical infrastructure. 

The big wild card

Senate Homeland Security Chairman Gary Peters (D-Mich.) and the committee’s top Republican, Rob Portman (Ohio), are working their own version of the bill. Details of that bill aren’t out yet. 

CISA Director Jen Easterly urged something like a compromise position in testimony before that committee last week. 

She said reports should come in “ideally within 24 hours of detection.” But she also pushed for flexibility for CISA to change requirements based on what the agency learns works best. 

She stressed the agency doesn’t want to put undue burdens on industry or to gather information that’s not ultimately useful. “What we don't want is to have CISA overburdened with erroneous reporting,” she said. “And we don't want to burden a company under duress when they're trying to actually manage a live incident.”

The keys

Apple apologized to a security researcher who said the company “ignored” his reports about iPhone bugs

The company told Denis Tokarev in an email that it’s “still investigating” the iPhone security vulnerabilities he wrote about in a blog post last week, Motherboard’s Lorenzo Franceschi-Bicchierai reports. Tokarev went public about the three vulnerabilities after months of waiting for the company to fix them.

Apple declined to comment.

The high-profile dispute comes just days after Apple publicly released the latest iteration of its iPhone operating system. Security researchers say Apple is slow to fix bugs and doesn’t always pay what they believe they’re owed, my colleague Reed Albergotti reported this month.

Twitter analysis from Maurice Turner, cybersecurity fellow at the German Marshall Fund’s Alliance for Securing Democracy:

CISA is mulling “guerrilla marketing” and working with social media influencers 

The cybersecurity agency is thinking about participating in Comic-Con and South by Southwest in an effort to promote its cybersecurity graphic novels, Politico’s Sam Sabin reports.

“We need interesting content, we need to be compelling,” National Risk Management Center Director Bob Kolasky said.

The marketing blitz is part of an effort to educate the public about disinformation and Russian Internet trolls in the lead up to the 2022 election. The agency released its first graphic novel in the run up to the 2020 contest.

Details from CISA:

California will become the eighth state to have mail-in voting by default

All the state’s registered voters will automatically receive a mail ballot in 2022 and future elections under a bill signed into law by Gov. Gavin Newsom (D). A surge in mail voting was widely credited with helping voters cast ballots safely and securely in 2020, but many states that temporarily expanded mail voting have limited it again since the election. 

California's move stands in stark contrast to Republican leaning states that have passed additional voting restrictions since the election, such as Florida, Texas, Georgia and Arizona. 

The California bill also expands the use of software that helps voters track their ballots, the Los Angeles Times’s John Myers reports

The law will go into effect in January. It applies to both statewide and local elections in California, the largest state by population.

Securing the ballot

CISA wants to see a sealed report on Georgia voting vulnerabilities 

The expert report was submitted as part of a long-running lawsuit challenging the state’s use of voting machines known as ballot marking devices (BMDs). The federal judge in the case sealed the report out of apparent concern it could fuel conspiracy theorists who falsely claim the 2020 election was rigged against former President Donald Trump, The Daily Beast’s Shannon Vavra reports.

The report only focuses on potential future election interference.

But the sealed report has drawn interest from CISA, which helps states protect their elections against hacking, and from states that also use BMD voting machines.  

The author of the sealed report, University of Michigan computer science professor J. Alex Halderman, has corresponded with CISA about it and asked the court’s permission to share it with federal officials, Shannon reports. 

Election security advocates are generally split on BMDs. Some argue they create additional opportunities for hacking that don’t exist with hand-marked paper ballots because they introduce more machines into the voting process. Others argue the benefits of BMDs outweigh those risks, including making voting easier for people with disabilities. 

Global cyberspace

Hill happenings

Privacy patch

Daybook

  • Cybersecurity officials speak on the second day of the four-day International Wireless Communications Expo today.
  • The Senate Homeland Security and Governmental Affairs Committee holds a hearing on replacing legacy government IT systems today at 2:30 p.m.
  • The Federal School Safety Clearinghouse holds a webinar on cybersecurity for K-12 schools today at 3 p.m.
  • CISA Director Jen Easterly, FBI Deputy Director Paul Abbate, Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang, NSA Cybersecurity Director Rob Joyce and others speak at the Aspen Cyber Summit on Wednesday.
  • TSA Administrator David Pekoske testifies before the House Homeland Security Committee on Wednesday at 9:30 a.m.
  • The Senate Commerce Committee holds a hearing on consumer privacy on Wednesday at 10 a.m.
  • Customs and Border Protection and Department of Homeland Security officials discuss facial recognition technology at a Center for Strategic and International Studies event on Wednesday at 3 p.m.
  • Department of Homeland Security officials testify before the House Homeland Security Committee on Thursday at 2 p.m.

Secure log off

If George W. Bush was there, would they have thrown a choux? Thanks for reading. See you tomorrow.