Welcome to The Cybersecurity 202! I, for one, think the last thing James Bond needs is more cyber content.

Below: There's a new cyber incident reporting bill and a jailed Russian hacker was sent home.  

Bipartisan criticism grows over the FBI delaying aid to Kaseya ransomware victims

Lawmakers from both sides of the aisle are raising concerns about the FBI’s decision to withhold assistance from hundreds of ransomware victims while it planned to punch back at the Russia-based gang that launched the attack.

Republican and Democratic leaders of the House Oversight Committee plan to send a strongly worded letter to the bureau this morning. It demands a briefing about the FBI's rationale for withholding a decryption key that could have sped up recovery from the Kaseya ransomware attack, which was the largest ever to hit U.S. companies. 

“Ransomware hackers have shown their willingness and ability to inflict damage on various sectors of the U.S. economy. Congress must be fully informed whether the FBI’s strategy and actions are adequately and appropriately addressing this damaging trend,” states the letter, which was shared exclusively with The Cybersecurity 202. It’s signed by Chairwoman Carolyn Maloney (D-N.Y.) and the committee’s top Republican, James Comer (Ky.). 

“The growing threat of ransomware attacks requires our federal government agencies — especially the FBI — to respond quickly and effectively to prevent or minimize the damage from these attacks,” the lawmakers warn.

Growing chorus of criticism

The letter is part of a growing chorus of lawmakers who say the incident shows poor judgment and little concern for the devastating toll ransomware has exacted from U.S. companies.

The Kaseya attack, which was launched over the Fourth of July weekend, affected between 800 and 1,500 businesses. Thousands more have been hit just this year by the ransomware hacking groups that lock up victims’ computers and demand payments, which can reach into the millions of dollars, to unlock them.

The Kaseya attack was especially far-reaching because the ransomware gang REvil was able to jump from the software provider Kaseya to infect the computers of its clients and then to infect their clients in turn.

Other lawmakers have used harsher language: Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, told the Daily Beast that the FBI’s actions were “inexcusable.” Speaking to FBI Director Chris Wray during a House Homeland Security Committee hearing, he compared the bureau’s decision to a fire department letting a fire burn because it was focused on catching the arsonist. 

“I don't think anyone here would suggest we should not put out the fire even if it does not maximize your impact against an adversary,” Langevin said. 

Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) also asked Wray for a briefing on the bureau’s decision-making during a separate hearing last week. 

The controversy centers on a digital key the FBI had access to. It could have helped Kaseya victims unlock computers that had been encrypted by REvil and perhaps avoid millions of dollars in recovery costs. 

The bureau held onto the key for about three weeks because it was planning an operation to disrupt REvil and didn’t want to tip off the hackers that it had secret access to their servers, as my colleagues Ellen Nakashima and Rachel Lerman were first to report.

The decision reflects a difficult balancing act for government — between helping hacking victims and imposing consequences on cybercriminals that might disincentivize future hacks.

The bureau’s plans were ultimately scuttled because REvil shut itself down before the bureau could strike. The gang later reconstituted under the name BlackMatter and launched a ransomware attack against an Iowa grain cooperative earlier this month.

The FBI declined to comment on congressional criticism. 

Wray declined to speak directly about Kaseya during last week’s Senate Homeland Security Committee hearing. But he noted the FBI must rigorously test decryption keys and other digital tools before giving them to hacking victims to make sure they won’t do more harm than good. 

A cybersecurity firm that developed a REvil decryption key said that process should take a matter of hours, not days or weeks. 

It also takes a lot of time to make unified plans with other government agencies, Wray said. 

“Sometimes we have to make calculations about how best to help the most people because maximizing the impact is always the goal,” he said.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly was not yet in office when the Kaseya decision-making was taking place. In future incidents, CISA’s role would be to advocate for helping victims, she said during a separate Senate Homeland Security Committee hearing.

“I would be advocating for doing everything that we can to ensure that victims have the tools that they need to recover, remediate and get their businesses back up and running,” she said. 

The keys

Senate Homeland Security leaders released their version of a bill mandating critical infrastructure firms to report breaches

The bipartisan legislation would require critical infrastructure companies to report hacks within 72 hours to a new Cyber Incident Review Office within CISA. It would also require most organizations to report paying ransoms to hackers within 24 hours. 

Chairman Peters (D-Mich.) and Sen. Rob Portman (R-Ohio), the committee’s top Republican, sponsored the bill. Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) said he hopes to merge a similar bill he introduced in July with the Peters-Portman measure and include it in the Senate’s version of an annual defense policy bill. 

If the lawmakers unify, that will dramatically increase the chances of the bill becoming law. It would mark the largest expansion in years in government cyber mandates imposed on industry. 

The House passed its version of the defense bill last week with a similar provision to the Peters-Portman measure.

The United States deported a convicted Russian hacker, a rarity given that the two countries don’t have an extradition treaty

Police detained Aleksei Burkov when he arrived in Moscow, Russian Interior Ministry spokeswoman Irina Volk told the Tass news agency. He'd been sentenced in absentia there for hacking crimes. 

Israeli authorities arrested Burkov in 2015 and extradited him to the United States, where he later pleaded guilty to charges that included running websites that helped hackers trade stolen credit cards. Burkov was serving a nine-year sentence in U.S. federal prison, my colleague Miriam Berger reports.

Burkov was at the center of high-stakes geopolitical drama. Russian authorities sentenced an Israeli American backpacker to seven years in prison after Russian authorities said they found drugs in her bag. Israeli officials linked the arrest to Russia’s desire to bring Burkov back. Russian President Vladimir Putin later pardoned the backpacker, Na’ama Issachar, in January 2020.

A vaccination passport app may have exposed information from more than 600,000 Canadians

The PORTpass app exposed personal information such as birthdays and photo IDs through its insecure website, the Canadian Broadcasting Corporation’s Sarah Rieger reports. The app has as many as 650,000 users in Canada.

CEO Zakir Hussein denied that the app had security issues before the company took it offline. He later acknowledged the site had some “holes” that needed to be patched. 

"There's holes, and what I'm realizing is I think there are some things that we need to fix here,” he said. “And you know, we're trying to play catch-up, I guess, and trying to figure out where these holes are."

It’s not clear how long the data was exposed. Hussein claimed that it lasted for minutes, but the Canadian Broadcasting Corp. said it was able to access the data for more than an hour.

Cyber insecurity

Major companies are vulnerable to phishing and online impersonation, a study finds

The report by domain service firm CSC looked at web domains that resemble those belonging to Fortune 2000 companies but are slightly different. That's a common tactic for luring people to phony sites where their computers can be infected with malicious software. 

It found 70 percent of such sites were owned by third parties rather than the company itself. About 60 percent of those domains have been registered since the beginning of 2020, according to the report, a potential sign that cyberattacks impersonating domains are on the rise.

Daybook

  • Cybersecurity officials speak on the third day of the four-day International Wireless Communications Expo today.
  • CISA Director Jen Easterly, FBI Deputy Director Paul Abbate, Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang, NSA Cybersecurity Director Rob Joyce and others speak at the Aspen Cyber Summit today.
  • TSA Administrator David Pekoske testifies before the House Homeland Security Committee today at 9:30 a.m.
  • The Senate Commerce Committee holds a hearing on consumer privacy today at 10 a.m.
  • Customs and Border Protection and Department of Homeland Security officials discuss facial recognition technology at a Center for Strategic and International Studies event today at 3 p.m. 
  • Department of Homeland Security officials testify before the House Homeland Security Committee on Thursday at 2 p.m.

Secure log off

A martini — hashed, not salted. Thanks for reading. See you tomorrow.