Welcome to The Cybersecurity 202! CISA's “war on pineapple,” which became a popular model for divisive disinformation campaigns before the 2020 election, is no more. Now maybe we can finally do something about green peppers on pizza.
A narrowly averted shutdown still harms government cybersecurity
Democratic lawmakers seem prepared to avert a government shutdown, but the damage to government cybersecurity may already be done.
The House and Senate plan to vote today on a bill funding government operations through December, narrowly preventing a lapse in appropriations and a furloughing of tens of thousands of workers at midnight. The funding was tied up in a legislative brawl over two massive Democratic spending bills also imperiling Congress's ability to raise the debt ceiling.
But the image of an institution veering from crisis to crisis in which workers can't count on a steady paycheck is sure to hurt the government's ability to compete with the private sector for top-flight cyber talent.
The near-miss comes less than two years after the longest government shutdown in U.S. history. It also comes as the Cybersecurity and Infrastructure Security Agency is embarking on a major initiative to improve the skills and diversity of the cyber workforce, including by offering salaries outside the typical government range for such positions.
“It’s a very competitive marketplace for cyber talent now, and if you have to worry about your organization being shut down or being required to work without pay, that is not what you want to lead with," Max Stier, president of the nonprofit Partnership for Public Service, told me. “The federal government is already behind the curve in cybersecurity and a shutdown would be the proverbial pulling of the emergency brake.”
A shutdown would have a big impact at CISA.
How big? Nearly 84 percent of the agency's roughly 2,400-person workforce would be forced to stop working, according to a Department of Homeland Security planning document updated this week.
That would be a massive hit to the agency’s efforts to revamp the government’s protections against hacking and to help critical industries defend against ransomware and other threats.
It doesn't end there. If a shutdown happened, there would be furloughs similar to CISA’s among civilian cyber workers across the government. The National Institute of Standards and Technology, which conducts cybersecurity research and develops cyber protocols would be whittled down to just a handful of cyber employees.
“Cyber activity is occurring in every entity across the federal government so the disruption would go far beyond just CISA,” Stier said.
The agency told me it was ready for a shutdown if one came.
“The agency has continuity of operations, and we’re ready,” CISA Chief of Staff Kiersten Todt said. “Everyone is prepared if that’s what happens, but we certainly hope it won’t happen.”
But such a severe drop in staff would make it exceptionally difficult to manage a major cyber incident, such as a Russian or Chinese hack hitting government agencies or a ransomware attack against industry that disrupted energy supplies, health care or the financial system.
We’ve been here before: CISA had been officially operating for less than six months when the government went through the longest shutdown in U.S. history from mid-December 2018 to late January 2019. There’s no evidence the government suffered any major digital breaches during that time, but it fell far behind on a lot of basic cyber hygiene.
Numerous security certificates for government websites lapsed during the shutdown. When that happens, it’s far easier for hackers to trick people into visiting phony versions of the site where they might download malicious software or be conned into sharing personal information that can be used for identity theft.
Morale may be the biggest concern.
There was widespread fear in 2019 the extended shutdown — during which employees either were forced to stop working or continued to work without pay — would send employee morale into a tailspin and convince government cyber workers to move to the private sector.
There’s no evidence of a mass exodus after that shutdown, according to numbers provided to me by Partnership for Public Service. The group found a roughly consistent number of government cyber and IT workers quitting or retiring in the months before and after the pandemic.
But those numbers may mask a longer trend of top-flight cyber talent being less interested in working for the federal government.
“It’s hard to show direct causation, but it’s logically inescapable that if you make it this hard to do your job in government, you’re going to turn a lot of people off,” Stier said.
Russian authorities arrested a cybersecurity executive on treason charges
Group-IB founder Ilya Sachkov is suspected of “handing over classified information on cybersecurity to foreign intelligence agencies,” a law enforcement official told Russia’s Tass news agency. Sachkov denied the charges, according to the outlet. A court has ordered the executive to be in custody for the next two months.
Sachkov was a rising star in Russia’s cybersecurity community. He had been photographed at least twice alongside Russian President Vladimir Putin, Forbes’s Thomas Brewster reports.
Hackers published more stolen data from Epik, a popular Internet company among far-right groups
The newly released data includes copies of the company’s servers and log-in information for its corporate accounts on Coinbase, PayPal and Twitter, the Daily Dot’s Mikael Thalen reports. It comes just two weeks after a group identifying itself as hacker collective “Anonymous” said it had hacked Epik and released a first tranche of damaging and embarrassing information.
The latest leak amounts to 300 gigabytes of data, according to freelance journalist Steven Monacelli. That would be around double the size of the first tranche.
Nearly every national government now boasts cyber capabilities, a top NSA official says
Most of those programs are aimed at intelligence-gathering rather than launching cyberattacks against adversaries, said Rob Joyce, director of the NSA’s Cybersecurity Directorate.
The top nation-state hacking threats remain Russia, China, Iran and North Korea, Joyce said.
Here’s his rundown:
- Russia: Russian state hackers are “disruptive” and are doing intelligence-gathering on critical infrastructure and governments.
- China: Hackers backed by Beijing are “off the charts” in terms of their scope and scale.
- Iran: Hackers are “often very focused on regional things right now,” but they’re “dangerous because they’re less judicious in what they decide is a reasonable action.”
- North Korea: They’re “still active, still a threat, very capable but mostly focused on crypto exchanges and creating money.”
CISA will announce a new partnership with Girls Who Code
CISA will work with the nonprofit to boost awareness of cybersecurity and technology careers, and offer training and pathways to cybersecurity careers for girls, women and people identifying as nonbinary, according to a statement shared early with the Cybersecurity 202. CISA Director Jen Easterly said one of her “top priorities at CISA is to inspire more women and girls to pursue careers in cybersecurity and technology.”
Industry and advocacy groups are pushing a new manifesto on cybercrime
The Multistakeholder Manifesto on Cybercrime lays out principles the groups believe should guide any updated international agreement on the topic.
A main goal is to ensure any agreement focuses on actually protecting cybercrime victims rather than as a subterfuge for increasing government’s control over the internet through censorship and surveillance.
Other principles include pushing governments to make it more difficult for cybercriminals to operate inside their territories and avoiding locking in language that will be quickly outpaced by the evolving cyber threat landscape.
Signatories include the Cybersecurity Tech Accord, an industry group that includes Microsoft, and the CyberPeace Institute.
The House passed two cybersecurity bills
- An education bill, which has also passed the Senate, directs CISA to study the cybersecurity challenges that K-12 schools face and develop recommendations and voluntary tools for schools to boost their cybersecurity. It goes to President Biden’s desk for his signature.
- The other bill would set up a program to allow technology experts in the private sector to rotate throughout the federal government. FedScoop’s Jackson Barnett has details.
Does CISA want a new cyber incident reporting bill to require companies to alert about hacks within 24 hours? It's not clear. CyberScoop's Tim Starks has the details:
In her written testimony before HSGAC last week, she said of such legislation: "To that end, cyber incident reporting must be timely, ideally within 24 hours of detection."— Tim Starks (@timstarks) September 29, 2021
Answer from CISA spokesperson, such as it is: “CISA continues to engage Congress and industry on needed incident reporting legislation that effectively balances getting information in a timely manner with ensuring that information is meaningful and actionable...— Tim Starks (@timstarks) September 29, 2021
This answer leaves me still uncertain of the CISA position. The bills don't all have the same triggering threshold.— Tim Starks (@timstarks) September 29, 2021
- Cybersecurity officials speak on the last day of the four-day International Wireless Communications Expo today.
- Department of Homeland Security officials testify before the House Homeland Security Committee today at 2 p.m.
- John Costello, National Cyber Director Chris Inglis’s chief of staff, speaks at a Center for Strategic and International Studies event on Oct. 4 at 9:30 a.m.
- Chris Fonzone, the top lawyer in the Office of the Director of National Intelligence, and former senator Russ Feingold, a Democrat who represented Wisconsin, participate in a Center for Democracy and Technology event on the Patriot Act on Oct. 5 at noon.
- The R Street Institute hosts an event on diversity in cybersecurity on Oct. 5 at 1 p.m.
- Easterly speaks at a Washington Post Live event on Oct. 5 at 3 p.m.
- U.S. Cyber Command Commander and NSA Director Gen. Paul Nakasone and deputy national security adviser Anne Neuberger speak at the Mandiant Cyber Defense Summit on Oct. 5.
- CISA holds the first session of its four-week annual National Cybersecurity Summit on Oct. 6.
- Inglis; Deputy Attorney General Lisa Monaco; Deputy Energy Secretary David Turk; Rep. Yvette D. Clarke (D-N.Y.), who chairs the House Homeland Security Committee’s cybersecurity panel; Rep. John Katko (R-N.Y.), the top Republican on the committee; and Sen. Angus King (I-Maine) participate in the Aspen Cyber Summit on Oct. 6.
- The Center for Strategic and International Studies hosts an event on sixth-generation network standards on Oct. 6 at 3 p.m.
- Homeland Security Secretary Alejandro Mayorkas, Easterly, Inglis and other top U.S. government officials speak at the three-day Billington Cybersecurity Summit, which begins Oct. 6.
Secure log off
1. Olives, 2. pepperoni, 3. mushrooms. Thanks for reading. See you tomorrow.