Welcome to The Cybersecurity 202! Looking for a Halloween horror film that's meta but less meta than Scream? Consider 1994's Wes Craven's New Nightmare.

Below: Hackers hit Iran's gas stations and a dark web drug bust produced 50 arrests. 

A key Senate Democrat is open to new cyber regulations

New cyber regulations could be coming for critical industries if they don’t raise protections on their own, Senate Homeland Security Chairman Gary Peters (D-Mich.) tells me. 

Peters is open to Congress imposing such mandates, but he wants government to do everything it can to help raise industry cyber standards in a voluntary way first, he said during a Washington Post Live interview. 

In sync

The comments place one of the most powerful cyber lawmakers in a united front with the White House. Officials there have floated the possibility of mandating minimum cybersecurity requirements in vital industry sectors such as agriculture and transportation if companies don’t take the initiative to protect themselves against a wave of blistering ransomware attacks.

“There’s no question that when it comes to critical infrastructure, there need to be standards in place to make sure that they are taking every measure necessary to protect those systems,” Peters said. 

He added: “I think it’s also important that these regulations are flexible, understanding that the nature of these attacks, the technology used in these attacks, all of these things are going to be constantly changing.”

The Department of Homeland Security has already mandated minimum cyber protections for pipelines and is planning similar requirements in the rail sector. But officials believe they need congressional authorization to impose mandates more widely. 

Regulate?

Peters' comments also reflect a major inflection point in cyber policy

Lawmakers and executive branch officials hoped for years that market forces would compel companies to better protect themselves against hacking. But, amid a surge in attacks that’s threatening the economy and national security, they’re beginning to consider a more active government role.

“Ransomware has changed the equation,” Peters said. “It’s very easy to wrap your head around a ransomware attack. It's really pretty much like a bank robbery, good old-fashioned crime, where you’re bringing basically a gun in the cyber world … and saying give me your money and I'll give you your data back.”

Peters also held out the possibility of banning or restricting companies from paying ransomware hackers in the future — though his main priority now is making it easier for companies to choose not to pay ransoms, he said. 

“It’s a possibility that we ban it. I’m not closing the door on that,” he told me. “But I think we have to, right now, be focused on working with companies to understand that there are alternatives to paying a ransom, particularly if they get assistance from the federal government.”

“It’s a possibility that we ban [ransomware payments], I’m not closing the door on that. But I think it’s something we have to right now be focused on working with companies to understand there are alternatives to paying a ransom.” – Sen. Gary Peters (D-Mich.) (Washington Post Live)

The FBI and other federal agencies recommend against paying ransomware hackers, but companies frequently pay anyway. In cases where they don’t have an uninfected backup of their data, paying might be companies’ only hope of staying in business.

Recovering

There's some help coming

Peters sponsored a bill with Sen. Rob Portman (Ohio), the top Republican on the Homeland Security Committee, that would create a fund to help pay businesses’ recovery costs after a cyberattack. The money would be available if the Department of Homeland Security decides the attack could harm national security, economic security or government operations. 

Lawmakers included the measure and $100 million for the fund in a bipartisan infrastructure bill that’s passed the Senate and is expected to pass the House this week. 

But it will take a lot more than that to cover the cost of ransomware, which cost companies more than $400 million in 2020, according to an estimate from the research firm Chainalysis.

There’s one potential new mandate for companies that many lawmakers are ready to endorse right now. It’s a requirement for companies in critical sectors to alert DHS when they suffer cyber incidents. 

Peters and Portman sponsored a version of that bill that requires reports from companies within three days of a hack. Some other lawmakers and the Cybersecurity and Infrastructure Security Agency are pushing for reports within one day. The argument centers on getting information out as quickly as possible, but not so fast that the victim doesn't really understand what's going on and can't pass along anything useful. 

Peters stressed he views the three-day window as a maximum. Some regulators may require shorter windows in particular business sectors, he said. 

“The main goal of this is just to get a sense of what exactly is happening,” he said. “If you live in a neighborhood and two of your neighbors had a burglary, that's really great information for neighbors to know.”

The keys

Hackers disrupted Iran’s gas stations, officials say

The alleged cyberattack targeted a system that allows Iranians to buy subsidized fuel, officials said. No hacking groups have claimed responsibility for the attack, Kareem Fahim reports.

But the hackers appeared eager to criticize the Iranian government. In Isfahan, they hacked billboards to display the message, “Khamenei, where is our gas,” Kareem writes, a reference to the country’s supreme leader, Ayatollah Ali Khamenei.

The cyberattack comes after months of hacks on major Iranian systems. In July, hackers targeted the country’s rail system, posting fake delay messages. The cybersecurity firm Check Point attributed that attack to the Iranian opposition group Indra.

The following month, a group calling itself the “Justice of Ali” released footage of guards beating prisoners inside the notorious Evin Prison, leading to a rare official apology.

Law enforcement agencies arrested 150 people worldwide for dealing drugs on the “dark net” 

A dozen law enforcement agencies around the world worked on the operation, which stretched across three continents and lasted 10 months, CyberScoop’s Tonya Riley writes. U.S. law enforcement agencies made three dozen arrests, officials said. 

The “dark web” is a portion of the internet that's not on the World Wide Web and that frequently hosts markets for illegal drugs and hacking tools.

Authorities seized:

  • 200,000 pills
  • $31.6 million
  • 45 guns
  • More than 500 pounds of drugs

 

“Since the onset of the covid-19 pandemic, more people have turned to the dark net than ever before to buy drugs,” Deputy Attorney General Lisa Monaco said. “Already a billion-dollar illicit drug industry, dark net drug revenue has surpassed pre-pandemic levels.”

The operation comes nearly 10 months after German authorities arrested the operator of the marketplace DarkMarket. Authorities seized more than 20 servers from that bust that provided “a trove of evidence” for this week’s operation, according to European officials.

North Korean hackers targeted an Indonesian bank last year, researchers say

Researchers suspect that the hackers were working for North Korea’s military intelligence agency, the Daily Beast’s Shannon Vavra reports. The hacking tools used against Bank Rakyat Indonesia are similar to tools North Korean hackers used to steal $81 million from Bangladesh Bank in 2016.

It’s not clear whether the hackers got away with any money. The Indonesian bank did not respond to a request for comment from the Daily Beast.

“From 2019 to November 2020, the time that encompasses the Indonesia incident, Kim [Jong-Un]’s regime hacked into financial institutions and cryptocurrency exchanges both to bolster the regime’s weapons of mass destruction and ballistic missile programs,” Vavra writes, citing a report published by the U.N.’s North Korea Panel of Experts.

On the move

  • Karen S. Evans will be the Cyber Readiness Institute nonprofit’s new managing director. Evans served as assistant secretary of energy for Cybersecurity, Energy Security and Emergency Response in the Trump administration. She also worked as federal IT chief in the George W. Bush administration. 
  • Washington Secretary of State Kim Wyman (R) will lead CISA’s election security efforts, the agency officially announced. Wyman said she will step down as Washington’s top election official on Nov. 19.

National security watch

Seagate violated export rules by selling hard drives to Huawei, Senate Republicans say

The company did not have a license authorizing it to continue sending hard drives to Huawei after the Trump administration restricted semiconductor exports to the company last year, Senate Commerce Committee Republicans said in a report.

Huawei’s $800 million budget for hard drives was “prospectively met in large part by Seagate’s monopolization of the market after the rule went into effect,” the lawmakers said.

A Seagate spokesman told the Wall Street Journal, which first reported on the report, that it “complies with all laws applicable to its business and operations, including export control regulations.” The spokesman declined to comment on the company’s relationship with Huawei. 

A Commerce Department spokeswoman told the Wall Street Journal that its enforcement team is “committed to fully investigating any allegation” of export violations.

Global cyberspace

  • A newly discovered hacking group is impersonating Philippine government agencies and Saudi Arabia’s Manila embassy, researchers from Proofpoint say. The group is probably trying to gain access to computers belonging to target organizations in Southeast Asia, Europe and North America, the researchers say.

Daybook

  • CISA Chief of Staff Kiersten Todt speaks at the CSA Fed Summit on Thursday.
  • Deputy Treasury Secretary Wally Adeyemo, Deputy Assistant Treasury Secretary Rahul Prabhakar, Todt and cybersecurity experts participate in a Carnegie Endowment for International Peace event on the U.S. cybersecurity workforce on Thursday at 10 a.m.
  • National Cyber Director Chris Inglis and deputy national security adviser Anne Neuberger speak at a Center for Strategic and International Studies event on Thursday at noon.
  • CISA Director Jen Easterly and Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, speak at a Center for Strategic and International Studies event on critical infrastructure cybersecurity on Friday at 1 p.m.
  • Gen. Paul Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, speaks at an event hosted by American University’s Tech, Law & Security Program on Friday at 3 p.m.

Secure log off

Three four, better lock your door. Thanks for reading. See you tomorrow.