date 2021-11-02
A cybersecurity funding infusion hangs on whether Democrats can move their big spending bills
The largest-ever investment in the nation's cybersecurity is hanging in the balance as Democrats continue to spar over two mammoth spending bills.
The bipartisan infrastructure bill and the Democrats’ $1.75 trillion social spending deal together would commit about $2.5 billion to cybersecurity. Provisions would boost federal government cyber operations and raise protections against ransomware and other cyberattacks for state and local governments and critical infrastructure, such as the energy grid.
The spending would effectively reverse course on a decade of inadequate cyber spending that’s been out of step with the surging threats to government and industry. But that investment is in limbo as moderate and progressive Democrats tangle over the size of the spending package.
“We have significantly underinvested in cybersecurity for decades at this point, and this would be the first time in a long time that we’re really upping our investment and perhaps meeting the need in some areas,” Ari Schwartz, a former top White House cyber official during the Obama administration, told me.
What if one or both bills fail to make it into law? “We’d just continue to do this in an underfunded way,” Schwartz said. “That just means the investment we’d have to make in the future is going to have to be bigger. You wouldn’t get the benefit of having the right people in the workforce and the right tools in place.”
The standoff
- Sen. Joe Manchin (D-W.Va.), a key moderate, announced yesterday he won’t support the spending bill until he’s had more time to examine its details and its possible effect on inflation. Lawmakers had already whittled the bill down from $3.5 trillion to assuage many of Manchin’s concerns.
- That effectively stalls the spending bill’s chances in the Senate, where the infrastructure bill has already passed.
- It jeopardized a vote on both bills in the House, where progressives have refused to vote on the infrastructure measure until there’s a deal to pass the larger spending bill.
- The infrastructure bill delivers funding to traditional infrastructure, such as roads and bridges, while also expanding Internet access. It has widespread support even among some Republicans. The spending bill would enact more Democratic priorities such as expanding Medicare and offering universal prekindergarten.
Here are the gory details from Tony Romm, Mike DeBonis and Marianna Sotomayor.
The takeaway
U.S. intelligence officials have for years treated the danger from cyber threats as at least on a par with threats from foreign terrorism. But Washington has never invested in protecting the nation's critical infrastructure against cyberattacks in the way it surged funding to terrorism protections after 9/11.
“It took 9/11 happening to get a lot of funding for anti-terrorism efforts that we continue to invest in,” Schwartz said. “It’s unlikely we’re going to have an event that huge in cybersecurity, but we’ve had many many big events. At some point we’re going to get the funding we need in this space because incidents are going to continue until that happens.”
Details
The cyber funding in the bills falls into two major buckets.
Some of it goes to spending at the Cybersecurity and Infrastructure Security Agency and elsewhere in government for priorities that are already underway, such as improving the government’s own cybersecurity and developing systems to detect hackers in the computer networks of vital industry sectors. Those priorities will likely get funded some other way if these bills fall by the wayside.
But other cyber provisions may get scrapped entirely if these bills don’t make it into law.
The top of that list: A $1 billion cash infusion, included in the infrastructure bill, to raise cyber protections for states and localities that have been battered by ransomware.
“When you look at state and local cybersecurity, it needs some help from the federal government,” Michael Daniel, White House cyber coordinator during the Obama administration, told me. “We have a national interest in helping state and local governments do a better job protecting themselves.”
Daniel added: “It’s legitimate to have policy differences, but eventually we need to make these investments that everyone has agreed on.” Daniel now leads the Cyber Threat Alliance industry group.
Also in the infrastructure bill:
- A $100 million fund to help pay businesses’ recovery costs after a cyberattack that threatens the economy or national security.
- A plan to help transportation authorities better detect and respond to cyberattacks, such as ransomware attacks on transportation departments or hacks of traffic lights and road signs.
- Emergency funding to respond to digital attacks on public water systems and grants to help some water systems gird themselves against cyberattacks.
Big-ticket items in the spending bill include:
- $100 million for CISA to improve federal computer systems that aren’t national security systems
- $100 million for CISA to boost cybersecurity awareness
- $80 million for the Federal Emergency Management Agency to help local governments boost cybersecurity recruitment and training
The keys
CISA says there's ‘no specific, credible threat to election infrastructure’ in today's contests
The agency is nevertheless hosting an “election situational awareness room” as voters head to the polls to elect governors and legislators in Virginia and New Jersey, CISA said. Local elections are also taking place in numerous other jurisdictions.
Those election awareness rooms typically gather interested parties including federal, state and local election officials, law enforcement, election machine vendors and social media companies that might battle disinformation campaigns so they can hash out any election threats in real time. CISA has held virtual and sometimes in-person versions of the operation since 2018.
Rumor control: The agency is also directing voters to its rumor control page, which was launched in the run-up to the 2020 contest and knocks back conspiracy theories and misinformation about election security.
On the ballot today: Election security advocates are eyeing the Virginia governor's race. Republican gubernatorial candidate Glenn Youngkin has tried to toe the line on former president Donald Trump’s baseless election fraud claims. He has repeated calls to audit 2020 election results while not saying that the election was stolen.
A ransomware attack hit a major Canadian transit system
The cyberattack hit internal systems like the Toronto Transit Commission’s email and external systems like a booking platform for disabled riders. However, public transportation operations in Toronto weren’t affected by the attack, the Record’s Catalin Cimpanu reports.
The attack comes as the Biden administration prepares to impose new cybersecurity regulations on major U.S. rail and subway systems as part of a push to beef up the cybersecurity of critical infrastructure sectors. The administration imposed similar regulations on pipelines in the wake of a ransomware attack on the Colonial Pipeline.
Another “possible cyberattack” hit a Canadian health-care system. The incident in Newfoundland and Labrador — Canada’s easternmost province — took down the “brain center” behind the province’s health-care system, provincial health minister John Haggie said. Haggie said he couldn’t confirm whether the attack was ransomware, as reported by the Canadian Broadcasting Corporation.
A newfound computer bug could affect nearly every computer system, researchers warn
The bug affects compilers, which help translate human-readable computer languages into code that’s only read by machines, Krebs on Security’s Brian Krebs reports. It exploits systems that help display text in different languages, such as English and Arabic, to hide extra code that could contain malware.
“You can use them in source code that appears innocuous to a human reviewer [but] can actually do something nasty,” Ross Anderson, a professor at the University of Cambridge who co-wrote the research, told Krebs. The vulnerability is “bad news” for open-source projects that solicit contributions from the public and are manually reviewed, Anderson said.
“This vulnerability is, as far as I know, the first one to affect almost everything,” he said.
The researchers told software companies and organizations, as well as a CISA-sponsored vulnerability coordination center, about the vulnerability before publication.
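A defensive check for the bug described above, as an added example that is not from the original article or the researchers: it scans source text for Unicode bidirectional control characters, the text-direction mechanism the article alludes to, and flags any line that leaves one unterminated. The sample input and the function name `scan_source` are constructed for illustration.

```python
import unicodedata

# Unicode bidirectional formatting characters: embeddings, overrides, isolates.
OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}   # LRE, RLE, LRO, RLO (closed by PDF)
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}     # LRI, RLI, FSI (closed by PDI)
PDF, PDI = "\u202c", "\u2069"
BIDI_CONTROLS = OPENERS | ISOLATE_OPENERS | {PDF, PDI}


def scan_source(text):
    """Return one (line, column, name) finding per bidi control character,
    plus one (line, 0, ...) finding per line that leaves one unterminated."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        open_embed = open_isolate = 0
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI_CONTROLS:
                continue
            findings.append((lineno, col, unicodedata.name(ch)))
            if ch in OPENERS:
                open_embed += 1
            elif ch in ISOLATE_OPENERS:
                open_isolate += 1
            elif ch == PDF:
                open_embed = max(0, open_embed - 1)
            else:  # PDI
                open_isolate = max(0, open_isolate - 1)
        # Renderers close these implicitly at end of line, so an opener that
        # is never closed affects how the rest of the line is displayed.
        if open_embed or open_isolate:
            findings.append((lineno, 0, "UNTERMINATED BIDI SEQUENCE"))
    return findings


# Constructed sample: line 2 has an override inside a comment, line 3 is clean,
# line 4 has a balanced isolate pair around a right-to-left word in a string.
SAMPLE = (
    "def check(user):\n"
    "    # note \u202e hidden direction change\n"
    "    return user == 'admin'\n"
    "    label = '\u2067\u05e9\u05dc\u05d5\u05dd\u2069'\n"
)

if __name__ == "__main__":
    for lineno, col, what in scan_source(SAMPLE):
        print(f"line {lineno}, col {col}: {what}")
```

A check like this fits in a pre-commit hook or CI step; legitimate right-to-left text in strings shows up as balanced pairs, as on line 4 of the sample.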
Hill happenings
Lawmakers introduced a measure to boost the federal government's cloud cybersecurity
Four senators want to update the government's Federal Risk and Authorization Management Program and make it permanent. FedRAMP is essentially a security rating tool the government uses for cloud providers to determine the sensitivity of data they can house.
The bill would also authorize $20 million for the program. The legislation was introduced by Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) along with Sens. Josh Hawley (R-Mo.), Maggie Hassan (D-N.H.) and Steve Daines (R-Mont.). Similar legislation passed the House in January.
Government scan
Ransomware groups use company announcements to target victims, the FBI warns
The groups are probably timing their attacks during mergers, acquisitions and other “significant, time-sensitive financial events” to hit companies when they’re most likely to pay up, the FBI said in an alert to private industry.
On the move
The Institute for Security and Technology has brought on Megan Stifel and Yael Eisenstat.
- Stifel will be the group’s chief strategy officer. She was previously the Global Cyber Alliance’s global policy officer and an Obama administration cyber official.
- Eisenstat will co-lead the institute's Digitally Influenced Democracy Initiative. She was previously a Future of Democracy Fellow at the Berggruen Institute.
Daybook
- Keith Alexander, the former director of the National Security Agency and commander of U.S. Cyber Command, discusses cyber threats at a Washington Post Live event today at 10 a.m.
- National Cyber Director Chris Inglis and CISA Director Jen Easterly testify before the House Homeland Security Committee on Wednesday at 10 a.m.
- The House Financial Services Committee holds a cybersecurity hearing on Wednesday at 10 a.m.
- The House Transportation and Infrastructure Committee holds a hearing on infrastructure cybersecurity on Thursday at 10 a.m.