date 2021-11-05
Their opposition complicates the Biden administration’s plans to raise the nation’s protections against a barrage of ransomware attacks.
Fireworks came during a more-than-three-hour hearing of the House Transportation Committee yesterday. GOP lawmakers described recent cyber regulations as rushed, overly prescriptive and poorly tailored to the threats facing industry. They expressed skepticism that Congress and federal agencies can effectively regulate cybersecurity and not make a mess of it.
Here’s Rep. Thomas Massie (R-Ky.): “Asking this committee to come up with standards for platforms in cybersecurity is a little bit like asking my cattle to write a term paper on one of Shakespeare’s works. We’re just not qualified to do it.”
Context
The administration mandated minimum cyber protections for pipelines in July and required the industry to alert the government about cyber incidents. The move came in the wake of the Colonial Pipeline ransomware attack, which squeezed U.S. gas supplies and prompted panic buying.
Regulations for the air and rail sectors are expected in the coming weeks. They’ll require companies to report cyber incidents to the government, name a chief cyber official and draft a recovery plan for when breaches occur.
The big picture
The complaints could mark the start of a greater fissure in the bipartisan consensus that cyber policy and the agencies that enact it have enjoyed for most of the past decade.
- That bipartisan backing has set cyber policy apart from issues like health care and immigration where government officials are frequently battered by political fights and strategies change from administration to administration.
- One reason for the bipartisanship: government cyber officials’ modus operandi was to help businesses protect themselves from hacking without imposing new mandates that would turn off regulation-wary Republicans.
- With regulations already imposed in one sector and being discussed in others, partisan cracks are starting to emerge.
- Senate Republicans on the Homeland Security Committee were the first to express concern. They sent a letter asking the Department of Homeland Security inspector general to investigate the pipeline regulation process and warning the mandates could be “unnecessarily burdensome” and “shift resources away from responding to cyberattacks to regulatory compliance.”
Here’s Rep. Brian Babin (R-Tex.): “Cyber intrusions are very hard to track. We’ve got to be careful as lawmakers that we don’t meddle in something that we don’t properly understand and unintentionally cause bloated regulation or stifle innovation with overly burdensome requirements that don’t truly secure our infrastructure.”
Industry response
House GOP critics of cyber regulations got some assists from industry witnesses during the hearing.
Tom Farmer, assistant vice president for security at the Association of American Railroads, warned that the proposed rail regulations require alerting government about hacks too quickly. They also define what counts as a hack too broadly, he said. The result: important cyber threat information will likely be drowned out by rushed data that’s only partly accurate.
Here’s Michael Stephens, general counsel at Tampa International Airport: “The TSA-proposed guidance that we have been providing comments to is very, very broad-based in terms of what is being required to be reported. And information just for the sake of information is not necessarily a good thing because it leads to information overload and white noise and a lot of times gets ignored.”
Stephens said he doesn’t object in general to alerting government about cyber incidents, just to the way the proposed regulations are written.
Counter arguments
Democrats shot back at some of the criticism. The proposed requirements for rail and air systems aren’t especially burdensome when compared to the threat of a major hack that disrupts either industry, they said.
“We have an administration that's moving in the right direction,” Chairman Peter A. DeFazio (D-Ore.) said. “We need to do more. No single technology policy or other action will completely eliminate all cyber threats. But every step could help close the gaps and make success for cyber criminals and cyber terrorists harder.”
The Transportation Security Administration said in a statement that the agency “has continued to work with its rail industry partners on this and other issues related to cybersecurity. The goal remains that we ensure our transportation system is resilient against any cyber event in the future.”
There’s some hope for continued bipartisanship.
Republican Sens. Rob Portman (Ohio) and Susan Collins (Maine) joined with Democratic Sens. Gary Peters (Mich.) and Mark Warner (Va.) in a measure last night that would mandate cyber incident reporting across critical infrastructure sectors, such as energy and transportation. They’re trying to ensure the bill becomes law by including it in a must-pass annual defense policy bill.
That measure stops short of some of the stricter regulations that were imposed on the pipeline sector. But it would still represent one of the largest cyber mandates ever imposed on industry.
The measure has two big goals:
- Giving government a clearer picture of the scale and nature of cyber threats facing industry
- Making it easier for government to share information back with industry sectors about hacking threats they’re likely to face and protections they should implement
Biden administration officials have trod lightly on the regulation question.
National Cyber Director Chris Inglis and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly have repeatedly touted government-industry collaboration as their chief goal.
Inglis has also said regulation will likely be necessary as a last resort in cases where industry sectors are both under-secured and vital to U.S. national security or the economy.
“You can’t rule that out,” he’s said. “I’m confident that at some point we’ll get to that bridge and have to cross it.”
The keys
The Biden administration is offering millions for DarkSide intel
The ransomware gang was famously behind a cyberattack targeting Colonial Pipeline that pinched U.S. gas supplies and prompted panic buying. In addition to offering up to $10 million for information about its leaders, the State Department is also offering up to $5 million for information leading to the arrest or conviction of anyone working with the group.
DarkSide shut down shortly after the Colonial cyberattack because of attention from U.S. law enforcement. But it may have reorganized as BlackMatter, a hacking group that has targeted U.S. organizations like farming cooperatives, according to the U.S. government and researchers. BlackMatter reportedly shut down this week because of “certain unsolvable circumstances associated with pressure from the authorities.”
It’s the second time this year that authorities have offered rewards for information about ransomware groups. In July, the State Department’s Rewards for Justice program offered up to $10 million for information leading to the identification of hackers launching “malicious cyber activities against U.S. critical infrastructure.”
Ukraine exposed five Russian hackers behind thousands of cyberattacks
It's rare for governments to expose the identities of individual government hackers from adversary nations unless they appear in indictments.
In the years since Russia’s annexation of Crimea in 2014, “this unit has carried out over 5,000 cyber attacks and attempted to infect over 1,500 government computer systems,” Ukrainian authorities said. The hackers tried to steal information and targeted critical power plants, heat systems and water supply systems, officials said.
Ukrainian authorities also published intercepts of communications between the hackers:
Russia hasn’t significantly curbed ransomware, a top Justice Department official said
The U.S. government has not “seen a material change in the [ransomware] landscape,” and “only time will tell as to what Russia may do on this front,” Deputy Attorney General Lisa Monaco told the Associated Press’s Eric Tucker.
U.S. government officials have split on the issue. Monaco's comments mirror similar statements by CISA Director Jen Easterly but stand in contrast to National Cyber Director Chris Inglis’s congressional testimony this week that the U.S. government has seen a “discernible decrease” in the attacks.
The comments come months after President Biden demanded that Russian President Vladimir Putin act to disrupt Russia-based ransomware groups.
Monaco also previewed impending law enforcement actions against hackers. “In the days and weeks to come, you’re going to see more arrests,” ransom seizures and law enforcement operations, she said.
Monaco added: “If you come for us, we’re going to come for you.”
Hill happenings
The House will vote as soon as today on a mammoth spending bill full of cyber goodies
The Democratic spending plan includes about $500 million in cyber funding, Tony Romm, Marianna Sotomayor and Mike DeBonis report. It's still unclear if House and Senate Democrats have reached agreement on two major progressive bills that would collectively commit about $2.5 billion to cyber priorities.
Government scan
The Pentagon is revamping its cybersecurity compliance program
The Cybersecurity Maturity Model Certification 2.0 program gets rid of compliance tiers and reduces the role that third-party assessments play, FCW's Adam Mazmanian writes. It comes “after a nine-month internal review and complaints from vendors large and small over the cost and complexity of the requirements,” he writes. The CMMC Accreditation Body is set to hold a town hall meeting on the changes next week.
