Welcome to The Cybersecurity 202! It's getting colder in Washington. Here's Robert Frost on the changing seasons.
For example: A hack that disrupted satellite-assisted navigation could jam up things from shipping and trucking to farms that rely on precision navigation tools, wreaking havoc on the economy.
“Almost every critical function ... is dependent on space,” said Sam Visner, a technical fellow at the MITRE Corp., speaking on a panel focused on cyberthreats to space that I moderated at the Aspen Security Forum. “Other countries see this as an advantage for themselves. … They see our vulnerabilities in space and space systems as a way of gaining an advantage over us amid great power competition.”
The danger has escalated as the number of space systems has proliferated and as more of them are being run by private companies such as Elon Musk’s SpaceX and Jeff Bezos’s Blue Origin. (Bezos owns The Washington Post.)
The IT that runs most space systems is complex and requires specialized knowledge that few hackers have. But those back-end systems are increasingly linked (sometimes intentionally) with commercial front-end systems that hackers are expert at cracking into.
- Such hacks could be launched by criminal gangs that demand a ransom to unlock them or by adversary nations looking to damage the U.S. economy.
- A worst-case scenario: Hackers might disrupt the command and control of satellites themselves, forcing them to crash into each other with ripple effects across industry sectors.
The big ask
Visner and others want DHS to declare space the 17th official critical infrastructure sector, joining others such as energy, transportation and water. That would essentially make it easier for government and industry to work together on developing cyber standards and sharing information about threats.
There’s some steam behind the idea.
Reps. Ted Lieu (D-Calif.) and Ken Calvert (R-Calif.) introduced a bill in June that would mandate such a designation. The lawmakers are co-chairs of the California Aerospace Caucus. There’s no indication the bill will become law anytime soon, but it sets down a marker that Congress is interested in the issue.
The government is also taking cyberthreats to space more seriously. About nine months after establishing the Space Force, President Donald Trump signed an order directing the government to work with the space industry to develop cybersecurity best practices.
The Intelligence and National Security Alliance, a trade group filled with former national security officials, put out a white paper this month urging the designation.
From the white paper: “Designation would … make clear to U.S. adversaries that the United States is committed to defending its space infrastructure, contribute to the establishment of global norms regarding the safety and security of space systems, and accelerate development of best practices and technologies for ensuring space security and resilience.”
There are some big roadblocks, too.
National Cyber Director Chris Inglis isn’t keen on the idea, ReadMe’s Shaun Waterman reports.
- A lot of space systems are already part of other critical infrastructure sectors, such as information technology and the defense industrial base.
- Using critical infrastructure sectors to assess risks started soon after the Sept. 11, 2001, terrorist attacks and has proved unwieldy as cyberthreats have proliferated. The Biden administration has been working toward a more nuanced system that identifies particular functions and systems as critical rather than whole industry sectors. One version of that effort focuses on 55 “critical functions.”
- Government is also struggling to improve protections for existing critical infrastructure sectors, many of which have been bombarded with ransomware attacks.
“Risk does not neatly align to sector boundaries,” Inglis told ReadMe. “So we’re going to walk, not so much away from the critical sectors, but towards this idea that what we’re really interested in is the threats that cut across those.”
Supporters, however, say space deserves special treatment because it affects so many other vital industries.
Here’s John Galer, assistant vice president for national security space at the Aerospace Industry Association and another panelist at the Aspen summit: “There are 55 national critical functions and space either has dependencies or uses in all those things. … Absent the critical infrastructure designation, whether that happens or not, we've got a challenge here and we have to get after it.”
There’s about $2 billion in cyber funding in the infrastructure bill
The funding is almost certainly the biggest-ever government investment in cybersecurity.
The biggest ticket item: $1 billion in cyberdefense grants for state and local governments that have been battered by ransomware and other cyberattacks.
The House passed the $1 trillion bipartisan bill Friday, sending it to the White House for Biden’s signature. The Senate had passed the bill in August, but it stalled in the House amid Democratic infighting.
The bill also includes:
- $100 million for the Department of Homeland Security to help groups responding to major hacks
- $21 million for National Cyber Director Chris Inglis’s office
Waiting in the wings: Democrats are still battling over a $1.75 trillion social spending bill that has around $500 million in cybersecurity funding. That bill has support from most Democrats, but Sen. Joe Manchin (D-W.V.) is stalling action in the Senate over concerns it hasn't been sufficiently thought through and could damage the economy. The House could take up the measure next week.
Israel’s foreign minister distanced the government from NSO Group
The U.S. Commerce Department action, which has restricted exports to the spyware company, “has nothing to do with the policies of the Israeli government,” Foreign Minister Yair Lapid said. Lapid’s comments were the first by a top Israeli government official since the U.S. government added NSO Group to its “entity list,” Reuters’s Maayan Lubell reports.
NSO critics argue that the company would not have been able to operate without at least tacit approval by Israel’s government. The Washington Post and 16 media partners found Pegasus was routinely used to target journalists and human rights activists.
Lapid sought to portray Israel as a leader in regulating hacking technology. “I don't think there is another country in the world which has such strict rules according to cyberwarfare and that is imposing those rules more than Israel and we will continue to do so,” he said.
SolarWinds faces a new investor lawsuit over Russian cyberattack
The lawsuit “appears to be the first based on records shareholders demanded from the company” in the wake of a cyberattack that spread to multiple companies and government agencies, Reuters’s Jody Godoy reports. SolarWinds investors filed the lawsuit in Delaware state court.
Government officials attributed the SolarWinds hack to Russia’s foreign intelligence service. The White House called the scale of the breach a “national security and public safety concern.”
A SolarWinds spokesperson declined to comment on the lawsuit to Reuters but said the company is focused on “deepening” its relationships with customers.
Investors have also sued SolarWinds in federal court. The company has sought to dismiss that suit.
Federal agencies are expected to fall short of meeting a big provision in Biden’s cybersecurity executive order
The order gave agencies until today to boost their encryption and set up multi-factor authentication, CyberScoop’s Tim Starks reports. It’s widely presumed many agencies will fall short of the goal, largely because of the difficulty in implementing the technology across so many systems.
It's not clear how many systems still lack such protections. Agencies will have to send the White House formal explanations for the shortfalls.
The White House has touted the measures as key to preventing many cyberattacks from being successful. Multi-factor authentication alone would prevent 80 percent to 90 percent of successful cyberattacks, according to deputy national security adviser Anne Neuberger.
China-linked hackers breached at least nine organizations this autumn
The victims were in the technology, defense, health-care, energy and education industries, researchers from Palo Alto Networks’s Unit 42 said.
Some of the techniques used by the group have also been used by Chinese government-linked hacking groups dubbed Emissary Panda and APT27, the researchers said. But the researchers didn’t directly link the group to the Chinese government and said they’re still in the process of working on attributing the group.
The National Security Agency and Cybersecurity and Information Security Agency are also tracking the threat, CNN’s Sean Lyngaas reports.
A hacker stole $55 million from a cryptocurrency site
It’s one of the largest thefts of cryptocurrency this year, The Record’s Catalin Cimpanu reports. The hacker was able to steal the funds from the decentralized finance company bZx by sending a phishing email to a personal email address belonging to one of its employees, the site said.
The company put out a message on Twitter:
“...for everyone. This is not about one project against another. It's about crypto in general against the rest of the world. Any failure goes to the expense of the entire crypto community. Let's stand together and show the world that we are capable of shaping the future.”
bZx - Fulcrum & Torque (on ETH/BSC/Polygon) (@bZxHQ), November 6, 2021
- Former NSA director Keith Alexander discusses cyberthreats at a Washington Post Live event today at 9 a.m.
- Palo Alto Networks chief cloud security officer Matt Chiodi discusses cloud supply chain cyberattacks at a Cyber Threat Alliance event on Nov. 9 at 2 p.m.
- Former undersecretary of defense Michele Flournoy, former Google CEO Eric Schmidt and Shield AI co-founder Brandon Tseng discuss the U.S. military's digital transformation at a Washington Post Live event on Thursday at noon.
Secure log off
“Ah, when to the heart of man / Was it ever less than a treason / To go with the drift of things, / To yield with a grace to reason, / And bow and accept the end / Of a love or a season?” Thanks for reading. See you tomorrow.