“Sometimes we put the cart before the horse when we’re talking about implementing regulations at the same time we’re setting up the process for figuring out what the needs are,” Rep. John Katko (R-N.Y.) told me in an interview.
The Transportation Security Administration already imposed new cyber regulations on pipeline operators in the wake of the Colonial Pipeline hack, which briefly disrupted gas supplies. New requirements are in the works for the rail and air sectors as the Biden administration pushes to raise the nation’s cyber posture amid a wave of ransomware attacks.
But those regulations are raising concerns for Katko and other Republicans who fear they’re too quick, too messy and constructed without enough input from industry.
“I definitely appreciate that TSA is attempting to take the cyber threat head on, but we’ve got to do it with careful input from industry stakeholders before any more directives are implemented,” he said.
The big picture: Katko’s words of warning are another sign of trouble for the Biden administration as it struggles to raise cyber defenses across a string of vital industry sectors where companies don’t have sufficient market incentives to improve their own protections and government officials lack the tools to compel them.
If Katko is wary of further cyber regulation, other Republicans are almost certainly out of reach. After all, Katko has been a vocal champion of Biden administration cyber officials including National Cyber Director Chris Inglis and Cybersecurity and Infrastructure Security Agency Director Jen Easterly. He’s also co-sponsored a slew of cyber bills with committee Democrats.
Republicans on the Senate Homeland Security Committee have already criticized the new mandates, warning they could be “unnecessarily burdensome” and “shift resources away from responding to cyberattacks to regulatory compliance.” They’ve asked the Department of Homeland Security inspector general to investigate the pipeline regulation process and whether industry was sufficiently consulted.
What Katko likes
Katko doesn't oppose all new cyber requirements from government.
- He co-sponsored a bill with committee Democrats that would require companies in critical infrastructure sectors to alert the government when they’re hacked. The measure has a high chance of becoming law because versions of it were included in House and Senate drafts of a must-pass defense policy bill.
- Katko is also open to additional requirements that are narrowly tailored to the most critical systems and developed in cooperation with the companies that run those systems, he told me.
- He sponsored a bill with Rep. Abigail Spanberger (D-Va.) that he described as the first step in that process. It would identify “strategically important critical infrastructure” and direct the government to deliver extra cyber aid to the organizations that manage it.
“I think sometimes an incremental approach is better than implementing a broad-based regulatory scheme without getting input from stakeholders,” he said. “My opinion is you’ve got to define the market before you start putting regulations into the market.”
Keeping cyber bipartisan
Katko said he doesn’t want disagreements about regulation to undermine the bipartisanship that has generally separated cyber from other hot button issues like health care and immigration.
“[Cybersecurity] is far too important an issue,” he said. “If we start quibbling over things in the cyber realm, it will be a disservice to the country. So we have to keep having these discussions about the length and breadth of regulation and what it should look like and when it should come.”
Officials inside the Biden administration have also expressed skepticism about shifting from cooperating with companies on cybersecurity to compelling them — even as they've warned compulsion may be necessary in some cases.
Easterly said she doesn’t want CISA to be viewed as a regulator in an interview with Bloomberg Government’s Rebecca Kern. “I think that becoming seen as a regulator fundamentally changes the magic of CISA, which is the collaborative partnerships that make us so effective in the space,” she said.
The keys
The Biden administration is belatedly joining a three-year-old coalition supporting cyber norms
Vice President Harris announced the United States is endorsing the “Paris Call” after meeting with French President Emmanuel Macron. The international pledge generally commits nations and other signatories to combat significant cyberattacks, online intellectual property theft and election interference.
The Trump administration declined to sign the pledge. A State Department official in 2019 said the administration had “significant reservations” about the text and the way it was drafted. Several U.S. states and cities did sign the pledge.
The Biden administration is touting the move as an advance in U.S. cyberdiplomacy. It’s a reflection of the Biden administration’s “priority to renew and strengthen America’s engagement with the international community on cyber issues,” a White House fact sheet states.
Harris’s move was part of a cyberdiplomacy blitz for administration officials. Also this week, Anne Neuberger, the White House's deputy national security adviser for cyber, met with NATO officials in Brussels. She discussed “areas where NATO Allies can work, both independently and collectively, to defend against, deter, and respond to the full spectrum of cyber threats,” the White House said.
A newly discovered group of Russian-speaking cyber mercenaries targeted journalists, activists and politicians
Researchers identified more than 3,500 targets of the Void Balaur cybermercenary group, Trend Micro’s Feike Hacquebord writes. The group advertised sensitive data for sale like Russian phone records, footage from traffic cameras and border crossing data.
“Some of Void Balaur’s campaigns are quite brazen,” Hacquebord writes. In September, the group targeted personal email addresses belonging to the former head of an intelligence agency, two members of an eastern European parliament and five current government ministers. The group also targeted at least 25 journalists and two Belarusian presidential candidates.
The report comes amid increased scrutiny of cybermercenary and private hacking companies by the United States and other governments. On Nov. 3, the Biden administration blacklisted four companies that specialize in hacking tools, including Israel’s NSO Group.
The hackers who breached Robinhood had access to a powerful internal security tool
The tool allows employees of the online investing firm to change users’ security settings, including removing multifactor authentication protections, according to screenshots of the tool provided to Motherboard’s Joseph Cox. That could have made it far easier to take over accounts by removing a step for users to verify that accounts belong to them.
There’s no evidence hackers made any changes to user accounts, Robinhood said. The company told Cox that the tool is a common one among financial institutions.
The breach “highlights the potential risks that hackers can pose beyond simply stealing sensitive data,” Cox writes. “The screenshots of the tool also show buttons for logging a user out of their account, adding a trusted device and blocking certain sessions from accessing the Robinhood account.”
The hackers obtained email addresses of around 5 million Robinhood customers, the company said Monday. Additional personal information of 310 users was exposed, and 10 customers had “more extensive account details revealed,” the company said.
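The controls a practitioner would expect in front of an action like the MFA-removal button described above, shown as an added illustration rather than as Robinhood's tool or anything from Cox's reporting: a privileged support action is only executed when the operator holds the right role, has passed a fresh step-up authentication, and a second, different operator with the same standing approves it, and every attempt is written to an audit trail whether or not it succeeds. The role name `support_admin`, the 300-second step-up window, and the dual-control rule are assumptions chosen for the example; the unguarded function at the top is the shape to avoid.

```python
"""Added example: guarding a support-tool action that can strip a customer's MFA.

Illustrative code, not Robinhood's tool. Role names, the step-up freshness
window and the dual-control requirement are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

STEP_UP_MAX_AGE = 300  # seconds; assumed freshness window for operator step-up auth


@dataclass
class Operator:
    name: str
    roles: frozenset
    step_up_at: Optional[float] = None  # clock reading when step-up auth last passed


@dataclass
class Account:
    user_id: str
    mfa_enabled: bool = True


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, action, actor, approver, target, allowed, reason):
        self.entries.append({
            "action": action, "actor": actor, "approver": approver,
            "target": target, "allowed": allowed, "reason": reason,
        })


def remove_mfa_unguarded(account: Account) -> None:
    """The risky shape: whoever reaches the tool can strip MFA, with no second check."""
    account.mfa_enabled = False


class SupportTool:
    """Hardened gateway: role + fresh step-up + distinct approver + audit on every attempt."""

    def __init__(self, audit: AuditLog, clock):
        self.audit = audit
        self.clock = clock  # callable returning seconds; injected so the demo is deterministic

    def _fresh(self, op: Operator) -> bool:
        return op.step_up_at is not None and self.clock() - op.step_up_at <= STEP_UP_MAX_AGE

    def _authorize(self, actor: Operator, approver: Optional[Operator]):
        if "support_admin" not in actor.roles:
            return False, "actor lacks support_admin role"
        if not self._fresh(actor):
            return False, "actor step-up auth missing or stale"
        if approver is None:
            return False, "second approver required"
        if approver.name == actor.name:
            return False, "approver must differ from actor"
        if "support_admin" not in approver.roles or not self._fresh(approver):
            return False, "approver lacks role or fresh step-up auth"
        return True, "ok"

    def remove_mfa(self, actor: Operator, approver: Optional[Operator], account: Account) -> bool:
        allowed, reason = self._authorize(actor, approver)
        # Record denied attempts too: a string of denials is itself a signal worth alerting on.
        self.audit.record("remove_mfa", actor.name,
                          approver.name if approver else None,
                          account.user_id, allowed, reason)
        if allowed:
            account.mfa_enabled = False
        return allowed


def demo() -> dict:
    """Constructed scenario: three denials, then one dual-controlled success."""
    clock = lambda: 1000.0
    audit = AuditLog()
    tool = SupportTool(audit, clock)
    alice = Operator("alice", frozenset({"support_admin"}), step_up_at=900.0)  # fresh
    bob = Operator("bob", frozenset({"support_admin"}), step_up_at=950.0)      # fresh
    carol = Operator("carol", frozenset({"support_admin"}), step_up_at=100.0)  # stale
    acct = Account("user-42")
    results = {
        "no_approver": tool.remove_mfa(alice, None, acct),
        "self_approval": tool.remove_mfa(alice, alice, acct),
        "stale_approver": tool.remove_mfa(alice, carol, acct),
    }
    results["mfa_still_on_after_denials"] = acct.mfa_enabled
    results["dual_control"] = tool.remove_mfa(alice, bob, acct)
    results["mfa_off_after_approval"] = acct.mfa_enabled
    results["audit_entries"] = len(audit.entries)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the pattern is that a single compromised support session (the situation the breach raises) is not enough on its own to turn off a customer's MFA, and that the attempt leaves a record either way.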
Privacy patch
A data broker shared billions of “highly sensitive” phone location records with the D.C. government
The company Veraset provided the data as part of a free trial, according to internal emails that the Electronic Frontier Foundation (EFF) obtained through a Freedom of Information Act request. Washington D.C. officials reviewed the data but decided not to renew the partnership after the end of the trial, Drew Harwell reports.
D.C. officials had considered using the data to help track coronavirus cases. It did not include personal information like people’s names. EFF researchers didn’t find evidence the data was misused.
Data brokers generally have a bad reputation for collecting data in unscrupulous ways. But they tried to make inroads with government clients during the pandemic.
Daybook
- Former undersecretary of defense Michèle Flournoy, former Google CEO Eric Schmidt and Shield AI co-founder Brandon Tseng discuss the U.S. military's digital transformation at a Washington Post Live event today at noon.
- CISA chief of staff Kiersten Todt speaks at a Charter of Trust event on critical infrastructure resilience on Nov. 15 at 11 a.m.
- The Aspen Institute’s Commission on Information Disorder launches its final set of recommendations for addressing misinformation and disinformation on Nov. 15 at 3 p.m.
- Homeland Security Secretary Alejandro Mayorkas testifies before the Senate Judiciary Committee on Nov. 16 at 10 a.m.
- The House Oversight and Reform Committee holds a hearing on ways to disrupt ransomware groups on Nov. 16 at 10 a.m.
- The House Homeland Security Committee hosts a hearing on the Department of Homeland Security’s role in combating ransomware on Nov. 17 at 10 a.m.
- National Cyber Director Chris Inglis, Deputy Assistant Secretary of Defense Mieke Eoyang, member of the European Parliament Bart Groothuis and House Armed Services Committee cybersecurity subcommittee chairman Rep. Jim Langevin (D-R.I.) speak at the CyberNextDC conference on Nov. 18.
- CISA Director Jen Easterly; Gen. Paul M. Nakasone, who leads the National Security Agency and U.S. Cyber Command; Senate Homeland Security Committee Chairman Gary Peters (D-Mich.); and Federal Chief Information Security Officer Chris DeRusha speak at Palo Alto Networks’s Public Sector Ignite ‘21 conference on Nov. 18.