Welcome to The Cybersecurity 202! Does the 202 crew have some delightful cats or what?

Below: The FBI doesn't want to be shut out of mandatory hacking alerts, and researchers released a slew of new findings at the CYBERWARCON conference.

Sacking a top cyber official didn't give Trump what he wanted

One year ago today, President Donald Trump blasted out a bombshell tweet firing Chris Krebs, the head of a minor federal agency that was defending the integrity of an election Trump claimed was rigged. 

With a year of hindsight, it’s clear Trump’s action backfired.

The Cybersecurity and Infrastructure Security Agency never reversed its position that the 2020 election was the most secure in history. Nor did it take down a rumor control page that had drawn the president’s ire because it knocked back many of the phony election conspiracy theories he’d embraced. 

And one year later, the agency has grown immensely in stature and importance, guiding the government through a string of cyber crises, including a wave of ransomware attacks that have threatened the economy and national security. 

CISA has strong support from both parties. There’s even a bipartisan bill aimed at shielding the agency from similar political interventions by giving the director a five-year term.  

Stronger CISA

Krebs’s firing was undoubtedly traumatic for CISA employees who had to soldier on without their leader and amid fear of political retribution from the White House. After Krebs’s high-profile ouster, several CISA political appointees were terminated more quietly in the succeeding days. 

But in the following months it became a galvanizing event, agency insiders and observers say. 

“It steeled our resolve. We saw what happened to Chris. We doubled down on the work and supporting election officials,” Matt Masterson, who was CISA’s senior adviser for election security at the time, told me. 

“It was something people could point to and say ‘we did a great job under tremendous pressure and this agency stood up for what was right,’” Phil Reitinger, a former DHS cybersecurity official during the Obama administration, told me. 

Reitinger, who now leads the Global Cyber Alliance, compared it to the Saturday Night Massacre in which a series of Justice Department officials resigned rather than fire Watergate special prosecutor Archibald Cox, thus paving the way for President Richard Nixon’s resignation. The events have become a symbol of pride for the agency for resisting political interference in its work. 

“Ultimately it gave CISA much more prominence. It’s seen as a more important and influential organization,” he said. 

‘Fired by tweet’

Krebs has fared well since the firing.

He was a brief media celebrity, appearing on “60 Minutes” and “The Late Show with Stephen Colbert” in the weeks between his firing and President Biden’s inauguration. That gave added prominence to CISA’s work and gave him a larger platform to debunk false claims of election interference. 

“As Krebs stayed in the spotlight, as he continued to talk about the importance of election security, CISA became a household name, which was what Krebs was trying to do the entire time he was there,” Tatyana Bolton, a former CISA official, told me. “It elevated his voice and that’s a little ironic. It’s certainly not what Trump intended.” 

Bolton was cyber policy lead in CISA’s Office of Strategy, Policy, and Plans during the Trump administration, but at the point Krebs was fired, she was temporarily assigned to serve on the Cyberspace Solarium Commission. She’s now policy director for R Street Institute’s Cybersecurity and Emerging Threats team.

Krebs continues to speak regularly about election security and misinformation and co-chaired an Aspen Institute panel on information disorder. He runs a consulting group with former Facebook chief security officer Alex Stamos.

Cybersecurity pros commemorated the anniversary at the CYBERWARCON conference in Washington yesterday by presenting him with a jacket that read “Fired by tweet” on the back. 

Kumbaya

Finally, the firing solidified the bond between CISA and state and local election officials of both parties.

That relationship started off very rocky after the 2016 election when the Department of Homeland Security expanded the federal role in securing elections despite the unanimous objection of state election officials who feared a federal power grab. 

It improved over the years as CISA demonstrated a nonpartisan commitment to ensuring elections were run safely and securely. The agency endorsed increasing mail voting during the pandemic, for example, even as Trump was sowing distrust in the system. 

“Krebs standing up for the integrity of the election despite potential personal consequences including losing his job I think fits perfectly with the ethos of election officials,” Noah Praetz, a former election official who consults on election security with state and local governments and CISA, told me. 

The keys

The FBI wants to be included in mandatory cyber incident reporting legislation

The House and Senate are both considering bills requiring critical infrastructure owners and operators to report major hacks to CISA but with no explicit reporting requirement to the FBI. FBI Assistant Director Bryan Vorndran criticized that model during a hearing Tuesday, Politico’s Betsy Woodruff Swan and Eric Geller report. Excluding the FBI from that process would be akin to benching a top athlete “in the first quarter of the Super Bowl,” Vorndran told the House Oversight Committee: 

“Cyber is the team sport, and the Department of Justice and the FBI are a key player,” Vorndran told the committee in his written testimony. “It is time for legislation to reflect this reality.”

The criticism reflects years of jockeying over which government agency should take the lead on cyber matters — one that's intensified as cyber threats have grown more severe and as CISA has grown in prominence. 

It comes as lawmakers are pushing to include a version of the cyber incident reporting requirement in a massive defense policy bill:

  • The House has already passed its version of the National Defense Authorization Act, which includes the reporting provision.
  • Senators have proposed adding similar language to their version of the bill, which the full Senate has yet to vote on.

Researchers unveiled a slew of new findings at CYBERWARCON

The one-day annual conference in Washington, D.C., has become a prime venue for revealing major new findings. Here's some of the most eye-catching research:

  • Mandiant formally linked the Ghostwriter disinformation operation to Belarus’s government. Ghostwriter spread disruptive narratives across Eastern Europe and in Germany, researchers say. Germany’s government previously attributed Ghostwriter to Russia’s military intelligence service after the group targeted German politicians ahead of elections this year.
  • Hackers linked with the Israeli spyware firm Candiru put malicious software on a Middle East news website and sites belonging to regional governments, ESET researchers found. The Biden administration recently sanctioned Candiru and another Israeli firm, NSO Group, after finding that their sales of hacking tools let authoritarian governments target dissidents, journalists and activists. 
  • Researchers at Microsoft published new information about Iranian ransomware groups. The groups use aggressive tactics like trying to force their way onto victim networks, the researchers said.

Hackers in Pakistan set up fake profiles and a fake app store to target Afghan government-linked officials

The campaign targeted people “with links to the Afghan government, military and law enforcement in Kabul,” researchers from Facebook parent Meta said. The campaign ramped up in the months before the U.S. military’s withdrawal from the country, the researchers said.

The hackers tried to attract their targets with romance. They set up accounts posing as young women, using “romantic lures” that tried to trick their targets into clicking links that would steal their information or download fake apps, the report said. 

A Pakistan-based hacking group called SideCopy was behind the campaign, Meta said. In its operations, SideCopy has used techniques similar to a Pakistan government-linked hacking group. SideCopy has not been definitively linked to Pakistan’s government.

Chat room

As if we need another anniversary, yesterday was CISA’s third anniversary as a federal agency. It was formed out of the National Protection and Programs Directorate, which had existed for roughly a decade at that point. 

Privacy patch

Inside the world of burner accounts

“Fake names and throwaway phones used to be the stuff of spies. Now, they’re for everyone, thanks to concerns about digital surveillance,” our colleague Tatum Hunter writes, rounding up all of the burner options.

The Washington Post's Tatum Hunter shows how tools thieves used to hide from the law can help you protect your privacy, money and data from being stolen. (Jonathan Baran/The Washington Post)

On the move

  • MITRE’s board of trustees has selected former House Intelligence Committee chairman Mike Rogers (R-Mich.) to be its chairman.
  • President Biden nominated Sharon Bradford Franklin, the co-director of the Center for Democracy and Technology’s Security and Surveillance Project, to chair the Privacy and Civil Liberties Oversight Board. Biden nominated former assistant attorney general Beth Williams to be a member of the board.
  • Former U.K. National Cyber Security Center CEO Ciaran Martin; retired vice admiral TJ White, who led U.S. Fleet Cyber Command/U.S. 10th Fleet; former NASA chief information officer Renee P. Wynn; and former Schlumberger chief security officer Mario Chiock are joining Palo Alto Networks’s Public Sector Advisory Council.

Daybook

  • The House Homeland Security Committee hosts a hearing on the Department of Homeland Security’s role in combating ransomware on Wednesday at 10 a.m.
  • House Intelligence Committee Chairman Adam B. Schiff (D-Calif.) and former Facebook executive Katie Harbath discuss social media misinformation at a Washington Post Live event on Wednesday at 4:30 p.m.
  • National Cyber Director Chris Inglis, Deputy Assistant Secretary of Defense Mieke Eoyang, Member of the European Parliament Bart Groothuis and Rep. Jim Langevin (D-R.I.) speak at the CyberNextDC conference on Thursday.
  • CISA Director Jen Easterly; Gen. Paul M. Nakasone, who leads the National Security Agency and U.S. Cyber Command; Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) and Federal Chief Information Security Officer Chris DeRusha speak at Palo Alto Networks’s Public Sector Ignite ‘21 conference on Thursday.
  • Mayorkas, European Commissioner for Home Affairs Ylva Johansson, Europol Executive Director Catherine De Bolle and Jeremy C. Sheridan, the assistant director of the Secret Service’s investigations office, discuss E.U.-U.S. ransomware cooperation at an event hosted by the German Marshall Fund of the United States on Thursday at 11 a.m.
  • Suresh Venkatasubramanian, the White House Office of Science and Technology Policy’s assistant director of science and justice, speaks at a New America event on an AI Bill of Rights on Thursday at 2 p.m.

Secure log off

Thanks for reading. See you tomorrow.