The Washington Post
Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Rail and air have new cyber requirements -- but they're minor

Welcome to The Cybersecurity 202! Somehow yesterday was one of the most 202 days of the year and The Cybersecurity 202 failed to note it. It was a palindrome day to boot. My apologies. 

Below: Missouri's governor thwarted the education department's intention of thanking a reporter for alerting it to a website bug, and Georgia election officials are suing a far-right conspiracy site.

The administration stopped short of mandating specific cyber standards for rail and air

The Biden administration made another move toward securing critical industries against cyberattacks yesterday. 

But it's a baby step.

The Department of Homeland Security’s new rules require most freight and passenger rail operators and larger airports and airlines to designate a cyber point person, assess their cyber vulnerabilities and write an incident response plan for when they get hacked. 

They must also notify the Cybersecurity and Infrastructure Security Agency within 24 hours if they suffer a cyber incident. DHS Secretary Alejandro Mayorkas first floated the new rules in October. 

Here’s what’s not in the new rules: Any requirements to implement specific cyber protections or to meet basic standards. 

Not enough?

Without more stringent cyber requirements, most experts say it’s unlikely critical industries will be able to fend off a wave of damaging ransomware attacks that are increasingly threatening national security and the economy. 

“I think this is a good set of things to start with as long as they don’t stop here,” Phil Reitinger, a former top DHS cyber official who now leads the Global Cyber Alliance, told me. “If DHS doesn’t go beyond this, then some criticism will be justified. But I have no reason to believe this is anything other than a super good first step.”

The administration does seem interested in going further.

Here’s what a senior DHS official told reporters: “The requirements that we've gone out with at this point, we feel, are very much baseline requirements that industry should be doing anyway as a matter of best practice and cyber hygiene. … We thought it was important to go out and establish that baseline now, and we will continue to evaluate going forward, necessary and appropriate next steps.”

DHS didn’t respond to a request for comment about what those next steps might be and how soon they might come.

Doing hard stuff

But complications could lie ahead

  • The one industry on which DHS has imposed significant cyber requirements in recent months is pipelines, after the Colonial Pipeline ransomware attack threatened to disrupt U.S. gas supplies. Those rules drew criticism from some industry experts who said they were overly prescriptive and didn’t take into account industry-specific cyber concerns.
  • There’s also been pushback from Republican lawmakers who say the government hasn’t done enough homework to impose cyber regulations smartly. Those lawmakers generally support legislative proposals that would mandate companies in critical industry sectors alert the government when they’re hacked, but are more skeptical about the government dictating how those companies secure themselves.

Even cyber experts who support more stringent rules warn against going too quickly. 

More from Reitinger: “There’s huge urgency here, but urgency can’t trump rational steps. I get taking baby steps with these sectors. This is a crawl, walk, run, so I’m happy to see a crawl rather than a run and fall in a pit.”

Railroad operators pushed back on the comparatively meager new rules when Mayorkas first floated them. Officials with the Association of American Railroads (AAR) argued they were already doing most of what the government asked for and said DHS sprung the proposal on them with little notice.

The association took a more measured tone when the final rules came down yesterday, noting it had engaged in “productive consultations” with government officials to revise some details that would have made implementing the rules difficult. 

“Let there be no mistake — railroads take these threats seriously and value our productive work with government partners to keep the network safe,” AAR President and CEO Ian Jefferies said.

Context matters

If the pace of imposing new cyber regulations seems slow, it’s still a leap from previous years

Before the recent wave of ransomware attacks, cyber officials were wary of imposing any mandates on industry at all, and industry leaders typically argued cyber threats moved too fast for government to regulate effectively.

That notion is slowly changing, with experts pointing to a handful of practices that are highly effective at preventing hacking across most industries.

Reitinger pointed to a series of cyber requirements CISA has imposed on government agencies in recent years, saying most of them would translate effectively to industry. Examples include adopting technology that makes it harder to spoof emails from the organization and making it easier for security researchers to alert the organization about cyber vulnerabilities in public-facing websites. 

“It’s not ridiculous to say that every critical infrastructure sector should be doing what the federal government requires of the post office,” he said. 

The keys

Missouri was going to thank a reporter but the governor called him a ‘hacker’ instead

Missouri’s Department of Elementary and Secondary Education initially planned to thank the reporter who discovered and responsibly disclosed a vulnerability in a government website that exposed Social Security numbers of teachers, the St. Louis Post-Dispatch’s Jack Suntrup reports.

But Missouri Gov. Mike Parson’s (R) office took a different tack, referring the case to prosecutors and describing the reporter as a hacker in a news release. An investigation of the case by the Missouri State Highway Patrol is ongoing. 

Context: The reporter followed what cyber experts consider best practices by alerting the government to the vulnerability and making sure it was fixed before reporting anything publicly. If he hadn't alerted the education department, as the governor's office seems to prefer, that would have left the teachers' personal information vulnerable to theft by malicious hackers. 

Two Georgia election workers sued far-right conspiracy site Gateway Pundit

Video pushed by President Trump fails to support the claims of voter fraud it alleges happened on Election Day in Fulton County, Ga. (Video: Adriana Usero/The Washington Post)

The case stems from a misleading video that a volunteer Trump campaign attorney presented at a December hearing. They falsely claimed it showed election officials, including one of the plaintiffs, Ruby Freeman, manipulating votes.

In their defamation lawsuit, Freeman and her daughter, Shaye Moss, argue that Gateway Pundit knowingly published false stories that “have not only devastated their personal and professional reputations but instigated a deluge of intimidation, harassment and threats that has forced them to change their phone numbers, delete their online accounts and fear for their physical safety,” Felicia Sonmez reports.

At one point, Freeman had to leave her home for two months at the advice of the FBI, the lawsuit states.

The suit does not name former president Donald Trump, who later used the video to argue that there was election fraud. But it does note that Trump called Freeman “a professional vote scammer” and “hustler” in a Jan. 2 call where he pressured Georgia Secretary of State Brad Raffensperger to overturn his defeat.

There is no evidence that widespread fraud occurred in the 2020 election. 

The Biden administration plans to work with allies to restrict export of surveillance tools to authoritarian governments

The nations will work together to “establish a code of conduct for coordinating export-licensing policies,” the Wall Street Journal’s Yuka Hayashi and Alex Leary write. They will also share information on technologies used to target journalists, dissidents and activists.

“The technologies to be covered by the new initiative will be similar to those already targeted by domestic U.S. policies linked to sensitive technologies that are used for legitimate law-enforcement and intelligence operations but are also increasingly deployed by nondemocratic actors,” Hayashi and Leary write.

The Biden administration will formally announce the initiative at a virtual Summit for Democracy that it’s hosting next week. China and Russia aren’t invited.

Hill happenings

Another government shutdown averted, but the cyber damage is still mounting

Lawmakers cut a last-minute deal to avert a government shutdown last night after Republicans had threatened to withhold funding to kill Biden's coronavirus vaccine mandates. The move prevented a near-disaster for government cyber protections, which would have seen nearly 84 percent of CISA's 2,400-person workforce furloughed.

There would have been similar furloughs among civilian cyber workers across the government, as I wrote in September.

But even shutdowns that don't happen can damage the government's cyber posture. The image of an institution veering from crisis to crisis in which workers can't count on a steady paycheck is also sure to hurt the government's ability to compete with the private sector for top-tier cyber talent. 

Global cyberspace

Suspected Chinese hackers breach more US defense and tech firms (CNN)

Israeli spyware maker NSO's new secret op (Haaretz)

Australia passes bill allowing it to impose sanctions for cyber-attacks (The Record)

Cyber insecurity

Hackers steal $120 million from Badger DeFi platform (The Record)

Hackers are spamming businesses’ receipt printers with ‘antiwork’ manifestos (Motherboard)

Encryption wars

A peek inside Anom, the phone company secretly used in an FBI honeypot (Motherboard)

Securing the ballot

Sidney Powell, team ordered to pay $175,250 in fees for Michigan election case (The Detroit News)

National security watch

The US crackdown on Chinese economic espionage is a mess. We have the data to show it. (MIT Technology Review)

Industry report

Facebook will force more at-risk accounts to use two-factor (Wired)

Government scan

Federal watchdog warns security of US infrastructure 'in jeopardy' without action (The Hill)


  • Michele Markoff, the State Department's deputy coordinator for cyber issues, and Andrey Krutskikh, who leads the Russian foreign ministry’s international information security department, speak at a United Nations Institute for Disarmament Research conference today at 11 a.m.
  • Robert Cardillo, the former director of the National Geospatial-Intelligence Agency, speaks at a Center for Strategic and International Studies event on open-source intelligence today at 2 p.m.
  • NATO Assistant Secretary General for Emerging Security Challenges David van Weel discusses artificial intelligence cooperation at an American Enterprise Institute event on Dec. 7 at 9:30 a.m.
  • The House Energy and Commerce Committee holds a hearing on pipeline security and reliability on Dec. 7 at 10:30 a.m.
  • Victoria Nuland, a top State Department official, testifies on U.S.-Russia relations at a Senate Foreign Relations Committee hearing on Dec. 7 at 2:30 p.m.
  • Jennifer Ewbank, the CIA’s deputy director for digital innovation, discusses the intelligence agency’s cybersecurity innovations at a Billington Cybersecurity event on Dec. 9 at 9 a.m.
  • Michael Morell, the former deputy director of the CIA, discusses Asia and the Korean Peninsula at a Center for Strategic and International Studies event on Dec. 9 at 9:30 a.m.
  • Assistant Secretary of Defense Mara Karlin discusses the upcoming national defense strategy at a Center for a New American Security event on Dec. 9 at 2 p.m.

Secure log off

Egad, a base life defiles a bad age. Thanks for reading. See you Monday.