Welcome to The Cybersecurity 202! I've been enjoying Fresh Air's three-part retrospective on the late Stephen Sondheim. Check it out here.
That’s a nearly resounding endorsement for the biggest expansion of government cyber requirements for industry in years. It's effectively a vote of no confidence in the government's years-long effort to get companies to share such information voluntarily.
Context: The legislative effort comes amid a series of battering ransomware attacks that have threatened to throttle gas supplies and otherwise upend daily life. The new requirements may nevertheless fail to become law as lawmakers squabble over details and struggle to insert them into a must-pass defense policy bill.
The bottom line
Unless industry starts sharing more information about hacking threats with government, criminal hackers and those backed by adversary governments will always have the upper hand, many of the professionals said.
“If we don't know how our most critical industries are vulnerable, we are always going to be one step behind the bad guys,” said Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub and a former Homeland Security Department cybersecurity official.
“We've had this debate for over a decade now. The stakes are beyond clear, the benefit wide and the burden not onerous. It is long past overdue,” said Peter Singer, a fellow at the New America think tank.
Some experts argued that the current system in which industry voluntarily reports hacks to government simply isn’t working.
Tatyana Bolton, a former official with the Cybersecurity and Infrastructure Security Agency, put it this way: “We have tried for years to do reporting voluntarily. For all those years, voluntary reporting has failed.”
Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, agreed: “For years, we have relied on critical infrastructure operators to voluntarily improve their cybersecurity and share information with the government. That approach has failed.”
Other experts argued that government is effectively hobbled in making cyber policy because it doesn’t understand the scope or nature of the threats facing industry. Mandating hacking reports would be the first step to changing that, they said.
“How can you regulate a sector if you don’t know how big the problem is?” asked Jeff Moss, founder of the Black Hat cybersecurity conference.
Josephine Wolff, an assistant professor of cybersecurity policy at Tufts University, called it “truly absurd … that there remains so little mandatory reporting of cybersecurity incidents. … That lack of information about the frequency, scale and nature of cyberattacks has been a huge obstacle to making significant, systematic progress in protecting against similar incidents.”
Even some supporters of the reporting mandates warned they could come with complications.
- Government will have to be careful about specifying what kind of cyber incident should trigger a warning, so they don’t end up with a deluge of reports that drown out useful information, warned Elizabeth Wharton, vice president for operations at the cybersecurity firm SCYTHE. “We need a common definition for ‘incident’ and to determine how far down the supply chain [an incident] should require reporting,” she said.
- Tight reporting timeframes may also produce difficulties, warned Luta Security CEO Katie Moussouris. Senators are pushing for companies to report incidents within 72 hours, but the government has imposed 24-hour timeframes on some industries. “Smaller organizations will struggle to comply within the timeframes,” she said. “Larger organizations may struggle to comply based on complexity of the investigation.”
A handful of experts opposed the reporting mandates.
Cindy Cohn, executive director of the Electronic Frontier Foundation, warned the notifications could end up violating the privacy of hacked companies’ customers. “We definitely need more accountability for security problems — I just do not agree that required governmental notification is the right step,” she said.
Jamil Jaffer, senior vice president at IronNet Cybersecurity, argued the mandates will “just make companies call their lawyers and limit the information they provide.”
“The government should instead incentivize companies to broadly share cyber threat information before the damage is done, creating a more robust collective defense capability and helping us get ahead of key threats,” he said.
More responses to our Network survey:
(All respondents listed here answered yes)
“To ensure that the information that is reported is in fact used effectively, the government should also establish a bureau of cyber statistics to analyze the data and provide actionable information to the public, business, and domestic and allied government entities.” — Suzanne Spaulding, who led DHS cyber operations during the Obama administration
“It is like reporting a chemical spill if you manufacture hazardous materials. Your breach has a public health (read broad) impact.” — Bruce McConnell, a former top DHS cybersecurity official
“The purpose of the notification should be to ensure other companies are aware and can do their own investigation to mitigate broader impact. ... If the notification is simply a hammer for the government to beat up victims a second time it will be incredibly unpopular.” — Mark Weatherford, a former top DHS cybersecurity official
“Too many companies have covered up major information security breaches to allow private industry to self-regulate on this issue.” — Tor Ekeland, a lawyer who represents hackers
“Of all the regulatory proposals, this is the one to which there is no reasonable counterargument.” — Ciaran Martin, the former CEO of the U.K. National Cyber Security Centre
Biden and Putin are set to discuss cyber issues Tuesday
Cybersecurity is on a list of issues the leaders will discuss on a video call, the Associated Press’s Dasha Litvinova, Aamer Madhani and Colleen Long report. It comes days after our colleagues reported on a U.S. intelligence warning that Russia is planning a military offensive on Ukraine involving as many as 175,000 troops.
The leaders’ last known call in July was centered around ransomware and cybersecurity. Biden threatened consequences if Russian President Vladimir Putin failed to disrupt ransomware groups operating from Russian territory, my colleagues Ellen Nakashima and Eugene Scott reported. That echoed a similar warning Biden delivered to Putin in person three weeks earlier.
At the time, Biden said he was “optimistic.” But in the months since that call, CISA Director Jen Easterly and other U.S. officials have said they haven’t seen significant decreases in cyberattacks from Russia.
Apple told 11 U.S. Embassy employees that their iPhones were hacked by NSO Group’s Pegasus spyware
The hacked devices were concentrated at the U.S. Embassy in Kampala, Uganda, my colleagues Craig Timberg, Drew Harwell and Ellen Nakashima report, citing people familiar with Apple’s notifications. This marks the first confirmed cases of Pegasus spyware targeting U.S. officials. They come as the Biden administration ramps up its pressure on NSO and other firms that specialize in cybersurveillance.
NSO has said U.S.-based phone numbers can’t be targeted by Pegasus. However, embassy officials with foreign phone numbers have been at risk, an investigation earlier this year by The Washington Post and 16 news organizations found. It’s not clear whether the diplomats who were hacked had phone numbers based in the United States or abroad.
“We have been acutely concerned that commercial spyware like NSO Group’s software poses a serious counterintelligence and security risk to U.S. personnel, which is one of the reasons the Biden-Harris Administration has placed several companies involved in the development and proliferation of these tools on the Department of Commerce’s Entity List,” the National Security Council said. NSO Group was among the companies the Biden administration added to that blacklist.
U.S. military has “taken actions” against ransomware groups, top official says
The comments by Gen. Paul M. Nakasone are the first public acknowledgment that the U.S. government has gone on the offensive to disrupt criminal ransomware groups operating abroad, the New York Times’s Julian E. Barnes reports. Nakasone is director of the National Security Agency and leads U.S. Cyber Command.
Nakasone did not describe the offensive measures or disrupted groups. The U.S. military’s major goal is to “impose costs” on the groups, making it more difficult for them to go after U.S. targets, he said. Nakasone’s comments come a month after our colleagues reported on bold operations by Cybercom and a foreign government against the ransomware gang REvil, which had targeted meat processing giant JBS and IT firm Kaseya.
The White House is eyeing a plan to boost cybersecurity of water companies
The administration is considering adding the water sector to a voluntary initiative to boost the cybersecurity of critical sectors, the Wall Street Journal’s David Uberti reports. The move comes amid deep concern about the damage hackers could do to critical infrastructure, with an attack that damages or contaminates water supplies being extremely dangerous.
The National Security Council floated the plan last month, Michael Arceneaux, the managing director of the industry cybersecurity nonprofit WaterISAC, told Uberti.
Water utilities are especially vulnerable because their cybersecurity often depends on the resources of their jurisdictions. In October, U.S. agencies highlighted cyberattacks on the water sector in a cybersecurity alert. That came months after a hacker tried to poison the water supply of Oldsmar, Fla., in a breach detected by a plant operator.
- Jennifer Ewbank, the CIA’s deputy director for digital innovation, discusses the intelligence agency’s cybersecurity innovations at a Billington Cybersecurity event on Thursday at 9 a.m.
- Assistant Secretary of Defense Mara Karlin discusses the upcoming national defense strategy at a Center for a New American Security event on Thursday at 2 p.m.
- Morgan Adamski, who leads the NSA's Cybersecurity Collaboration Center, discusses industry collaboration at an event hosted by Intelligence and National Security Alliance and the Fort Meade Alliance on Thursday at 4 p.m.
Secure log off
“Look, I made a hat.” Thanks for reading. See you tomorrow.