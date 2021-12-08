Congress has nixed major new cyber regs
Expansive new cyber reporting requirements now appear dead in Congress.
Congress has cut requirements for companies to share cyber threat information with the government from its must-pass defense bill, which passed the House last night and is expected to pass the Senate shortly.
The failure of such a popular and bipartisan effort – which would have marked the largest expansion of government involvement in private-sector cybersecurity in years – raises questions about whether Congress is up to the task of responding to a wave of ransomware and other attacks that have battered industry in recent years.
- It would have required companies in critical industry sectors such as energy and transportation to alert the Cybersecurity and Infrastructure Security Agency whenever they’re hacked or hit with other significant cyber incidents.
- It would have required disclosures from a far broader group of companies if they paid ransoms to hackers.
But the measure also looked meager given the hacking threats facing industry.
More than 90 percent of cyber experts and current and former officials supported the changes in a recent Cybersecurity 202 poll. The government has already imposed far more stringent cyber requirements on several key industry sectors in just the past few months.
“This result is beyond disappointing and undermines national security,” said House Homeland Security Chairman Bennie G. Thompson (D-Miss.) and Rep. Yvette Clarke (D-N.Y.), chair of the committee’s cyber panel and a sponsor of the House version of the bill.
Details
The dispute centered on the ransomware provision, which Sen. Rick Scott (R-Fla.) considered too broad, Senate aides told me. Scott wanted to substitute a provision that would have limited ransomware reports to just critical infrastructure — that’s a group of 16 industry sectors that includes financial services, health care and chemical facilities among others.
The fight over the provision lasted so long that by the time they’d reached a compromise, House and Senate negotiators who were putting together the final bill ended up leaving it out entirely, as Tim Starks reports for CyberScoop.
The fine print
Because of some peculiarities about how the bill came together this year, lawmakers could still try to add amendments in the Senate, including the cyber reporting provisions. But leaders of the House and Senate Armed Services Committees are begging them not to out of fear one or more of those amendments will prevent the bill from passing entirely.
If that happens, it would mark the first time in more than five decades Congress has failed to pass the bill, known as the National Defense Authorization Act.
The blame game: Thompson and Clarke laid the blame for the provision being cut at the feet of Senate Republican leaders, as did Senate Homeland Security Chairman Gary Peters (D-Mich.).
“I am disappointed Senate Republican leaders blocked these common sense provisions that have broad bipartisan support — including from the bipartisan leaders of the Senate Homeland Security and Intelligence Committees,” Peters said. “Cyberattacks, including ransomware attacks, are one of the greatest threats to our national and economic security.”
An aide for Scott told The Hill’s Maggie Miller that Scott was disappointed the full provision got left out of the NDAA and that he’d only wanted to limit its scope. He denied Republicans were to blame.
The provision had two main goals.
- It would have allowed CISA to cull information from industry hacking reports and share back relevant details to make other companies more secure.
- It also would have given the agency a far clearer picture about the scope of the ransomware threat targeting everything from schools and small businesses to major pipelines and meat processors. Because there’s no obligation for companies to disclose many ransomware attacks, officials say they likely know about only a fraction of the problem.
In the absence of its passage, CISA will remain at least partly in the dark.
“This flies in the face of every responsible [lawmaker] saying in the last year that we’ve got to do something about this,” Mark Montgomery, executive director of the congressionally led Cyberspace Solarium Commission, which recommended the provision, told me.
Montgomery said he’s hopeful the provision will pass in the coming months — possibly as a stand-alone bill or as part of another big legislative package. But with Congress closely divided and gripped by fits of partisan rancor, there may be few opportunities for the measure.
A number of other cyber provisions did make it into the compromise bill. They include provisions that:
- Expand CISA’s capabilities to protect major industrial systems
- Broaden authorities for the National Guard to provide cyber assistance to state and local governments and other critical infrastructure
- Require more regular updates on the government’s cyber incident response plan
Here are some more responses to the cyber reporting provision being scrapped:
Chris Painter, the top cyber diplomat during the Obama administration, called it a triumph “of the untenable status quo.”
The keys
A government auditor raised serious concerns about the National Institutes of Health's cybersecurity
The Government Accountability Office gave NIH hundreds of recommendations to boost the security of its systems, the auditor said in a report. The NIH has played a key role during the U.S. government’s response to the coronavirus pandemic, including in the production of tests and vaccines.
The problems could make key research vulnerable to hackers. “These deficiencies increased the risk that sensitive research and health-related information could be disclosed or disrupted,” GAO said.
Among other things, the auditor called out NIH for:
- Not installing “26 updates since September 2016 on 175 network devices.” That put NIH at an increased risk “that individuals could exploit known vulnerabilities to gain unauthorized access to its computing resources,” the GAO said.
- Not collecting and analyzing incident-related data during two of the 10 most severe cyber incidents in 2018 and 2019. By not taking those steps before fixing and wiping those systems, NIH systems saw a “loss of data and artifacts.” The report didn’t provide more details on those incidents.
- Not having strong password requirements on some systems. Those systems “are at an increased risk of compromise and credential theft,” including from hackers backed by U.S. adversary nations, the GAO said.
In all three cases, NIH told the GAO that it hadn't taken those cybersecurity steps because they would negatively affect "functionality or business needs."
The NIH has already completed around 80 percent of the auditor's cybersecurity recommendations, it said.
Top government cybersecurity officials met with industry leaders in Silicon Valley
Homeland Security Secretary Alejandro Mayorkas, CISA Director Jen Easterly, National Cyber Director Chris Inglis and other officials met with executives from 13 companies on their trip, Politico's Eric Geller reports. Executives from AT&T, Cloudflare, Google, Juniper, Lumen, Mandiant and VMware were among the attendees, Geller reports.
“Monday’s meeting is part of a charm offensive aimed at growing the ranks of the government’s industry allies and improving how efficiently they work together,” he writes.
The government officials used the meeting to get feedback on the Joint Cyber Defense Collaborative, an initiative aiming to boost industry-government cooperation on cybersecurity and get input on “our ideas for the future,” Mayorkas told Geller.
Canadian and U.S. authorities charge alleged cybercriminal over ransomware
Authorities accused Matthew Philbert of working with other cybercriminals to infect businesses and government agencies with ransomware, the Record’s Catalin Cimpanu reports. Among other victims, Philbert targeted an Alaska government computer in April 2018, according to a U.S. indictment. The indictment didn’t name the specific victim, but the charges suggested that it was connected to health care.
Philbert was charged in Canada with fraud and unauthorized computer access. In the United States, he was charged with unauthorized access to computers and conspiracy to commit that offense. U.S. prosecutors last year called him a "well-known if mid-level cybercriminal residing in Canada" in a court filing first spotted by George Washington University Program on Extremism's Seamus Hughes.
President Biden's video call with Russian leader Vladimir Putin yesterday included some talk about ransomware, but the White House was light on details, CNN's Sean Lyngaas reports.
