Welcome to The Cybersecurity 202! I recently learned that the doctor who treated President James Garfield’s gunshot wounds was actually named Doctor. Unfortunately, he wasn't a very good doctor by modern standards.
Federal cybersecurity rules are out of date, lawmakers say
Congress is preparing to overhaul federal cybersecurity rules roughly a year after one of the worst breaches in government history.
That attack, in which Kremlin-backed hackers wormed their way in through the IT supplier SolarWinds and captured reams of data from federal agencies, highlighted the massive growth in the sophistication and danger of cyber threats since federal cyber rules were last updated eight years ago.
The top line: The Federal Information Security Management Act (FISMA), which initially dates to 2002, is too focused on checking boxes and not enough on being nimble about protecting against sophisticated hacking threats.
“[FISMA] is the best defense our federal information networks and supply chains have against cyberattacks. But the reality is that it’s simply not enough to protect us in its current form,” House Oversight Chairwoman Carolyn B. Maloney (D-N.Y.) said during a hearing on the rules yesterday.
“The mounting attacks by China, Russia and other bad actors are constantly changing. They are as dynamic as they are diabolical,” warned Maloney, who’s sponsoring a bill to update FISMA with the committee’s top Republican, Rep. James Comer (Ky.).
Out-of-date
FISMA rules are basically a series of cybersecurity benchmarks that federal agencies are graded against — both in annual reports they produce themselves and by internal watchdogs. Critics say those benchmarks — which agencies often aren’t meeting anyway — are too hidebound and poorly geared to current threats.
A draft version of the House Oversight update and a similar effort in the Senate Homeland Security Committee focus on:
- Pivoting from regular FISMA reports to continuously digitally monitoring for cyber threats
- Mandating higher-level reviews conducted by the Cybersecurity and Infrastructure Security Agency (CISA)
- Being more flexible with smaller agencies that don’t have the resources or know-how to fully defend themselves against sophisticated hackers and need more help from CISA or elsewhere
FISMA rules have also fallen dramatically out of step with the growth of the government’s cyber bureaucracy.
Two of the agencies now most responsible for government cyber protections — CISA and the White House’s national cyber director — didn’t even exist when the rules were last updated in 2014.
But the update is also raising questions about whether Congress has the wherewithal to impose reasonable cyber rules when the pace of new threats so far exceeds the pace of legislation.
“We in Congress have to take responsibility for the fact that, frankly, this is a much-neglected subject,” said Rep. Gerry Connolly (D-Va.), who has sponsored a large share of IT and cyber legislation in recent years. “I don’t think it speaks well about the legislative branch and the priority we put on information technology and its security.”
Rep. Jim Cooper (D-Tenn.) asked a panel of current and former federal IT and cyber officials whether Congress could simply delegate responsibility for keeping government cyber rules up to date, fretting, “I’m worried we will always be late and slow.”
The drawing board
The response from former officials who were witnesses at the hearing: Go ahead and rewrite the rules. But don’t be too prescriptive and make sure the White House can change how rules are implemented as threats evolve.
For example: Grant Schneider, who was the government’s chief information security officer during the Trump administration, urged lawmakers against setting strict guidelines for when a cybersecurity incident at a government agency is bad enough that the agency must notify Congress. Such strict guidelines could end up overwhelming congressional committees with reports about incidents that aren’t truly serious, said Schneider, who’s now senior director for cybersecurity services at the law firm Venable.
One trigger for such alerts used to be when breaches compromised the personal information of more than 10,000 people. But that resulted in a deluge of reports, and lawmakers quickly lost interest when the briefings became too frequent, Schneider and Ross Nodurft, another former White House cyber official, said. The White House has since raised the bar to breaches that compromise records about more than 100,000 people.
Former officials also urged putting end dates on some cyber rules so Congress has to update them more frequently.
Here’s a rundown of more of the former officials’ recommendations from Politico’s Eric Geller on Twitter:
.@4DigInnovation's Ross Nodurft has similar recs, but adds:
- Balance need for prompt congressional notification of major incidents with need to ensure agencies can respond to them effectively
- Encourage agencies to buy tech that reduces risk
- Modernize assessment metrics
— Eric Geller (@ericgeller) January 11, 2022
The keys
New Russia sanctions legislation targets companies using secure messaging systems
The Post's Seung Min Kim reports: “Senior Democratic senators on Wednesday will unveil a fresh package of sanctions to punish Russian President Vladimir Putin if he invades Ukraine, an effort backed by the White House as the administration seeks to tamp down defections on a competing measure targeting Moscow set for a closely watched Senate vote this week.”
“The legislation, obtained by The Washington Post in advance of its release, would impose sweeping sanctions on top Russian military and government officials, including Putin and other leaders, as well as key banking institutions, if Moscow engages in hostilities against Ukraine. It would also target companies in Russia that offer secure messaging systems such as SWIFT, which banks use to exchange key information with other financial institutions.”
The U.S. government warned about possible Russian cyberattacks amid the high-stakes Ukraine talks
The FBI, CISA and NSA warned critical infrastructure companies to be on alert for Russian cyberattacks amid a flurry of tense meetings between Russian and U.S. officials over Russian troops massed along Ukraine’s border.
The alert appeared to serve as a warning about attacks that may come if U.S.-Russia relations further deteriorate. Former CISA Director Chris Krebs:
So here’s how I read this: “State and NSC are in Geneva right now trying to keep the Russians out of Ukraine, but in case that doesn’t work, you might want to prepare for badness and here’s how Russian cyber operators do business…” https://t.co/pE7QwG4vMO
— Chris Krebs (@C_C_Krebs) January 11, 2022
The joint warning also outlined previous Russian hacks against Ukraine’s energy sector and other critical infrastructure organizations. An interagency group of officials is planning for the possibility that Russia could repeat such attacks, the New York Times reported Saturday.
Researchers spotted Chinese and Iranian hackers using the log4j bug
Officials have called the log4j vulnerability one of the most serious ever because it affects thousands of products and is so easy to exploit. Despite that, officials said they haven’t yet seen serious fallout in the month since it was publicly disclosed.
- The Iran-linked hacking group “Charming Kitten” began using the flaw just days after it was announced, analysts at the cybersecurity firm Check Point Research said. The vulnerability is “very attractive” to groups like Charming Kitten because of the “combination of its simplicity and the widespread number of vulnerable devices,” the researchers said.
- A China-based hacking group successfully infected victims with ransomware after using the log4j vulnerability, Microsoft said. The company said the hacks began around Jan. 4.
A ransomware attack hit an Albuquerque jail hard
The hack of Bernalillo County, N.M., took down security cameras, Internet access and a database that tracks violence at Albuquerque’s Metropolitan Detention Center, the Verge’s Corin Faife reports. The facility went on lockdown in response to the attack on Jan. 5.
“In the early morning of January 5, 2022, the automatic door mechanisms at MDC were unusable, meaning that staff had to use keys to manually open facility doors,” county attorney Taylor Rahn wrote in a court filing. “One of the most concerning impacts of the cyber attack is that MDC is unable to access facility cameras. As of the evening of January 5th, there was no access to cameras within the facility.”
The conditions could put the facility at risk of violating a legal settlement requiring it to provide inmates with access to telephones and other services, Faife reports.
Securing the ballot
State election officials are launching an effort to combat disinformation in the 2022 elections
The National Association of Secretaries of State’s #TrustedInfo2022 effort urges citizens to look to state and local officials for information about elections rather than fall prey to misinformation and disinformation online. The association ran a similar campaign before the 2020 contest. The goal is to “increase voter confidence and reduce misinformation and disinformation by directing voters to election officials’ websites and verified social media pages,” the group said.
Hill happenings
House lawmakers want an update on government compliance with multi-factor authentication rules
Rep. Ritchie Torres (D-N.Y.) and Rep. Yvette D. Clarke (D-N.Y.) asked CISA Director Jen Easterly how agencies are faring with a portion of President Biden’s May executive order that required them to use multi-factor authentication, a security feature that requires a second authenticating technique in addition to a password to access accounts and log on to computers and cellphones. Such techniques, which can include an authenticating app, a biometric signature or an SMS code, have been mandated before, but government compliance has been imperfect.
Clarke chairs the House Homeland Security Committee’s cybersecurity panel.
Daybook
- The Senate Intelligence Committee holds a hearing on President Biden’s nomination of Kenneth Wainstein to be the Department of Homeland Security’s Undersecretary for Intelligence and Analysis on Wednesday at 2 p.m.
- Rep. Yvette D. Clarke (D-N.Y.), Rep. John Katko (R-N.Y.), the Department of Homeland Security’s Undersecretary for Policy Robert Silvers, and FBI Assistant Director Bryan Vorndran discuss 2022’s cybersecurity priorities at a Silverado Policy Accelerator event on Thursday at 9 a.m.
- Silverado Policy Accelerator chairman and co-founder Dmitri Alperovitch, U.S. Secret Service Assistant Director Jeremy Sheridan and FBI Deputy Assistant Director Tonya Ugoretz discuss cybersecurity threats at a Washington Post Live event on Thursday at 11 a.m.
Secure log off
Today’s fourth @washingtonpost TikTok features Russia-U.S. talks https://t.co/u1H8SLxX47 pic.twitter.com/9V5n6VcAyK
— Washington Post TikTok Guy 2022 (@davejorgenson) January 11, 2022
Thanks for reading. See you tomorrow.