The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Congress to update government cyber rules, one year after SolarWinds

Welcome to The Cybersecurity 202! I recently learned that the doctor who treated President James Garfield's gunshot wounds was actually named Doctor. Unfortunately, he wasn't a very good doctor by modern standards.

Below: U.S. officials are warning about Russian cyberattacks, and Senate Democrats have rolled out a new sanctions package against Russia if it invades Ukraine.

Federal cybersecurity rules are out of date, lawmakers say

Congress is preparing to overhaul federal cybersecurity rules roughly a year after one of the worst breaches in government history. 

That attack, in which Kremlin-backed hackers wormed their way in through the IT supplier SolarWinds and captured reams of data from federal agencies, highlighted the massive growth in the sophistication and danger of cyber threats since federal cyber rules were last updated eight years ago. 

The top line: The Federal Information Security Management Act (FISMA), which initially dates to 2002, is too focused on checking boxes and not enough on being nimble about protecting against sophisticated hacking threats. 

“[FISMA] is the best defense our federal information networks and supply chains have against cyberattacks. But the reality is that it’s simply not enough to protect us in its current form,” House Oversight Chairwoman Carolyn B. Maloney (D-N.Y.) said during a hearing on the rules yesterday. 

“The mounting attacks by China, Russia and other bad actors are constantly changing. They are as dynamic as they are diabolical,” warned Maloney, who’s sponsoring a bill to update FISMA with the committee’s top Republican, Rep. James Comer (Ky.).

Out-of-date

FISMA rules are basically a series of cybersecurity benchmarks that federal agencies are graded against — both in annual reports they produce themselves and by internal watchdogs. Critics say those benchmarks — which agencies often aren’t meeting anyway — are too hidebound and poorly geared to current threats.

A draft version of the House Oversight update and a similar effort in the Senate Homeland Security Committee focus on:

  • Pivoting from periodic FISMA reports to continuous digital monitoring for cyber threats
  • Mandating higher-level reviews conducted by the Cybersecurity and Infrastructure Security Agency (CISA)
  • Being more flexible with smaller agencies that don’t have the resources or know-how to fully defend themselves against sophisticated hackers and need more help from CISA or elsewhere

FISMA rules have also fallen dramatically out of step with the growth of the government’s cyber bureaucracy. 

Two of the agencies now most responsible for government cyber protections — CISA and the White House’s national cyber director — didn’t even exist when the rules were last updated in 2014. 

But the update is also raising questions about whether Congress has the wherewithal to impose reasonable cyber rules when the pace of new threats so far exceeds the pace of legislation. 

“We in Congress have to take responsibility for the fact that, frankly, this is a much-neglected subject,” said Rep. Gerry Connolly (D-Va.), who has sponsored a large share of IT and cyber legislation in recent years. “I don’t think it speaks well about the legislative branch and the priority we put on information technology and its security.”

Rep. Jim Cooper (D-Tenn.) asked a panel of current and former federal IT and cyber officials whether Congress could simply delegate responsibility for keeping government cyber rules up to date, fretting “I’m worried we will always be late and slow.”

The drawing board

The response from former officials who were witnesses at the hearing: Go ahead and rewrite the rules. But don’t be too prescriptive and make sure the White House can change how rules are implemented as threats evolve. 

For example: Grant Schneider, who was the government’s chief information security officer during the Trump administration, urged lawmakers against setting strict guidelines for when a cybersecurity incident at a government agency is bad enough that the agency must notify Congress. Such strict guidelines could end up overwhelming congressional committees with reports about incidents that aren’t truly serious, said Schneider, who’s now senior director for cybersecurity services at the law firm Venable.  

One trigger for such alerts used to be when breaches compromised the personal information of more than 10,000 people. But that resulted in a deluge of reports, and lawmakers quickly lost interest when the briefings became too frequent, said Schneider and Ross Nodurft, another former White House cyber official. The White House has since raised the bar to breaches that compromise records about more than 100,000 people.

Former officials also urged putting end dates on some cyber rules so Congress has to update them more frequently. 

Here’s a rundown of more of the former officials’ recommendations from Politico’s Eric Geller on Twitter:

The keys

New Russia sanctions legislation targets companies using secure messaging systems

The Post's Seung Min Kim reports: “Senior Democratic senators on Wednesday will unveil a fresh package of sanctions to punish Russian President Vladimir Putin if he invades Ukraine, an effort backed by the White House as the administration seeks to tamp down defections on a competing measure targeting Moscow set for a closely watched Senate vote this week.”

“The legislation, obtained by The Washington Post in advance of its release, would impose sweeping sanctions on top Russian military and government officials, including Putin and other leaders, as well as key banking institutions, if Moscow engages in hostilities against Ukraine. It would also target companies in Russia that offer secure messaging systems such as SWIFT, which banks use to exchange key information with other financial institutions.”

The U.S. government warned about possible Russian cyberattacks amid the high-stakes Ukraine talks

The FBI, CISA and NSA warned critical infrastructure companies to be on alert for Russian cyberattacks amid a flurry of tense meetings between Russian and U.S. officials over Russian troops massed along Ukraine′s border. 

The alert appeared to serve as a warning about attacks that may come if U.S.-Russia relations further deteriorate. Former CISA Director Chris Krebs:

The joint warning also outlined previous Russian hacks against Ukraine’s energy sector and other critical infrastructure organizations. An interagency group of officials is planning for the possibility that Russia could repeat such attacks, the New York Times reported Saturday.

Researchers spotted Chinese and Iranian hackers using the log4j bug

Officials have called the log4j vulnerability one of the most serious ever because it affects thousands of products and is so easy to exploit. Despite that, officials said they haven’t yet seen serious fallout in the month since it was publicly disclosed.

  • The Iran-linked hacking group “Charming Kitten” began using the flaw just days after it was announced, analysts at the cybersecurity firm Check Point Research said. The vulnerability is “very attractive” to groups like Charming Kitten because of the “combination of its simplicity and the widespread number of vulnerable devices,” the researchers said.
  • A China-based hacking group successfully infected victims with ransomware after using the log4j vulnerability, Microsoft said. The company said the hacks began around Jan. 4.

A ransomware attack hit an Albuquerque jail hard

The hack of Bernalillo County, N.M., took down security cameras, Internet access and a database that tracks violence at Albuquerque’s Metropolitan Detention Center, the Verge’s Corin Faife reports. The facility went on lockdown in response to the attack on Jan. 5.

“In the early morning of January 5, 2022, the automatic door mechanisms at MDC were unusable, meaning that staff had to use keys to manually open facility doors,” county attorney Taylor Rahn wrote in a court filing. “One of the most concerning impacts of the cyber attack is that MDC is unable to access facility cameras. As of the evening of January 5th, there was no access to cameras within the facility.”

The conditions could put the facility at risk of violating a legal settlement requiring it to provide inmates with access to telephones and other services, Faife reports.

Securing the ballot

State election officials are launching an effort to combat disinformation in the 2022 elections

The National Association of Secretaries of State’s #TrustedInfo2022 effort urges citizens to look to state and local officials for information about elections rather than fall prey to misinformation and disinformation online. The association ran a similar campaign before the 2020 contest. The goal is to “in­crease voter confidence and reduce misinformation and disinformation by directing voters to election officials’ websites and verified social media pages,” the group said.

Pressed on his election lies, former President Trump cuts NPR interview short (NPR)

Hill happenings

House lawmakers want an update on government compliance with multi-factor authentication rules

Rep. Ritchie Torres (D-N.Y.) and Rep. Yvette D. Clarke (D-N.Y.) asked CISA Director Jen Easterly how agencies are faring with a portion of President Biden’s May executive order, which required them to use multi-factor authentication, a security feature that requires an additional authenticating technique beyond a password to access accounts and log on to computers and cellphones. Such techniques, which can include an authenticating app, a biometric signature or an SMS code, have been mandated before, but government compliance has been imperfect.

Clarke chairs the House Homeland Security Committee’s cybersecurity panel.

Newly uncovered emails intensify Republican senator's unease about DOD’s cloud contracts (NextGov)

Government scan

How the Pentagon enlisted ethical hackers amid the Log4j crisis (The Record)

Global cyberspace

EU to stage large-scale cyberattack exercise on supply chains (Bloomberg)

Brazil's Localiza says systems partially affected by 'cyber incident' (Reuters)

Hack our spacecraft, says ESA (The Register)

EU banks concerned about cyber-risk, watchdog warns (Law360)

Cyber insecurity

Hackers can cut the lights with rogue code, researchers show (Bloomberg)

Daybook

  • The Senate Intelligence Committee holds a hearing on President Biden’s nomination of Kenneth Wainstein to be the Department of Homeland Security’s Undersecretary for Intelligence and Analysis on Wednesday at 2 p.m.
  • Rep. Yvette D. Clarke (D-N.Y.), Rep. John Katko (R-N.Y.), the Department of Homeland Security’s Undersecretary for Policy Robert Silvers, and FBI Assistant Director Bryan Vorndran discuss 2022’s cybersecurity priorities at a Silverado Policy Accelerator event on Thursday at 9 a.m.
  • Silverado Policy Accelerator chairman and co-founder Dmitri Alperovitch, U.S. Secret Service Assistant Director Jeremy Sheridan and FBI Deputy Assistant Director Tonya Ugoretz discuss cybersecurity threats at a Washington Post Live event on Thursday at 11 a.m.

Secure log off

Thanks for reading. See you tomorrow.