Welcome to The Cybersecurity 202! Today's newsletter topic reminded me of “The Rime of the Ancient Mariner” — a different sort of water contamination. “Water, water, everywhere; And all the boards did shrink; Water, water, everywhere; Nor any drop to drink.”
New water security standards are coming – but they're voluntary
Water systems are highly vulnerable to hacks that could contaminate drinking water for thousands of people.
With that in mind, the Biden administration is launching a voluntary new cybersecurity initiative aimed at preventing hackers from contaminating or blocking access to drinking water and wastewater systems.
A warning shot came last year when a hacker briefly raised the amount of lye in the water system in Oldsmar, Fla., by a factor of more than 100. That could have caused widespread illness if plant operators hadn’t quickly caught and reversed it. Similar hacks could be conducted far too easily against water utilities across the nation, officials say.
“There is absolutely inadequate cyber resilience across the water sector. … The threshold of resilience is not what it needs to be to meet threats today,” a senior administration official told reporters describing the new program. The official spoke on the condition of anonymity under the ground rules for the briefing.
Here’s the plan:
- Outfit water utilities with systems that alert about possible cyber activity targeting the industrial control systems that manage pumping, purification and other processes. Some utilities already have such systems, but many don’t.
- The Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency will surge efforts to share information with the utilities about cyber threats they should be protecting against.
- Start with a pilot focused on water systems that serve the largest populations such as those located in big cities.
The effort will be complicated by the sprawling array of U.S. water utilities. There are about 150,000 of them serving roughly 300 million Americans that are increasingly reliant on connected technology. They range in size from serving a few hundred people to serving millions.
Cyber crackdown
The program is the latest in a string of efforts to ramp up cyber protections in vital industry sectors where hackers could cause widespread economic damage or even death.
The administration has launched similar cyber efforts for the pipeline, electricity and rail sectors — spurred largely by ransomware hacks at Colonial Pipeline, which briefly disrupted U.S. gas supplies, and at the meat processor JBS, which threatened meat supplies.
But the initiatives have often appeared minor compared with the scope of the threat. The official described the administration as working to reverse “decades” of the U.S. government “kicking the can down the road” on protecting critical infrastructure against hacking.
One big barrier: In many cases, the government lacks legal authority to make moves as aggressive as it would like to, officials say.
The White House would like to impose some mandatory cyber rules on water utilities, such as requiring them to report to the government when they’re hacked, but the EPA lacks the authority to issue such mandates, the senior official said.
Phoning Congress
The White House plans to ask Congress for extra cyber authority over water systems this year, the official said. But that may be a tough sell.
Congressional Republicans have expressed reservations about approving new cyber mandates for industry. An effort to merely require critical infrastructure companies to report when they’re hacked failed to become law last year despite having bipartisan support.
Water utilities have also historically resisted sharing information about cyber threats with the government, another senior administration official told reporters. The officials expressed optimism that would change as the government and the utilities worked together to make that sharing more convenient and useful.
The Transportation Security Agency, which has more regulatory authority, did impose some mandatory cyber rules on pipelines last year. Those included mandatory alerts about hacking, appointing a top cyber official and several more detailed rules that remain classified.
Those rules got mixed reviews from pipeline operators, who said they were poorly tailored to pipelines’ specific operations.
The keys
Lawmakers targeted ransomware payments in a China competition bill
But cryptocurrency advocates say it goes too far.
Rep. Jim Himes (D-Conn.) pushed for the language in the House version of a China competitiveness package that has already passed the Senate. It would give the Treasury Department more power to monitor or freeze cryptocurrency accounts that are used for international crimes including ransomware attacks and money laundering, Politico’s Sam Sutton reports. But cryptocurrency advocates say it would give the federal government unchecked powers, with the Coin Center calling it a “dangerously authoritarian approach.”
Himes previously tried to attach a similar measure to the annual must-pass defense authorization bill, but it didn’t make it into the version that eventually landed on President Biden’s desk.
The nearly 3,000-page bill is a collection of measures aimed at making U.S. industries more competitive against their Chinese counterparts. It includes other cybersecurity-related provisions, including:
- Appropriating almost $400 million over the next five years for the CyberCorps Scholarship for Service, a U.S. government IT scholarship program
- Establishing an Office of Policy Development and Cybersecurity at the Commerce Department's National Telecommunications and Information Administration
- Creating an NTIA cybersecurity literacy campaign
- Directing the White House to create an interagency working group “on means to counter PRC cyber aggression” in China, including by countering disinformation and providing alternatives to Chinese telecom giant Huawei
- A proposal to set up a Federal Rotational Cyber Workforce Program
An apparent cyberattack took down North Korea’s Internet
It’s the second such Internet outage in recent weeks, Reuters’s Josh Smith reports. The most recent one took down the isolated country’s Internet for six hours Wednesday, a day after North Korea tested two suspected cruise missiles.
Email servers came back online hours after the outage began, but “some individual web servers of institutions such as the Air Koryo airline, North Korea's Ministry of Foreign Affairs, and Naenara, which is the official portal for the North Korean government, continued to experience stress and downtime,” Smith writes.
“When someone would try to connect to an IP address in North Korea, the Internet would literally be unable to route their data into the country,” cybersecurity researcher Junade Ali told Reuters.
Researchers suspect that a type of cyberattack where a barrage of web traffic overloads a network could be behind the outages. Access to the Internet in North Korea is “strictly limited,” Smith writes. Analysts estimate that a tiny fraction of the country has access to the global Internet.
Meanwhile, Iran’s state broadcaster said it was hacked for 10 seconds.
“During a period of 10 seconds, the faces and voices of hypocrites appeared on the state broadcaster’s channel one,” the Islamic Republic of Iran Broadcasting News Agency reported, per Reuters.
The IRS’s new facial recognition program is drawing complaints
The Internal Revenue Service contracted with the company ID.me on a new service being rolled out this summer that will require taxpayers to send videos of their faces to access their tax records, Drew Harwell reports. The $86 million contract has “raised the alarms of researchers and privacy advocates who say they worry about how Americans’ face images and personal data will be safeguarded in the years to come,” as there is no federal law regulating the data, Drew writes.
“The system itself also is drawing complaints,” Drew writes. “Some people have reported frustrating glitches and hours-long delays that have frozen them out from important benefits, and researchers have argued the company has overstated the abilities of a face-scanning technology that could wrongly flag people as frauds.” The IRS told Drew that the technology will “create a better user experience” and that it “takes any reports of inequities in service seriously.”
ID.me’s facial recognition technology works in part by searching for faces within vast databases, CEO Blake Hall said on LinkedIn on Wednesday. The admission came after the company said last week that it did not use the practice, which it said was “more complex and problematic” than comparing a selfie to an identification photo, CyberScoop’s Tonya Riley reports.
Daybook
- Sens. Ron Wyden (D-Ore.) and Marsha Blackburn (R-Tenn.) speak at an R Street Institute event about a future federal privacy law today at 2:30 p.m.
- CISA Senior Adviser Kris Rose and other cybersecurity experts speak at Out In Tech's Out in Cybersecurity event today at 5:30 p.m.
- FBI Director Christopher A. Wray speaks at the Reagan Library on Monday.
- The Brookings Institution hosts an event on ethical use of artificial intelligence on Monday at 11 a.m.
Secure log off
Today’s fourth @washingtonpost TikTok features $3 million spam https://t.co/s9RSsTRFYT pic.twitter.com/diBsTtycAR
— Washington Post TikTok Guy 🤹🏼♂️ (@davejorgenson) January 26, 2022
“The very deep did rot: O Christ!; That ever this should be!; Yea, slimy things did crawl with legs; Upon the slimy sea.” Thanks for reading. See you tomorrow.