Welcome to The Cybersecurity 202! Today I learned via Axios DC that you can earn a Ph.D. in urban rats studies.
The Securities and Exchange Commission is hopping on the cybersecurity bus
The government is inching toward requiring companies to have better cybersecurity after years of letting industry mostly police itself.
Yesterday the Securities and Exchange Commission started the process of imposing new rules on investment funds and advisers — requiring them to have basic cyber protections and to alert the SEC within 48 hours if they’re hacked. The preliminary rule, which passed on a 3-to-1 vote, will be open for public comment for 60 days before the SEC can make it final.
That’s just the first step in an overhaul of the commission’s cyber efforts that Chair Gary Gensler previewed last month and that could end up with significantly stricter requirements for when publicly traded companies have to announce breaches.
The SEC move is part of a gradual but unmistakable shift during the past year — from government treating cybersecurity as an issue that’s too complicated and fast moving for meaningful regulation to treating it more like auto safety, public health and other areas where tough regulation is in the public interest.
That shift is long overdue, according to many cybersecurity advocates, who warn that the nation’s cyber protections have fallen woefully behind amid a barrage of increasingly damaging attacks.
The tally: Government agencies have imposed new cyber rules on banks, pipelines, rail systems, airlines and airports during just the past six months. Those mostly require the companies to alert government about cyber incidents, along with a few other requirements.
Congress, meanwhile, is pushing a bipartisan bill to require companies in all the sectors deemed “critical infrastructure” to report to the Cybersecurity and Infrastructure Security Agency when they’re hacked — a bill that Senate Majority Leader Chuck Schumer (D-N.Y.) listed as one of his priorities. A similar bill narrowly failed last year amid Senate bickering.
But those efforts are also facing headwinds from companies that say government is moving too fast — and could end up doing more harm than good by writing rules that are too onerous or ill-suited to the industries they regulate.
Commissioner Hester Peirce, the only SEC member to vote against the measure, said that she feared the process wasn’t collaborative enough. She said it could lead to unfair enforcement actions against firms, and end up being “a cybersecurity rule that’s styled as a cudgel.”
One big concern: Government may make companies report about hacks so quickly they don’t actually have much useful information. And many of the new rules aren’t very specific about how bad a cyber incident must be for a company to report it.
The proposed SEC rule for companies that trade securities has a 48-hour deadline to report hacks. A separate Federal Deposit Insurance Corp. rule for banks has a 36-hour window.
“In serious events, firms are going to share what’s going on with their regulators and share it across the industry so people can be aware of what’s out there. But the time frame has to be reasonable,” Kenneth E. Bentsen Jr., president of the Securities Industry and Financial Markets Association (SIFMA) industry trade group, told me.
Similar complaints have been made in other industries. But rules that give companies too much leeway could lead to them not reporting serious incidents.
“Anyone who has dealt with a lot of incidents across different types of companies will tell you it’s always case by case,” Ari Schwartz, a former White House cybersecurity official who now does cyber work for the law firm Venable, told me. “Sometimes you can flag something right away. Other times you don’t know enough details even in 72 hours to report in a way that won’t confuse people down the road.”
Could SEC be hacked?
SIFMA is also raising concerns that the SEC’s own digital systems may be too vulnerable to hacks, further endangering any information companies share with the regulator. Those concerns are heightened in the wake of the SolarWinds breach, which was traced to Russia and compromised reams of data from numerous government agencies.
SIFMA spent about one-third of a statement responding to Gensler’s cyber proposals pointing out such concerns, including a 2016 hack of the SEC’s EDGAR system, which is a clearinghouse for public company filings.
“We’re sending a lot of very sensitive information up to regulatory authorities and government agencies,” Tom Wagner, managing director of SIFMA’s financial services operations, told me. “The question is, do they have the capacity to keep this data secure.”
The EARN IT Act is up on the Hill today, pitting cyber protections against battling child pornography
“Under the Earn It Act, tech companies would lose some long-standing protections they enjoy under a legal shield called Section 230, opening them up to more lawsuits over posts of child sexual abuse material on their platforms,” Cat Zakrzewski reports.
Yet, “technologists and advocates have warned that the bill could be used to harm strong encryption, security technology that shields the contents of communications from the platform hosting the messages,” Cat writes. That could make it far easier for hackers to access the communications and personal data of regular citizens.
The Judiciary Committee advanced a similar bill in 2020 amid harsh criticism from encryption advocates, but it didn't advance to the full Senate.
This time, the bill’s authors wanted to allay concerns about encryption but not allow companies to use it as a “get-out-of-jail-free card,” Sen. Richard Blumenthal (D-Conn.), a co-sponsor, told Cat. The revised bill states that companies can't be held liable simply because they offer encryption to customers who then use it to share illegal content.
But critics say it also opens the door to states passing stricter laws. “He wants to pave the way for 50 state attorneys general to go after encryption,” said Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory.
The European Parliament is launching an investigation into NSO Group
The investigation could last for up to 12 months, involving testimony from key figures and fact-finding missions, EUobserver’s Eszter Zalan reports.
“Such an inquiry could uncover the extent to which other EU governments use Pegasus, which was originally designed to track criminals and terrorists, against critics and political opponents,” Zalan writes.
NSO’s government clients reportedly used its Pegasus spyware to snoop on journalists and government officials across the European Union. Officials in Hungary and Poland, two European Union member countries, have admitted that their governments purchased Pegasus, traces of which were found on devices belonging to Hungarian journalists and Polish opposition figures. Hungary and Poland haven’t admitted to hacking those devices.
The committee is expected to be set up next week, Zalan reports. European lawmakers also plan to debate Pegasus on Tuesday.
Giuliani asked a Michigan prosecutor to give voting machines to Trump
Antrim County prosecutor James Rossiter (R) declined the request, Jon Swaine, Emma Brown and Jacqueline Alemany report. The call was part of an effort by Trump’s legal team to twist an election night blunder into supposed proof that the election was stolen.
Such a move could have corrupted the machines so much they had to be replaced because of cybersecurity concerns and created problems for legitimate vote audits.
Giuliani's move came “after the county initially misreported its election results,” they write. “The inaccurate tallies meant that Joe Biden appeared to have beaten Trump by 3,000 votes in a Republican stronghold, an error that soon placed Antrim at the center of false claims by Trump that the election had been stolen.”
Giuliani declined to comment, his lawyer said. Two Trump allies who Rossiter said were on the call — former Overstock chief executive Patrick Byrne and former New York City police commissioner Bernard Kerik — said they didn’t recall the phone call.
ID.me is dropping a facial recognition requirement for state and federal agencies
The decision to drop the requirement in identity-verification software used by 30 states and 10 federal agencies is a major reversal, Drew Harwell reports. The company also said that anyone will be able to delete their photo data starting March 1.
The announcement came one day after the Internal Revenue Service said it would no longer seek to require people trying to access their tax records online to submit a “video selfie” to the contractor, bowing to widespread cybersecurity and privacy concerns. Around two dozen lawmakers had slammed the IRS’s planned deployment of the technology before it announced that it would seek alternatives.
- Spotted at the White House: Chief executives of electric utility companies who met with President Biden at the White House on Wednesday later attended a meeting focused on cyber threats to the nation’s energy infrastructure, our Climate 202 colleague Maxine Joselow reports. The meeting included National Cyber Director Chris Inglis and Energy Secretary Jennifer Granholm, two participants said.
Securing the ballot
- The Senate Judiciary Committee will discuss the EARN IT Act at a meeting Thursday at 9 a.m.
- INSF and WCAPS host an event on challenges and opportunities for Black women in the intelligence community Thursday at 11 a.m.
- Cybersecurity firm Dragos hosts a webinar with NSA and CISA officials to discuss industrial control system cybersecurity on Monday at 1 p.m.
Secure log off
“The Northeast megalopolis is ‘the rattiest’ part of the United States, according to Corrigan, who is officially known as an urban rodentologist,” Axios reports surprising no one. Thanks for reading. See you tomorrow.