The Washington Post
Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

The Senate is finally passing big cyber bills


Welcome to The Cybersecurity 202! Check out this great photo of Ukrainian flags flying up and down Pennsylvania Avenue in advance of last night’s State of the Union address. 

Below: Ukraine wants to cut Russia off from the Internet and the D.C. Council is cracking down on government workers using encrypted messaging apps. 

Despite Biden's cyber-free SOTU, it was a big day for cybersecurity on the Hill

Correction: This post has been updated to correct the reporting deadline for cyber incidents.

The big cyber energy wasn’t at the State of the Union address last night but rather in the Senate. 

A few hours before President Biden’s speech, the chamber passed the most significant cyber legislation in history — including a mandate for companies in critical sectors to alert the government when they’re hacked or when they pay ransoms to hackers.

That measure narrowly failed to become law last year amid senatorial squabbling. But it zipped over the finish line this time — spurred partly by rising anxiety about Russian cyberattacks following the invasion of Ukraine and punishing sanctions imposed by the United States and its allies. 

“As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyberattacks from the Russian government,” Senate Homeland Security Chairman Gary Peters (D-Mich.), a lead sponsor of the bill, warned. 

He called the bill “a significant step forward to ensuring the United States can fight back against cybercriminals and foreign adversaries.” Peters co-sponsored the bill with the committee's top Republican Sen. Rob Portman (R-Ohio). 

Also in the bill:

  • A measure that updates the 20-year-old rules for how government agencies manage their information security
  • Another measure that updates how the government assesses and manages the cybersecurity of cloud computing systems federal agencies use

Its prospects

The House has not yet passed its version of the cyber reporting measure, but the chances seem good. The chamber easily included a version of the measure as an amendment to a must-pass defense policy bill last year, when the Senate fumbled it at the finish line. 

The measure marks a sea change for how government deals with cyberthreats. It’s the first time Congress has imposed a cyber mandate across a broad range of critical infrastructure firms — a category that includes companies in energy, transportation, financial services, health care and a variety of other fields. 

It comes after years of trying to manage cybersecurity almost entirely with companies’ voluntary cooperation. That model has led to significant improvements but not kept pace with the incredible growth of cyberthreats, most cyber and policy pros say. 

How big a change?: The last cyber bill with this broad an impact on the private sector passed back in 2015, and it merely gave companies legal cover to voluntarily share cyberthreat information with the government. The bill still passed only narrowly, and the idea of stronger measures was basically unthinkable for years after. 

There are two big goals for the bill

First, the Cybersecurity and Infrastructure Security Agency (CISA) wants to rapidly share big insights from the reports with other companies that might face similar cyberattacks. That can be especially critical during fast-moving events, such as a wave of Russian cyberattacks. 

  • “At a time when we are facing significant threats of Russian cyberattacks against our institutions and our allies, it’s more important than ever that the government have an idea of what those threats are,” said Sen. Mark Warner (D-Va.), a supporter of the bill.

Second, the bill will give CISA broad insights into how many and what sort of cyberattacks are hitting U.S. companies each day. Those are questions that are frustratingly difficult to answer right now because of major gaps in data breach reporting laws. 

  • The measure passed despite opposition from some critical infrastructure sectors. They complained that the definition of a “substantial cyber incident” in the bill is too vague and that the 72-hour deadline for reports is often too quick to share useful information.
  • Senate Majority Leader Chuck Schumer (D-N.Y.) claimed those companies have “come to see the light,” on the Senate floor, but there’s little evidence their concerns have been completely assuaged.

Here’s more from Schumer, via Politico’s Eric Geller on Twitter:

Chat room

Despite skyrocketing cyber tensions between Russia and the West, Biden made no mention of cybersecurity during his speech last night. Would you like a roundup of cyber reporters complaining about it? Of course you would. 

The Wall Street Journal’s Dustin Volz:

Politico’s Sam Sabin:

The Record’s Martin Matishak:

CyberScoop’s Joe Warminsky:

The keys

Ukraine’s volunteer cyber army is targeting Russian critical infrastructure

The volunteer group of cyber pros, which formed in the wake of Russia’s invasion, plans to launch disruptive hacks aimed at railroads, the electric grid and other services that could help Russia move troops and weapons into Ukraine, Reuters’s Joel Schechtman, Christopher Bing and James Pearson report.

That’s a significant escalation from the website takedowns and defacements that the group has primarily focused on so far. But it’s far from clear the band of cyber patriots will be capable of causing much damage in Russia, which has relatively advanced digital protections. 

Targets include "everything that might stop war," Yegor Aushev, a Ukrainian businessman and cybersecurity expert who’s helping organize the effort, told Reuters. 

Experts fear the proliferation of outside groups launching digital attacks in the Ukraine conflict could raise the chances of dangerous errors that might harm civilians or escalate cyber tensions between Russia and the West. 

Ukraine wants to cut Russia off from the Internet. Experts say that’s a bad idea.

Ukrainian officials asked Internet governance organization ICANN to shut down use of the “.ru” country code, revoke certificates for those domains and shut down some Russian servers to prevent Russian propaganda from spreading. Those moves would effectively prevent people outside Russia from accessing Russian websites and make it more difficult for people within Russia to access sites outside of the country.

But such actions would make ordinary Russians more vulnerable to hackers, experts warn. In particular, it would be easier to surreptitiously spy on their web traffic and harvest any personal information they enter, CyberScoop’s Tonya Riley reports.

The move would also politicize the fragile balancing act of ICANN, a global group of volunteers who administer the Internet and work mostly by consensus. 

“It’s the complete opposite of what we need,” security researcher Runa Sandvik told Tonya. “We should make sure that the Russian people are seeing what is happening and what their government is doing.”

Ukraine also said it would ask a regional Internet registry to restrict Russian members from using IP addresses. The registry declined and said it will remain neutral, its executive board said:

D.C. Council passes bill to regulate government employee use of messaging apps

The legislation is designed to make sure officials’ communications on WhatsApp and other messaging apps are subject to public disclosure laws, Michael Brice-Saddler reports. The bill was spurred by a February report by Axios D.C. that found D.C. Mayor Muriel E. Bowser’s (D) administration “widely” uses WhatsApp for government communications.

“After learning of the use of encrypted messaging apps by members of the executive branch, it is an urgent matter that we boost transparency in District government,” said D.C. Council chairman Phil Mendelson (D) when he introduced the legislation. “I get it that many in government would like to conduct their business in private. But that is contrary to long-standing policy. We value open government. We don’t value auto-delete.”

Bowser said she supported efforts to ensure that records are retained ahead of the Council’s unanimous vote on the measure. But she criticized the Council for not applying the bill to itself, calling that discrepancy the “height of hypocrisy.” 

Mendelson referenced rules that already require council members to preserve their messages on nongovernment devices. A Bowser spokesperson did not respond to a request for comment about the bill.

Securing the ballot

Replacing outdated voting machines around the country would cost hundreds of millions of dollars

It would cost more than $350 million to replace voting equipment that is now more than a decade old and likelier to suffer from cyber weaknesses, according to a report from New York University’s Brennan Center and the group Verified Voting. 

GOP investigator: Wisconsin should weigh decertifying vote (Associated Press)

‘Multiple’ Jan. 6 calls between Trump and lawyer on Texas election lawsuit, panel reveals (Politico)

Global cyberspace

Russia space agency head says satellite hacking would justify war -report (Reuters)

Conti ransomware group diaries, part I: Evasion (Krebs on Security)

Industry report

As Ukraine misinformation rages, Twitter’s fact-checking tool is a no-show (Will Oremus and Jeremy B. Merrill)

Russian cybersecurity giant Kaspersky tries to maintain neutrality during Ukraine war (Motherboard)

Nvidia says hackers are leaking company data after ransomware attack (TechCrunch)

Government scan

Russia’s cyber tactics are prompting the FCC to address Internet routing security (NextGov)


  • Top intelligence and law enforcement officials testify before the House Intelligence Committee on worldwide threats on Tuesday at 10 a.m.

Secure log off

Thanks for reading. See you tomorrow.