The Washington Post
Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

New hacking disclosure requirements could make cyberspace less opaque

Welcome to The Cybersecurity 202! Two years ago today, covid-19 was declared a pandemic. 

Below: E.U. lawmakers plan a committee to investigate Pegasus spyware, and senators pressed intel officials on Chinese hacking and spyware. 

Pulling back the curtain on the costs and damage done by hacks

The shadowy world of cyberspace could be getting less opaque soon.

Traditionally, government and the public have only had a hazy sense of how many companies are hacked each year and the severity of the damage. The rules requiring companies to disclose hacks vary from state to state and are unevenly enforced. Big questions like the annual cost of cybercrime can only be answered with educated guesses.  

That could change with two big measures on their way to implementation. 

  • The first is a law that would require companies in critical sectors such as finance, energy and health care to alert the Cybersecurity and Infrastructure Security Agency (CISA) within three days when they’re hacked. It’s the most expansive cyber reporting requirement government has ever placed on industry. The Senate passed it last night as part of a sweeping $1.5 trillion government funding bill that will soon be signed into law by President Biden.
  • The second is a new Securities and Exchange Commission regulation that sets firmer rules for how and when publicly traded companies must disclose significant cyber breaches to the public. The SEC is gathering public feedback now and could finalize the rule within two months.

Taken together, the moves would dramatically increase the amount of data government and industry officials have to work with when they assess cyberthreats. They might even allow a more data-driven approach to tackling cyberthreats, similar to the way the government deals with the threats of fire and flooding. 

“The analogy I’d use is resolution on a photograph,” Michael Daniel, White House cyber czar during the Obama administration, told me. “The broad contours of what’s going on are known. But this will give us a much finer grained, higher resolution picture. It will allow us to differentiate between different industry sectors and see what the threat level really is.”

For example: The cyber incident reporting bill could make CISA far more adept at channeling resources to industry sectors that are the hardest hit by cyberattacks, said Daniel, who’s now president of the Cyber Threat Alliance industry group.

It could also help the government figure out which cybersecurity protections are actually helping prevent attacks and which aren’t, Ari Schwartz, a former White House cyber official who now leads cybersecurity work at the law firm Venable, told me. 

“It’s going to take a while to get to the point of having that kind of data, but it’s very useful once you get there,” he said. 

The SEC rule doesn’t technically change which breaches companies are supposed to disclose. But it speeds up the process and is likely to make companies more diligent about ensuring breaches that need to be disclosed are reported quickly up the chain of command, Haimavathi Marlier, a partner at the Morrison & Foerster law firm and a former SEC attorney, told me. 

There’s still a long way to go. The SEC rule could face a fight from industry worrying its timelines are too tight. It requires companies to publicly disclose a cyber incident within four days of determining the incident might significantly affect their business. The U.S. Chamber of Commerce released a relatively benign statement urging the SEC to work with CISA on any regulation.

The CISA program will soon become law, but implementation could take a long time. 

Advocates applauded its passage last night. 

Here's Department of Homeland Security Secretary Alejandro Mayorkas:

The bill’s Senate sponsors tied its passage to the elevated Russian cyber threat following the invasion of Ukraine.   

  • Senate Homeland Security Committee Chair Gary Peters (D-Mich.): “Critical infrastructure operators defend against malicious hackers every day, and right now, these threats are even more pronounced due to possible cyber-attacks from the Russian government in retaliation for our support of Ukraine. It’s clear we must take bold action to improve our online defenses.”
  • The committee’s GOP leader Sen. Rob Portman (R-Ohio): “As our nation rightly supports Ukraine during Russia’s illegal unjustifiable assault, I am concerned the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase. The federal government must be able to quickly coordinate a response and hold these bad actors accountable.”

The CISA measure withstood many months of complaints by industry, many of them focused on the three-day reporting deadline, which companies say is too fast.

The FBI and Justice Department also pushed relentlessly for the measure to be rewritten to send hacking reports to them as well. That would have aided some criminal investigations but raised hackles among companies wary of sharing data with law enforcement. 

The keys

European lawmakers set up committee to investigate use of Pegasus and other spyware

The committee will look into surveillance laws and alleged spyware use by E.U. member countries Hungary and Poland, said the European Parliament, the E.U.’s legislative body. It overwhelmingly approved creating the committee, with more than 630 of its nearly 700 lawmakers voting in favor of it. 

NSO clients used Pegasus to target activists, business executives and journalists, The Post and 16 media partners found. Hungary and Poland have acknowledged using Pegasus, but officials insisted that they didn’t use it in a way that was illegal or violated privacy.

However, researchers have found traces of Pegasus on devices belonging to Polish opposition figures and Hungarian journalists. Europe’s data protection authority last month warned that broad use of Pegasus could violate E.U. privacy laws.

Senators press intelligence chiefs on Chinese hacking and spyware

The intelligence and law enforcement chiefs wrapped up a week of Capitol Hill testimony at the Senate Intelligence Committee. Here are highlights:

  • China: The FBI has seen a roughly 1,300 percent increase in economic espionage investigations tied to the Chinese government compared with a decade ago, FBI Director Christopher A. Wray said.
  • Threats to allies: Gen. Paul Nakasone, who leads the National Security Agency and U.S. Cyber Command, suggested that U.S. allies in Eastern Europe need to be on high alert for cyberattacks. Officials are looking at a potential scenario in which hackers launch a “disruptive or destructive attack on a country in Eastern Europe,” he said.
  • Surveillance: Director of National Intelligence Avril Haines told Sen. Ron Wyden (D-Ore.) that the intelligence community wants to “explore” updates to phone roaming technology that would cut Russia off from being able to see activity on U.S. phone networks. 
  • Wyden also pressed Wray on the FBI’s purchase of NSO spyware, which the bureau said it tested but never used for investigations. Wyden wants to know if the FBI told any other agencies about the findings from its tests and if it determined whether it would have been legal to use the spyware if it had opted to do so. Wray said he’d respond during a classified session.

Russia is using a workaround to keep its websites running despite sanctions

Russia has begun creating its own digital certificates that verify data is traveling securely between the country's websites and computers that visit them, Bleeping Computer’s Bill Toulas reports. The move comes after major Western tech firms cut ties with Russia amid a wave of severe U.S. and European sanctions that have crippled Russia’s economy.

Web browsers typically block sites with expired certificates, which could effectively cut Russian websites off from the Internet. 

Ukraine has pushed for more severe restrictions on Russian sites. The country asked Internet governance nonprofit ICANN to suspend use of Russia’s “.ru” domains. ICANN declined last week. More recently, Internet experts have proposed more targeted “tech sanctions” against Russian military and propaganda sites while leaving civilian sites intact.

Government scan

Judge seeks to defuse legal fight that raised Trump’s ire (Devlin Barrett and Matt Zapotosky)

Securing the ballot

Judge orders Speaker Robin Vos to produce deleted emails (Associated Press)

National security watch

NSA chief trumpets intelligence sharing with Ukraine, American public (The Record)

Cyber Command chief tells Congress chip shortage has national security implications (CyberScoop)

Global cyberspace

As Russia invaded, hackers broke into a Ukrainian Internet provider. Then did it again as bombs rained down (Forbes)

Pro-Russia rebels are still using Facebook to recruit fighters, spread propaganda (Cat Zakrzewski, Elizabeth Dwoskin and Craig Timberg)

Ex Canadian government worker extradited to U.S. to face more ransomware charges (CBC News)

Transparency Org Releases Alleged Leak of Russian Censorship Agency (Vice)

Commercial satellites test the rules of war in Russia-Ukraine conflict (Christian Davenport)

China says U.S. addresses used its computers to launch cyberattacks on Russia, Ukraine (Reuters)

The biggest cyber risk in Ukraine? (Foreign Affairs)

Cyber insecurity

Hacking poses risks for artificial intelligence (Signal Magazine)

Justice Department reports more than $8 billion in alleged fraud tied to federal coronavirus aid programs (Tony Romm)


  • Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) and Chris Painter, the Obama administration’s top cyber diplomat, discuss cybersecurity and Russia’s invasion of Ukraine at an event hosted by the Center for Strategic and International Studies on Monday at 11 a.m.
  • Cyberspace Solarium Commission executive director Mark Montgomery speaks at an American Enterprise Institute event on gray-zone warfare that begins Wednesday at 9:30 a.m.

Secure log off

Thanks for reading. See you Monday.