The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Sen. Gary Peters is overseeing a boom in cyber bills

Welcome to The Cybersecurity 202! It's World Password Day — a holiday created by Intel in 2013 that's now mostly celebrated with story pitches to cyber reporters. There’s no perfect film recommendation for World Password Day, but I suggest the final scene of “Escape from L.A.,” when Snake Plissken enters the “world code” and shuts down all technology on the planet. The fan favorite is this password scene from “Spaceballs,” via New America’s Peter Singer.

Below: DHS is still under fire over its disinformation governance board, and a data broker pledged to stop selling data that might identify women seeking abortions. 

People are paying more attention to hacks, and that's helping Congress pass more cybersecurity bills

Correction: This post has been updated to correct the scope of a new ransomware reporting law. 

This is shaping up to be the most productive congressional term for cybersecurity in history — in no small part because of the efforts of Senate Homeland Security Committee Chair Sen. Gary Peters (D-Mich.). 

Peters and the committee’s top Republican, Sen. Rob Portman (Ohio), shepherded the largest expansion of requirements for industry to share hacking information with government into law last year. 

Before the close of this term, they hope to get at least two more big cyber bills into law — one that would upgrade the government’s aging and clunky information security requirements and another that would make it easier for government agencies to securely use cloud-computing systems. Both have already passed in the Senate. 

That’s on top of other legislation Congress has passed surging funding to cyber offices including the Cybersecurity and Infrastructure Security Agency and expanding those agencies’ mandates. 

Mounting threats

The efforts have gone a long way toward upgrading the government's cyber posture to meet the current threat — though there's still a long way to go, most cyber analysts agree.

“If we're going to be effective in fighting cybercriminals and cyberattacks, we have to be able to fight in a coordinated fashion and this puts the framework in place where we can do that,” Peters told me in an interview. “We’ve come a long way, but we can’t stop there.”

There were two big enabling factors for this burst of cyber legislation.

First: There was immense public pressure to get something done quickly — especially in the wake of a series of cyber crises including ransomware attacks against the oil, IT and agricultural sectors and heightened fears of Kremlin hacking after Russia’s invasion of Ukraine. 

Peters described the results as a mix of legwork and timing.

  • “We did all the groundwork to have really good bills,” Peters told me. “So when something happens that really brings everybody's attention to an issue, we can act on it very quickly and provide a solution that people can immediately vote on and feel comfortable they're taking action.”

Indeed, the cyber incident reporting bill passed the Senate with unanimous support — as did the other two bills they hope to get over the finish line. 

  • “That gives me a lot of leverage talking to my friends in the House that we've got 100 senators in support of the bills as written here in the Senate,” he said.

Second: Congress has slow-rolled cyber legislation for so long that even pretty common-sense measures seem like super big deals at this point. 

  • The cyber reporting bill that passed last year requires companies in critical infrastructure sectors, such as energy, transportation and manufacturing, to alert the government about significant cybersecurity incidents. It also requires those companies to alert the government when they pay ransoms to hackers.
  • But it doesn’t require companies to meet any particular cyber standards. That’s a move many experts say is long past due — but it would probably take an even greater cyber crisis to impose such rules more broadly. The executive branch has imposed minimum cyber standards on a handful of sectors where it has the regulatory authority, such as pipelines.
  • By contrast: The last time Congress passed a big cyber bill affecting industry, in 2015, it merely gave companies the option of sharing hacking information with the government without any legal jeopardy. Even that measure was highly controversial and barely made it into law.

Next up

Peters’s next big cyber target is legislation aimed at helping make small businesses more resilient against ransomware and other hacks. Small businesses are a frequent target for ransomware hackers because they tend to have far weaker defenses than larger firms. But it’s proven difficult to get government cyber resources out to small businesses because they’re so diverse and widespread. 

  • “It is absolutely an existential threat to small businesses if they’re hit with a ransomware attack. So we’re thinking through how do we help small businesses defend themselves? How do we leverage federal cyber resources to work with small businesses?” Peters said. “It’s not an easy problem, but it’s one that we have to address.”

The keys

Senators grill DHS chief over disinformation board

Republican senators hammered Homeland Security Secretary Alejandro Mayorkas about the department’s planned Disinformation Governance Board during a Wednesday hearing, charging that it would be a government “thought police” that would try to combat opinions officials don't like.

Mayorkas defended the board, saying it has limited powers and important priorities:

  • DHS has explained that it would focus on disinformation threatening critical organizations in the wake of Russia’s invasion of Ukraine and on disinformation spread by human smugglers at the U.S.-Mexico border.
  • Mayorkas has said the board won’t have “operational authority.”
  • He also reiterated that DHS has long focused on disinformation, and the board would “establish what should have been established years ago: standards, definitions, guidelines and policies.”

Yet, the department has struggled to respond to criticism or to answer basic questions about the board. 

On Friday, DHS held a call with congressional staffers and Nina Jankowicz, the board’s executive director. Jankowicz didn’t give specific answers to some questions, the AP reported. Some staffers on Capitol Hill “say they know little about the board or how it’s being funded beyond the spare public announcements made by the department’s leadership,” the outlet wrote.

DHS has faced criticism for how it rolled out the board, which was first reported in a three-sentence write-up in Politico's Playbook newsletter. The board “quietly began work two months ago,” the New York Times’s Steven Lee Myers and Zolan Kanno-Youngs wrote this week.

Data broker says it will stop selling location data of women visiting abortion clinics

The firm SafeGraph announced it won’t let its clients search for location data related to family planning centers to “curtail any potential misuse of its data,” Motherboard’s Joseph Cox reports. SafeGraph announced the change a day after Motherboard reported that it had purchased a week’s worth of location data on visitors to Planned Parenthood facilities for around $160.

Some cybersecurity experts fear that such data could be used to track women going to abortion centers in the wake of a leaked draft of a majority Supreme Court decision to overturn the 1973 Roe v. Wade ruling that made abortion legal nationwide. 

While the SafeGraph data doesn’t include names of users, such data has been used in the past to identify individuals by analyzing patterns of movement and behavior. 

  • Here’s a deep dive from Geoffrey A. Fowler and Tatum Hunter about how data tracking on your phone can reveal if you’ve had an abortion.

Biden releases next generation secure encryption plan

President Biden signed an executive order and national security memorandum focused on speeding up the U.S. development of quantum computing — and making sure encryption standards are ready for the shift, the Record’s Joe Warminsky reports.

The challenge: The U.S. government is concerned that a future generation of super powerful computers will be able to crack into files that are encrypted to current standards. So, officials want to make sure the United States is first to develop the new quantum computers — which are expected to revolutionize science and engineering — and first to develop encryption that can withstand them. 

The Commerce Department's National Institute of Standards and Technology is already several years into developing the updated encryption algorithms. 

“This is not an insurmountable problem,” a senior Biden administration official said.

Biden also directed NIST and CISA to work closely with the private sector and critical organizations like pipelines and hospitals so their systems can defend against quantum computers trying to undermine their encryption.

Global cyberspace

Hackers stole data undetected from US, European orgs since 2019 (Bleeping Computer)

Russian ransomware group claims attack on Bulgarian refugee agency (CyberScoop)

Privacy patch

Connecticut becomes fifth state with data privacy law (The Record)

National security watch

Nakasone says Cyber Command did nine 'hunt forward' ops last year, including in Ukraine (CyberScoop)

Cyber Command sent a 'hunt forward' team to help Lithuania harden its systems (The Record)

NSA Chief: Cyber Command did 9 cyber defense missions last year (NextGov)

Daybook

  • CISA Executive Director Brandon Wales and Keith Alexander, who led the NSA and U.S. Cyber Command, discuss critical infrastructure cybersecurity at an event hosted by the Advanced Technology Academic Research Center today at 1:30 p.m. 

Secure log off

Thanks for reading. See you tomorrow.