Welcome to The Cybersecurity 202! This week brought the five-year anniversary of the North Korea-backed WannaCry cyberattack, the first anniversary of President Biden's cybersecurity executive order and Homer Simpson's 66th birthday. What a doozy!
A policy update aims to raise White House and State Department visibility into military cyber operations
The Biden administration has refined a Trump-era cyber order known as NSPM 13 to ensure the White House and State Department have more visibility into sensitive military cyber operations.
The move marks the latest effort to ensure military cyber operators can move fast and effectively — but with enough review that they don’t accidentally complicate other government cyber priorities or create tensions with allies. That’s especially important given that such operations generally run through other countries, officials say.
To defense officials’ relief, the revisions don't roll back flexibility granted by NSPM 13. It still protects Cyber Command’s ability to conduct timely operations against foreign adversaries, according to administration officials familiar with the changes, who spoke on the condition of anonymity because the order itself is classified.
- “They were very concerned that the thing would be undone, and it wasn’t,” said one senior U.S. official. “When it was all said and done, it’s a tweaking — not radical surgery.”
The revisions are largely procedural and do not pare back or confer new authorities, officials said.
What’s new: The key change, officials said, is that in the past the Pentagon could override the State Department’s objection to an operation without explanation and without the White House’s knowledge.
- Now, the Defense Department will have to keep both the White House and State Department apprised of Cyber Command’s rationale for proceeding.
- Though not stated in the document, White House officials can raise concerns to the president.
Cyberscoop earlier reported that the update would expand State Department visibility into some military cyber operations.
The prime goal: Making sure an operation against an adversary that runs through third-party countries does not conflict with or undermine other agencies’ operations or initiatives. Those could include a CIA operation to gather intelligence or the State Department’s desire to preserve diplomatic relations.
“The core goal really was ensuring that offensive cyber operations are an effective tool of national policy,” a second administration official said.
Cabinet officials, including the defense secretary, Joint Chiefs chairman and Secretary of State, all approved the update in a “principals” meeting last month, officials said. CIA Director William J. Burns and NSA/Cyber Command head Gen. Paul Nakasone also concurred.
The review, co-led by deputy national security adviser Jonathan Finer and deputy national security adviser for cyber and emerging technologies Anne Neuberger, began last year. President Biden is expected to sign off on the changes.
A National Security Council spokeswoman, Saloni Sharma, declined to comment.
The revisions do not require a partner country to sign off on an operation, but they are expected to lead to more consultation with allies in advance of operations. It remains to be seen whether such consultation will impede operations. “Such notification does have implications,” said one military official.
The Biden administration review also added new timelines for coordination on operations.
- The timelines depend on operations’ sensitivity and requirement for speed because some operations have quick turnarounds while others take months to plan and execute.
- Those that need to be carried out more quickly come with a tighter timeline for coordination, officials said.
President Donald Trump signed NSPM 13 in September 2018, streamlining the approval process for such operations, which up to then could be halted by objections raised at lower levels.
- The Trump-era order created a set of approved categories of operations against major adversaries (Russia, Iran, North Korea and China) that no longer required specific approval by a variety of agencies or continuous oversight by other agencies.
- NSPM 13, in tandem with a 2018 law that clarified Cyber Command’s authorities to conduct cyber operations, is credited with a series of successes, including the defense of the 2018 midterm elections against Russian Internet trolls. More operations followed, including in the 2020 election cycle.
- “NSPM 13 made all the difference in the world — as far as the things we were able to detect and the things we were able to do about them,” said Thomas Wingfield, who was the deputy assistant secretary of defense for cyber policy. He did not elaborate on what those operations were.
Yet some former military officials remain skeptical that the Biden revisions will leave agility intact.
- “If there’s an increased requirement to notify third-party countries that operations are moving through their cybersphere then that could hurt the success of future operations,” said Mark Montgomery, former director of operations at U.S. Indo-Pacific Command and former executive director of the Cyberspace Solarium Commission.
There has long been a natural tension between the Defense and State departments over the issue, which involves perceived trade-offs between operational agility and diplomacy.
One administration official put the Defense Department’s perspective on the NSPM 13 review process this way: “I don’t know what problem we’re trying to fix.”
Other officials said the long-term issue is figuring out what role foreign policy concerns play in the evaluation of risk and reward in cyber operations.
For example: One official pointed to the ongoing war in Ukraine and the prospect that a U.S. cyber operation could escalate tensions. “Is the risk really worth the benefit?” the official asked.
So far, though, Cyber Command has been cautious about taking escalatory actions, and Russia seems to have its hands full fending off attacks from hacktivists and other nongovernment digital assailants.
Another insider jeopardized election systems security — this time in Georgia
A former elections supervisor in Coffee County, Ga., opened her offices to a group of skeptics pursuing baseless claims the 2020 election was stolen, she told my colleagues Emma Brown and Amy Gardner. Trump carried rural Coffee County by 40 points but elections supervisor Misty Hampton was suspicious of Biden’s victory in the state overall.
Hampton “said she could not remember when the visit occurred or what [bail bondsman and prominent election denier Scott] Hall and the others did when they were there,” Emma and Amy write. They didn’t go into the room that houses the county’s voting machines, she said. But she said she didn’t know whether they entered a room with the server that is used to tally election results.
“I’m not a babysitter,” she told The Post.
The case highlights growing concerns that local officials sympathetic to baseless claims and conspiracy theories about election security and voter fraud “might be persuaded to undermine election security in the name of protecting it,” Emma and Amy write.
“Insider threat, while always part of the threat matrix, is now a reality in elections,” said Matt Masterson, a former top U.S. cybersecurity official who tracked 2020 election integrity at the Cybersecurity and Infrastructure Security Agency. Hall didn’t respond to requests for comment.
The Drug Enforcement Administration is investigating an apparent hack of one of its databases
It’s a potentially staggering breach because the system in question lets its users search across more than a dozen law enforcement databases, Krebs on Security’s Brian Krebs reports.
An administrator of an online community that publishes people’s personal information shared documentation of the breach with Krebs. The community’s previous leader runs LAPSUS$, a hacking group known for “doxing” victims by publishing personal information they’ve stolen.
The databases could let hackers search for property that federal agents believe was purchased with criminal proceeds. They could also allow them to post phony records in the databases as a method to harass adversaries and confuse law enforcement.
“I don’t think these [people] realize what they got, how much money the cartels would pay for access to this,” Nicholas Weaver, a researcher at the University of California, Berkeley’s International Computer Science Institute, told Krebs. “Especially because as a cartel you don’t search for yourself you search for your enemies, so that even if it’s discovered there is no loss to you of putting things ONTO the DEA’s radar.”
The DEA declined to comment to Krebs on claims that the system had been breached. The agency said it “takes cybersecurity and information of intrusions seriously and investigates all such reports to the fullest extent.”
The U.S. government signed an update to an international cybercrime treaty
The update to the Budapest Convention is an attempt to make it easier for countries to get electronic evidence for cyber investigations. It comes almost 16 years after the Senate ratified the original Budapest Convention.
The update is “specifically designed to help law enforcement authorities obtain access to such electronic evidence, with new tools including direct cooperation with service providers and registrars, expedited means to obtain subscriber information and traffic data associated with criminal activity, and expedited cooperation in obtaining stored computer data in emergencies,” the Justice Department said.
The department adds: "All these tools are subject to a system of human rights and rule of law safeguards.”
Limits: The Budapest Convention has made combating international cybercrimes far easier, but it has severe limits. Russia, which is one of the largest havens for cybercrime, is not a member. Nor is China.
The 202, right?
- Jonah Force Hill, the director for cybersecurity and emerging technology policy at the National Security Council, discusses quantum innovation and cybersecurity at a Center for Strategic and International Studies event Monday at 3 p.m.
- The House Homeland Security Committee’s cybersecurity subcommittee holds a hearing on the cybersecurity of federal networks Tuesday at 2 p.m.
- The Senate Health, Education, Labor and Pensions Committee holds a hearing on the cybersecurity of the health and education sectors Wednesday at 10 a.m.
- Rep. Michael McCaul (R-Tex.), Rep. Elissa Slotkin (D-Mich.) and Bob Kolasky, a senior vice president for critical infrastructure at Exiger who previously led CISA’s National Risk Management Center, discuss cybersecurity at a Washington Post Live event Wednesday at 2:30 p.m.
- The U.S. Chamber of Commerce hosts a briefing on Russian cyberthreats with FBI and CISA officials on Thursday at 2 p.m.
Secure log off
Thanks for reading. See you tomorrow.