Welcome to The Cybersecurity 202! British King Henry VIII had his second wife Anne Boleyn beheaded on this day in 1536. So, your day’s going better than hers already.
The U.S. lacks tools to enforce good cyber-behavior from other countries
The United States needs a broader set of options to punch back at nations that violate norms of good behavior in cyberspace, according to a Republican and a Democratic lawmaker I spoke with.
The most severe options could include blocking nations from the international financial system or dramatically restricting trade with them, Rep. Elissa Slotkin (D-Mich.) told me during a Washington Post live discussion.
The comments reflect a long-simmering frustration in Washington that nations far inferior to the United States in military and economic might can nevertheless batter us in the cyber domain. Indeed, the United States is among the most vulnerable nations in cyberspace because our institutions are far more reliant on the Internet than other nations.
- U.S. officials have tried indicting government-backed hackers and imposing limited sanctions on the companies that support them as well as naming and shaming nations they believe have stepped out of bounds in cyberspace.
- But none of that has made much of a dent in the willingness of Russia, China and other U.S. adversaries to hack U.S. companies and government agencies.
If the United States wants to compel better behavior it will likely have to get far more aggressive, Slotkin said.
“There's a lot of tools left in the toolbox, but it means the United States doing something that we don't do a lot — or we don't like to do — which is mixing our military policy with our economic policy, making sure…we have consequences and built-in deterrence on cyber threats.”
Slotkin worked at the CIA and Pentagon before running for Congress. Here’s more from her remarks via Twitter:
.@RepSlotkin tells @Joseph_Marks_: “If we want to have consequences... on cyber threats, those consequences are not just about a military response… maybe your access to the international financial system is in question, maybe the free trade… they don’t have access to.” pic.twitter.com/svAsWFYiwj— Washington Post Live (@PostLive) May 18, 2022
During the same discussion, Rep. Michael McCaul (R-Tex.) urged more robust work with U.S. allies to establish rules of the road in cyberspace and the consequences for nations that violate them.
“With my children, if there’s bad behavior and no consequences then the bad behavior continues,” he said. “[U.S. cyber adversaries] have been getting away with this for a very long time. And it's because … there are no consequences today. I think there will be tomorrow.”
- McCaul, who co-founded the Congressional Cybersecurity Caucus in 2008, is among the sponsors of a bill that would create a new State Department position focused exclusively on negotiating such agreements. It’s passed the House but not the Senate. The Biden administration has also pledged to create such a position but has not filled it yet.
But there are also big drawbacks to getting tough on adversaries.
Beijing-backed hackers, for example, are by far the biggest stealers of U.S. companies’ intellectual property and trade secrets — leading to a slew of indictments since 2014. But U.S. officials have stopped short of the most damaging economic retaliation out of concerns about disrupting Chinese trade relations, which greatly benefit U.S. companies and consumers.
McCaul warned during our discussion that it would be exceptionally difficult to impose sanctions on China.
.@RepMcCaul tells @Joseph_Marks_: “It’s a lot easier to sanction Russia than it is China… We’re not intertwined with their economy the way we are with China, and we are so dependent on supply chains coming out of China.” #PostLive pic.twitter.com/hALWuxaQbP— Washington Post Live (@PostLive) May 18, 2022
U.S. adversaries have also become proficient at tailoring their cyber operations to a level just beneath one that would prompt serious U.S. retaliation.
Even Russian President Vladimir Putin, who flouted global norms by invading Ukraine, has generally kept Russian cyber operations against the United States within bounds that will not escalate to a conventional military conflict.
Such fear of escalation is likely one reason the Kremlin has not launched a serious cyberattack against the United States or one of its NATO allies since the Ukraine invasion — a move that might trigger NATO’s Article 5 commitment to mutual defense.
“They don't want to further globalize the conflict and potentially risk us getting it in a more serious way. But the [cyber] capability is there. It’s not for want of capability,” Slotkin said.
More from Slotkin:
.@RepSlotkin says, “We have zero deterrence in the cybersecurity fight… We need to be treating it as a five alarm homeland security issue… At some point, we’re going to have our cyber 9/11 and it's going to wake everyone up.” #PostLive pic.twitter.com/QEb2i64fx9— Washington Post Live (@PostLive) May 18, 2022
DHS is ‘pausing’ its Disinformation Governance Board amid conservative criticism
Disinformation expert Nina Jankowicz, who was named as the Disinformation Governance Board’s executive director, has resigned and the board could be shut down pending the Homeland Security Advisory Council’s review, Taylor Lorenz reports. The dramatic implosion of the board came just three weeks after DHS announced its creation.
“The board itself and DHS received criticism for both its somewhat ominous name and scant details of specific mission … but Jankowicz was on the receiving end of the harshest attacks, with her role mischaracterized as she became a primary target on the right-wing Internet,” Taylor writes.
- DHS previously said the board would coordinate countering disinformation spread by human smugglers to attempted migrants and Russian disinformation threatening critical organizations.
- Homeland Security Secretary Alejandro Mayorkas told lawmakers this month that the board would “develop guidelines, standards, guardrails to ensure that the work that has been ongoing for nearly 10 years does not infringe on people’s free speech rights, rights of privacy, civil rights and civil liberties.”
The board’s pause comes at a critical time. Experts are gearing up for midterm elections, which are expected to be a major source of foreign disinformation. And lawmakers have pressed the U.S. government for answers about how it will defend against potential Russian disinformation efforts amid the war in Ukraine, the Wall Street Journal reported.
Staffers at DHS are growing frustrated. The agency has suspended its intra-departmental working groups focused on misinformation and disinformation, which some officials said was an overreaction to right-wing outrage.
The disastrous rollout of the board could hamper DHS efforts to recruit top talent, some staffers worry. “We’re going to need another Nina down the road,” a DHS staffer told Taylor. “And anyone who takes that position is going to be vulnerable to a disinformation campaign or attack.”
Here's Slotkin on the board and its implosion, which she said both caught Congress by surprise.
.@RepSlotkin on the pause of the disinformation governance board: “I’m on the homeland security committee and this thing kind of popped in the press and was reported to have been suspended… before we even got a formal brief on it.” #PostLive pic.twitter.com/GTYwZ68ZYs— Washington Post Live (@PostLive) May 18, 2022
More from Bob Kolasky, who previously worked on DHS disinformation efforts at the Cybersecurity and Infrastructure Security Agency.
.@BobKolasky says, “Particular areas that I think DHS still needs to do more work on… is what is our strategy for making sure that disinformation does not lead to violent activity and cause attacks on the homeland… I don’t think the department has enough attention on that.” pic.twitter.com/b8zmzYm8e8— Washington Post Live (@PostLive) May 18, 2022
Senators want the FTC to investigate identity verification firm ID.me
Sen. Ron Wyden (D-Ore.) and three other Democratic senators asked the FTC to investigate whether ID.me misled consumers and government agencies about the type of facial recognition technology it uses, Bloomberg News’s Shawn Donnan and Dina Bass report.
At issue are the company’s claims last year that it doesn’t use technology that can search for faces across vast databases of saved images. Those systems are more controversial than technology that tries to detect whether two images — like a selfie and a passport — show the same person.
- Last year, ID.me said in a news release that it doesn’t use the database system, which it said “is more complex and problematic.” But chief executive Blake Hall contradicted that in a LinkedIn post, CyberScoop's Tonya Riley previously reported.
The IRS’s use of ID.me’s technology came under a torrent of criticism from lawmakers and privacy advocates earlier this year — leading the agency to abandon its plan to require taxpayers to submit selfies to verify their identities.
House lawmakers have separately launched an investigation into ID.me’s technology.
The call for the FTC investigation comes a week after surveillance critic Alvaro Bedoya was confirmed to a seat on the commission, giving Democrats a majority. Bedoya, who has studied the harms of facial recognition technology, could be critical for the FTC to launch such an investigation.
ID.me spokesman Patrick Dorton told Bloomberg News that “we look forward to cooperating with all relevant government bodies to clear up any misunderstandings.” He declined to address the issues raised by the senators but said that the company’s technology had helped government agencies combat unemployment fraud.
CISA orders federal agencies to patch or remove vulnerable VMware software
Agencies have until next week to determine how many vulnerable products are on their networks and either update or remove them, CISA said.
The rare directive to agencies came the same day VMware alerted about two new vulnerabilities in its products. Hackers could “quickly develop a capability to exploit newly released vulnerabilities” in those products, CISA said.
- CISA has previously used such directives to speed remediation of devastating vulnerabilities, including SolarWinds, Microsoft Exchange and Log4j.
CISA has seen multiple instances of hackers exploiting other vulnerabilities in VMware products at large organizations, it said. Some of the hackers who have exploited those older vulnerabilities include advanced groups that could be linked to foreign governments or spy services, CISA said.
Rep. Jim Langevin (D-R.I.) reflected on the more than a decade since he and Rep. Michael McCaul (R-Tex.) founded the House Cybersecurity Caucus — and dropped a new cyber analogy.
Former DNI urges a ‘cyber Manhattan Project’
Former Director of National Intelligence John Ratcliffe argues for a major revamp of U.S. cyber efforts in a joint Newsweek op-ed with Abraham Wagner.
The op-ed urges a “cyber Manhattan Project” to funnel money and resources into countering cyber threats as well as enlarging the NSA’s role in cyber defense.
Securing the ballot
- The Senate Rules Committee holds a hearing on election administration today at 11 a.m.
- The U.S. Chamber of Commerce hosts a briefing on Russian cyberthreats with FBI and CISA officials today at 2 p.m.
- The Association for Computing Machinery’s U.S. Technology Policy Committee hosts a panel on online data collection today at 5 p.m.
- Deputy Attorney General Lisa Monaco, National Cyber Director Chris Inglis and CISA Director Jen Easterly speak at an Institute for Security and Technology event on the first year of the Ransomware Task Force on Friday at 10:30 a.m.
Secure log off
Thanks for reading. See you tomorrow.