Welcome to The Cybersecurity 202! I’m light on chatter today, so chat amongst yourselves. I’ll give you a topic: The firewall is neither fire nor a wall. Discuss.
Angus King wants transparency on election threats with regular reports from Cybercom
Sen. Angus King (I-Maine) wants U.S. Cyber Command to keep an eye on the security of U.S. elections.
King, who was a co-chair of the U.S. Cyberspace Solarium Commission, is pushing a new plan for Cybercom to produce two unclassified reports connected with each biennial election, he told me.
The first will highlight foreign threats to the election beforehand and detail what Cybercom and the rest of the government is doing about them. The second will provide an overall assessment of election security after the election is concluded.
King inserted a provision requiring those reports in the Senate’s version of an annual must-pass defense policy bill where there were no objections from Republicans or Democrats, he told me. That gives the measure a strong chance of becoming law when the House and Senate hash out their competing versions of the bill, known as the National Defense Authorization Act (NDAA), later this year.
The bill language has not been made public and the Cybercom provision has not been previously reported.
King’s measure marks the latest effort to ramp up transparency about election threats and security.
It comes in the wake of increased alarm about foreign interference in elections and diminishing public faith in the integrity of the voting process — both of which were sparked by Russian interference in the 2016 contest and driven down further by false election fraud and hacking claims propagated by former president Donald Trump and his allies after the 2020 contest.
“We want to be kept informed of what the threats are, how they're developing, what direction they're taking. We also want to be able to reassure people about the security of our elections,” King told me in an interview.
An added advantage: The reports could trade on the popularity and perceived trustworthiness of the military to gain broader public acceptance about what’s true and untrue when it comes to election security.
That could be especially useful in knocking back many of the phony election security concerns boosted by Trump and his allies.
“We're in an unprecedented place in terms of public confidence in elections, and that's due largely to the fact that the former president and many of his followers have just repeated and repeated and repeated assertions about election security in 2020 that just aren't true,” King told me. “Part of what we have to do is rebuild confidence. And one way to do that is to have trusted agencies like Cybercom … provide an independent assessment of these issues.”
Context: Public trust in the military has declined in recent years, but remains far higher than trust in elected officials, journalists and other groups that traditionally talk about election security, according to a recent Pew Research Center poll.
A big goal
The report will only be produced in an unclassified version and the goal will be to make it as transparent and accessible to the public as possible, King told me.
If the report ends up too bland or vague to be useful, King said, he expects Congress to push back until Cybercom shares more.
The Office of the Director of National Intelligence also produces a post-election security report as required by a Trump-era executive order — but it’s produced as a classified document that’s later converted into a declassified version and is not particularly accessible to a general audience.
Cybercom has historically been closelipped about its work, but it has become more transparent in recent years — especially about efforts to punch back against interference in U.S. elections.
In one major example, the command blocked internet access at a Kremlin-backed troll farm, the Internet Research Agency, in advance of the 2018 midterm elections.
The Internet Research Agency had played a major role in spreading Kremlin disinformation in advance of the 2016 election. Kremlin hackers also probed election systems in multiple states and penetrated voter rolls in at least two states before that election, but there’s no evidence they changed any votes.
Meanwhile, in the House
The House version of the NDAA could also include a raft of cyber provisions, Rep. Jim Langevin (D-R.I.) told Aaron. Many of those are recommendations from the Cyberspace Solarium Commission, a congressionally led effort to boost cybersecurity that King co-chaired with Rep. Mike Gallagher (R-Wis.) and which Langevin served on.
- A program to designate and protect the most critical digital systems in the government and private sector
- A Bureau of Cyber Statistics to hammer down the actual damage caused by cyberattacks, which is often opaque
- Mandating creation of a cyber bureau in the State Department with a presidentially appointed ambassador as its lead
- Making it easier for government to share cyberthreat information with the most critical industry sectors
Russian hackers are aiming far outside Ukraine, Microsoft says
Russian hackers have targeted more than 120 organizations in 42 countries outside Ukraine since the war began, Microsoft said in a report. Nearly two-thirds of the attacks were aimed at countries in the NATO alliance, and attacks on U.S. targets represented 12 percent of the global total.
Details: The targets have spanned government agencies, which amounted to nearly half of the attacks, as well as think tanks, humanitarian groups and even critical infrastructure organizations, according to the company.
“Since the start of the war, the Russian targeting we’ve identified has been successful 29 percent of the time,” Microsoft said.
Microsoft is also shifting its focus to foreign disinformation. The company says it’s using more data and staff to analyze how Russia is spreading phony stories, Joseph Menn reports.
A new Russian Propaganda Index found that the “proportion of propaganda seen by users in Ukraine tripled in the first weeks of the war and rose by 86 percent in the United States,” Joseph writes. The index is designed to measure the online traffic going to “Russian state-controlled and -sponsored news outlets and amplifiers” as a proportion of all online news traffic,” the company said.
A bipartisan privacy bill is imperiled without support from a key senator
Senate Commerce Committee Chair Maria Cantwell (D-Wash.) says she isn’t close to supporting the legislation, which would let users opt out of targeted ads and sue firms that improperly sell their data, Cristiano Lima reports. Cantwell’s committee controls the fate of the bill in the Senate, and her opposition deals a significant blow to its likelihood of becoming law.
- Cantwell said the bill has “major enforcement holes.” That problem is compounded because the bill might override stronger state privacy laws, such as the landmark bill in California.
- The question of whether a federal law would override state laws is a major point of contention. Democrats are reluctant to preempt potentially stronger state laws, while Republicans worry that a patchwork of laws across the country could make it difficult for businesses to comply. “People who want to get a bill know that you can’t preempt states with a weak federal standard, so hopefully they’ll come back to the table,” Cantwell said.
- There won't be a floor vote without Cantwell's support. Senate Majority Leader Charles E. Schumer (D-N.Y.) said he won't bring the bill up for a vote in the upper chamber, Cantwell said. Schumer spokesman Alex Nguyen said Schumer “supports a bipartisan bicameral privacy bill that all four corners agree to,” referring to Cantwell, Rep. Frank Pallone Jr. (D-N.J.), Rep. Cathy McMorris Rodgers (R-Wash.) and Sen. Roger Wicker (R-Miss.).
Coming up: House lawmakers have scheduled a subcommittee markup, the first step for advancing the legislation, for today.
Facebook and WhatsApp parent Meta blast U.K. online safety bill over surveillance concerns
The U.K. legislation would require platforms to quickly report illegal activity, such as child pornography, and enforce new rules around content that isn't illegal but is still deemed harmful, my colleague Cristiano Lima reported in March. But Meta says the bill could force companies to scan all private messages, and ultimately “risks people’s private messages being constantly surveilled and censored,” Bloomberg News’s Thomas Seal reports.
A major concern is that the bill might force platforms like Facebook and WhatsApp, which encrypt messages so that only the sender and recipient can read them, to undermine encryption to scan messages, according to Meta.
U.K. policymakers have threatened to force messaging apps to scan messages — but only as a last resort. “Tech firms have failed to tackle child abuse and end-to-end encryption could blind them to it on their sites while hampering efforts to catch the perpetrators,” a spokesperson for the U.K. Department for Digital, Culture, Media and Sport told Bloomberg News.
Dozens of organizations and people have submitted feedback on the legislation. Google’s U.K. subsidiary argued that the bill “could force services to rely excessively on automated tools to identify illegal content, and significant amounts of legitimate content will be removed as a result.”
Stateside: The U.S. Congress has mulled a bill in recent years that would force tech firms to do more to prevent sharing child pornography on their platforms and that critics fear would imperil end-to-end encryption. That bill, dubbed the EARN IT Act, passed the Senate Judiciary Committee but hasn't been taken up by the full House or Senate.
- Microsoft President Brad Smith discusses disinformation and foreign information operations at a Washington Post Live event on Thursday at 9 a.m.
- A House Energy and Commerce Committee panel discusses privacy and cybersecurity legislation on Thursday at 10:30 a.m.
- A House Appropriations Committee panel discusses homeland security funding on Friday at 9 a.m.
- U.S. Cyber Command Executive Director Dave Frederick speaks at a Billington CyberSecurity event on Monday at noon.
Secure log off
Thanks for reading. See you tomorrow.