Welcome to The Cybersecurity 202! Sorry to start things on a somber note, but … RIP, Choco Taco.
The requirements have roiled tensions within the private sector, and sometimes even within the administration, as government officials try to de-conflict the growing web of established and forthcoming regulations.
The National Credit Union Administration published its proposed rule this morning, laying out a 72-hour notification window for federally insured credit unions to notify the agency when, for instance, hackers illegally access, modify or destroy sensitive data.
- “Federally insured credit unions are not only the system’s first line of defense, but they are also the NCUA’s eyes and ears,” NCUA Board Chairman Todd Harper said last week after the board advanced the proposal. “When credit unions report these types of incidents, they may very well be helping to keep our nation secure from similar cyberattacks elsewhere.”
But some who are on the receiving end of such regulations say they can have downsides.
“This is part of a trend toward shorter and shorter notification time frames when regulators want to be told about something,” Luke Dembosky — who co-chairs the Debevoise & Plimpton law firm’s data strategy and security practice, which has financial services industry clients — told me. Added fellow co-chair Avi Gesser: “As you shrink the timelines, and you increase the number of regulators who have to be notified, that can take resources away from the response.”
Following last summer’s hack of Colonial Pipeline — an incident that led the company to shut down the nation's largest gas pipeline and spurred a fuel panic — feds have begun implementing or exploring mandates on reporting incidents to regulators, as cyber experts call for more cyber regulation. Among the efforts:
- The Transportation Security Administration is requiring major pipeline owners as well as high-risk rail operators to provide notifications within 24 hours.
- Four financial services industry regulators last winter finalized a rule mandating that banks report incidents within 36 hours.
- The Securities and Exchange Commission this spring proposed a four-day window for public companies to notify the SEC of major breaches, and has approved more rules for others.
- The Federal Communications Commission earlier this year said it was contemplating rules for telecommunications carriers to report significant incidents, but didn’t specify a time frame.
- As a result of legislation signed into law this year, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is writing regulations spelling out that critical infrastructure owners and operators must report big hacks within 72 hours.
In many cases, industry pushback prompted the agencies (or lawmakers) to ease those rules. And the legislation ruffled feathers at the Department of Justice, which wanted lawmakers to write the FBI into receiving those notifications at the same time CISA would get them. (CISA Director Jen Easterly ultimately said the agency would work to ensure that reports are “immediately shared” with the FBI.)
It’s not the only area where agencies are running into potential conflicts. Asked last week at a Fordham University cybersecurity conference about the proposed SEC regulation, the FBI’s Bryan Vorndran said his bureau and the Justice Department were “tracking it very, very closely.
“Those discussions are being had at the most senior levels of the FBI, DOJ and the SEC, about the implication … I wouldn’t say on law enforcement, but on national security,” said Vorndran, assistant director of the cyber division, per my colleague Ellen Nakashima. “It’s very much an ongoing, relevant discussion. Should there or should there not be a national security delay option in there to prevent public disclosure?”
To avoid “tripping the firefighters,” said Dembosky, a former deputy assistant attorney general for national security at the Justice Department, “law enforcement is someone a company often needs and should go to very early on. Regulators are there for compliance and enforcement purposes. That, frankly, can usually wait a bit.”
The thicket of federal, state and international rules sometimes means a company that suffers a hack might have to provide 70 different notifications to regulators, Gesser said. That and the reporting time frames can be a burden, but Gesser said it makes “perfect sense” to require swift notification to federal agencies “if there’s some systemic risk.”
Easterly told me Monday that she’s cognizant of the need to harmonize the reporting regulations her agency is writing with existing and forthcoming rules from other agencies. She had hoped to speed up the regulations, which are due in 2024 under the legislation Congress passed, but getting them right requires ample consultation with the private sector.
On Monday, a DHS-led council charged with coordinating federal cyber notification rules met for the first time. Among its members are the Justice Department and several agencies establishing their own regulations.
“My aim is that we will be able to leverage that to really focus on harmonizing because we don't want to place a burden on industry,” Easterly said.
For its part, the Credit Union National Association considers “cybersecurity a top priority” but is “currently gathering feedback” in response to the NCUA’s proposal, said Madison Rose, its director of advocacy and counsel for payments and technology.
European lawmaker files complaint after finding he was targeted with spyware
Nikos Androulakis, the president of Greece’s socialist party who is a member of the European Parliament, probably wasn’t hacked because he didn’t click a malicious link tied to Cytrox’s Predator spyware, Haaretz’s Omer Benjakob reports, citing Greek newspaper Kathimerini. Androulakis isn’t the first European to have been targeted with the spyware; in April, researchers confirmed that CNN Greece reporter Thanasis Koukakis had been hacked with Predator spyware, Haaretz previously reported.
Investigators looked at phones belonging to about 200 members of the European Parliament after The Washington Post and 16 media partners reported last year that NSO Group’s Pegasus spyware was used to target journalists, activists and executives. Androulakis’s phone was the only one to have been targeted, Haaretz reports.
Predator is similar to Pegasus, but it requires targets to click on malicious links for them to get infected, Haaretz reports. Cytrox is owned by Greece-based firm Intellexa, which didn’t respond to Haaretz’s request for comment.
“It is unclear if Cytrox is under Israeli defense oversight and whether the firm and others linked to Intellexa sell only to states — as NSO does — or also provide their services to private entities,” Benjakob writes. “The body in charge of overseeing defense exports did not respond to Haaretz’s questions regarding Cytrox for this report.”
ByteDance’s defunct news app promoted pro-China content and censored posts, ex-employees say
Four former ByteDance employees who worked on its TopBuzz app claim that “ByteDance instructed members of its staff to place specific pieces of pro-China messaging in the app,” BuzzFeed News’s Emily Baker-White reports. The allegations, which ByteDance denies, come amid years of scrutiny on ByteDance-owned social media app TikTok and its connections to China. ByteDance shuttered TopBuzz in 2020.
- The former employees described staff posting and pinning videos of pandas and a man discussing the advantages of moving a start-up to China — not overtly political videos. Still, the article amounts to the “first report alleging that TikTok’s parent company at one point intentionally used one of its apps to distribute pro-China messages to Americans,” Baker-White writes.
“The operations of TopBuzz provide a rare window into how ByteDance previously balanced its relationship with the Chinese government and its desire to dominate the international market for news and entertainment,” Baker-White writes. “Interviews with 15 former ByteDance employees who worked on TopBuzz also suggest efforts to censor content critical of the Chinese government, an operation to scrape and republish content from news publishers without permission, and an emphasis on featuring sensationalist, often inaccurate news to drive engagement.”
ByteDance denies the allegations. ByteDance spokesperson Billy Kenny told BuzzFeed News that the “claim that TopBuzz — which was discontinued years ago — pinned pro-Chinese government content to the top of the app or worked to promote it is false and ridiculous. TopBuzz had over two dozen top tier U.S. and U.K. media publishing partners, including BuzzFeed, which clearly did not find anything of concern when performing due diligence.” (BuzzFeed News corroborated its sources by using other sources and viewing screenshots, Baker-White reports.) A BuzzFeed spokesperson told Baker-White that “BuzzFeed Inc. reaches its audience on all the major platforms — including those owned by ByteDance — while continuing to report on those platforms with rigorous journalism.”
Over the years, European officials have helped 1.5 million people unlock files, save $1.5 billion
European law enforcement agency Europol announced the figures on the sixth anniversary of its initiative to help ransomware victims decrypt their files without paying cybercriminals, Motherboard’s Lorenzo Franceschi-Bicchierai reports. The project lets people use 136 tools to unlock 165 types of ransomware, he reports.
“Too many organizations are afraid to reach out to law enforcement when they have been hit by ransomware, often out of a misplaced fear that law enforcement is going to make it worse,” Recorded Future’s Allan Liska told Motherboard. “But, there are many things that law enforcement does, through channels such as No More Ransom, to help victims.”
On the move
- Anne Cutler has joined Keeper Security as its head of global communications. Cutler was previously a media strategist at CISA.
- The House Intelligence Committee holds a hearing on the national security risks of spyware today at 10 a.m.
- The Committee on House Administration holds a hearing on disinformation today at 10 a.m.
- A House Homeland Security Committee panel holds a hearing on U.S. Customs and Border Protection’s use of facial recognition technology today at 2 p.m.
- Deputy national security adviser Anne Neuberger speaks at an event hosted by the Center for a New American Security on Thursday at 11:30 a.m.
- A House Science Committee panel holds a hearing on cybersecurity of space systems Thursday at 10 a.m.
- The House Judiciary Committee holds a hearing on the Justice Department’s National Security Division on Thursday at 10 a.m.
Secure log off
Thanks for reading. See you tomorrow.