Welcome to The Cybersecurity 202! I had a particularly tasty grilled Beyond Burger yesterday. I make them at home sometimes and not very well, but even then they’re still good. Nom.
Below: The hackers who apparently breached Riot Games are demanding $10 million, and CISA publishes a long-awaited report on cybersecurity for K-12 schools. First:
In a Q&A, Sen. Mark Warner stresses more cybersecurity in health care, describes his broadening TikTok concerns
Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) is one of the leading cybersecurity lawmakers on the Hill, and he’s long been on our list of folks to interview.
Co-founder of the Senate Cybersecurity Caucus, he was one of the earliest proponents for requiring businesses to disclose to the federal government when they suffered a major hack in the wake of the massive SolarWinds hack that erupted in late 2020. Some of his ideas made it into the cyber incident reporting bill that became law last year.
I interviewed him Tuesday morning in a discussion that touched on that law, but mostly looked ahead to his immediate agenda.
This interview has been edited for length and clarity.
The Cybersecurity 202: What are your cyber priorities for 2023?
Warner: My top agenda item for 2023 is this white paper I put out last year, cybersecurity in health care, where over the last few years we’ve seen on the ransomware side [that] nothing is more valuable to cybercriminals than health-care information, even more than personal financial information.
Cybersecurity in health care has always been bolted on to existing systems. We have to figure out a way, even though it’ll be a patchwork system at first, that we build cybersecurity in at the front end of health care. I don't know if you saw the white paper, but there’s a great chart early on in there. It referenced 16 different entities, four different Cabinet secretaries, that grapple with this, and nobody’s in charge.
We’ve put out the white paper, and we’ve received about 60 different submissions from industry and experts. We're sifting through those, and there are other legislators like [Sens.] Bill Cassidy [R-La.] and Jacky Rosen [D-Nev.]; they’ve got some legislation. I’ve got some ideas and maybe will come up with a little more of a comprehensive approach.
My second priority is continuing to look at how we go after national security cyber risks. I'm still surprised in many ways that we have not seen more draconian actions from Russia in light of the Ukraine war. I absolutely expected, and I think most of the intel community expected, we would see more vicious NotPetya-type attacks against Ukraine or attacks potentially against America or European allies. There have been some attacks, but it’s not like we’ve seen the absolute A-team of the Russian services.
So I want us to continue to think about how we respond when it is a nation-state. The question I’ve been asked is, “Would it have been an Article 5 violation if Russia had attacked Ukrainian power systems, and that shut down power in an adjacent area in Poland, and that resulted in people dying in a hospital or something?”
C202: You mentioned no one being in charge. How would you address that?
Warner: I’ll try to be politically correct and say that we’ve gone from one extreme to the other, from the Trump administration to the Biden administration. Trump, the critique of many in both parties was that he took a cyber adviser out of the White House, and now we have an abundance of cyber advisers, all very talented people. And we’re actually adding more, for example, at the State Department level.
I still have some concern that we don’t know who’s in charge. Whether you assign this to one of the existing posts inside the White House, or whether you even create another, I’m still open on that. But I do fear that a person simply in charge, say, at HHS [Health and Human Services], I’m not even sure the HHS person would be able to get FDA [the Food and Drug Administration] for example, to fully adhere. Or how do you deal with, if somebody was at HHS, what’s their interaction with CISA [Cybersecurity and Infrastructure Security Agency]?
CISA has had a challenge in making sure we get the right talent, but I really think they earned a good reputation. But I’m not sure that CISA, as kind of a collaborative partner with industry, would be the right place to bring the oversight because health-care cyber is so complex. It's easy to say you need somebody in charge, but how and where to place that person in, with the complexity we've already got, is easier said than done.
C202: You’ve talked about banning TikTok. What do you think of TikTok’s plans to alleviate concerns about Chinese ownership? And can you talk about what you mean about wanting to look at other tech, not just TikTok?
Warner: I do think TikTok is trying to sort this out. We’ve not seen what, if any, conclusion CFIUS [the Committee on Foreign Investment in the United States] has reached. I do think we have seen, whether intentional or not, TikTok represent [that] there would be no ability to have American data seen by Chinese engineers. They have just proven to be false, repeatedly.
I started with the privacy concerns, but I’ve more morphed to the concerns of TikTok as a communications medium. I’m not accusing TikTok of creating content itself. But boy, we sure as heck know that the algorithms that decide what you want to see or what you see are very driven by TikTok. And the best example of that is the TikTok that Chinese kids can see which emphasizes things like STEM [science, technology, engineering and mathematics], versus the TikTok that our kids and the rest of the world’s kids see, [which] is dramatically different. There’s a lot of creativity on TikTok, but I don’t know how — as long as that code is being written in Beijing — how you put the appropriate protections in place. Count me as skeptical about whether you can create these barriers.
When I think about Kaspersky, Huawei, TikTok, I’m trying to think about, is there a way that we can broadly look at foreign-based technology applications that raise serious national security concerns? And have a forum where this can be evaluated, rather than the kind of ad hoc basis that we’re looking at it now. I would even argue that for some of this, that even CFIUS may not be the right venue.
C202: How satisfied were you with the final cyber incident notification law, and to the degree you’ve followed it, how satisfied are you with the implementation process?
Warner: I was not that satisfied. I felt, to keep the Chamber [of Commerce]’s support or nonopposition, we had to water it down. I am concerned about the implementation process in terms of rulemaking. It could string out five years. I would very much not be surprised about having another major cyber event — like a Colonial Pipeline or a SolarWinds — having something where we have a “holy heck” moment and then rush the implementation. My hope would be, we could go back to some of our friends in industry and say, “Gosh, guys, you know, five years is just too long.”
One of the active debates in the health-care realm is, should our standards be voluntary, or should they be mandatory? And it’s been interesting in the comments, as you would expect, trade associations and the lobbying groups in town have all said “voluntary.” We’ve had individual hospital systems say, “If you don’t make it mandatory, we’re just not going to get it done.” So I think a little bit of that is the yin and yang we’re seeing on incident notification.
Riot Games hackers demand $10 million
The hackers say that if the gaming giant accepts their “small request,” the hackers will remove stolen computer code from their servers and “provide insight into how the breach occurred and offer advice on preventing future breaches,” Motherboard’s Joseph Cox and Matthew Gault report. This week, Riot Games said the source code for its “League of Legends” and “Teamfight Tactics” games had been stolen in the “social engineering attack,” along with “legacy” anti-cheat software. Here’s more from the company:
Today, we received a ransom email. Needless to say, we won’t pay. — Riot Games (@riotgames) January 24, 2023
While this attack disrupted our build environment and could cause issues in the future, most importantly we remain confident that no player data or player personal information was compromised.
The hackers taunted Riot Games in their note. “We also want to remind you that it would be a shame to see your company publicly exposed, especially when you take great pride in your security measures,” they wrote. “It is alarming to know that you can be hacked within a matter of hours by an amateur-level hack.” Riot Games declined to comment to Motherboard beyond the company’s tweets.
Riot Games is the latest major video game company to be hacked. Last year, hackers breached Rockstar Games and released source code and videos from its highly anticipated “Grand Theft Auto VI” video game.
CISA gives schools cybersecurity recommendations
The Cybersecurity and Infrastructure Security Agency’s report is “a mix of achievable, individual to-do items and broader community calls for cultural change across school districts,” Axios’s Sam Sabin writes. CISA was required to produce the report after Congress passed a law in 2021.
Senate Homeland Security Committee Chairman Gary Peters (D-Mich.), who helped draft the law, hailed CISA’s report, saying in a statement that it’s “an important step to helping K-12 schools across the country protect themselves against [cyberattacks] that put the personal information of students and staff at risk.” Peters added that “K-12 schools are increasingly targeted by criminal hackers, and this new resource from CISA makes easy-to-understand guidance about cybersecurity risks readily available to the schools that need it most.”
After Analyst1's Jon DiMaggio wrote a report on ransomware gang LockBit, the group appears to have taken note. Here’s more from DiMaggio:
Secure log off
Thanks for reading. See you tomorrow.