The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

How CISA plans to get tech firms to bake security into their products

Welcome to The Cybersecurity 202! Almost assuredly this week, LeBron James will break one of the records I never thought anyone would break in sports, scoring the most points in NBA history. For context, Kareem Abdul-Jabbar has held the record for almost 39 years. Amazing.

Below: A top U.S. cyber official says his personal Twitter account was hacked and Italy warns of a large-scale hacking campaign. First:

CISA has ideas for getting manufacturers to better secure products

The Cybersecurity and Infrastructure Security Agency (CISA) is pressing ahead on its push for technology manufacturers to make their products secure as they design them — and to make their default settings secure when consumers buy them.

The push comes as CISA leaders highlight what they consider a key problem in cybersecurity: For many technology makers, it’s more important to get a product out quickly than to develop it with security in mind.

  • CISA plans to identify what “secure-by-design” and “secure-by-default” means, so everyone can shoot for those goals, agency officials told me in an interview last week.
  • They also plan to hail success stories in the tech industry, they said.

“Really key to this model is specificity and clarity,” Eric Goldstein, executive assistant director for cybersecurity at CISA, told me. “We can't just say ‘secure-by-design and by-default,’ unless people know what they should be looking for.”

Goldstein spelled out some of this alongside CISA director Jen Easterly in a Foreign Affairs essay last week, but CISA leaders shared additional details with me.

Specifics on the specifics

As part of spelling out what secure-by-design and secure-by-default mean — the latter of which refers to making security features and settings automatic, without requiring users to configure them that way — CISA is turning to two inspirations, Goldstein said.

One is the “secure software development framework,” which the National Institute of Standards and Technology (NIST) developed in response to President Biden’s 2021 cybersecurity executive order. The Office of Management and Budget (OMB) ordered federal agencies to comply with it last year. 

  • That document details a set of practices, such as protecting all components of software from tampering, accompanied by steps needed to meet the goal.

CISA will be “building on some of the work” from NIST and OMB “to really get clearer and more specific,” Goldstein said.

The second inspiration, Goldstein said, is the set of voluntary “performance goals” CISA has developed for critical infrastructure owners and operators. (CISA plans to produce industry sector-by-sector goals next.)

  • “The performance goals are that specific list of actions for an enterprise to secure their environment,” he said. “And the great thing about that is we can now point to the performance goals and say, ‘Listen, if you are a small, medium, large organization, do these things first to secure your enterprise.’ We need something parallel for designing and building secure technology.”

Another part of CISA’s plan is to praise companies that have demonstrated a commitment to secure-by-design and secure-by-default. In their essay, Easterly and Goldstein held up Amazon, Google and Salesforce as companies that “are moving in this direction.” (Amazon founder Jeff Bezos owns The Washington Post.)

The essay said the federal government “can also call out companies that continue to introduce insecurity into the fabric of the U.S. economy.”

  • But, Goldstein said, “We don’t need to be punitive if we can say, ‘Here is what good looks like. Here are companies that are doing it.’ We can help send those market signals to say, ‘Here’s what to ask for when you're buying technology.’ And we think that industry will follow suit.”

Goldstein also mentioned using federal procurement power as a lever, as the U.S. government is one of the world’s biggest buyers of information technology. 

CISA says it is focusing on this topic so much because much of the cost of hacks falls on the victim, not the manufacturer.

“It goes down to the third party,” Kiersten Todt, chief of staff at CISA, told me. “And right now that third party [is] individuals and small and medium-sized businesses. So there’s a real disparity … [It’s about] being much more forward leaning on identifying the actual cause of the problem, not, ‘How we are managing the symptoms?’”

  • “We accept unsafe code … and accept that patching is expected,” she said. “It would be as if we accepted regular recalls on a car all the time.”

What they’re not saying

CISA’s plans come as the U.S. government pushes ahead with parallel efforts to boost the cybersecurity of key industries. A forthcoming Biden administration national cybersecurity strategy will call for more security mandates on industry. And the White House has been advocating for the use of federal baseline requirements to shore up security among critical targets in critical infrastructure sectors. 

CISA, however, isn’t an agency with much regulatory authority. One exception is the power Congress gave the agency last year to require critical infrastructure owners to report to CISA shortly after they’ve suffered a major hack or paid ransomware attackers.

  • CISA is in the process of writing a detailed rule in response to that law, and seeking feedback from industry and others. Congress wants the rule finalized by late 2024. 

In their essay, Easterly and Goldstein notably did not call for additional rules, despite the agency having advocated for the incident reporting legislation.

The incident reporting law is “really about turbocharging our voluntary mission because it's about getting more information that we can then use to protect the ecosystem,” CISA executive director Brandon Wales told me. “Our ultimate goal is that no cybersecurity incident should happen more than once, because we can get that information and share it more broadly so that potential victims are protected.”

There’s a difference between the incident reporting law and other regulations, Easterly told me. “This is about getting the information so we can help and we can protect the larger ecosystem, which I do think is groundbreaking and really, really important,” she said. “Regulation has a place, but it's not a panacea.”

The keys

U.S. government is not investigating Musk’s Twitter purchase

U.S. officials on the Committee on Foreign Investment in the United States have decided not to investigate Elon Musk’s purchase of Twitter with help from foreign lenders, according to two people who were briefed on the committee’s decision and spoke on the condition of anonymity to reflect internal government deliberations, The Post’s Jeff Stein reports.

The decision comes after Musk’s purchase of the site drew criticism for allegedly providing special privileges to access private data to large foreign investors, including a Saudi prince’s holding company and a cryptocurrency exchange founded in China. 

The committee, led by Treasury Secretary Janet L. Yellen, believes that at least for now it does not have the jurisdiction to launch such a probe because Musk is an American citizen and the panel is meant to examine acquisitions of U.S. companies by foreign owners. Plus, it can only probe potential data vulnerabilities from a purchase if the foreign investors acquire a big enough stake in the firm — which does not appear to be the case here. 

“Though the $44 billion deal relied on $2.5 billion from foreign backers and granted some of them unusual privileges, including special access to Twitter user data, investigators do not appear to think the circumstances meet the criteria for federal intervention, the people said,” Stein writes. 

Twitter officials did not respond to a request for comment, and a spokeswoman from the Treasury Department declined to comment.

A top cyber official says his personal Twitter account was hacked

Nate Fick, U.S. ambassador at large for cyberspace and digital policy, tweeted on Saturday that his personal Twitter account was hacked, writing that it was one of the “perils of the job.” 

Fick did not say who the attacker was or whether the hackers made any illegitimate posts on the account. His office did not immediately respond to a request for comment on Sunday from The Cybersecurity 202. 

It is also unclear whether this was an isolated event or if there were any broader consequences from the hack. Fick mostly uses an official State Department Bureau of Cyberspace and Digital Policy account to tweet updates or to promote the office, and uses his personal account rarely. Fick joined the administration in September as the nation’s first cyber envoy.

CISA says it’s helping partners amid large-scale hacking campaign

Italy’s National Cybersecurity Agency (ACN) warned world leaders and private organizations to protect their systems on Sunday after identifying a ransomware attack that is targeting thousands of VMware ESXi servers around the world, Reuters reports.

ACN director general Roberto Baldoni told the outlet that the massive attack was aimed at exploiting a software vulnerability. Compromised servers were found in other European countries, like France and Finland, and in the United States and Canada. 

CISA said that it is “working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed.” VMware told Reuters that the firm is aware of the reports, and that it released a software update in 2021 that fixes the vulnerability. Customers should apply that update if they haven’t already, the firm said.

Government scan

Biden’s State of the Union address to take aim at Silicon Valley (Cat Zakrzewski and Tyler Pager)

New York attorney general orders stalkerware maker to notify hacked victims (TechCrunch)

Industry report

Ransomware gang in ION trading hack says ransom was paid (Bloomberg News)

National security watch

Pentagon reports past Chinese surveillance balloons near Florida, Texas (Dan Lamothe and Azi Paybarah)

Global cyberspace

Finland’s most-wanted hacker nabbed in France (Krebs on Security)

Microsoft: Iran unit behind Charlie Hebdo hack-and-leak op (Associated Press)

Cyber insecurity

Apparent cyberattack forces Florida hospital system to divert some emergency patients to other facilities (CNN)

U.K. engineering company Vesuvius hit by cyberattack (Bloomberg News)

  • Stanford University hosts a discussion about the influence of China’s government on Chinese firms on Tuesday. The university also holds a seminar on China and digital sovereignty on Tuesday.
  • The House Intelligence Committee holds an open meeting with former national security officials on Wednesday at 10 a.m. 

Secure log off

Thanks for reading. See you tomorrow.