Welcome to The Cybersecurity 202! What a busy Wednesday it was. You’ll see what I mean very soon. Just scroll on down.
Five under-the-radar parts of Biden’s national security strategy
The long-awaited Biden administration national cybersecurity strategy is finally here.
The strategy calls for security regulations, moves to hold software manufacturers liable for insecurity and signals that the administration will stay on offense against malicious hackers, as I reported this morning. (You can read the strategy here for yourself.)
It stands out, as former White House cyber czar Michael Daniel told me, for its substance and ambition.
“The first thing that jumps out at me is that it actually has some substance to it,” said Daniel, now president and CEO of the Cyber Threat Alliance. “The other thing is that it really does cover a broad swath of policy areas and starts to take on some long-standing issues that we know that we have to do, but will generate potentially some opposition from industry and the Republican Party.”
In all, though, there are five pillars, and plenty of “strategic objectives” in each of them. Those pillars are:
- “Defend critical infrastructure.”
- “Disrupt and dismantle threat actors.”
- “Shape market forces to drive security and resilience.”
- “Invest in a resilient future.”
- “Forge international partnerships to pursue shared goals.”
In the spirit of those five pillars, here are five other interesting parts of the strategy, some of which are less likely to get as much attention as the strategy’s headline ideas.
1: “Prevent abuse of U.S. infrastructure”
The strategy presents a plan for understanding the role of U.S. services in being used for foreign hacks.
“Malicious cyber actors exploit U.S.-based cloud infrastructure, domain registrars, hosting and email providers and other digital services to carry out criminal activity, malign influence operations and espionage against individual victims, businesses, governments, and other organizations in the United States and abroad,” the strategy reads. “Often, these services are leased through foreign resellers who have multiple degrees of separation from their U.S.-based providers, hindering the ability of those providers to address abuse complaints or respond to legal process from U.S. authorities.”
Notably, an early Hill hearing in 2021 about the massive SolarWinds cyberespionage campaign — where alleged Russian hackers exploited one of SolarWinds’s software updates to infiltrate U.S. agencies and companies — devoted attention to how those attackers made use of Amazon Web Services.
- At the time, AWS upset senators for declining to appear. AWS responded by saying it wasn’t affected by the hack, and that it investigated and shared what it learned with law enforcement. (Amazon founder Jeff Bezos owns The Washington Post.)
The strategy said the administration will lean on one of the last executive orders of President Donald Trump’s tenure, which directed cloud companies to take additional steps to verify the identities of their users.
2: “Federal insurance backstop”
The idea of the federal government taking on some of the costs of a catastrophic cyberattack’s impact on the cyber insurance market has been around for more than a decade. It’s prompted plenty of debate around subtopics like whether it would help steady the cyber insurance industry or invite organizations to take greater risks.
The Treasury Department began examining the concept last year, and the strategy promises more. “The administration will assess the need for and possible structures of a federal insurance response to catastrophic cyber events that would support the existing cyber insurance market,” it reads.
3: “Secure the technical foundation of the internet”
This one’s for people who are interested in some of the more technical aspects of cybersecurity. Daniel said it was an example of how much the strategy gets into the nitty-gritty. For example, the strategy calls out “the slow adoption of IPv6,” a type of IP address that is considered better for security.
4: Legislative requests
The strategy specifies several areas where the administration needs legislative help. A sampling:
- The executive branch has certain powers to regulate cybersecurity already, but not everything it wants. “Where federal departments and agencies have gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures, the administration will work with Congress to close them,” the report says.
- The administration created the Cyber Safety Review Board to evaluate major incidents, modeled on the National Transportation Safety Board that investigates accidents. The strategy says the administration will ask Congress to codify the board into law, and to “provide it the authorities it needs to carry out comprehensive reviews of significant incidents.”
- “The administration supports legislative efforts to impose robust, clear limits on the ability to collect, use, transfer and maintain personal data and provide strong protections for sensitive data like geolocation and health information,” the strategy reads. That hasn’t proven an easy task on Capitol Hill.
- There’s also the legislation on holding software companies liable for insecure products, which we wrote about earlier this week.
The final section of the strategy says the Office of the National Cyber Director will work with other agencies to develop an implementation plan. It will use a “data-driven approach” that focuses on the lessons it learns from major incidents, and that will likely require working closely with Congress and asking lawmakers for more money.
“The implementation plan has been developed in parallel with the strategy,” said a senior administration official who spoke on the condition of anonymity to brief reporters before the strategy’s release. “We’ve already in fact begun to implement aspects of the strategy over the last few months, and so we anticipate that we will have a public snapshot … of the implementation plan out in the coming months.”
Study says key vulnerabilities most weaponized against IoT, web applications in 2022
A long list of software vulnerabilities detected last year were weaponized the most against operating systems, IoT devices, desktop applications and web browsers, according to a new report shared exclusively with The Cybersecurity 202.
A study released today of the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) list conducted by vulnerability intelligence company VulnCheck found that 122 of the newly added entries to the list were used in ransomware attacks last year.
The list, which outlines known vulnerabilities that have been exploited by hackers, began in 2022 with 311 common vulnerabilities and exposures and nearly tripled to 868 entries by year-end, the report said.
CISA launched the KEV catalogue in 2021. The agency says it rose to prominence in the cybersecurity community because it helps teams identify and remediate potential threats. Some critics say the list is often too vast, containing mentions of old vulnerabilities that no longer pose a threat to organizations. The new report says that some old vulnerabilities “have a lot of staying power,” with the oldest added vulnerability on the list coming from 2002.
Cybersecurity officials are discussing ways to get metrics from the list, as cybersecurity journalist Eric Geller notes:
Understanding KEV's effectiveness is "high on our list of things that we want to get better at tracking," DeRusha said. "We just need the data." — Eric Geller (@ericgeller) March 1, 2023
State Department should evaluate efforts to combat global cybercrime, GAO says
The Departments of State, Justice, and Homeland Security are falling behind in helping foreign nations develop strategies to combat the growing threat of cybercrime, according to a report released Wednesday by the Government Accountability Office.
The report found that in particular the State Department — which is responsible for providing foreign assistance — has yet to evaluate whether existing collaboration activities, such as sharing information about current threats and offering cyber training to law enforcement agencies in other nations, are effective in combatting global digital crimes.
GAO blamed a lack of resources, difficulty retaining expert staff and inconsistent definitions of cybercrime for the agency’s slow-footed effort to evaluate federal initiatives to build worldwide capacity against cybercrime. The expert panel also said that global leaders have expressed challenges in working with the United States on cyber issues, including onerous obstacles in obtaining information, a lack of collaboration and limited funding streams. It recommended that the State Department conduct such an evaluation to maximize efforts as cyber risks grow in frequency and scale. The State Department wrote that it agreed with the recommendation.
House panel advances bill to allow Biden to ban TikTok
The House Foreign Affairs Committee on Wednesday voted 24-16 along party lines to advance a bill granting President Biden the authority to ban TikTok, setting the stage for a potentially far-reaching national restriction on a social media platform, David Shepardson reports for Reuters.
Republican lawmakers argue that the Chinese-owned app, which is used by over 100 million Americans, poses a national security risk. However, Democrats on the panel say the bill was rushed and that details regarding how a ban would be implemented remain unclear. Experts have also previously warned such a bill could set a precedent for banning any app the federal government deems a security risk.
The bill would need to be approved by the full House and the Democratic-controlled Senate before it lands on Biden’s desk. In a press briefing Wednesday, White House press secretary Karine Jean-Pierre said the administration has “concerns” about the app.
The bill’s opponents include the American Civil Liberties Union, which argued that it “would violate the First Amendment rights of millions of Americans who use TikTok to communicate, gather information, and express themselves daily.” TikTok, for its part, has also pushed back on the bill.
- Credit union regulator finalizes incident reporting rule with references on CISA regime alignment (Inside Cybersecurity)
- WH Smith targeted by cyber attack with hackers accessing data on current and former employees (Sky News)
- GovCIO holds an event today discussing unintended insider threats to organizations that digitize their infrastructure beginning at 8 a.m., featuring remarks from CISA cybersecurity adviser Jason Burt and White House assistant national director for technology security Anjana Rajan.
- The Krach Institute for Tech Diplomacy at Purdue University will hold a webinar about the security implications of Chinese telecommunications company Huawei’s investment in cloud computing services in Saudi Arabia today at 1 p.m.
- The Center for Strategic and International Studies holds a discussion about the Biden administration’s soon to be released national cybersecurity strategy today at 2 p.m., with remarks from White House national security adviser Jake Sullivan, acting National Cyber Director Kembra Walden and deputy national security adviser for Cyber and Emerging Technologies Anne Neuberger.
Secure log off
If you come across a bear, never push a slower friend down… even if you feel the friendship has run its course. — National Park Service (@NatlParkService) February 28, 2023
Thanks for reading. See you tomorrow.