The Washington Post
Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

The Biden administration has a new cybersecurity strategy. Now comes the hard part.

Welcome to The Cybersecurity 202! TGIF.

Below: The FTC reaches a settlement with BetterHelp over data-sharing allegations, and the White House asks for money to combat fraud. First:

Writing a cyber strategy was only the beginning for the Biden administration

First came the hard work to write a national cybersecurity strategy. Now comes the hard work of turning its vision into reality.

The strategy that the Biden administration rolled out Thursday poses a host of implementation challenges because of its breadth, complexity and willingness to press policy solutions that don’t have universal support, experts told The Cybersecurity 202.

Tom Bossert, a White House homeland security official under George W. Bush and Donald Trump, evoked the title of the Oscar-nominated film “Everything Everywhere All at Once.”

“It envisions a federal government role in almost every element of not just security, but by its own stated scope, any interconnected technology,” Bossert, now president at Trinity Cyber, told me.

  • “I’m happy to see definitions of roles and responsibilities. The last three or four cyber strategies have punted” on that, Bossert said. “So whether you agree with their definitions or not, they’ve at least taken a stab at defining the role of the federal government and the role of private industry.”

Said Suzanne Spaulding, senior adviser for the Center for Strategic and International Studies think tank and a DHS cyber leader under Barack Obama: “This is going to be harder because we’re now getting to the really hard issues. It’s got a lot of complexity and there’s going to be stronger industry pushback.”

Some of the challenges

Implementation challenges are scattered throughout the strategy. For instance, the document calls for legislation to codify and enhance the Cyber Safety Review Board (CSRB), a panel within the Department of Homeland Security that investigates major cyber incidents.

“One of the things that we’re looking at is, the CSRB right now operates, and very successfully so, on a voluntary basis,” DHS Secretary Alejandro Mayorkas told me. “It is not a body of accountability. … One of the things we’re looking at is to assess what if an organization declines to participate with the CSRB? … Should we have authorities of compulsion?”

But overall the Biden strategy differs from past strategies in many regards, from its advocacy for regulation to its endorsement of legislation making software makers liable for insecure products.

The first big push for cyber regulation came in Congress with Obama-backed legislation introduced in 2011 (and repeatedly amended) that aimed to create security standards for critical infrastructure. But the Senate narrowly voted it down in 2012 amid industry and GOP opposition.

“We haven’t really heard that so clearly from an administration since 2011, when it was tried and failed,” Spaulding said. “We’ve got a dysfunctional Congress and the bipartisan success that we’ve enjoyed over the last several years and getting important cybersecurity legislation through I think may be slowing.”

  • But, she said, “until industry feels some threat from legislation and/or from courts finding them liable from lawsuits, it's going to be hard to get them to the table.”

Speaking at a CSIS event on Thursday, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, suggested it won’t need very much help from Congress. “We have the vast majority of authorities we need,” she said.

One key to implementation will be how precisely those regulations are written, Bossert said. “The trillion-dollar devil is in the details,” he said — and he praised the strategy for saying it would at least take into account potential costs to industry. He said the administration would also have to be cognizant of evolving threats and innovations as it writes rules.

On the other hand, the lack of details on the regulations could be a positive because it allows the White House to leave open the option to collaborate with Congress without immediate mandates, said Jonathan Reiber, a former Obama administration official who worked to develop cyberdefense strategies at the Defense Department.

“I think what they’ve done is they’ve really set the narrative for what’s going to happen and made the argument [for regulations],” Reiber, now vice president for cybersecurity strategy and policy at AttackIQ, told David. He was more confident about the possibility of Congress embracing some of the administration’s views: “My expectation is that folks in Congress are going to be willing to see a modicum of regulation to prevent bad outcomes.”

The industry view

Industry groups largely took a positive or at least neutral approach in reacting to the strategy.

While the strategy thoughtfully states its commitment to regulatory answers, “What’s not as clearly stated is what outcomes [the regulations] would actually be associated with,” said John Miller, the Information Technology Industry Council’s senior vice president of policy, trust, data and technology and its general counsel. “Saying that we need more regulations is one thing, but closing the loop and saying ‘regulations to do what in what areas?’ is the other.”

  • “I don't know exactly how it's all going to shake out, but you’re going to need individual lines of effort and workstreams that need to be ticked off,” he told David. “And you’re going to have to involve industry in many of those workstreams as well.”

Here’s what other groups are saying:

  • The U.S. Chamber of Commerce offered a similar message to one it offered in January when we reported on details of the strategy, but it offered one additional piece. “The chamber looks forward to working with the administration throughout its implementation of the strategy to ensure that good intentions do not lead to undesirable policy outcomes,” said Christopher Roberti, the chamber’s senior vice president for cyber, space and national security policy.
  • The Bank Policy Institute’s president and CEO Greg Baer said the strategy “demonstrates a commitment” to long-standing priorities of the organization.
  • The Operational Technology Cybersecurity Coalition said it supports the government’s focus on cybersecurity, but added that “a vendor- and technology-neutral approach must be taken. The harmonization of regulations must be based on open standards, as there is no single solution that can solve all of the cybersecurity threats we collectively face.”

The strong opposition

House Republican leaders on the Homeland Security Committee offered the staunchest criticism even though they praised some elements of the strategy — like its recognition of threats from Russia and China, and its commitment to public-private partnerships and federal coordination.

“It’s no surprise that this administration’s desire for more regulation, bureaucracy and red tape is a consistent theme in the National Cybersecurity Strategy,” committee chairman Mark Green (R-Tenn.) and cybersecurity subpanel chair Andrew R. Garbarino (N.Y.) wrote in a statement. “We must clarify federal cybersecurity roles and responsibilities, not create additional burdens, to minimize confusion and redundancies across the government.” They also noted that they “plan to exercise strong oversight over the Administration’s operational implementation of the Strategy,” particularly with its sections relating to the Cybersecurity and Infrastructure Security Agency.

Still, Mayorkas, a member of Biden’s cabinet, hailed the strategy’s collaborative approach.

“We think this sets the stage for tremendous advancement in the nation’s cybersecurity because it’s not something that’s exclusive to the government,” he said. “It is not something that is exclusive to the private sector. This is an all-in effort for a threat vector that actually involves us all.”

The keys

FTC reaches settlement with BetterHelp over data-sharing allegations

Online therapy service BetterHelp agreed to pay around $7.8 million to settle allegations that it shared health data with firms like Facebook despite telling customers that it wouldn’t do so, Politico’s Josh Sisco and Ruth Reader report.

The FTC voted 4-0 to approve the settlement yesterday, according to an FTC official who spoke to Politico on the condition of anonymity. The company, which is owned by Teladoc, will give affected customers partial refunds.

“Since 2020, the FTC has taken several actions to protect consumer health data collected online and in apps,” Sisco and Reader write. “In addition to GoodRx, the agency brought cases against period tracking app Flo Health and data broker Kochava.”

In a statement provided to Politico, BetterHelp said the practice is routine in the health-care industry, adding that the company understands “the FTC’s desire to set new precedents.” The company said it didn’t share customer names or clinical information with third parties, and that it didn’t admit wrongdoing as part of the settlement.

White House asks for $1.6 billion to fight fraud

The Biden administration is calling on Congress to approve $1.6 billion to combat fraud, years after criminals started exploiting the government’s coronavirus aid programs, Tony Romm reports. President Biden plans to sign an executive order to combat identity theft relating to government benefits, senior Biden adviser Gene Sperling told reporters.

At the center of Biden’s latest proposal is $600 million in funding to “hire investigators, fund federal inspectors general and extend the statute of limitations on certain crimes,” Tony writes. The White House also called for $600 million for identity theft prevention and recovery, as well as $400 million to help aid victims.

Government scan

Secret Service, ICE carried out illegal stingray surveillance, government watchdog says (The Record)

Industry report

More automation, not just additional tech talent, is what is needed to stay ahead of cybersecurity risks (CNBC)

China trumps U.S. in key technology research, report says (The Wall Street Journal)

Global cyberspace

Polish mayor targeted by Pegasus spyware, Polish newspaper reports (Reuters)

Canada parliament panel seeks probe of alleged foreign meddling in elections (Reuters)

Cyber insecurity

Hatch Bank says hackers used Fortra bug to steal 140,000 customer Social Security numbers (TechCrunch)

Hackers steal gun owners' data from firearm auction website (TechCrunch)

Chick-fil-A confirms accounts hacked in months-long "automated" attack (Bleeping Computer)

Encryption wars

A key post-quantum algorithm may be vulnerable to side-channel attacks (The Record)

The network

This hacker tool can pinpoint a DJI drone operator's exact location (Wired)

Secure log off

Thanks for reading. See you tomorrow.