Welcome to The Cybersecurity 202! Read the room, science. Maybe there’s some water-cooler TV show that would make all of us nervous about the idea of fusing humans and mushrooms.
Below: An inspector general report reveals that General Services Administration officials misled federal agencies for years about its identity proofing website, and Mexico reportedly used a powerful spyware tool to spy on a human rights activist. First:
TSA rolls out new cyber rules for airports and airline operators
The Transportation Security Administration unveiled cybersecurity rules on Tuesday for the largest, most vital airport and aircraft operators, the second time in less than a week that the Biden administration has acted on its push for cyber rules for critical infrastructure.
It also marks the latest set of cyber rules for the aviation sector imposed by TSA. The newer set of rules requires the pertinent airports and operators to develop security plans covering matters like who has access to their networks, then seek TSA approval for them.
TSA Administrator David Pekoske said in a news release that “[p]rotecting our nation’s transportation system is our highest priority,” and TSA will work closely with industry to boost cybersecurity.
The latest mandates arrive after Friday’s Environmental Protection Agency rules for the water sector, and less than a week after the Biden administration released a national cybersecurity strategy that reflects the administration’s shift toward embracing regulation to secure critical infrastructure.
While the aviation rules already had been in the works, they follow a series of incidents in the sector in recent months that affected airport websites, navigation and flight tools, passenger data and the TSA “no-fly” list.
The rules
TSA previously directed affected airports and airline operators to designate a cybersecurity coordinator, report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours, develop a plan for responding to cyber incidents and conduct a vulnerability assessment.
After a 2019 version of the no-fly list was left exposed on an unsecured server, TSA in January of this year told carriers to review their systems to ensure compliance with preexisting standards on handling sensitive security information. Rep. Dan Bishop (R-N.C.), a member of the House Homeland Security Committee, vowed to get answers from TSA about how the list leaked.
The entire US no-fly list - with 1.5 million+ entries - was found on an unsecured server by a Swiss hacker.
Besides the fact that the list is a civil liberties nightmare, how was this info so easily accessible?
We’ll be coming for answers. https://t.co/9sN2AhucnM
— Rep. Dan Bishop (@RepDanBishop) January 21, 2023
The newest rules announced Tuesday require individual airports and airline operators to develop an implementation plan featuring a number of security precautions, like patching and continuous monitoring for threats.
- TSA has diluted some initial industry objections to cyber rules for other sectors it regulates by making them “performance-based,” meaning that the agency is less focused on how entities meet the goals than the final outcome.
The administration has said it extended existing TSA authorities to cover the writing of its cyber rules. In all, according to an administration breakdown, the existing powers could cover 80 airports, 21 passenger airlines and four cargo lines.
Industry response
One industry group, the International Air Transport Association, reportedly had some criticisms last year for the earlier set of cyber rules, saying it was unclear TSA listened to industry feedback. The association did not answer a request for comment late Tuesday, following TSA’s announcement on the directive later in the afternoon.
Other affected groups on Tuesday didn’t specifically raise objections to the new rules when asked for comment.
- “The aviation sector takes cyberthreats from all sources very seriously,” George Novak, CEO of the National Air Carrier Association, said via email. “NACA and its member airlines are working closely with our government colleagues, along with representatives from airports and other industry partners to increase our vigilance toward these threats. As cyberthreats are constantly evolving, it is not unusual for TSA to issue changes to regulated entities, such as our member airlines. TSA has worked aggressively to protect our nation's critical transportation infrastructure, and we appreciate their leadership and responsiveness in working with industry to develop effective countermeasures.”
- “The U.S. airline industry is committed to prioritizing safety and security and works collaboratively with the federal government to minimize risk,” Marli Collier, a spokesperson for Airlines for America, said via email. “A4A carriers have robust cybersecurity programs in place and continue to invest heavily in protecting our infrastructure.”
- The Regional Airline Association said in an unattributed emailed statement that “we are reviewing the requirements and so are our covered carriers. The emergency amendment is effective immediately with some lead time. Our covered carriers will be implementing requirements to assure compliance.”
Notably, the groups didn’t offer much in the way of value judgments on the new rules.
“It's not a question of liking or disliking the just-announced rules,” explained one industry insider, who spoke on the condition of anonymity to more candidly discuss the rule. “TSA clearly believes these rules are necessary, so we'll work with them on best practices for implementation.”
The keys
GSA officials misled agencies about its digital identity site for years, watchdog finds
General Services Administration employees misled federal agencies for years about its identity proofing website, Login.gov, meeting security guidelines put in place by the National Institute of Standards and Technology, according to an inspector general’s report released on Tuesday.
The report alleged that the GSA charged agencies more than $10 million to use the authentication site, despite it failing to comply with national regulations.
According to the watchdog, the agency also claimed in at least 18 interagency agreements between September 2018 and January 2022 that it met NIST digital identity proofing thresholds. However, to do so, Login.gov would need to include a biometric check, like facial recognition, which it does not.
“The findings could have big implications for not only Login.gov’s business, which the White House is mulling a massive expansion of the service via executive order, but also for GSA itself,” FCW’s Natalie Alms writes. “The report blasts the agency for a ‘failure of leadership’ in the Technology Transformation Services and the Federal Acquisition Service.”
GSA Federal Acquisition Service Commissioner Sonny Hashmi told reporters in a call that the agency is “making sure that any individuals who are found to be in violation of the policy are being held accountable.” GSA “initiated an employee misconduct inquiry” and “[d]isciplinary actions are proceeding in accordance with GSA protocols and appropriate due process,” Hashmi wrote to the inspector general.
New Senate bill would give Commerce a more direct route to ban TikTok
A bipartisan group of 12 senators on Tuesday launched a bill that would give the Commerce Department the power to ban or significantly restrict TikTok and any other app found to be a risk to national security, our colleague Drew Harwell reports.
The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act has so far garnered broad support from the Senate and White House, which say that it would allow the nation to better tackle technology rooted in foreign countries that threatens to expose Americans’ data.
It comes after the Republican-controlled House Foreign Affairs Committee last week advanced a bill that would give President Biden the authority to ban TikTok outright.
Critics argue that banning the app, which has been downloaded on over 100 million people’s phones in the United States and is used to express interests or to consume news and opinions, could violate the First Amendment.
Commerce Secretary Gina Raimondo, who would lead the effort if such a bill is passed, has also cautioned against banning TikTok.
In the meantime, TikTok CEO Shou Zi Chew, who is set to testify before Congress about the app’s influence later this month, told Harwell last month it would be “a real shame if our users around the world are not able to hear” American TikTok users’ voices anymore.
Mexico’s military reportedly spied on citizens attempting to reveal injustices
Mexico’s armed forces spied on journalists and a human rights defender who were working to reveal military injustices, including allegations that soldiers had killed innocent people, according to documents initially released last year, the New York Times’s Natalie Kitroeff and Ronen Bergman report.
The documents show, for the first time, that the Mexican military illegally used powerful surveillance and spyware tools, including Pegasus, against civilians who were investigating the government’s misdeeds.
A 2020 Defense Ministry report, which was released last year after the country’s military was hacked, found that military officers discussed the details of private conversations between reporters and a human rights advocate, who alleged that the military had been engaged in unlawful killings.
The outlet determined that “the report contended that the advocate, Raymundo Ramos, was trying to ‘discredit the armed forces’” and “recommended that the military glean information from his private conversations, but not include it in official case files, perhaps in an attempt to keep its spying secret,” Kitroeff and Bergman write.
An analysis by Citizen Lab, a research institute at the University of Toronto, also found that Ramos’s cellphone had been infected with Pegasus around the same time that the military wrote the report about his conversations.
“The Ministry of Defense did not respond to requests for comment, but has said that its intelligence gathering is focused on fighting organized crime and has acknowledged using Pegasus only from 2011 to 2013,” Kitroeff and Bergman wrote.
Daybook
- The House Judiciary subcommittee on courts, intellectual property and the internet will meet today at 10 a.m. for the first hearing in a series about intellectual property and competition with China.
- The Senate Homeland Security and Governmental Affairs Committee will meet today at 10 a.m. to “examine artificial intelligence, focusing on risks and opportunities.”
- The Senate Intelligence Select Committee will hold a hearing today at 10 a.m. to examine worldwide threats.
- The House Oversight and Accountability subcommittee on cybersecurity, information technology, and government innovation will hold a hearing today at 2 p.m. on artificial intelligence.
Secure log off
Please don't even look at me ♥️ https://t.co/IiMYDlK64h
— Victoria M. Walker (@vikkie) March 7, 2023
Thanks for reading. See you tomorrow.