The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

House cyber panel looks at CISA in first oversight hearing with new chairman

Welcome to The Cybersecurity 202! If you’re looking for a strangely uplifting rabbit hole, I recommend the subreddit “r/brushybrushy,” which is just cute animals getting brushed and being happy about it.

Below: The CEO of TikTok testifies today, and Russian consumers try to get around international sanctions on the country. First:

House panel will look at the successes and failures of a top cyber agency today

A House cyber subcommittee will put a leading federal cybersecurity agency under the magnifying glass today in its first hearing since Republicans took over the chamber.

The House Homeland Security Committee’s subcommittee on cybersecurity and infrastructure protection will hear testimony this morning from witnesses who work with — but outside of — the Cybersecurity and Infrastructure Security Agency.

The panel’s chairman, Andrew R. Garbarino (R-N.Y.), told me he’s interested in “finding out, ‘What’s CISA doing right? What’s it doing wrong?’ A little bit of oversight.” He said he wanted to have CISA Director Jen Easterly testify, but the timing didn’t work and he hopes to have her appear before his panel in April. (Easterly is speaking at the Economic Club of New York today.)

It’s one hearing in a crowded calendar of cyber-related hearings today, with three of the four showcasing a similar dynamic: how House Republicans will approach the topic with control of committees.

A growing agency, but some worries

The subcommittee’s top Democrat, Rep. Eric Swalwell (Calif.), plans to point out in his opening remarks that Congress has nearly doubled the agency’s budget since 2019. President Biden is seeking another increase to $3.1 billion in fiscal 2024.

“CISA has matured rapidly, and is growing more capable of meeting the challenges of our complex and diverse threat environment,” Swalwell’s opening statement reads.

But Republicans worry about the agency — which prides itself on partnering with the private sector — becoming a “regulatory behemoth.” Garbarino said he wants to hear from the witnesses, three of whom are from industry, about the status of their relationship with CISA in light of the cyber strategy Biden released two weeks ago that calls for more mandates on the private sector.

“We’re interested to see here, now that the new National Cybersecurity Strategy is out, what CISA’s role is going to be or how does it fit into the new regulatory environment,” Garbarino said. “What we’ve heard from the private sector, and why they love working with CISA, is really that it’s a non-regulatory partner … they don’t have to worry about having a fine come later on.”

One program that’s intended to foster CISA’s relationship with the private sector is the Joint Cyber Defense Collaborative (JCDC), where a range of companies and CISA swap information on threats. There’s been some criticism of that initiative, and witnesses in their prepared testimony have some suggestions for improvements.

  • “As the group expands, JCDC leadership should account for the possibility that some members may become less willing to share details about sensitive issues,” reads the testimony from Drew Bagley, vice president and counsel for privacy and cyber policy at cybersecurity firm CrowdStrike. Bagley called the formation of JCDC “a key development,” but said CISA should “consider approaches that stratify or segment membership to maintain trust.”
  • The JCDC “was helpful in bringing together industry and government partners to improve visibility and communication in response to geopolitical tensions and the Russian invasion of Ukraine,” according to the testimony from Heather Hogsett, senior vice president of technology and strategy for BITS, the technology policy division of the Bank Policy Institute trade group. “This response-oriented focus, however, has not fulfilled the need for longer-term strategic planning across government agencies and the private sector.”

Garbarino plans to delve further into the JCDC during the hearing, and Swalwell said he would soon introduce legislation to clarify ambiguities with the initiative, like its lack of a charter or criteria for membership.

Had Easterly testified today, Garbarino said, he would have asked her about progress on implementing the law Congress passed last year requiring critical infrastructure owners and operators to report within 72 hours when they suffer a major cyberattack. It’s important to keep the accompanying regulation-writing process — due for completion in 2025 — on schedule with other agencies’ regulatory proposals proliferating, he said.

What’s more, at CISA overall, “It seems that the rate of hires has been pretty unacceptable,” Garbarino said. “I know Director Easterly has been obsessed with workforce, too.”

Garbarino said his subcommittee’s early legislative focus is expected to be on that workforce topic. He noted he would still like to enact legislation, stalled in the Senate, that would establish a five-year term for the CISA director so that the term would straddle more than one presidential term and the post doesn’t get politicized.

“I don’t think the Senate will ever do it,” he said, then referred to the Senate’s responsibility for confirming nominees: “I don’t think they like giving up their ‘advise and consent’ role.”


The CISA hearing isn’t the only cyber show on the Hill today. 

Easterly, for her part, spent part of her day on Wednesday co-announcing an update to a handbook on corporate board cybersecurity practices. The update stemmed from work by the National Association of Corporate Directors and the Internet Security Alliance, along with CISA, the FBI and others. The key new section is about better withstanding cyberattacks and collaboration to defend against interconnected risks.

The work of the two groups on corporate cybersecurity “has been instrumental in moving the ball, but it’s never been more important or urgent than this moment,” Easterly said. 

The keys

TikTok CEO testifies today over data security, privacy and children’s safety concerns

TikTok CEO Shou Zi Chew and his company have mounted an aggressive lobbying campaign in Washington to assuage fears of TikTok. Now, his time in the hot seat has come, and there’s no telling if his prior efforts will help him.

Chew testifies before the House Energy and Commerce Committee today at 10 a.m., where he plans to tell lawmakers that the China-linked company will protect U.S. user data from unauthorized foreign access and “will remain a platform for free expression and will not be manipulated by any government,” according to prepared testimony released before the hearing.

  • TikTok scrutiny reached a boiling point in recent months following reports of parent company ByteDance spying on American citizens, including journalists. Concerns over the app have also flooded the realm of social media safety, where critics say that the viral challenges which have spread on the platform have endangered young people. 

Many lawmakers have called out TikTok’s possible connections to the Chinese government as a mechanism that could enable mass collection of American citizens’ data at a time when Chinese surveillance has become a global concern and U.S.-China tech competition is on the rise. TikTok has publicly said it has not previously shared data with the Chinese government, and that it would refuse to do so if ever asked.

The hearing comes as TikTok continues talks with U.S. national security officials about its future. TikTok in August pushed a plan to the Committee on Foreign Investment in the United States that would enable its American operations to be managed by Oracle, an American company. But the Biden administration recently threw its weight behind a plan that asks TikTok’s Chinese owners to divest their stake in the app or risk a total ejection of the platform from the United States.

Americans are more likely to support a TikTok ban than oppose one, our colleagues Heather Kelly, Cristiano Lima, Emily Guskin and Scott Clement report, citing findings from a Washington Post poll. But that data also largely depends on whether someone has previously used TikTok. 

  • “A small majority of people who did not use TikTok in the past month support banning the app, while an identical majority of daily TikTok users oppose it,” they write.

FTC requests info on cloud computing industry

The Federal Trade Commission is asking the public to submit comments on the business practices of cloud computing providers as the agency explores security risks, competition concerns and market power in the industry, the FTC announced Wednesday. The release says that cloud computing has become increasingly important in the economy and that the agency has previously brought cases against companies including Drizly and Chegg for failing to implement basic security safeguards.

“Large parts of the economy now rely on cloud computing services for a range of services,” FTC CTO Stephanie T. Nguyen said in prepared remarks. “The RFI is aimed at better understanding the impact of this reliance, the broader competitive dynamics in cloud computing, and potential security risks in the use of cloud.”

The FTC will take comments through May 22 on areas including cloud market segmentation, contract negotiations and security configurations, among other areas.

Following sanctions, Russian consumers find workarounds to obtain international goods

Russian consumers are resorting to workarounds for obtaining income and goods abroad as Russia deals with international sanctions levied by Western powers following its invasion of Ukraine, data out this morning show.

The findings from threat intelligence company Recorded Future show that ordinary Russians are mirroring the actions of cybercriminals to illegally bypass the sanctions. The company identified methods called “reshippers,” which include the use of prepaid virtual crypto credit cards as well as mail forwarding services involved in these workarounds.

The company warns that international financial institutions that serve as intermediaries in the illegal exchanges risk falling under additional sanctions. Mail forwarding services allow Russians to purchase items abroad, while the prepaid cryptocurrency credit cards can be enabled without verification, which easily allows for sanction evasion, the report says.

“It is likely that additional financial institutions and merchants are also being enlisted as unwitting participants in sanctions evasion schemes that involve prepaid VCCs and mail forwarding services,” the report highlights in key findings.

Recorded Future recommended the implementation of stricter verification features for merchants, including anti-money laundering requirements for crypto card issuances and investigating order inventory irregularities.

Hill happenings

House Intel working group formed to push for surveillance statute’s renewal (The Hill)

Republican Rep. Jim Jordan issues sweeping information requests to universities researching disinformation (ProPublica)

Industry report

The spy law that big tech wants to limit (Bloomberg News)

Global cyberspace

Rio Tinto staff's personal data may have been hacked - memo (Reuters)

A propaganda group is using fake emails to target Ukrainian refugees (Bloomberg News)

Fact or fiction, hacktivists' claims of industrial sabotage in Russia or Ukraine get attention online (CyberScoop)

Cyber insecurity

New victims come forward after mass-ransomware attack (TechCrunch)

Oakland finds no evidence of second ransomware attack despite LockBit claims (The Record)


Secure log off

Thanks for reading. See you tomorrow.