The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Everything you need to know about Thursday’s four cyber hearings


Welcome to The Cybersecurity 202! Spring, keep on springin'. Spring and summer are the months of life; fall and winter are the months of everything dying or being dead. I prefer life, all you death-worshipping fall/winter weirdos.


Below: Cybersecurity and Infrastructure Security Agency Director Jen Easterly has concerns about AI, and CISA rolls out a new ransomware warning system. First:

TikTok, energy cybersecurity, CISA and the National Cybersecurity Strategy all graced the congressional agenda in a single day

Thursday brought one of the busiest days for cyber on Capitol Hill in recent memory.

Across both chambers and four different committees, lawmakers scrutinized energy cybersecurity, a national cybersecurity strategy unveiled this month, the Cybersecurity and Infrastructure Security Agency and TikTok.

I hereby bring you the greatest hits of each.

National Cybersecurity Strategy

Acting National Cyber Director Kemba Walden and Rep. Nancy Mace (R-S.C.) were in agreement that, in Walden’s words, “a strategy is only as good as its implementation.”

So Mace — chair of the House Oversight subcommittee on cybersecurity, information technology and government innovation — asked Walden on Thursday who would be leading the implementation of the recently unveiled Biden cyber strategy, and how. The strategy is notable for its desire to shift the burden of cybersecurity to critical infrastructure owners and software makers.

Walden said her office would be leading implementation, in collaboration with the Office of Management and Budget. (The strategy document itself said Walden’s office and the Office of Management and Budget would lead implementation “under the supervision of NSC [National Security Council] staff,” a sentence clause that has raised eyebrows in turf-conscious D.C.)

  • The strategy, Walden said, assigns implementation responsibilities to federal agencies. A future implementation plan already in the works will further establish who’s responsible for doing what.
  • The administration has already started implementing other principles of the strategy under an executive order from 2021, and has begun crafting a related workforce and education strategy. Walden said her office was coordinating with the Office of Personnel Management on a federal workforce bill, and Mace said she, too, was developing legislation to accelerate federal hiring of cyber personnel — a topic of interest to the administration and other committees as well.

“We will have your back,” said Rep. Gerald E. Connolly (Va.), the top Democrat on the subcommittee, who praised the strategy as a “bold, comprehensive plan” to Walden. “We’re going to talk about implementation of the strategy because we’re eager to see that happen. I do believe the task in front of you is herculean.”

Energy cybersecurity

Meanwhile, senators on both sides of the aisle at the Energy and Natural Resources Committee made the case Thursday that the Energy Department needs to elevate its office with primary responsibility over cybersecurity, given the threats the sector faces.

With the leader of that Cybersecurity, Energy Security, and Emergency Response office testifying before the panel, senators invoked the 2021 Colonial Pipeline hack and raised the specter of Chinese cyberattacks on energy infrastructure.

Top panel Republican John Barrasso (Wyo.) asked the office’s director, Puesh Kumar, whether he would benefit from having his role become a Senate-confirmed assistant secretary position.

The Biden administration changed that designation. Energy Secretary Jennifer Granholm has defended that decision by saying when it was a “political” position, it left appointees awaiting confirmation. 

Kumar said he would defer to the president and Congress about the title of his job, but said he has access to top department leaders and resources “to accomplish this mission.”

Another witness begged to differ. “Director Kumar is fantastic,” said Robert M. Lee, CEO of cybersecurity company Dragos. “I’m surprised the position wasn’t elevated. That absolutely has caused him to be sidelined in some meetings. Titles matter in government whether we like it or not.”

TikTok

The best rundown of Thursday’s House Energy and Commerce Committee hearing featuring testimony from TikTok CEO Shou Zi Chu, and the issues surrounding it, comes via my colleagues Cat Zakrzewski and Jeff Stein and others.

Cyber experts weighed in repeatedly on Twitter, arguing that lawmakers were missing the mark on data privacy by focusing on the connections of TikTok owner ByteDance to China.

Here’s Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation:

And here’s Alejandro Carabello, a clinical instructor at the Harvard Cyberlaw Clinic:

There also was one exchange that caught the attention of cyber watchers regarding whether TikTok has spied on U.S. people at the direction of the Chinese government:

CISA

We brought you a preview of this hearing before, but lawmakers and witnesses seized on the theme of “growing pains” for CISA, as we discussed Thursday morning.

That theme manifested in some ways we did not discuss.

For instance, CISA has significant election security responsibilities, and Rep. Laurel M. Lee (R-Fla.) asked if the agency was up to the task. It’s a “nascent” responsibility, one where CISA needs to improve its “capabilities” to quickly respond to incidents on Election Day and more locally tailor its threat information sharing, said Tina Won Sherman, director of the Government Accountability Office’s homeland security and justice team.

The keys

CISA’s Easterly calls for safe AI innovation in cybersecurity

Cybersecurity and Infrastructure Security Agency Director Jen Easterly is more worried about artificial intelligence’s impact on security than she is about quantum computing, she said at a conference Thursday.

“I want us to be able to leverage technology for all the good things that can come out of it and still innovate,” she said. “I also want us to be really mindful that we are not innovating at the expense of our safety and security.”

Existing AI tools such as ChatGPT have sparked concerns among cyber experts ranging from dire to mild, depending on their estimation of the tools’ potential for writing malware or spreading believable disinformation.

“We need to fully understand the downsides and the risks,” Easterly said at the conference, which was hosted by the Economic Club of New York.

Quantum computing nonetheless remains a concern for the Biden administration, Easterly included. Its development could produce machines able to break modern encryption protocols, the administration’s recent national cybersecurity strategy warned, while emphasizing the need to prepare for a post-quantum future. A presidential advisory committee also recently recommended steps to defend against quantum computers.

China-linked hackers increasing operational effectiveness, report finds

A study of intrusions into unnamed Middle Eastern telecommunications entities shows that China-linked adversaries are making advancements in their hacking operations, AJ Vicens from CyberScoop reports, citing research from Sentinel Labs and German IT company QGroup GmbH.

Vicens quotes the researchers saying the data “highlights the increased operational tempo of Chinese cyberespionage actors and their consistent investment in advancing their malware arsenal to evade detection.”

The analysts examined Operation Soft Cell, a hacking campaign that has been linked to Chinese hackers targeting global telecom operators. The report says with medium confidence that a related hacking group that Microsoft has called Gallium is also involved in the hacking activities.

The attackers use compromised Microsoft Exchange servers to carry out system reconnaissance, credential theft and data exfiltration.

CISA rolls out new ransomware warning program

CISA will roll out a new early warning program to help critical entities such as schools and hospitals detect the presence of ransomware before hackers hijack a system, CNN’s Sean Lyngaas reports.

The program would rely on backchannels “between researchers, government officials and potential victims,” Lyngaas writes. Essentially, a tip line would be established between outside researchers and CISA, and the former would notify the latter about a potential ransomware intrusion. From there, CISA would warn the entity before any damage is caused.

Senior CISA official Eric Goldstein told CNN that the agency has hired more advisers outside the Washington beltway whose job is to warn companies of potential or incoming ransomware attacks.

Government scan

CISA, NSA issue guidance for IAM administrators (SecurityWeek)

New CISA tool detects hacking activity in Microsoft cloud services (Bleeping Computer)

National security watch

The pressing threat of Chinese-made drones flying above U.S. critical infrastructure (CyberScoop)

Global cyberspace

US, Albania on 'hunt' for Iranian cyber actors (Voice of America)

UK Government sets out vision for NHS cybersecurity (Infosecurity Magazine)

Cyber insecurity

GitHub.com rotates its exposed private SSH key (Bleeping Computer)

Cannabis regulators putting out ‘a series of fires’ involving a Russian oligarch and data breach (GBH News)

Kids tech camp iD Tech still silent weeks after data breach (TechCrunch)

Cyberterrorism tops list of threats to US vital interests: Gallup (The Hill)

Encryption wars

Bogus ChatGPT extension steals Facebook cookies (The Register)

Privacy patch

America’s online privacy problems are much bigger than TikTok (By Will Oremus)

Click to cancel: FTC proposes rule to help consumers ditch subscriptions (NBC News)

PayPal’s bringing its passkey logins to Android (The Verge)

Daybook

Secure log off

Thanks for reading. See you next week.
