Welcome to The Cybersecurity 202! Spring, keep on springin'. Spring and summer are the months of life; fall and winter are the months of everything dying or being dead. I prefer life, all you death-worshipping fall/winter weirdos.
Below: Cybersecurity and Infrastructure Security Agency Director Jen Easterly has concerns about AI, and CISA rolls out a new ransomware warning system. First:
TikTok, energy cybersecurity, CISA and the National Cybersecurity Strategy all graced the congressional agenda in a single day
Thursday brought one of the busiest days for cyber on Capitol Hill in recent memory.
Across both chambers and four different committees, lawmakers scrutinized energy cybersecurity, a national cybersecurity strategy unveiled this month, the Cybersecurity and Infrastructure Security Agency and TikTok.
I hereby bring you the greatest hits of each.
National Cybersecurity Strategy
Acting National Cyber Director Kemba Walden and Rep. Nancy Mace (R-S.C.) were in agreement that, in Walden’s words, “a strategy is only as good as its implementation.”
So Mace — chair of the House Oversight subcommittee on cybersecurity, information technology and government innovation — asked Walden on Thursday who would be leading the implementation of the recently unveiled Biden cyber strategy, and how. The strategy is notable for its desire to shift the burden of cybersecurity to critical infrastructure owners and software makers.
Walden said her office would be leading implementation, in collaboration with the Office of Management and Budget. (The strategy document itself said Walden’s office and the Office of Management and Budget would lead implementation “under the supervision of NSC [National Security Council] staff,” a clause that has raised eyebrows in turf-conscious D.C.)
- The strategy, Walden said, assigns implementation responsibilities to federal agencies. A future implementation plan already in the works will further establish who’s responsible for doing what.
- The administration has already started implementing other principles of the strategy under an executive order from 2021, and has begun crafting a related workforce and education strategy. Walden said her office was coordinating with the Office of Personnel Management on a federal workforce bill, and Mace said she, too, was developing legislation to accelerate federal hiring of cyber personnel — a topic of interest to the administration and other committees as well.
“We will have your back,” said Rep. Gerald E. Connolly (Va.), the top Democrat on the subcommittee, who praised the strategy as a “bold, comprehensive plan” to Walden. “We’re going to talk about implementation of the strategy because we’re eager to see that happen. I do believe the task in front of you is herculean.”
Meanwhile, senators on both sides of the aisle at the Energy and Natural Resources Committee made the case Thursday that the Energy Department needs to elevate its office with primary responsibility over cybersecurity, given the threats the sector faces.
With the leader of that Cybersecurity, Energy Security, and Emergency Response office testifying before the panel, senators invoked the 2021 Colonial Pipeline hack and raised the specter of Chinese cyberattacks on energy infrastructure.
Top panel Republican John Barrasso (Wyo.) asked the office’s director, Puesh Kumar, whether he would benefit from having his role become a Senate-confirmed assistant secretary position.
The Biden administration changed that designation. Energy Secretary Jennifer Granholm has defended that decision by saying when it was a “political” position, it left appointees awaiting confirmation.
Kumar said he would defer to the president and Congress about the title of his job, but said he has access to top department leaders and resources “to accomplish this mission.”
Another witness begged to differ. “Director Kumar is fantastic,” said Robert M. Lee, CEO of cybersecurity company Dragos. “I’m surprised the position wasn’t elevated. That absolutely has caused him to be sidelined in some meetings. Titles matter in government whether we like it or not.”
The best rundown of Thursday’s House Energy and Commerce Committee hearing featuring testimony from TikTok CEO Shou Zi Chew, and the issues surrounding it, comes via my colleagues Cat Zakrzewski and Jeff Stein and others.
Cyber experts weighed in repeatedly on Twitter, arguing that lawmakers were missing the mark on data privacy by focusing on the connections of TikTok owner ByteDance to China.
Here’s Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation:
If you think the US needs a TikTok ban and not a comprehensive privacy law regulating data brokers, you don’t care about privacy, you just hate that a Chinese company has built a dominant social media platform.— Eva (@evacide) March 23, 2023
And here’s Alejandra Caraballo, a clinical instructor at the Harvard Cyberlaw Clinic:
Banning TikTok for privacy reasons is absurd when Meta can collect the same data and sell it to governments and foreign companies. Surveillance is apparently not an issue if it's done for profit. The fundamental problem is that the US has no meaningful data privacy laws.— Alejandra Caraballo (@Esqueer_) March 23, 2023
There also was one exchange that caught the attention of cyber watchers regarding whether TikTok has spied on U.S. people at the direction of the Chinese government:
Here's what TikTok says about the exchange:— Tonya Riley (@TonyaJoRiley) March 23, 2023
We brought you a preview of this hearing before, but lawmakers and witnesses seized on the theme of “growing pains” for CISA, as we discussed Thursday morning.
That theme manifested in some ways we did not discuss.
For instance, CISA has significant election security responsibilities, and Rep. Laurel M. Lee (R-Fla.) asked if the agency was up to the task. It’s a “nascent” responsibility, one where CISA needs to improve its “capabilities” to quickly respond to incidents on Election Day and more locally tailor its threat information sharing, said Tina Won Sherman, director of the Government Accountability Office’s homeland security and justice team.
CISA’s Easterly calls for safe AI innovation in cybersecurity
Cybersecurity and Infrastructure Security Agency Director Jen Easterly is more worried about artificial intelligence’s impact on security than she is about quantum computing, she said at a conference Thursday.
“I want us to be able to leverage technology for all the good things that can come out of it and still innovate,” she said. “I also want us to be really mindful that we are not innovating at the expense of our safety and security.”
AI tools that exist today like ChatGPT have sparked concerns from cyber experts ranging from dire to mild, based on their estimation of its potential for writing malware or spreading believable disinformation.
“We need to fully understand the downsides and the risks,” Easterly said at the conference, which was hosted by the Economic Club of New York.
Quantum computing is also a concern for the Biden administration, however, including Easterly. Its development could lead to the technology being able to break modern encryption protocols, the recent national cybersecurity strategy warned while emphasizing the need to prepare for a post-quantum future. A presidential advisory committee also recently recommended steps to defend against quantum computers.
China-linked hackers increasing operational effectiveness, report finds
A study of intrusions into unnamed Middle Eastern telecommunications entities shows that China-linked adversaries are making advancements in their hacking operations, AJ Vicens from CyberScoop reports, citing research from Sentinel Labs and German IT company QGroup GmbH.
Vicens quotes the researchers saying the data “highlights the increased operational tempo of Chinese cyberespionage actors and their consistent investment in advancing their malware arsenal to evade detection.”
The analysts examined Operation Soft Cell, a hacking campaign that has been linked to Chinese hackers targeting global telecom operators. The report says with medium confidence that a related hacking group that Microsoft has called Gallium is also involved in the hacking activities.
The attackers use compromised Microsoft Exchange servers to allow for systems reconnaissance, credential stealing and data exfiltration.
CISA rolls out new ransomware warning program
CISA will roll out a new early warning program to help critical entities like schools and hospitals detect the presence of ransomware before hackers hijack a system, CNN’s Sean Lyngaas reports.
The program would rely on backchannels “between researchers, government officials and potential victims,” Lyngaas writes. Essentially, a tip line would be established between outside researchers and CISA, and the former would notify the latter about a potential ransomware intrusion. From there, CISA would warn the entity before any damage is caused.
Senior CISA official Eric Goldstein told CNN that the agency has hired more advisers outside the Washington beltway to warn companies of potential or incoming ransomware attacks.
National security watch
Cannabis regulators putting out ‘a series of fires’ involving a Russian oligarch and data breach (GBH News)
- The R Street Institute holds an event discussing how data privacy laws may affect start-ups at 12 p.m.
- The Silverado Policy Accelerator holds the first day of its inaugural summit this Sunday at 4 p.m., which will explore geopolitics, semiconductors and the global cybersecurity landscape, among other areas.
Secure log off
March 23, 2023
Thanks for reading. See you next week.