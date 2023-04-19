

Welcome to The Cybersecurity 202!

Below: A key staff member departs the Cybersecurity and Infrastructure Security Agency, and senators plan a markup for the controversial EARN IT Act. First:

Republican AGs try to block EPA water cyber protections, citing federal intrusion on states' authority

A trio of Republican state attorneys general asked a federal court this week to block an Environmental Protection Agency rule intended to strengthen the cybersecurity of the water sector. The GOP officials argue that it’s an “unlawful” mandate on states.

It amounts to the most direct challenge to date of the Biden administration’s bid to impose more cyber mandates on critical infrastructure. The administration contends that voluntary measures have not been adequate.

Missouri, Arkansas and Iowa filed their petition for review on Monday in the U.S. Court of Appeals for the 8th Circuit. Beyond their objections to what they consider a federal intrusion on states, they also argue that it will be costly to small and rural public water systems.

“Rather than cleaning up our water, the federal government is hurting Iowa’s small towns,” Iowa Attorney General Brenna Bird said in a statement. “At a time of soaring inflation, where it’s hard enough to make ends meet, the federal government insists on making Iowans’ water bills more costly. We’re going to hold the Biden Administration accountable and protect Iowans’ pocketbooks.”

Without commenting on the legal petition, Adrienne Watson, a National Security Council spokesperson, commended the EPA approach.

“The Nation’s water systems are under threat of attack from cybercriminals and others, bringing risk to the safety of Americans’ drinking water,” she said via email. “These intrusions are preventable with basic cybersecurity practices that too many water systems lack. The Administration supports the EPA’s work to improve the cybersecurity of our water systems and protect the safety of our water supply.”

The EPA declined to comment, citing the pending legal action.

The rule

The mechanism the EPA used to advance the water rule has proven controversial with industry and some cyber experts. When conducting sanitary surveys of water facilities, states must evaluate the adequacy of cyber protections as well, the EPA said in a March 3 memo. In the memo, the EPA also pointed to financial resources, such as grants, that states could try to use.

“The Safe Drinking Water Act requires that states really assess the physical operational capacities of a public drinking water system to deliver clean, safe water,” Radhika Fox, assistant EPA administrator for water, told reporters in a March 2 briefing. “And it is our interpretation of the Safe Drinking Water Act that given the critical threat that cybersecurity can pose, it too must be part of what states consider” when meeting the law’s mandates, she said.

The water sector has long been considered among the most vulnerable, even though the FBI recently said that it “was not able to confirm” that a much-publicized incident in Oldsmar, Fla., “was initiated by a targeted cyber intrusion.”

The suit

The petition, which was first reported by Charlie Mitchell of Inside Cybersecurity, argues that the EPA water rule represents an “unlawful tradition of creating new legal obligations and labeling them guidance.”

The agency promulgated the rule without necessary statutory or congressional support, the petition contends.

The EPA rule attempts to shift the burden to states for what is a federal responsibility, according to the petition.

At the same time, the rule “intrudes on state sovereignty” as “primary enforcers” under the Safe Drinking Water Act.

“This Petition for Review asks the Court to hold unlawful and set-aside EPA’s March 3, 2023 Cybersecurity Rule requiring States to impose new and burdensome cybersecurity infrastructure mandates on Public Water Systems,” it reads.

The reaction

The American Water Works Association, which represents water supply professionals, said it would seek to participate in the court action because the EPA rule is “not only unwise, but legally flawed,” according to a news release. It supports more regulation, but the sanitary surveys are “not the right tool for the job,” the association said in an unattributed statement.

“Many state primacy agencies lack both the resources and technical expertise to evaluate and address cybersecurity issues,” it reads. “Further, state laws do not protect sensitive information collected through sanitary surveys, and if publicly shared, that information could expose water system vulnerabilities. We look forward to working collaboratively with EPA and others to arrive at the right solution to address cybersecurity risks in the water sector.”

Without taking a position on the lawsuit, Duncan Greatwood, CEO of Xage Security, said it’s not surprising.

“As regulators seek to impose new requirements, pushback is often seen from those who would be responsible for implementation,” he told me via email.

“A new, higher standard of cybersecurity is needed in critical infrastructure, including Water, and we hope regulatory authorities can find the right way to support the necessary cyber transition,” Greatwood said.

While the lawsuit is the most direct challenge to date for the administration’s cyber regulatory agenda, it is not the only hurdle. Industry groups have often criticized agencies’ inaugural offerings, but sometimes have come around to accepting them after they went through changes. The Republican takeover of the House poses further potential obstacles.

It’s also not the only time the Biden administration’s cyber-related actions have drawn legal objections. Federal officials are still battling a lawsuit, funded by cryptocurrency exchange Coinbase, that challenges the administration’s crackdown on the Tornado Cash cryptocurrency mixer. Officials say North Korean hackers used the tool, which pools cryptocurrency assets to obscure their ownership, to launder hundreds of millions of dollars in stolen crypto.

The keys

CISA chief of staff departs, will remain in advisory role

Cybersecurity and Infrastructure Security Agency (CISA) Chief of Staff Kiersten Todt will depart the agency and return to the private sector, the agency announced Tuesday. Kathryn Coulter Mitchell, deputy undersecretary for the Department of Homeland Security’s Science and Technology Directorate, will replace Todt, the announcement added.

Todt, who will continue to work with the agency in a senior advisory role, does not have a new position lined up yet. She told Tim that she did not want to search for a job while in her position.

“I believe strongly how you leave a job is as important as you enter it. I wanted to be fully present to the end. I'll take some space and be deliberate about what comes next,” she said, adding that she is excited to stay on as a senior adviser.

Asked why she decided to depart, she told Tim that chief of staff roles in the government are typically not long term and that she felt she was departing at a “good time where the agency is.” She took the position in the fall of 2021.

Todt said she is pleased with the progress CISA has made and grateful to have worked with agency director Jen Easterly. “I’ll be a thoughtful and aggressive advocate of CISA … and this administration [in my next role],” she said.

Before joining CISA, Todt was a co-founder and managing director at the Cyber Readiness Institute. She also has served as the executive director of then-president Barack Obama’s Commission on Enhancing National Cybersecurity and as a staffer on the Senate Homeland Security and Governmental Affairs Committee.

Dominion, Fox settle defamation lawsuit for $787.5 million

Fox News agreed to pay Dominion Voting Systems $787.5 million to settle a lawsuit that alleged the news service smeared the voting technology company with fantastical claims that it helped rig the results of the 2020 presidential election, our colleagues Jeremy Barr, Paul Farhi, Patrick Marley and Elahe Izadi report.

“The eye-popping figure — the largest publicly disclosed monetary settlement ever in an American defamation action — averted what could have been an even costlier outcome for Fox and its parent company, Fox Corp., had the suit gone to a jury. Dominion had sought $1.6 billion, and several pretrial rulings had strengthened its claims,” they write.

“We acknowledge the Court’s rulings finding certain claims about Dominion to be false,” Fox said in a statement, adding that it hopes the country can move forward.

“The truth has meaning,” said Dominion lawyer Justin Nelson, who delivered remarks outside the courthouse. “Lies have consequences.”

Senators renew push to weaken tech’s legal shield over child abuse material

The Senate Judiciary Committee has added the EARN IT Act, a bill aimed at curbing child sexual abuse material, to its lineup for a Thursday markup session. But the bill, led by Sens. Richard Blumenthal (D-Conn.) and Lindsey Graham (R-S.C.), has faced scrutiny over its potential impact on privacy, speech and encryption.

The bill would expose platforms to greater civil liability for hosting child sexual abuse material by creating a fresh carve-out to Section 230. It would also launch a new commission tasked with developing best practices for how digital platforms can combat such material.

The bill advanced out of the committee last year with bipartisan support, but some cybersecurity and privacy advocates expressed concern it could weaken encryption protections. Digital rights and LGBT groups have also said the bill could have a chilling effect on free expression online.

Additionally, the committee has listed for consideration a related bill that directs tech companies to remove child exploitation material and updates penalties for those who are in violation of hosting such content. The committee also plans to consider a bill aimed at cracking down on drug trafficking on social media platforms.

On the move

U.S. Central Command (Centcom) has hired Andrew Moore to serve as the command’s first adviser on AI, robotics, cloud computing, and data, according to an announcement shared with The Cybersecurity 202.

Moore previously worked as director of Google Cloud AI and is a former dean of the Carnegie Mellon University School of Computer Science.

“I couldn’t be more excited and honored by this opportunity,” Moore said. “I love the math and creativity of advanced technology development, but like so many of my friends in the AI industry, I want to see that theory being applied where it really makes a positive difference and CENTCOM’s mission is seriously inspiring to me.”

Daybook

The Senate Armed Services cybersecurity subcommittee convenes a hearing about the integration of AI and machine learning technologies in defense applications at 9:30 a.m.

DHS Secretary Alejandro Mayorkas testifies to the House Homeland Security Committee about the agency’s fiscal 2024 budget request at 10 a.m.

The National Security Institute at George Mason University’s Antonin Scalia School of Law holds an event discussing the Biden administration’s national cyber strategy at 1 p.m.

Mila Kofman, executive director of the DC Health Benefit Exchange Authority, testifies to a joint House panel about the recent data breach at DC Health Link at 2 p.m.

The House Energy and Commerce oversight and investigations subcommittee holds a hearing on data brokers at 2 p.m.
