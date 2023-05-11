

It could trigger other moves toward further safeguarding the nation’s most vital potential hacking targets in sectors like banking, energy and agriculture.

The question of how to govern such protections “has evolved and will continue to evolve,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said at the annual Hack the Capitol conference on Wednesday.

“The awareness and the importance of securing critical infrastructure has evolved significantly because of things like Colonial Pipeline,” she said, referring to the 2021 ransomware attack on the major supplier of fuel to the East Coast. “We remain very vulnerable to significant threats,” she said, such as from Russia and China, the latter of which is — according to a recent annual intelligence community assessment — not deterred from potentially attacking U.S. critical infrastructure should the United States put up any resistance to a possible invasion of Taiwan.

Where it was, where it’s at

The Biden administration first signaled to Congress in November that it planned to revise 2013’s Presidential Policy Directive 21, which is also known as PPD-21. That directive, which was written two presidents ago, was a replacement for another directive under the George W. Bush administration that spelled out which agencies, known as sector risk management agencies, were responsible for steering protection of each of the 16 critical infrastructure sectors.

While PPD-21 preserved much of the structure of the Bush administration memo, it made some changes, such as calling for an updated National Infrastructure Protection Plan that detailed more specifically the actions needed to fortify critical infrastructure defenses.

Notably, the Obama administration also published PPD-21 before Easterly’s agency existed. The fiscal 2021 defense policy bill directed CISA to undertake some sector risk management agency responsibilities, but the Biden administration said it would further clarify CISA’s role.

“Updated policy would strengthen the public-private partnership and provide clear guidance to executive departments and agencies (agencies) on designating certain critical infrastructure as systemically important,” President Biden wrote in his November memo. “Moreover, it would clarify the roles, responsibilities, and services of the Sector Risk Management Agencies and the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate a national effort to secure and protect against critical infrastructure risks.”

Together, agencies and offices like CISA, the Office of the National Cyber Director and the National Security Council are working to rewrite PPD-21.

“We’re looking at, how can we assess sectors, whether we still need certain sectors, whether we want to add a sector like space or something else,” Easterly said.

When the federal government designates something as a critical infrastructure sector, that means more devoted cybersecurity attention from, and coordination with, the federal agencies responsible for overseeing them.

Acting National Cyber Director Kemba Walden recently met with space industry officials to discuss the topic of whether space should be a critical infrastructure sector, among other topics. But space firms might already fall under one or more existing critical infrastructure sectors, some say.

Easterly also said that CISA has a draft of another revision of the National Infrastructure Protection Plan ready to go when the PPD-21 rewrite is complete.

How much improvement is needed?

The administration shouldn’t wait for PPD-21 to publish an update of that protection plan, though, argued Mark Montgomery, the executive director of the congressionally established Cyberspace Solarium Commission and its successor organization, CSC 2.0.

The sector-specific plans under the existing plan “are all garbage,” he said at the Hack the Capitol conference.

It looks like someone basically copied and pasted most of the plans and changed the name of each sector, he said. Nor do any of them mention CISA, as that agency came into existence due to an act of Congress in 2018.

Both documents need to be updated more regularly, he said. “You cannot be an emerging technology document and go a decade” without updating, Montgomery said. He’s worried it won’t be done anytime soon, either. While the administration has said it will be done with the PPD-21 rewrite in September, Montgomery said, “My question is, which September.”

Notably absent from the list of critical infrastructure sectors are both space and cloud computing, he said.

Other major shortcomings include the adequacy of threat-information sharing between sector-specific agencies and their critical infrastructure sectors, and funding for personnel in sector risk management agencies that might have only a few people working in the subject area, Montgomery said.

And he had many other criticisms — pointing to a potentially high bar for the Biden administration on its PPD-21 rewrite.

AI boom will enhance cybercrime, poses threat to developments in cyberdefense

As artificial intelligence finds its way further into cybersecurity, cybercriminals have become early adopters of the emerging technology, and experts, executives and government officials fear it is just the beginning, our colleague Joseph Menn reports.

Threat actors have used AI “to write software that can break into corporate networks in novel ways, change appearance and functionality to beat detection, and smuggle data back out through processes that appear normal,” Joseph writes.

Over time, more believable scams and account takeovers will grow as more criminals hire AI specialists, according to the report.

They’ll use the tools for “automating, correlating, pulling in information on employees who are more likely to be victimized,” Zscaler chief information security officer and head of research Deepen Desai told Joseph.

Federal officials have sounded the alarm about how the proliferation of AI will challenge norms in the cybersecurity landscape, though some are unclear about how that dynamic will unfold, The Cybersecurity 202 previously reported. Agencies are nonetheless taking action.

E.U. regulators plan to act if U.S. data transfer pact becomes troublesome

E.U. Justice Commissioner Didier Reynders said European regulators will closely monitor the implementation of a data transfer agreement with the United States and will be ready to act if problems ensue, Stephanie Bodoni reports for Bloomberg News.

The pact ensures that E.U. citizens’ data will be kept safe when it is transmitted into the U.S. It follows an executive order signed by President Biden last year that expands privacy checks for cross-border data exchanges.

“Rest assured that the commission will of course be particularly vigilant to ensure the implementation of this new legal framework, and won’t hesitate to react in case of any problems,” Reynders told a parliamentary assembly.

The pact was unveiled in December after an initial version was nixed by the E.U.’s top court over concerns that its protections were too weak and would enable U.S. spies to access European data. It is set to take effect by the middle of this year, according to the report.

Half of North Korean missile program funded through crypto theft and cyberattacks, official says

White House cyber official Anne Neuberger said about half of North Korea’s missile program is funded by cyberattacks and cryptocurrency theft, Sean Lyngaas reports for CNN.

A U.S. government effort is underway to understand how “a country like [North Korea] is so darn creative in this space,” Neuberger, the deputy national security adviser for cyber and emerging technology, said at an event on Wednesday.

“North Korean hackers have stolen billions of dollars from banks and cryptocurrency firms over the last several years, providing a key source of revenue for the regime, according to reports from the United Nations and private firms,” Lyngaas writes.

The remarks indicate that hacking and espionage have been a key component of the nation’s survival, the report notes.

North Korea-linked hackers’ practice of pilfering cryptocurrency for its regime and missile program was explored by your Cybersecurity 202 host in March.

At an event last year, Neuberger said that a third of North Korea’s missile program was funded by stolen crypto. CNN confirmed with a Neuberger spokesperson that the figure provided yesterday was accurate, indicating that the issue has only grown.

Daybook

ICS Village kicks off Day Two of its Hack the Capitol event beginning at 9:30 a.m.

The Committee on House Administration hosts a hearing titled “American Confidence in Elections: Protecting Political Speech” at 9:30 a.m.

The House Homeland Security Committee holds a hearing titled “Censorship Laundering: How the U.S. Department of Homeland Security Enables the Silencing of Dissent” at 2 p.m. No DHS officials are slated to testify.

