The Washington Post
Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Lawmakers tell Biden to act quickly to nominate a national cyber director

Welcome to The Cybersecurity 202! Denver’s calling me. Be back in a small bit.

Below: The U.K. national crime agency wins a legal challenge over EncroChat and Twitter launches encrypted direct messages, but there are some caveats. First:

First in The Cybersecurity 202: Cyberspace Solarium Commission co-chairs urge Biden to fill key cyber gig

Leaders of the independent commission behind the creation of the Office of the National Cyber Director are calling on President Biden to fill the office's top post, which has been vacant for months.

The first national cyber director, Chris Inglis, left the post in February after indicating in December that he would depart. The acting director is Kemba Walden, who previously worked as assistant general counsel in Microsoft’s Digital Crimes Unit and counsel at DHS.

Today, the leaders of the congressionally established Cyberspace Solarium Commission, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), wrote to the president asking him to fill the position on a permanent basis — and to strongly consider Walden for the job.

“Since Chris Inglis’ departure and even prior, Acting NCD Kemba Walden has demonstrated that she is highly qualified for and well suited to the position,” the pair wrote. “We urge you to send her nomination to Congress soon, where we believe she will receive fair consideration and swift confirmation.”

A permanent office leader enhances that office’s power, as it signals that the leader has the full backing of the administration, King told me. In this case, it would strengthen the ability of the office to “wrangle the federal agencies adequately” when coordinating on cyber actions, King said.

Under the legislation establishing the office, the national cyber director is charged with advising the president on cybersecurity policy and strategy. It replaced a White House “cyber czar” position that former president Donald Trump eliminated. The Solarium Commission contended that the White House needed “a more robust and institutionalized national-level mechanism for coordinating cybersecurity and associated emerging technology issues.”

The letter comes one day after a news report that another top cyber leader, Cyber Command and National Security Agency Director Gen. Paul Nakasone, could soon step down.

NCD status

“Enough is enough already,” King, who alongside Gallagher co-chairs the successor to the Solarium Commission, CSC 2.0, told me. “It’s been a long time. And they have an excellent candidate right under their nose. Kemba Walden is well-qualified. She’s running the office now, but she needs the authority to be the director, so we can move on with the confirmation.”

Inglis, the first national cyber director, exited the office toward the end of the finalization of the Biden administration’s first national cybersecurity strategy. His office led the writing of the policy document, but the apparently rocky process reportedly contributed to his exit.

“The coordination across the federal government is of the size and scope that demands the leadership of a Senate-confirmed NCD,” King and Gallagher wrote. “While we applaud the White House’s efforts under Director Inglis to stand up the office and his strong leadership in drafting the National Cybersecurity Strategy, we are extremely concerned that the three-month delay (and counting) in nominating a candidate to replace Chris will hinder the implementation of the strategy and lead to a lessening of the stature of the office.”

Before he served as national cyber director, Inglis also served on the Solarium Commission. He is now serving as an adviser to CSC 2.0.

King said he has “prodded the White House publicly and privately” but has gotten no answer about the reason for the national cyber director position still being open. Neither the White House nor the Office of the National Cyber Director responded to requests for comment on the vacancy.

“This is an easy one,” King said. “I don’t know if there is a problem or if it’s just the slowness of the personnel process at the White House.

“From people that I’ve talked to, Kemba is universally respected and is in a great position to move forward in terms of continuity,” King said. “I’m not telling them they have to choose her and that’s not my role. But we need somebody in that position, and I think it would be a bad look for the administration if there was a major cyber incident and this position had not been filled.”

Even after a nomination, there would be some time before Inglis’s replacement took over full-time. The administration nominated him in April of 2021 and he took office two months later. The Senate would have to confirm his successor; Inglis was unanimously confirmed.

NSA and CYBERCOM status

Meanwhile, Nakasone has told Biden administration colleagues that he expects to step down from his NSA and Cyber Command roles “in the coming months,” Dustin Volz reported on Thursday for the Wall Street Journal, citing “people familiar with the matter.”

A CYBERCOM spokesperson, Rebekah Kasule, told me via email that “General Nakasone serves at the pleasure of the President. He remains focused on leading U.S. Cyber Command, the National Security Agency and Central Security Service in their critical missions to safeguard the nation.”

Nakasone took those posts in 2018 and was asked last year to stay on for another year, Martin Matishak and Dina Temple-Raston reported last year for the Record.

Nakasone “demurred” in a conversation with reporters last week about his plans, Matishak reported. Replacing Nakasone — and other military cyber nominees — could prove complicated with Sen. Tommy Tuberville (R-Ala.) placing a blanket hold on all Pentagon promotions.

King said that the two vacancies combined could pose a problem. “If you add Nakasone to an empty national cyber director, it’s a big gap,” he said.

The keys

Britain’s National Crime Agency wins legal challenge over EncroChat hack

The U.K.’s Investigatory Powers Tribunal ruled that the nation’s National Crime Agency (NCA) obtained proper warrants in connection to hacking and arrests made by European law enforcement agencies over the shuttered EncroChat encrypted messaging service, Alexander Martin reports for the Record.

  • “Encrochat was a bespoke encrypted communications platform widely used by serious organized crime groups in Europe,” Martin writes. “Although its creators claimed it was developed for celebrities who needed additional privacy, law enforcement agencies argued that the vast majority of Encrochat’s customers were actually criminals.”
  • EncroChat subscribers paid 1,000 euros ($1,092) per device to receive a modified phone with physical privacy modifications like the removal of the GPS and camera functionality. European law enforcement agencies monitored messages on the service after infiltrating it.
  • The intelligence collected from the platform enabled thousands of arrests across the continent, including over 2,800 arrests in Britain alone and nearly 77 million euros ($96 million) seized in criminal cash.

“However the Tribunal also said it had not been able to come to a decision about whether the NCA complied with legal distinctions requiring police and security agencies to use different warrants to access information stored on a system versus intercepting messages while they are being transmitted,” Martin writes. “Such a decision would be necessary in the future, the judgment said, adding the Tribunal would address the issue following the conclusion of ongoing Encrochat proceedings in the Crown Court.”

FBI violations of contested surveillance rule decreased, data shows

FBI staff appear to have complied more with communication interception rules outlined in the Foreign Intelligence and Surveillance Act (FISA), Charlie Savage reports for the New York Times, citing data from the agency’s auditing office.

  • Savage writes: “In the year before the changes were enacted, about 18 percent of queries, or database searches, lacked sufficient justification or were improperly defined, according to the office’s survey of a sampling. In a nine-month period after the changes, about 4 percent failed to comply with rules, the bureau said.”
  • The studies scrutinized data under both traditional FISA intercepts collected under court orders, as well as intercepts via Section 702. That authority is controversial, and it has allowed the United States to eavesdrop on foreign targets without a warrant.
  • A noncompliance rate of 4 percent represents “a shocking number of violations” because of the vast number of searches conducted, Elizabeth Goitein of the Brennan Center for Justice at New York University School of Law told Savage. (Goitein also discussed the report in a Twitter thread.)

The intelligence community calls 702 a key national security tool, while privacy groups say it’s a threat to constitutional rights. It is set to expire at the end of the year unless Congress votes to authorize it.

Twitter launches encrypted messaging, but it is missing key features and is only accessible to subscribers

Elon Musk’s Twitter this week launched its long-promised encrypted direct messages offering, according to a new document on its site, but the service is paywalled, posing a potential security risk to users who do not pay up, reports say.

“According to the document, encrypted DMs are only available if you are a verified user (somebody who pays for Twitter Blue), a verified organization (an organization that pays $1,000 per month), or an affiliate of a verified organization (which costs $50 per month per person),” Jay Peters reports for the Verge.

Additionally, users on both ends of the conversation will have to meet those requirements, and they’ll also need to have the latest version of Twitter installed, the document says.

The feature appears to contain a “laundry list” of flaws for an encrypted messaging service, Andy Greenberg writes for WIRED.

  • “The encryption feature is opt-in, for instance, not turned on by default, a decision for which Facebook Messenger has received criticism. It explicitly doesn’t prevent ‘man-in-the-middle’ attacks that would allow Twitter to invisibly spoof users’ identities and intercept messages, long considered the most serious flaw in Apple’s iMessage encryption,” Greenberg writes.
  • “This clearly is not better than Signal or WhatsApp or anything that uses the Signal Protocol, in terms of features, in terms of security,” Johns Hopkins University professor Matthew Green told WIRED.

Government scan

Chertoff, who endorsed Supreme Court’s leak investigation, warns judges to stay vigilant (Politico)

NIST debuts new cyber guidance for contractors handling sensitive data (Nextgov)

Hill happenings

The Marines’ next cyber chief is stuck in a pileup of nominations in the Senate (The Record)

Lawmakers introduce bill to strengthen whistleblower protections for federal contractors (FedScoop)

Securing the ballot

Industry report

Flood of ransom payments continues as officials mull ban (Cybersecurity Dive)

Global cyberspace

Australian software giant won't say if customers affected by hack (TechCrunch)

Breach of mental-health records challenges nation’s court system (Wall Street Journal)

IRS gives Ukraine tools to expose Russian oligarchs hiding riches in crypto exchanges (CyberScoop)

Cyber insecurity

Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers (Bleeping Computer)

Crypto scammer arrested again in Florida on fraud, gun charges (Bloomberg News)

Microsoft patches bypass for recently fixed Outlook zero-click bug (Bleeping Computer)

Encryption wars

Inside the Italian mafia’s encrypted phone of choice (Motherboard)


Secure log off

Thanks for reading. See you next week.