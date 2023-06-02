

Welcome to The Cybersecurity 202! It was nice to dingle-dangle about with my oldest pals on a vacation these past few days, but I’m back in the saddle again. Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: Russia blames the United States and Apple for a recent hacking campaign, and a judge dismisses a privacy suit against Meta over Cambridge Analytica. First:

Debt ceiling agreement has little impact on old CISA money, agency says, but prospects are dicier going forward

The Cybersecurity and Infrastructure Security Agency is largely shielded from a provision of the debt ceiling deal that takes back money that Congress sent to the agency through an economic stimulus and covid-19 relief law, the agency said.

Under the 2021 American Rescue Plan Act (ARPA), CISA received $650 million, which it devoted toward improving the monitoring and blocking of threats for federal agencies, among other purchases.

The debt ceiling deal — which the House passed Wednesday and the Senate cleared late last night — would rescind approximately $27 billion in unspent money from the $1.9 trillion package.

But an agency spokesperson said CISA has effectively spent almost all of its American Rescue Plan money already.

The agency has historically had bipartisan support in Congress. Still, the debt ceiling deal and CISA’s historical support don’t mean the agency won’t face budget pressures from House Republicans going forward.

The deal

The debt ceiling agreement — which was brokered by House Speaker Kevin McCarthy (R-Calif.) and President Biden — suspends the nation’s borrowing limit of $31.4 billion until January of next year. It also caps spending for the next two years, with nondefense fiscal 2024 spending relatively flat and fiscal 2025 spending restricted to a 1 percent increase.

The ARPA funds listed in the bill have been used by CISA for four things, as Eric Goldstein, the agency’s executive assistant director for cybersecurity, explained in 2021:

Detection sensors at federal agencies;

Responding to incidents and hunting down threats;

Analysis of cybersecurity information shared with CISA; and

Altering agencies’ defensive network architecture.

The agency appears to have been largely spared by the deal’s targeting of its ARPA funds. “CISA has obligated nearly 99 percent of its $650 million allocated ARPA funds,” said Avery Mulligan, the spokesperson. “We remain grateful that cybersecurity and protecting our nation’s critical infrastructure continue to receive strong bipartisan support, and we will continue to be good stewards of taxpayer dollars.”

CISA Director Jen Easterly also hailed the agreement this week.

“I was really encouraged about the deal,” Easterly said at an Axios event. “Look forward to that being passed.”

“We have enjoyed incredible bipartisan congressional support since CISA was established at the end of 2018,” she said of future agency spending.

“Since I came on board, our budget has grown by a billion dollars, we’ve hired 1,105 people, been good stewards of that budget,” she said. “I believe we will get the resources that we need to help defend the nation in cyber.”

“I’m very confident that cybersecurity will remain a bipartisan congressional issue,” she said. “We’re grateful for it.”

But beyond the debt ceiling agreement, Republicans appear to have been pushing for more modest funding for CISA, which experts say could negatively impact its important cybersecurity work.

The Republican-controlled House Appropriations subcommittee that handles CISA funding said it would give the agency $2.9 billion for fiscal 2024 under the annual spending bill for the Department of Homeland Security, a $19 million boost over the prior year but $130 million less than what President Biden requested.

A bill markup last month that advanced the spending legislation was in line with Biden’s expectations, Easterly said. But she warned that insufficient funding runs the risk of harming the nation’s cyber defenses.

“I do worry about our ability to defend the nation, to work with critical infrastructure to keep us safe and resilient in the face of increasingly complex and dynamic cyberthreats,” she said.

Other ramifications

Biden’s budget proposal for the agency in fiscal 2024 included a $98 million request to implement last year’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which imposed mandates on critical infrastructure owners and operators to report to CISA when they suffer major cyber incidents or make a payment to ransomware gangs. Final regulations for the law are due by September 2025.

The current House fiscal 2024 DHS spending bill would harm CISA’s ability to implement that law, Zephranie Buetow, DHS assistant secretary for legislative affairs, said in a March letter to Rep. Rosa L. DeLauro (Conn.), the top Democrat on the Appropriations Committee. It would also harm CISA’s ability to strengthen state and local governments’ ability to withstand cyberattacks and respond to incidents, Buetow said.

A former CISA official told Sara Friedman of Inside Cybersecurity that implementing the cyber incident reporting law should be the top budget goal.

“The priority for the Agency has to be getting CIRCIA right,” Bob Kolasky, now senior vice president for critical infrastructure at Exiger, told Friedman. “I do not think the Agency is going to be willing to compromise on requirements for budgetary reasons if such a compromise would come at the expense of an effective reporting regime that will be beneficial across critical infrastructure sectors. Nor should it be.” (Kolasky previously led CISA’s National Risk Management Center.)

Still, the degree to which the debt ceiling deal will affect the final version of the House fiscal 2024 DHS spending bill remains up in the air. The panel delayed a full-committee markup last month.

“Given recent developments in the negotiations between Speaker [Kevin] McCarthy [R-Calif.] and the President, and in order to give the Speaker maximum flexibility as talks continue, the Committee will postpone this week’s markups,” House Appropriations Chairwoman Kay Granger (R-Tex.) said last week.

Democrats in the Senate are likely to be friendlier toward CISA once that chamber begins the process of appropriating spending for DHS, given that they share a party with Biden.

Aaron Schaffer contributed to this report.

The keys

Russia blames U.S., Apple for hacking campaign against thousands of iPhones

Russia’s Federal Security Service (FSB) on Monday said thousands of iPhones in the country were hacked in a newly discovered espionage campaign and attributed the incident to the United States without providing evidence, our colleague Joseph Menn reports.

And “Russian cybersecurity company Kaspersky Lab said that the campaign had implanted file-stealing malware on iPhones of its employees who were running a year-old version of Apple’s mobile operating system, adding that it did not have enough evidence to blame any government or group for the breaches,” Joseph writes.

Kaspersky said it believed the hack began with an iMessage attachment that didn’t require any user interaction. Spyware firms like NSO Group have sought such “zero-click” hacks.

“A Kaspersky spokesperson told The Washington Post that researchers were still analyzing the campaign and did not have enough technical evidence to attribute it to anyone,” Joseph adds.

Apple vehemently denied FSB claims that the company colluded with the U.S. government to carry out the hack that allegedly ensnared thousands, including diplomats. “We have never worked with any government to insert a backdoor into any Apple product and never will,” a spokesperson said.

Kaspersky often works with Russian authorities, Menn notes in his report.

In 2017, the U.S. government moved to ban the company’s software from government networks amid concerns about its alleged links to Russia’s government. The company has denied the allegations.

Kaspersky came under scrutiny from U.S. national security officials shortly after Russia invaded Ukraine amid concerns that Moscow could influence the company’s software designs. The company said it wasn’t given the opportunity to respond to the “further damaging” allegations.

Federal prosecutors probing if Tucker Carlson video leaks were part of hack by journalist

Prosecutors are exploring whether leaked videos of former Fox News host Tucker Carlson were exposed through a hacking operation by a journalist, our colleagues Jeremy Barr and Will Sommer report.

“In the days after Tucker Carlson’s abrupt firing from Fox News, a stream of unauthorized, behind-the-scenes videos appeared, showing the conservative pundit grousing about a variety of subjects and making uncouth remarks. In one, Carlson blasted Fox colleagues who cite their preferred gender pronouns; in another, he smirkingly asked an on-set makeup artist if ‘pillow fights ever break out’ in the women’s restroom,” Jeremy and Will write.

The videos were published by left-leaning watchdog group Media Matters for America, but a federal prosecutor in Florida “alerted Fox that it might be the victim of several cybercrimes, including wiretapping and the intentional unauthorized access of a computer,” they write.

“The Tampa Bay Times, which first reported the notification letter, connected it to an FBI search in early May at the home of a local city council member and her husband, veteran journalist Timothy Burke,” they add.

Burke’s lawyer Mark Rasch confirmed that his home was searched in connection to the investigation but denied he hacked the network. Burke, who previously worked for sports news website Deadspin and now runs his own company, is still engaged in journalism, the report notes.

“We are confident that when all the facts come out, it will be demonstrated that Timothy never hacked anyone and that all the information he provided was accessible to the public,” Rasch said, adding Burke was doing his duty as a seeker of newsworthy information.

Judge tosses D.C. attorney general Cambridge Analytica privacy suit against Meta

A D.C. superior court judge on Thursday dismissed a long-running lawsuit from the D.C. attorney general that alleged that Facebook parent Meta maintained poor data practices that misled users and failed to promptly inform them of the events of the 2018 Cambridge Analytica scandal.

Judge Maurice A. Ross granted Meta’s request to dismiss the lawsuit filed by former D.C. attorney general Karl A. Racine (D).

Racine filed the initial lawsuit in December 2018 and followed up with an additional suit last May claiming that Meta CEO Mark Zuckerberg directly participated in decisions that enabled the political consulting firm to siphon personal data from millions of users on its Facebook platform.

Ross in the decision argued that Facebook “took swift action” in response to the scandal and added that while “the District may disagree with Facebook’s approach to the situation, there is no legal basis that required Facebook to act differently.”

The scandal opened Facebook up to significant regulatory scrutiny in the United States and around the globe.

“We respectfully disagree with the Court’s decision and are considering all of our options,” said D.C. attorney general office spokesperson Gabriel Shoglow-Rubenstein.

Secure log off

Thanks for reading. See you next week.