Defense bill is a major cyber legislation opportunity for Rep. Langevin

Langevin is reaching for cyber measures even as he heads out the door

Rep. Jim Langevin (D-R.I.), one of the most important cyber lawmakers in history, isn't running for reelection – but he still has work to do.

He’s looking at the annual must-pass defense authorization bill as an opportunity to fold in cybersecurity provisions that weren't even on the radar when he first joined Congress two decades ago.

The final version of the bill could include a flurry of cybersecurity measures, including recommendations from the Cyberspace Solarium Commission, which Langevin served on.

Langevin is eyeing at least five recommendations from the commission to be considered for the bill. Those include programs to boost cybersecurity collaboration and information gathering, and other proposals designed to reshape how the U.S. government thinks about cybersecurity and risk.

• Codification of defining the most important types of critical infrastructure to U.S. society. The Cybersecurity and Infrastructure Security Agency (CISA) has been working on identifying those entities.
• Creation of centers to study important issues like open-source software, industrial technology and network security.
• Making a Bureau of Cyber Statistics to collect, analyze and share cybersecurity-related data.
• Inclusion of the Cyber Diplomacy Act to codify a Bureau of International Cyberspace Policy at the State Department. The department this year opened the long-awaited bureau, a step Langevin said “hits the right mark … but I want to see it enacted into law so it can't be changed by some future administration, or dropped or demoted in terms of its importance.”
• Forming a system for the U.S. government to share sensitive cybersecurity information with the country’s most important infrastructure entities. That proposal is in a version of the bill that the full committee will discuss tomorrow.

“For the remainder of my time in Congress, I'm committed to advancing the key Cyberspace Solarium Commission recommendations, and this year's NDAA is an excellent opportunity to do so,” Langevin told The Cybersecurity 202 in an interview.

The annual defense bill is being considered at a critical time. For months, CISA has told organizations to put their “shields up” and prepare for potential cyberattacks in the wake of Russia’s war in Ukraine. While U.S. organizations haven’t been hit in any devastating, public hacks recently, CISA and other federal agencies have for more than a year been responding to a surge of ransomware that has hit hospitals, schools, small businesses and other organizations around the country. 

The Pentagon has also been busy. When it comes to Ukraine, U.S. Cyber Command has “conducted a series of operations across the full spectrum; offensive, defensive, [and] information operations,” U.S. Cyber Command and NSA leader Gen. Paul Nakasone told Sky News this month.

Langevin announced in January that he's not running for reelection this year, writing that “it is time for me to chart a new course, which will allow me to stay closer to home and spend more time with my family and friends.”

Cybersecurity has come a long way in the two decades since he joined Congress. Over the years, the U.S. government has formed and funded agencies to defend from cyberattacks and conduct hacking operations.

• “When I first came to Congress in 2001, the [defense authorization bill] didn't even mention cyber or the internet,” Langevin said. “Now we have a whole section that is devoted to cyber-related issues, and so cyber is only growing in importance,” he said, noting that funding has followed, but oversight is also critical.

In the more than 10 years since U.S. Cyber Command began operations, it has been involved in major operations like hijacking a ransomware gang’s website, disrupting a massive botnet and combating election interference.

Cyber Command and the National Security Agency are both led by Nakasone, a four-star general. The debate over whether a “dual-hatted” leader should run both has simmered for years. But Langevin is firm that now’s not the time to be talking about changing how they’re structured.

“In terms of splitting the dual hat, we are nowhere near ready to even start talking about splitting the hat. Maybe someday down the road that happens, but right now there’s such important synergy between NSA and U.S. Cyber Command: one informs the actions of the other and it makes it more effective,” Langevin said. “By splitting the hat, I think we’ll be fighting battles with one hand tied behind our back.”

Georgia’s top elections official will testify at today’s Jan. 6 committee hearing

Georgia Secretary of State Brad Raffensperger (R) and his deputy, Gabriel Sterling, will testify at an afternoon hearing held by the House committee investigating the Jan. 6, 2021, attack on the U.S. Capitol, the committee said. It appears to be part of an effort by the committee to tie former president Donald Trump’s false claims that the election was stolen to threats and pressure on election officials — and, ultimately, the attack on the Capitol.

Raffensperger played a significant role in parrying Trump’s false claims that the election was stolen in Georgia. In a January call, Trump pressured Raffensperger to “find” enough votes in the state to overturn President Biden’s victory, but Raffensperger resisted.

Raffensperger won a primary election against a Trump-endorsed candidate last month. He “repudiated Trump’s false claims of election fraud to anyone who would listen,” but he also “​​won in part by courting Trump’s base with promises of stricter election security,” my colleague Amy Gardner wrote.

U.S. officials expect Russia to try to interfere with midterm elections

Interference in this year's midterm elections is still hypothetical, but officials worry that interference — or even the perception of interference — could play into fears about stolen elections and undermine trust in voting systems, CNN’s Edward-Isaac Dovere reports.

Department of Homeland Security this month warned that Russia will “probably” try to undermine this year’s elections in retaliation for the U.S. government’s response to Russia’s invasion of Ukraine, according to a report obtained by CNN. “We expect Russian interference in the upcoming 2022 midterm elections, as Russia views this activity as an equitable response to perceived actions by Washington and an opportunity to both undermine U.S. global standing and influence U.S. decision-making,” the report says.

Jury convicts former Amazon Web Services engineer over Capital One hack

The jury found Paige Thompson guilty of six computer-hacking charges and one wire-fraud charge, the Seattle Times’s Maya Miller reports. The 2019 hack of Capital One compromised 100 million credit card applications. The bank later agreed to pay a $190 million settlement of a class-action lawsuit brought by customers. It also agreed to pay an $80 million fine to regulators.

“We’re thrilled with the verdict,” prosecutor Nick Brown told Miller. “Hopefully it’s good deterrence for other people, like Ms. Thompson, who purport to be good-faith hackers, but who are in fact engaged in something far more dangerous.”

The case partly hinged on what it means for someone to access a computer system “without authorization,” Miller reports.

• After Thompson left Amazon Web Services, she looked for misconfigured accounts and posed as a user who was authorized to access them, prosecutors argued. Because she didn’t have explicit permission to access those accounts, she didn’t have the proper authorization, prosecutors said.
• Thompson’s attorney, on the other hand, argued “that Thompson’s actions were legal because the breached companies’ systems performed as they were programmed, and anyone with access to a web browser could’ve taken the same actions as Thompson,” Miller writes.

Using Thompson’s words: Prosecutors also “used a sampling of Thompson’s tweets, Slack messages and chat board posts to argue that she was a calculated hacker motivated by greed, rather than a noble ‘white-hat hacker’ trying to identify and patch vulnerabilities in companies’ online defenses,” Miller writes.

Cyber attack: Gloucester council services still not back to normal (BBC News)

• CISA Director Jen Easterly and energy executives discuss cybersecurity at the EEI 2022 conference today.
• Third Way hosts an event on China and the digital world order Tuesday at 11 a.m.
• Sen. Angus King (I-Maine) speaks at a Reagan Institute on foreign information operations Wednesday at 10 a.m.
• The House Judiciary Committee holds an oversight hearing for the Justice Department’s National Security Division on Wednesday at 10 a.m.
• Michael Brown, who leads the Pentagon’s Defense Innovation Unit, speaks at the Center for a New American Security on Wednesday at 12:30 p.m.
• CISA’s Cybersecurity Advisory Council meets at 1 p.m. on Wednesday.
• White House special assistants Tim Wu and Peter Harrell discuss the Biden administration’s Declaration for the Future of the Internet at a Brookings Institution event on Wednesday at 2 p.m.
• The Committee on House Administration holds a hearing on disinformation’s threats to democracy on Wednesday at 2:30 p.m.
• A House Homeland Security Committee panel holds a hearing on securing emerging technologies on Wednesday at 2:30 p.m.
• The R Street Institute hosts an event on the cybersecurity of the water industry on Wednesday at 4:30 p.m.

Thanks for reading. See you tomorrow.