Exclusive: EAC’s top staffer heading to CISA
With help from Eric Geller
— CISA’s nabbed the executive director of the Election Assistance Commissionas the agency beefs up its election security staffing ahead of the 2022 midterms.
— The Kremlin’s latest moves make an invasion of Ukraine appear imminent. But experts can’t agree on whether cyber’s role in the conflict will escalate.
— Despite the near-passage of several major cyber bills last year, the top cybersecurity firms’ lobbying spending varied throughout 2021, according to recent lobbying disclosures.
HAPPY MONDAY, and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin, and I’m currently on the hunt for easy (and fun!) ways to sneak more veggies into my snacking habits while I write the newsletter. Bonus points for anyone with ideas that I can whip up in five minutes or less.
Have tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you’ve got to [email protected]. Follow along at @POLITICOPro and @MorningCybersec. (Full team contact info below.) Let’s get to it:
FIRST IN MC: FROM EAC TO CISA — The Election Assistance Commission’s top staffer is heading to CISA, just as the two agencies are discussing how to balance their responsibilities.
Mona Harrington, who has served as the EAC’s executive director since October 2019, is joining CISA as the deputy assistant director of the National Risk Management Center, which houses the agency’s election security team, she told Eric. In this new role, she’ll help oversee the NRMC’s work protecting elections, 5G wireless networks, supply chains and critical infrastructure. The EAC announced Harrington’s departure on Friday but did not say where she was headed next.
“Mona’s management experience and background in information security and risk management will be a huge asset,” Bob Kolasky, the CISA assistant director who leads the NRMC, told Eric. “She has been a great partner with us while at the Election Assistance Commission, and we will maintain the strong organizational relationship between CISA and the EAC as she begins her new role.” Kolasky said Harrington would focus on “helping mature the NRMC as we continue to build out our risk management and analysis work.”
— Interesting timing: Some election security experts have been pushing lawmakers for years to transfer some of the EAC’s work to CISA. Matt Masterson, who served as an EAC commissioner before leading CISA’s election security program, told the House Homeland Security Committee last week that Congress should transfer the EAC’s voting system certification program to CISA, cementing the latter agency’s role as the “technical lead” for election security while freeing up the EAC to “focus on everything else,” from grants to poll worker training. “The EAC is small and has limited resources,” he said, while “CISA [is] much larger.”
(EAC Chairman Don Palmer has previously said Masterson’s ideas are “personal animus over the dysfunction he participated in” and shouldn’t “interfere with the importance of the good election work the Commission is currently doing.”)
— Taking matters into our own hands: CISA also recently recruited Kim Wyman, the most recent secretary of state for Washington state, as its senior elections lead.
WHAT ROLE CAN CYBER HAVE — With an intelligence report this weekend warning Russia is planning to install a pro-Kremlin government in Ukraine if it invades, tensions are at an all-time high for U.S. officials navigating the conflict between Russia and Ukraine.
But leading up to a possible invasion, a key question still remains: Will cyber’s role in the conflict continue to escalate at the same rate?
— A helpful distraction: Some experts are arguing that cyber will remain a supporting character for the Russians. Dmitri Alperovitch, Crowdstrike co-founder and former chief technology officer, said in aQ&A with The Record that it’s likely Russia will continue to use cyberattacks to slowly weakened Ukraine’s defensives, such as by targeting the financial sector or launching a disinformation campaign arguing “resistance is futile.”
— A Western retaliation tool: Meanwhile, others are preparing for Russian intelligence to launch cyberattacks against the U.S. and its allied countries’ infrastructure. “Though cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyber attacks within and outside of Ukraine,” John Hultquist, Mandiant’s vice president of threat intelligence, wrote in a blog post.
But the situation in Ukraine is changing fast. Secretary of State Antony Blinken said Sunday on NBC’s “Meet the Press” that the situation on the ground is changing by the hour. And the Russian government could continue to lean on its allies in Belarus for cyber operations, throwing a wrench in Biden’s strategy for striking back. (The Kremlin has already started amassing Russian troops onthe border between Ukraine and Belarus, and Ukraine officials have blamed a cyberattack on its government websites earlier this month on Belarus intelligence)
— Adding to the mix: President Biden said last week he’s willing to launch reciprocal actions against the Russians, including cyber offensive strikes.
Preparing for the worst: Government officials are actively encouraging critical infrastructure operators to patch critical vulnerabilities and shore up their cyber defenses quickly. CISA issued a warning to operators last week. Canada and Poland have also issued similar warnings in recent days. As the week goes on, more countries could follow.
CYBER’S ANNUAL BUDGET REVIEW — Despite renewed congressional interest in passing major cybersecurity legislation in 2021, companies either went big or went home when it came to lobbying spending. According to an MC analysis of quarterly lobbying disclosures, including fourth quarter disclosures released last week, at least two companies nearly doubled their budgets in 2021, and eight others either made modest spending cuts or kept their budget flat.
— Big spenders: FireEye increased its annual lobbying spending 71 percent in 2021. Last year, FireEye spent $274,000 last year, compared to the $160,000 it spent in 2020. The company was also navigating the sale of part of its business to McAfee Enterprise for most of the year. A spokesperson for Mandiant, which was a part of FireEye before the sale, attributed the increase to lobbying efforts surrounding mandatory cyber incident reporting legislation.
Palo Alto Networks more than doubled its lobbying budget in the last year: In 2021, the company spent $708,000, compared with $334,000 in 2020. Most of that additional money went to Palo Alto Networks’ in-house lobbyists and $260,000 of it was spent in the last three months of 2021 to lobby on cyber issues in the National Defense Authorization Act and on mandatory incident reporting legislation. A spokesperson for Palo Alto Networks didn’t respond to a request for comment.
Zscaler spent $20,000 more in the fourth quarter on lobbying to influence cyber issues in the Democrats’ social spending package and last year’s NDAA, as well as updates to FISMA and FedRAMP. That $20,000 increase brought its annual totals from $110,000 in 2020 to $130,000 in 2021.
— Budget cuts: Another four companies instead made lobbying budget cuts: Tenable, Iron Mountain, McAfee and ForeScout.
While Tenable spent more in the second half of the year than it did during the same period in 2020, its annual 2021 budget was $40,000 less than in 2020. In all, Tenable spent $1 million lobbying Congress and other Washington offices on cybersecurity issues, including on incident reporting and legislation targeting state and local cyber issues, last year.
Iron Mountain cut its lobbying spending by $75,000 in 2021, spending $1.4 million in the last year compared to $1.5 million the year before. Most recently, the company focused on consumer data breach notification legislation and other data security bills.
McAfee’s lobbying budget decreased $80,000 as it finalized its purchase of FireEye from Mandiant during much of the year. Most of its focus had been on cybersecurity provisions in the NDAA, changes to federal IT rules and legislation targeting consumer data breach notification.
ForeScout Technologies cut its lobbying budget by $120,000, from $480,000 in 2020 to $360,000 in 2021. Its focus has been on the Pentagon and Department of Homeland Security’s appropriations.
— Status quo: Four cybersecurity firms — Rapid7, Akamai Technologies, Cloudflare and CrowdStrike — didn’t change their annual lobbying budgets at all, even as lawmakers came closer than ever to passing mandatory incident reporting and updates to agencies’ cybersecurity rules. For example, Cloudflare consistently spent $40,000 in each quarter throughout both 2021 and 2020.
EVOLVING MALWARE THREATS — The malware wiper found on some of the Ukrainian government’s systems earlier this month has more “components designed to inflict additional damage” than the NotPetya wiper that targeted Ukraine in 2017, according to researchers at Cisco Talos Intelligence Group. Ina report Friday, the researchers said the most recent wiper, known as WhisperGate, is similar to NotPetya because they both masquerade as ransomware that wipes the system rather than encrypting the data and holding it for ransom. However, WhisperGate was likely sitting on the victim’s network “for months before the attack,” researchers said.
— Peiter Zatko, Twitter’s head of security who goes by the hacker name “Mudge,” has left the company. Rinki Sethi, Twitter’s chief information security officer, is leaving in the next few weeks.
Some perspective on choosing security tech from J Wolfgang Goerlich, Cisco’s advisory CISO: “Most of us learn to drive with a starter car. Maybe it's a hand-me-down. Maybe it's all we can afford. But if anything happens, we're only out a few thousand dollars. Once we master the road, we get a decent car. Skills first, investment second. Same goes for security tooling.”
— Russian state media is reporting that the country has detained four members of the international cybercrime ring, the Infraud Organization. (Bloomberg)
— CISA added 17 vulnerabilities last week to the list of flaws agencies must patch immediately. (Bleeping Computer)
— American Airlines is accusing travel website The Points Guy travel of violating the Computer Fraud and Abuse Act, an anti-hacking law, because its app syncs the airline’s frequent flyer information. (The Verge)
— Richard Grabowski, the acting program director for CISA’s Continuous Diagnostics and Mitigation Program, discusses how the agency is adapting the program to increase the visibility into the federal government’s security threats. (FedScoop)
— Opinion: “The Russia Sanctions That Could Actually Stop Putin” (POLITICO)
FOR YOUR CALENDAR (Send your events to: [email protected])
Monday
10 a.m. — Cyber Threat Alliance’s webinar about fostering collaboration in the cybersecurity industry.
Tuesday
11 a.m. — Chris Painter, former cyber issues coordinator at State, and former Energy Secretary Ernest Moniz participate in the Nuclear Threat Initiatives’ virtual seminar about avoiding cyber escalation.
2 p.m. — Presidio Federal and Cisco’s virtual discussion about the future of collaborative technology.
2 p.m. — House Majority Leader Steny Hoyer and Michigan Secretary of State Jocelyn Benson participate in the Center for Tech and Civic Life and CQ Roll Call’s event about cyber funding for elections.
Wednesday
8:30 a.m. — Federal Computer Week’s virtual workshop about cloud security, featuring officials from the Commerce Department, National Science Foundation, State Department and Red Hat.
10 a.m. — The German Marshall Fund’s virtual discussion about security resilience in Ukraine, including cybersecurity protections.
2 p.m. — The Information Technology Industry Council’s virtual discussion about cyber planning for state and local governments.
5:30 p.m. — The Bipartisan Policy Center’s virtual discussion about technology and national security issues.
Thursday
No events scheduled.
Friday
No events scheduled.
Chat soon.
Stay in touch with the whole team: Eric Geller ([email protected]); Bob King ([email protected]); Maggie Miller ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).
Gloss