
Published on November 9th, 2019

Feedback on the DHS ‘Cyber Essentials’ initiative



With help from Eric Geller, Mary Lee, Martin Matishak and Matthew Brown

Editor's Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro's comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.


DHS debuted a small-business cyber initiative this week, but not everyone’s on board with how they went about it.

A Senate bill that would bolster how DHS can assist local governments in getting a .gov domain is an important step, says a firm that has studied the cybersecurity ramifications of local governments that have other addresses.

The U.S.’s rush to be the first to deploy 5G could undercut security, a think tank warned.

HAPPY FRIDAY and welcome to Morning Cybersecurity! It’s a pretty good duo. Send your thoughts, feedback and especially tips to tstarks@politico.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

FITTING IN TO THE SAME SMALL SPACE — The head of an organization that aims to bolster small-business cybersecurity is “disappointed” in a DHS initiative unveiled this week that’s devoted to aiding small-business digital defenses. The DHS Cybersecurity and Infrastructure Security Agency’s “Cyber Essentials” program was “a missed opportunity” to collaborate, said Kiersten Todt, managing director of the Cyber Readiness Institute and the former executive director of the Obama administration’s Presidential Commission on Enhancing National Cybersecurity. The DHS program’s recommendations and tools are very similar to those from the institute, she said.

“What set me back a little bit is, if they did do all this research, that's too bad, because CISA doesn't have the bandwidth” given its broad mandate, Todt told MC. “We could have done that and shared. If they worked off our program that's also disappointing because we could have helped them even more.” CISA also could have helped more by recommending pre-existing programs, rather than adding one more thing for small businesses to filter through, she said. Todt praised CISA and its leadership overall, saying this wasn’t about sour grapes or turf. She hopes she can work with the agency to harmonize their small-business cybersecurity efforts and those of other agencies and organizations, she said.

A CISA official said the agency is trying to close the distance between small-business “haves” and “have-nots” in a “few ways, like sharing our insights from protecting federal networks and advising private sector, state and local organizations, and by bridging prior government-industry templates — like the NIST Cybersecurity Framework — and the many industry resources available, accelerating uptake of the tools offered by the likes of the Global Cyber Alliance, Cyber Readiness Institute, and Center for Internet Security.” The official said the agency welcomed the feedback from Todt and “we will continue to work with our public and private partners to raise awareness of cyber risk and tools available to help manage that risk.”

DOTGOV, REVISITED — The Senate Homeland Security Committee approved a bill this week that would help local governments move to the .gov domain, a “very positive contribution” to a cybersecurity problem McAfee has studied, a McAfee official told MC. Tom Gann, McAfee’s chief public policy officer, said the prevalence of local government sites on non-.gov addresses is “a widespread issue throughout the public sector. We have long felt that DHS could really up its game by working with local governments to help them further and more widely adopt .gov domain environments.” Those domains have to be validated by the federal government, whereas anyone can get a .com domain.

The key change in the legislation (S. 2749), according to Gann, is one that allows local governments to use the Homeland Security Grant Program to reimburse the expense of switching. “They tend to be underfunded and tend to have a harder time doing everything they need to do given their range of priorities,” Gann said. The legislation is sponsored by four Homeland Security members: top Democrat Gary Peters of Michigan, Chairman Ron Johnson (R-Wis.), Democratic presidential candidate Amy Klobuchar of Minnesota and James Lankford (R-Okla.).

Another bill from Johnson and Peters, which would mandate that government officials with supply chain responsibilities get counterintelligence training, passed the Senate on Thursday. The legislation (S. 1388) moved through the chamber by unanimous consent.

CHEESING — A majority of the malware samples U.S. Cyber Command shared online this week have been used before by North Korean hackers, according to FireEye. The samples are variants of the ROCKEYE and CHEESETRAY malware families, the latter of which has been deployed by a group, dubbed APT38, which is believed to have had a hand in the largest cyber heist in history, the 2016 Bangladesh Bank theft of $81 million.

The group is a “financially motivated North Korean sponsored group that targets financial institutions, ATM infrastructure and inter-bank financial systems in order to raise large sums of money for the North Korean regime,” Ben Read, head of cyber espionage analysis at FireEye, said Thursday via email. “Instead of simply obtaining accesses and moving to transfer funds as quickly as possible, APT38 is believed to operate more similarly to an espionage operation, carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems.”

FOR 5G, TORTOISE BEATS HARE — Slow and steady will win the long-term race for 5G, rather than the Trump administration’s speed-centric, America-first approach, the Center for a New American Security argued in a report published Thursday. “The notion of ‘America first in the race to 5G’ is not a winning strategy, nor should the aim of the United States be to deploy 5G as quickly as possible,” wrote researcher Elsa Kania. “U.S. policy should focus on promoting the security, collaboration, and healthy competition that are so vital to the future of 5G, in close collaboration with allies and partners.” Kania argued for government-led 5G investment to spur private-sector follow-on work; a “rigorous” vendor evaluation process and a “comprehensive framework” to assess 5G’s “systemic risks”; international cooperation and careful coordination to counter China’s ambitions; and preparations for a world in which China will nonetheless dominate 5G.

Kania’s specific recommendations call for action by a wide range of government agencies, including CISA, the FCC, the Pentagon, the technical standards agency NIST, the Office of Science and Technology Policy, the National Science Foundation and the Defense Advanced Research Projects Agency. “It is critical,” she wrote, “to progress beyond the defensive or reactive responses to Chinese initiatives that have dominated recent U.S. policy conversations.”

CYBERSPACE — Dialogue on cyber threats against satellites and other space assets has largely flown under the radar, warns a paper published this week by the Aerospace Corporation, a nonprofit that runs the only federally funded research and development center focusing on space. In the absence of formal space-centric cybersecurity policy and regulations, the paper urges government and industry to shore up defenses within the space system itself, and it lays out some key principles for acquiring or designing a cyber-resilient spacecraft. It recommends that spacecraft makers implement a supply chain risk-management program that would ensure their vendors handle hardware and software appropriately; onboard logging, a process that collects and stores data over a period to analyze events and actions of a system; and a “tamper-proof means to restore the spacecraft to a known good cyber-safe mode.”

TWEET OF THE DAY — Endlessly comforting.

RECENTLY ON PRO CYBERSECURITY — The NSA's David Imbordino and Army Brig. Gen. William Hartman, head of the Cyber National Mission Force, will lead the joint NSA and Cyber Command election task force that will seek to protect the 2020 elections against foreign interference. … Earl Matthews, a senior National Security Council official who has become embroiled in the House impeachment inquiry, is leaving his job today.

Jacky Rosen (D-Nev.) has enlisted in the Senate Cybersecurity Caucus. She is the lead sponsor of the Cyber Ready Workforce Act (S. 1466) and JROTC Cyber Training Act (S. 2154).

Researchers tied an increase in heart attacks to data breaches and ransomware. Krebs on Security

After its massive data breach, Capital One’s CIO is getting a new role. The Wall Street Journal

Some Americans are voting on their phones in 2020, for better or worse. NPR

Motherboard reports that Chronicle, Google’s cybersecurity startup, is now imploding.

Suspected North Korean hackers targeted India’s space agency. Financial Times

A flaw in Amazon’s Ring doorbell leaks customer’s Wi-Fi credentials, per CyberScoop.

Proofpoint released its third-quarter threat report.

The Committee to Protect Journalists is raising alarms about Pegasus spyware.

That’s all for today.

Stay in touch with the whole team: Mike Farrell (mfarrell@politico.com, @mikebfarrell); Eric Geller (egeller@politico.com, @ericgeller); Mary Lee (mlee@politico.com, @maryjylee) Martin Matishak (mmatishak@politico.com, @martinmatishak) and Tim Starks (tstarks@politico.com, @timstarks).
