Good morning! Welcome to Tim Starks, who is joining The Cybersecurity 202 as its author. Tim graciously spent yesterday — his first day at The Washington Post! — helping me write this newsletter. You can send tips and congratulations to tim.starks@washpost.com.
Inglis talks cybersecurity jobs, recruitment strategy ahead of White House summit
Cyber workforce challenges aren’t just an economic issue or national security issue, but a “national issue,” National Cyber Director Chris Inglis told The Cybersecurity 202 in an exclusive interview.
The National Cyber Workforce and Education Summit is designed as an early step toward making progress on workforce issues, Inglis said.
But the summit is about more than just the need to fill cybersecurity jobs, he said. “It's about creating an opportunity for a broader swath of people to take those jobs. It's about making sure that every citizen has the skills necessary to take full advantage of … cyberspace,” Inglis said, calling it a “national issue.”
“Our goal — first, middle and last — is to bring leaders from a very diverse kind of broad swath of the American system together to understand that, to commit to solving that and to put their efforts together so that we begin to make some progress broadly across that front,” Inglis said.
The context: The summit comes amid years of concern that the United States doesn’t have enough cybersecurity professionals to fill thousands of important cybersecurity jobs.
- The good news: “We continue to fill cyber jobs at a constant rate” of about two-thirds, Inglis said.
- The bad news: “The denominator is going way up, so that last year it would have been [that] we're 550,000 short; this year we're 771,000 [short].”
The agenda: The summit will consist of a plenary session and three breakout sessions, Inglis said. Those sessions will be focused on filling traditional IT and cybersecurity jobs, looking at disciplines that need to know more about cyber issues and ensuring that the broader American public has digital and cyber skills that are important to being successful in cyberspace, Inglis said.
A host of employers, education leaders and federal agency heads are also expected to attend, including Cybersecurity and Infrastructure Security Agency Director Jen Easterly and Anne Neuberger, the deputy national security adviser for cyber and emerging technology.
Both the private sector and government are facing cyber talent shortages. That presents a “stunningly important intersection,” Inglis said.
- “It turns out that no matter where you look — private sector, public sector — about one third of the jobs that have IT or cyber in their job title are unfilled,” Inglis said, calling the intersection a “common problem or a common opportunity.”
- But the “government's not going to get healthy and well unless the larger nation gets healthy and well, and vice versa,” Inglis said.
Inglis’s office is writing a strategy this fall, he said. The document is expected to address workforce issues, as Tim Starks reported for CyberScoop last week.
Last month, the congressionally led Cyberspace Solarium Commission recommended that cybersecurity leaders develop a grouping of human resource specialists within the government to hire cyber pros. The commission also recommended getting more data about the government’s cybersecurity workforce and investing more money into recruiting and retaining cybersecurity professionals.
“We’re about two-thirds manned now,” the commission’s executive director, Mark Montgomery, told The Cybersecurity 202 at the time. “When you’re two-thirds manned, you clearly aren’t getting the job done. It can make for low morale. … You can end up with an underperforming, unhappy, undertrained workforce.”
No need for a disinformation governance board, DHS advisers say
The Department of Homeland Security’s advisers unanimously endorsed a recommendation urging the agency to scrap its controversial disinformation governance board, The Post's Maria Sacchetti reports. The report comes two months after DHS announced that it was pausing the work of the board.
“Officials said they created the board in April to fight disinformation-fueled extremism that might endanger national security, but Republicans and conservative media portrayed it as an Orwellian tool that could infringe on privacy and free speech,” Maria writes.
- Homeland Secretary Alejandro Mayorkas said the board was created to combat disinformation-related security threats, with a focus on Russia and human smuggling. DHS later emphasized that the board didn't have “any operational authority or capability.”
A council subcommittee is working on a report about disinformation, which is due Aug. 3, according to former DHS secretary Michael Chertoff, who co-chaired the subcommittee. “There is no room for a separate disinformation governance board,” Chertoff said. He didn’t explain the panel’s reasoning for its recommendation.
Dozens of Thai activists and supporters were hacked with Pegasus
“More than 30 Thai activists and supporters have been hacked with NSO Group’s potent Pegasus spyware, civil society groups said late Sunday,” The Post's Joseph Menn reports. Thailand’s government would be a logical suspect in the hacks, the Toronto-based Citizen Lab said.
Local human rights group iLaw issued a report identifying some victims. Amnesty International used a different method to examine phones and agreed with the conclusions that Citizen Lab reached.
The campaign represents the “first countrywide campaign brought to light because Apple warned targeted iPhone users” in November, Menn writes.
NSO’s clients are all government agencies, according to the company. Thailand’s government has denied hacking activists, but it has the ability to spy on Thai citizens under new laws.
NSO didn’t answer questions about its business in Thailand. “Politically motivated organizations continue to make unverifiable claims against NSO hoping they will result in an outright ban on all cyber intelligence technologies, despite their well documented successes saving lives,” it said in a statement. (Citizen Lab has not called for such a move.)
Advocacy groups want Cyber Ninjas banned from federal contracts
Four democracy and voting advocacy groups want the Interagency Suspension & Debarment Committee to consider Cyber Ninjas and chief executive Doug Logan for “debarment,” The Post's Yvonne Wingett Sanchez reports. Cyber Ninjas was responsible for a shoddy, partisan review of the 2020 election in Maricopa County, Ariz.
The review was riddled by flaws that were both procedural and cyber-related, this newsletter reported in January. The review eventually found that President Biden won Arizona.
Two nonpartisan groups, All Voting Is Local Arizona and Arizona Democracy Resource Center, requested the debarment along with liberal organizations Living United for Change Arizona and Mi Familia Vota.
“Logan and Cyber Ninjas representatives have stood by the Florida-based firm’s work,” Yvonne writes. “In January they said the business was shutting down and laying off its workers, news that came as a judge ordered the company to pay $50,000 each day in fines until it complied with public records requests involving the ballot review to media and oversight groups. Logan told the Associated Press he planned to start a new company and hire some Cyber Ninjas employees; the status of those plans is unclear.”
Senate bill wades into Cyber Command leader’s powers
The Senate’s version of the annual defense authorization bill would specify how long the leader of the Defense Department’s cyber military wing could serve in the job and grant that commander explicit authority to conduct overseas operations when the United States is under cyberattack.
The bill would let the president authorize U.S. Cyber Command to conduct military cyber operations in foreign cyberspace to deter or defend against active foreign government cyberattacks on vital U.S. targets like pipelines or water systems, according to a summary. An Armed Services Committee aide, speaking on the condition of anonymity to candidly comment on the legislation’s intent, told The Cybersecurity 202 that “this provision reauthorizes existing Cyber Command activities and emphasizes the critical role they play in our national security.”
Existing law does not limit the term of the commander of U.S. Cyber Command, only requiring Senate confirmation. The fiscal 2023 Senate bill would limit the commander to two four-year Senate-confirmed terms. Gen. Paul Nakasone, who currently holds the position, has served a little more than four years, longer than any of his predecessors. The Record reported in May that Nakasone had been asked to stay on another year. But it’s common for military combatant commanders to stay on for two to three years, and the aide said that the idea is to encourage a longer-lasting Cyber Command leader by setting a four-year mark and adding the possibility of another four years.
The Senate measure is now teed up for floor consideration, following the House’s passage of its own version of the bill last week. The two chambers would have to reconcile any differences into one bill before Congress could send it to the president’s desk to be signed into law.
CISA is opening a London office
The Cybersecurity and Infrastructure Security Agency’s attache office in the United Kingdom will open this month, the agency said. It’s the first attache office that the cybersecurity agency is opening.
CISA proposed an international expansion as a counterweight to Chinese influence in a document for Biden transition officials, The Cybersecurity 202 previously reported. It’s not clear whether Biden officials saw the document.
- Cybersecurity officials speak at the International Conference on Cyber Security today and Wednesday.
- The House Judiciary Committee holds a hearing on government access to personal data today at 10 a.m.
- Election officials testify at a House Homeland Security Committee hearing on election security and threats to election infrastructure and workers on Wednesday at 9:30 a.m.
Thanks for reading. See you tomorrow.
Gloss