Published on April 18th, 2022

Lawmakers try to get ahead of cyber war’s quantum leap- POLITICO


With help from Maggie Miller

— House lawmakers are hoping to get ahead of the quantum computing curve with new legislation to protect federal agencies from the hacking risks connected to this emerging tech.

— As the Biden administration mulls further actions against Kaspersky, former officials break down what’s at stake in their decision to sanction the Russian cyber firm further.

— And as CISA sets up rules for its own incident reporting program, companies are preparing to navigate a web of reporting obligations worldwide.

HAPPY MONDAY, and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin. Hopefully your family was able to find all of the Easter eggs you hid for the annual hunt — or that you at least used plastic eggs or marked where you hid them all. No one wants to end up like Kirk in Gilmore Girls, when he spent days looking for dozens of lost eggs in the town square.

Have tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you’ve got to [email protected]. Follow along at @POLITICOPro and @MorningCybersec. Full team contact info below. Let’s get to it:

BEING PROACTIVE — A bipartisan group of House lawmakers led by Rep. Ro Khanna (D-Calif.) will introduce legislation today aimed at getting ahead of one of the most significant cybersecurity concerns tied to quantum computing: hackers relying on these advanced devices to decrypt stolen encrypted messages.

As Maggie writes in, the Quantum Computing Cybersecurity Preparedness Act would build on the Commerce Department’s preemptive efforts to fend off possible attempts by foreign intelligence services to use quantum computers, once they’re available, to gain access to secure government information. While quantum computing isn’t widely available yet, encryption experts have warned for years that devices powerful enough to handle it could more easily unlock encrypted messages — and that hackers have already started collecting encrypted files so they can access them once quantum computers are available.

“We are all, in Congress, reactionary — we wait until something is hacked, we wait until there is a leak, we wait until there is a breach,” Khanna told Maggie. “What this is trying to do is be forward-thinking.”

What the bill does: The legislation adds to ongoing work at the National Institute of Standards and Technology to establish sufficiently tough cryptography standards for non-quantum federal systems. The bill would require the Office of Management and Budget to work with the federal chief information officer’s office to make sure NIST’s standards are implemented in all federal systems within a year after their release. (A draft of those standards could come as late as 2024: https://csrc.nist.gov/Projects/post-quantum-cryptography/workshops-and-timeline.) OMB would also submit a report to Congress on what else is needed to keep hackers out of quantum computers.

Who’s supporting it: Sponsors include Rep. Gerry Connolly (D-Va.) and Rep. Nancy Mace (R-S.C.). Connolly leads the House Oversight and Reform Committee’s government operations subcommittee, which has jurisdiction over the bill.

Khanna, who represents parts of Silicon Valley, also said several major technology companies, including Google and IBM, are endorsing the legislation. While these companies weren’t involved in crafting the bill language, Khanna said his office worked with their teams since they “understand the importance of encryption.” IBM spokesperson Miki Carver confirmed the company is endorsing the bill and pointed to a blog post published last year about the company's embrace of quantum tech. A spokesperson for Google did not respond to a request for comment Sunday.

A DIFFERENT BALL GAME — Russian cybersecurity firm Kaspersky has been squarely in the West’s crosshairs ever since the Russian invasion of Ukraine nearly two months ago.

While several European countries have moved to strip the company’s products from its networks, the Biden administration has reportedly been considering sanctions that would bar any U.S. transactions with Kaspersky and freeze its American assets.

But former U.S. cybersecurity officials tell MC that part of the reason the administration hasn’t moved forward with those sanctions is that it’s using a different risk calculus. U.S. sanctions against companies over concerns of spying for an enemy country, like those targeting Chinese telecommunications company Huawei, weren’t levied in response to an ongoing war, for instance. What would make Kaspersky’s sanctions so different:

It’s all about messaging: Kaspersky’s sales in the United States have dropped “drastically” since the federal government stopped using its services in 2017, said Jim Lewis, a senior vice president at the Center for Strategic and International Studies and former senior adviser for a few UN expert groups. So sanctioning Kaspersky would be more of a messaging play than in more typical cases like Huawei, where sanctions are aimed at destabilizing a foreign company and forcing it out of the U.S. market.

“This is icing on the cake,” Lewis said. “It’s not a bad thing to do, it sends a good message, but we’ve already hurt Kaspersky almost as much as we can.”

It could weaken some countries’ cybersecurity: Imposing sanctions on Kaspersky could have unintended consequences “for customers in countries that abide by U.S. sanctions” and force them to switch cybersecurity providers during the height of the Russia-Ukraine crisis, said Michael Daniel, CEO of the Cyber Threat Alliance and a former Obama White House cybersecurity coordinator. “Making such a switch is not easy, and it would certainly decrease global cybersecurity for a period of time,” he said.

Increased Russian retaliation? While the country has yet to see the deluge of Russian cyberattacks that the president warned about last month, some officials caution that further Kaspersky sanctions could finally spur Moscow’s hackers into action. But Lewis isn’t convinced: “Adding one more sanction to the pile isn’t going to change the Russians’ minds on whether to retaliate.”

MR. WORLDWIDE — At nearly every session at the International Association of Privacy Professionals’ Global Privacy Summit last week, the same concern about CISA’s forthcoming mandatory cyber incident reporting program kept coming up: How are the new rules going to differ from the pile of similar rules other countries are passing?

In the last year, at least three governments — the European Union, the United Kingdom and Australia — have weighed updates to their cyber incident reporting programs, in order to cover more companies, speed up the timeline for reporting attacks, levy fines against noncompliant companies and more.

As CISA starts to weigh how to implement its own incident reporting program, approved by Congress last month, let’s run down some key similarities and differences:

The European Union: European and British officials are both considering changes to their network and information systems regulations, which already include mandatory reporting of cyber incidents, to bring more companies under these rules and to speed up the timeline for communicating with government agencies.

Members of the European Parliament are seeking to expand their existing program to cover all medium-sized and large organizations that operate within several critical infrastructure sectors. Companies would have 24 hours to submit an initial report about the incident and one month to submit a final report. The proposed changes also include maximum fines of at least 10 million euros or 2 percent of total global revenue for organizations that don’t report properly. That could create headaches for companies affected by both sets of rules: CISA’s program will only require reporting of incidents within the first 72 hours and of ransomware payments within the first 24, and it won’t fine non-compliant organizations.

The United Kingdom: U.K. regulators are considering a few of the same changes as the EU, as well as tweaks to what kinds of incidents companies need to report. The U.K. could also adopt fines and the EU’s proposed two-tiered reporting timelines. Because CISA hasn’t yet defined which companies are covered entities in its rulemaking process, it’s also possible the list of affected organizations will differ between the two countries.

Australia: Australia implemented a new cyber reporting program earlier this month, known as the Security Legislation Amendment (Critical Infrastructure) Act of 2021, that gives affected critical infrastructure operators up to 12 hours to share details about a “critical” incident with the Australian Cyber Security Centre — one of the tightest reporting timelines globally. While CISA will only focus on “significant” cyber incidents, Australia’s rules require affected entities to report both critical and noncritical incidents. While Australian operators have 12 hours for critical reporting under the new rules, they still have 72 hours to report incidents that aren’t critical, as U.S. operators do under CISA rules.

CONNECTING THE DOTS — Researchers at Arctic Wolf and Tetra Defense worked with blockchain analysis firm Chainalysis on a report released Friday to analyze cryptocurrency transactions sent to data extortion group Karakurt, which has targeted dozens of companies since it started operating in August. They found that oftentimes, Karakurt operators ended up forwarding their earnings to wallet addresses linked to Conti, suggesting that Karakurt is a Conti offshoot rather than its own group.

In case you didn’t have luck finding all of those Easter eggs, a hot tip from Proofpoint threat analyst Joshua Miller: “Parenting Hack: Relax while you let your kids re-hide the eggs and then ask for their help finding them!”

— CISA Director Jen Easterly said in a “60 Minutes” segment she's most concerned Russian hackers will go after the energy and finance sectors as the war in Ukraine continues. (CBS)

— Financial lobbying groups are worried that cybersecurity proposals under consideration at the Securities and Exchange Commission are going too far and could be too prescriptive. (The Wall Street Journal)

— “A $620 million hack? Just another day in crypto.” (MIT Technology Review)

— A New Jersey regulator warned T-Mobile customers about an ongoing, unblockable text messaging-based phishing campaign that’s sending malicious links in text messages. (BleepingComputer)

— A class action lawsuit against data broker Otonomo claims the company is secretly harvesting the real-time geolocation data from “tens of thousands” of vehicles in California. (Motherboard)

— “The Incredible Rise of North Korea’s Hacking Army” (The New Yorker)

Chat soon.

Stay in touch with the whole team: Eric Geller (egeller@politico.com); Konstantin Kakaes (kkakaes@politico.com); Maggie Miller (mmiller@politico.com); Sam Sabin (ssabin@politico.com); and Heidi Vogt (hvogt@politico.com).