Welcome to The Cybersecurity 202! Don’t forget to send tips to tim.starks@washpost.com.
The government is (mostly) paying heed to a key cybersecurity commission
And there's been momentum compared with last year, according to the update by the congressionally created Cyberspace Solarium Commission:
- More than 58 percent of recommendations are implemented or nearly implemented with another 27 percent on track.
- In 2021, more than 35 percent were implemented or nearing implementation and nearly 44 percent were on track.
Some of the commission’s recommendations remain among the top cybersecurity agenda items that Congress could take action on between now and the end of the year, such as legislative language to identify U.S. computer systems where a cyberattack could do massive damage, then strengthen protections for them.
But they’re not the only major outstanding legislative proposals for Congress before year’s end, with one of the pending bills being a proposal to update protections of federal agencies. And some of the commission’s recommendations, today’s report concedes, are unlikely to see action anytime in the near future. (Others require action from the executive branch.)
Sen. Angus King (I-Maine), who co-chaired the commission and chairs the follow-up organization dedicated to tracking and continuing work, told me recently that one of his 2022 priorities included establishing a Bureau of Cyber Statistics to collect data on incidents that could help policymakers assess risks. Another would fuse and share threat information between federal agencies and owners of operators of critical infrastructure.
Many commission recommendations would likely hitch a ride on the annual defense policy bill if they’re to become law at all this year. That bill has regularly become law for 61 years straight, and that’s how a great many commission recommendations have recently advanced.
That legislation, known as the National Defense Authorization Act, is home to some other major cybersecurity proposals and is due for Senate floor action in October after the House passed its version in July. The two chambers would have to negotiate a final version of the bill after Senate passage.
A tally, and some prospects
The commission draws its name from Project Solarium, a Cold War-era project led by President Dwight D. Eisenhower that itself is named after a room in the White House.
In addition to tallying progress on the commission’s recommendations, CSC 2.0, the nonprofit successor to the commission that released today’s report, has tracked progress on follow-up recommendations — bringing the total to 116. It’s also continued studying things like cybersecurity in the water sector.
“Since the publication of the first annual assessment in August 2021, Congress and the administration have made substantial progress bolstering U.S. cyber defenses by organizing and resourcing the U.S. government, cooperating with partners and allies, and enhancing collaboration with the private sector,” the report reads. “But the work is not done.”
Some of the report’s assessments might be a little optimistic. It labels the proposal on identifying and protecting ultra-vital infrastructure as “on track,” and while there have been signs of progress, industry opposition has been mounting.
But legislation that became law earlier this year that requires critical infrastructure owners to report major cyber incidents to the federal government shows how industry is willing to embrace cybersecurity legislation, King said.
“One of the things that's happening — and it's happening faster than I expected, frankly — is that the private sector is catching on that this is no joke,” King said. “Things that they perhaps didn't really relish a few years ago, like mandatory reporting, I think they're now understanding that this is really necessary.”
The commission recognizes that some of its ideas are doomed for now, such as a recommendation to consolidate cybersecurity oversight in Congress. Existing committee leaders tend not to like giving up their turf to newly created panels.
It has, nonetheless, been a very fruitful session of Congress for cyber legislation, and that remains true regardless of what happens the rest of the year.
Senate Homeland Security and Government Affairs Chairman Gary Peters (D-Mich.) has played a major role in that. But he told me in a written statement that he still wants to see action on a bill that would update an agency security law known as the Federal Information Security Modernization Act (FISMA); legislation that would update a program that governs security of cloud products for the federal government, known as the Federal Risk and Authorization Management Program (FedRAMP); and a measure to strengthen satellite cybersecurity.
“This has been one of the most productive Congresses for cybersecurity in history,” Peters said.
On the House side, Homeland Security Chairman Bennie G. Thompson (D-Miss.) and cybersecurity subcommittee chairwoman Yvette D. Clarke (D-N.Y.) also have accomplished some of their biggest cybersecurity priorities this session, such as getting more grants to state and local governments, spokesperson Adam Comis told me.
Remaining House Homeland Security Democratic priorities include legislation to strengthen the cybersecurity workforce for systems that control industrial processes such as in the manufacturing sector, and a bill to authorize into law a cybersecurity competition the Cybersecurity and Infrastructure Security Agency hosts annually.
In the meantime, I’m moderating a panel with the leaders of CSC 2.0 this morning; you can watch it here.
DHS turned down a proposal to track online harassment of election officials
In the spring, the nonprofit Center for Internet Security submitted the proposal, which sought to monitor the internet for postings of election workers’ personal information online, boost the funding for a program allowing election officials to report misinformation and add a service to track foreign disinformation, CNN’s Sean Lyngaas reports. But some of the plans stalled or were rejected after DHS officials had legal concerns and saw backlash to its Disinformation Governance Board, which DHS eventually terminated.
Florida and Colorado election officials asked officials from DHS and the Cybersecurity and Infrastructure Security Agency to approve the plan on “doxing” — when personal information about someone is posted on the internet — “before these efforts of intimidation worsen in the lead up” to this year's midterm elections. The request came as election officials have faced a rise in violent threats after former president Donald Trump and his allies falsely claimed that the 2020 election was tainted.
CISA Director Jen Easterly responded to the letter after CNN asked CISA about it. “I very much share your concerns about threats to our nation’s election officials,” Easterly wrote in the letter dated Sept. 16. “We are committed to working with you and our partners to identify mechanisms to help address this real and concerning risk.”
Some parts of the proposal aren’t being implemented, however. “While the anti-doxing and foreign influence parts of the proposal remain stalled, work on the online ‘portal’ for election officials to flag misinformation to social media platforms predated the proposal and continues today,” people familiar with it told Lyngaas. CIS spokesperson Jason Forget declined to comment to CNN.
U.S. counterintelligence agency faces challenges, Senate Intelligence Committee says
A report by the committee warned that a top counterintelligence agency’s work is being hampered by bureaucracy and funding issues, the Associated Press’s Nomaan Merchant reports. The warning comes as U.S. officials continue to warn that Chinese spies are trying to steal information from U.S. industry and government officials.
“The Senate Intelligence Committee report released Tuesday says the National Counterintelligence and Security Center, which is supposed to coordinate efforts by the U.S. government, doesn’t have a clear mission and is limited in its authority,” Merchant writes. “NCSC cannot fund or mandate programs for many government agencies or private companies that hold secrets prized by foreign spy services.”
Hackers stole $160 million from cryptocurrency firm
An executive at cryptocurrency firm Wintermute said the company remains solvent after the hack and is asking for the hacker to get in touch, the Record’s Alexander Martin reports. It’s the latest major hack in the cryptocurrency space, where hackers have stolen record sums from the burgeoning industry.
“Wintermute is a ‘market maker’ for cryptocurrency platforms, an organization that holds a large inventory of a particular asset to keep the market liquid by ensuring that traders have someone to buy and sell with,” Martin writes. It’s not clear who was responsible for the hack.
- The RH-ISAC hosts its cyber intelligence summit today in Plano, Tex.
- Your newsletter host moderates a discussion with Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), the co-chairs of Cyberspace Solarium Commission 2.0, at a Foundation for Defense of Democracies event today at 8:30 a.m.
- The House Homeland Security Committee holds a hearing on the resilience and preparedness of the water sector today at 10 a.m.
- Emily Goldman, the director of the U.S. Cyber Command/National Security Agency Combined Action Group, speaks at a Carnegie Endowment event today at 10 a.m.
- Principal deputy national cyber adviser Kemba Walden speaks at Crowdstrike’s Fal.Con conference today at 11:30 a.m.
- The Senate Intelligence Committee holds a hearing on the National Counterintelligence and Security Center, and protecting U.S. innovation today at 2:30 p.m.
Thanks for reading. See you tomorrow.
Gloss