The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Cybersecurity legislation is waiting in the wings

Analysis by
October 18, 2021 at 7:41 a.m. EDT

Good morning and welcome to The Cybersecurity 202. It's my last day at the helm before your regular host Joe Marks returns … thanks for sticking with me these past few weeks!

Below: Financial institutions reported more than $590 million in payments tied to ransomware attacks in the first half of 2021 and North Korean hackers have their Twitter accounts suspended.

The ground is fertile for cybersecurity legislation

Members of Congress have proposed a range of cybersecurity legislation that could make it to President Biden’s desk amid a ransomware epidemic and major hacks by groups linked to China and Russia.

Broadly, the bills aim to strengthen the government’s response to hacks like ransomware, which has hit critical infrastructure sectors like pipelines and food production and emerged as a “core national security challenge,” according to Biden.

Here's a run-through of what to watch:

1. Critical infrastructure reporting bills

Members of Congress have presented competing proposals to require critical infrastructure entities to report hacks. Though the bills offer different visions, scope and details, they broadly seek to require key U.S. sectors to tell the government about hacks.

In the months since the Colonial Pipeline ransomware attack in May, they’ve introduced three bipartisan bills to require critical infrastructure entities to report cyberattacks to CISA so the agency can have more insight into the hacking ecosystem. Top Biden administration officials like CISA Director Jen Easterly and Director of National Intelligence Avril Haines have endorsed the push.

But Easterly told Congress that it should give CISA flexibility about what those requirements would end up looking like.

The requirements themselves have become the distinguishing differences among the bills. 

A bipartisan proposal spearheaded by Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) would require critical infrastructure operators to report hacks within just 24 hours. Warner’s bill has drawn the ire of some industry groups, which say that’s too little time and could take away key resources.

On the other hand, Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) has introduced a bipartisan proposal with a 72-hour requirement. 

Warner said in September that he hopes to merge his bill with Peters’s bill. 

Warner’s end goal: attach the final bill to the Senate’s annual defense authorization bill.

Meanwhile, on the House side, Rep. Yvette D. Clarke (D-N.Y.), who chairs the House Homeland Security Committee’s cybersecurity subcommittee, introduced a more flexible bill that would set up a Cyber Incident Review Board at CISA for critical infrastructure operators to report incidents. The review board is also a feature of Peters’s bill. But Clarke’s proposal prohibits the government from requiring critical infrastructure to report breaches in less than 72 hours.

Her measure passed as part of the House’s defense authorization bill, which still needs to be approved by the Senate.

2. The annual defense authorization bill

The Senate still has to pass its annual defense authorization bill. Besides Clarke’s critical infrastructure legislation, dozens of other cybersecurity measures made it into the $768 billion package passed by the House, including:

  • Language shielding the CISA director from politics with a five-year term
  • $500 million in annual state, local, tribal and territorial cybersecurity grants
  • Authorization for a State Department program incentivizing security researchers to find and report cybersecurity vulnerabilities

Rep. Jim Langevin (D-R.I.), who chairs the House Armed Services Committee’s cybersecurity panel, touted a provision that directs the Department of Homeland Security to set up a system for the U.S. government to share sensitive information about cyber threats with critical infrastructure. 

  • Its cloud-based analytics would facilitate real-time collaboration as opposed to email-based communication, Langevin told me.
  • CISA’s new Joint Cyber Defense Collaborative is a “perfect place” to house that program, Langevin said.

3. Infrastructure and spending bills

Lawmakers have also tried to pack cybersecurity provisions in the massive infrastructure and social spending bills that Congress is considering. But the legislation faces uncertainty on Capitol Hill, where Democrats are feuding about how expansive — and expensive — their reconciliation bill should be.

Liberal Democrats in the House want a $3.5 trillion bill to keep funding for liberal priorities, while moderates in the Senate, whose votes are needed to pass the legislation, say that’s too much spending.

The House’s proposal includes hundreds of millions of dollars in additional funds for CISA over the next decade.

The fate of a smaller $1 trillion infrastructure package that the Senate passed in August is also uncertain. Liberals in the House have stalled the bill until they reach an agreement on the social spending bill.

The Senate-passed infrastructure bill, which is more than 2,700 pages long, includes:

  • $21 million in funding for National Cyber Director Chris Inglis’s office
  • New authorities for DHS to declare a “significant incident” when there’s a devastating hack and provide funds to affected entities
  • $1 billion in grants to state, local, tribal and territorial governments for cybersecurity over the next four years

In an interview, Clarke called the state and local grants “critical” because the funding would go toward defending against “semi-local threats that go unrecognized.” The program, she added, “would provide the type of assistance to our state, local [and] tribal governments to really build out a strong and robust cyber defense.”

The keys

The U.S. government identified more than $5 billion in transactions potentially related to ransomware

“Payments tied to ransomware attacks in 2021 are already exceeding 2020's total, the U.S. government's financial crimes watchdog said Friday,” CoinDesk's Nikhilesh De reports.

“Exchanges and other financial institutions reported more than $590 million in payments tied to ransomware attacks, including cryptocurrency payments, to the Financial Crimes Enforcement Network (FinCEN) in the first half of 2021, outstripping a 2020 total of just $416 million,” Nikhilesh writes. “It was not immediately clear what amount of this total was comprised specifically of cryptocurrency transactions, versus more traditional payment methods.”

U.S. firms have increased their reporting of suspicious ransomware payments, according to FinCEN. The surge comes after the Treasury Department warned firms in October 2020 that facilitating ransomware payments could trigger the reporting requirements.

Cybersecurity firms responding to the hacks sent more than 60 percent of the 635 suspicious activity reports that FinCEN received in the first half of 2021, FinCEN said, adding that its analysis “indicates that ransomware is an increasing threat to the U.S. financial sector, businesses, and the public.”

Hackers showed off vulnerabilities in Apple, Google and Microsoft software at a Chinese hacking competition

Security researchers who showed off their hacks at the prestigious Tianfu Cup were awarded $1.88 million in prize money, the Record’s Catalin Cimpanu reports. The two most stunning exploits were on a fully up-to-date iPhone and the Google Chrome web browser.

“The competition, now at its fourth edition, took place using the now-classic rules established by the Pwn2Own hacking contest,” Catalin writes. “In July, organizers announced a series of targets, and participants had three-to-four months to prepare exploits that they would execute on devices provided by the organizers on the contest’s stage… Researchers had three 5-minute attempts to run their exploits, and they could register to hack multiple devices if they wished to increase their winnings.”

“However, all eyes were on this year’s competition for another reason, namely that one of the iOS exploits showcased at last year’s competition was used in a cyberespionage campaign carried out by the Beijing regime against its Uyghur population,” Catalin writes. 

Twitter suspended two accounts used by North Korean hackers

The two accounts posed as security researchers and each had fewer than 1,000 followers, Catalin writes. The accounts were “directly related” to a campaign Google exposed in January, Google Threat Analysis Group analyst Adam Weidemann said.

The North Korean hackers built Twitter accounts to build credibility with the security research community, Google said in January. Then, they would ask to collaborate with a researcher, hacking them in the process. Some researchers were also hacked after visiting a link on Twitter to a cybersecurity blog, Google also said.

Global cyberspace

South Korea seeks Interpol notice for two cyber gang leaders (Associated Press)

Privacy patch

Facial recognition cameras arrive in UK school canteens (Financial Times)

Cyber insecurity

Sinclair TV stations disrupted across the US in apparent ransomware attack (The Record)

Daybook

  • National Cyber Director Chris Inglis, CISA Director Jen Easterly, FBI Deputy Director Paul Abbate and NSA Director of Cybersecurity Rob Joyce speak at a McCrary Institute event on public-private cybersecurity partnerships on Tuesday at 9 a.m.
  • Homeland Security Secretary Alejandro Mayorkas and Easterly speak at the CISA’s annual cybersecurity summit on Wednesday.
  • CISA Executive Director Brandon Wales speaks at the Cyber Future Summit on Wednesday at 1 p.m.
  • Bob Kolasky, who leads the DHS’s National Risk Management Center, speaks at FAIRCON21 on Wednesday at 2 p.m.
  • Mayorkas testifies before the Senate Judiciary Committee on Thursday at 10 a.m.
  • Easterly speaks at the Capital Cyber Summit on Friday at 8 a.m.
  • Inglis participates in an American University Washington College of Law event on Friday at 10:30 a.m.
  • House Veterans' Affairs Committee Chairman Rep. Mark Takano (D-Calif.) discusses law enforcement algorithms at a Brookings Institution event on Oct. 25 at 3 p.m.

Secure log off

Thanks for reading. See you tomorrow.