Tuesday, July 5, 2022

Cyber priorities for the rest of 2022

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.

By Sam Sabin

Quick Fix

Believe it or not, 2022 is officially halfway over, and both the Biden administration and Congress have a long cyber to-do list staring them down before the year is up.

DOJ has set a September 2023 goal of having two-thirds of all ransomware cases reported to the feds — but first it needs to figure out how many total ransomware attacks there are to begin with.

A recent Supreme Court ruling could hinder some agencies' abilities to regulate data privacy and cybersecurity issues without congressional approval.

HAPPY TUESDAY, and welcome back to Morning Cybersecurity! I'm your host, Sam Sabin, and I'm keeping everyone who faced a dreaded flight delay or cancellation during the holiday weekend in my thoughts. It's rough out there.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You'll also receive daily policy news and other intelligence you need to act on the day's biggest stories.

Have any tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you've got to ssabin@politico.com. Follow along at @POLITICOPro and @MorningCybersec. Full team contact info below. Let's get to it.

THE COUNTDOWN IS ON — It's the beginning of July: The summer heat is here, the fireworks are popping and the grills are heating up. But this month also marks the end of the first half of the year — and with it comes a midterm-election-induced rush by the White House and Congress to get officials' top priorities across the finish line before the end of the year.

Here's a sliver of what MC is expecting everyone from congressional aides to Biden administration officials to be zeroing in on in cyber world during the next six months:

Cyber items in the NDAA and next year's budget: As usual, this year's National Defense Authorization Act and proposed cyber budgets across agencies are angling to beef up the amount of money going toward lawmakers' cyber goals. In the House, lawmakers are looking to give CISA a $3 billion budget in fiscal year 2023, a 13 percent increase from last year's enacted levels. And in the Senate, lawmakers are eyeing the creation of a new assistant secretary role at the Pentagon focused on cyber policy as part of this year's NDAA.

Ranking critical infrastructure: For years, lawmakers have been trying to push forward a recommendation from the congressionally mandated Cyberspace Solarium Commission that would clarify which of the 16 critical infrastructure sectors are the most crucial. The proposal aims to help better direct CISA and other agencies' cyber resources, and it's a key legislative priority for retiring House lawmakers Reps. Jim Langevin (D-R.I.) and John Katko (R-N.Y.), who could make one last attempt to get this proposal out the door before leaving at the end of the year.

Kickstarting mandatory incident reporting: Now that Congress has passed highly anticipated mandatory incident reporting legislation, it's up to Congress to make the program a reality. While the agency has up to two years to start rulemaking to figure out the program's parameters, CISA executive director Brandon Wales has said the agency is "going to try to move a little bit more quickly than that" — suggesting we could have a better idea of its updated timeline by the end of the year.

Ransomware

ALL ABOUT THE NUMBERS — The Justice Department set a lofty strategic goal Friday of ensuring that at least two-thirds of all ransomware attacks in the U.S. are reported to law enforcement – by September 2023. But DOJ is bound to hit one major obstacle just out of the gate: no one has a good way of measuring the number of ransomware attacks.

What's the problem: Ransomware analysts have long cautioned that it's difficult to know the true number of ransomware incidents. Many reports published by cybersecurity firms and law enforcement officials rely either on the victims reporting the incidents to those firms (which doesn't always happen) or ransomware gangs posting about the attack on their dark web extortion sites (to which researchers and law enforcement officials have varying levels of access).

This reality will make measuring DOJ's benchmark difficult. As Emsisoft threat analyst Brett Callow pointed out last week, "the details relating to many incidents remain in the shadows, sometimes being intentionally obfuscated, and it's simply not helpful." And Eric Goldstein, executive assistant director for cybersecurity at CISA, has said the lack of reporting has made defending against ransomware attacks much harder.

Slowly, but surely, fixing the problem: CISA and DOJ launched the StopRansomware.gov program nearly a year ago to encourage more businesses to report ransomware attacks to the federal government, but it's unclear how effective the initiative has been so far. CISA's forthcoming program requiring critical infrastructure operators to report significant cyber incidents within 72 hours, and ransomware payments within 24 hours, will also help a bit with this problem — but it's not a total solution. Not all companies will need to follow these rules, and CISA still has a few years left to stand up the program.

Other cyber goals: DOJ also pledged to continue its work to both prosecute those behind cyberattacks and disrupt the online infrastructure they use to launch those attacks, such as botnets.

At the Agencies

CHANGE IN THE RULES — The Supreme Court's ruling late last week restricting the Environmental Protection Agency's ability to issue climate-protecting rules could also have ramifications for agencies trying to regulate certain cybersecurity and privacy issues, experts tell MC.

The court ruled 6-3 in the case West Virginia vs. EPA on Thursday that the EPA went beyond its stated regulatory statute in a 2015 rule aimed at transitioning the country away from coal and toward natural gas and renewable sources. The majority opinion argued that because Congress didn't explicitly authorize the agency to make such a rule, the EPA went beyond the scope of its powers. That opinion may have a detrimental impact on other agencies trying to regulate, on their own authority, many of the problems under their purview during the current narrowly divided congressional session.

John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council, a tech trade group, told MC in an email over the weekend he's specifically watching to see what impact this ruling has on the Federal Trade Commission. The agency has already accepted comments for possible rules focused on regulating commercial surveillance and lax data security practices, and it's weighing next steps while Congress struggles to negotiate rules of its own.

Add it to the list: In an emailed research memo shared with MC, Blair Levin at New Street Research said it won't be known "for a long time" which exact issues will be affected. Levin also warned there could be "higher risk that any FCC or FTC rulemaking will be overturned in court." (The FCC has been weighing some of its own cybersecurity-specific rules.)

But many experts also note that most cyber regulations could be safe, since Congress has already authorized most of them. Mark Montgomery, executive director of the Cyberspace Solarium Commission, said he doesn't see many cases where the ruling would "jeopardize ongoing efforts to work with critical infrastructure sectors" because most of the existing rulemakings aren't "a mismatch with congressional guidance."

Getting through Congress: Miller agreed there are a few upcoming cyber rulemakings safe from the Supreme Court ruling because Congress has either authorized them or is in the process of doing so. For example, Miller said, Congress is the one that's charging CISA with establishing its forthcoming mandatory cyber incident reporting program.

Vulnerabilities

HACKING THE PENTAGON — The Department of Defense is offering monetary awards this week to ethical hackers who report high-risk security vulnerabilities in the Pentagon's system to the agency. Working with vulnerability reporting company HackerOne, the Pentagon is awarding hackers $1,000 for each critical vulnerability they discover and report, $500 for "high severity" flaw reports and $3,000 for "additional special categories," according to a media release.

People on the Move

Jeff Greene is joining Aspen Digital as its senior director for cybersecurity, according to our pals at NatSec Daily. He was most recently the chief of cyber response and policy at the National Security Council.

Tweet of the Day

A bittersweet note from cyber-focused lawmaker Rep. Jim Langevin (D-R.I.) from the holiday weekend: "This is my last Fourth of July as a member of Congress, and it is bittersweet. But I can't think of anywhere I'd rather celebrate than at the oldest Independence Day parade in the country. Thank you to everyone who came out to Bristol today!"

Quick Bytes

— ICYMI: The State Department is offering a reward of up to $10 million for any information about foreign interference in U.S. elections. (POLITICO)

— Google said it plans to delete users' location data and other personal data if they visit an abortion clinic following the Roe ruling. (POLITICO)

— A hacker with the username "ChinaDan" claims to have stolen more than 23 terabytes of personal information about 1 billion Chinese citizens from the Shanghai police. (Reuters)

— Cybersecurity experts are poking holes into the validity of Microsoft's recent report detailing lessons from the "cyber war" in Ukraine. (CyberScoop)

— DTEK Group, a Ukrainian private energy conglomerate, claims Russian hackers have tried to attack its systems in retaliation for the owner's opposition to the Russian war in Ukraine. (CNN)

— Macmillan, one of the largest book publishers in the United States, confirmed a cyberattack has shut down its IT systems and disrupted operations. (TechCrunch)

Chat soon. 

Stay in touch with the whole team: Eric Geller (egeller@politico.com); Konstantin Kakaes ( kkakaes@politico.com); Maggie Miller (mmiller@politico.com); Sam Sabin (ssabin@politico.com); and Heidi Vogt (hvogt@politico.com).
