Monday, April 8, 2024

EXCLUSIVE: Grassley knocks agencies slacking on cyber

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.

By Joseph Gedeon

— With help from Maggie Miller

Driving the day

The Senate Budget Committee’s top ranking Republican is criticizing seven federal agencies for not adequately addressing years (for some) of recommendations from the Government Accountability Office to bolster cyber defenses for critical infrastructure.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! Today is not the day to stare lackadaisically into space for a post-lunch pondering of life’s unknowns. This time, stare (with eye protection) for a purpose: the total (or partial if you’re in D.C.) eclipse.

You probably won’t see anything like it over here until the year 2200, but at that point, your AI clones probably won’t care as much.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.


Today's Agenda

The Pentagon’s principal director for trusted AI and autonomy Kimberly Sablon is joining Defense One for a virtual discussion on “Genius Machines: The dawn of the human-machine team.” 2 p.m.

Director and chief information officer at the Air Force Digital Capabilities Directorate Alexis Bonnell, acting chief digital and AI officer for acquisitions at the Defense Department Bonnie Evangelista and director of mission services at DARPA Jason Preisser are headed to the Government Executive Media Group for a virtual chat on how AI is being used in the Defense Department. 2 p.m.

On the Hill

RINSE AND REPEAT — Sen. Chuck Grassley (R-Iowa) is ripping into seven federal agencies over their sluggish efforts to lock down the nation’s critical infrastructure from disruptive cyberattacks, according to a round of letters obtained by Morning Cybersecurity.

The top Republican on the Senate Budget Committee fired off those missives Friday afternoon to the heads of the departments of Defense, Homeland Security, Energy, Transportation, Treasury, the Environmental Protection Agency and Health and Human Services – all of which have outstanding recommendations from Congress’ watchdog to beef up their cyber defenses.

Grassley is hitting the agencies on everything from their processes for reporting cyber incidents to their engagement with private stakeholders. He’s now asking for records detailing how exactly they prioritize risks across sectors like energy, finance and defense that nation-state hackers are actively targeting.

— Digging in: Some of the unanswered recommendations from the Government Accountability Office that Grassley highlighted date back years, to the Trump administration. They include a 2019 GAO report that found the EPA has to establish a process for conducting organization-wide cyber risk assessments — which still hasn’t been addressed — and a 2020 warning that the Treasury Department wasn't adequately tracking efforts by banks and other financial firms to lock down their networks.

Grassley also revived recent GAO findings that the Defense Department lacks clear policies on reporting cyber incidents impacting its contractors and that the Department of Homeland Security needs to better gauge ransomware readiness across multiple sectors it oversees.

The GAO made six recommendations in 2022 that the DOD agreed with and as of Friday, all are still open, according to the letter sent to Pentagon Secretary Lloyd Austin. The DOD declined to comment on correspondence with Congress.

“[The] EPA will review the letter and respond through the appropriate channels,” agency spokesperson Nick Conger tells MC.

“DHS responds to congressional correspondence directly via official channels,” DHS spokesperson Mia Ehrenberg told MC. “And the Department will continue to respond appropriately to Congressional oversight.”

The other agencies did not respond to requests for comment.

— One caveat: The senator is only pointing to years-old reports when it comes to the EPA, Treasury and DOD. For the rest of the agencies, including Homeland Security which houses CISA, Grassley is asking for records and redress corresponding to a late January GAO report — around 80 days later.

— Reading the tea leaves: The letter barrage shows cyber friends in the executive branch are still struggling to stay ahead of a torrent of hacks on federal agencies, ranging from the SolarWinds supply chain attack and last summer’s email hack on Commerce and State Department agencies by Chinese attackers to Russian criminal groups launching ransomware sprees and Iranian hackers targeting at least 18 industrial control systems in America’s water sector. And it shows that Congress hasn’t forgotten.

Still, while the Budget Committee is empowered to oversee the federal budget, it’s the appropriations committees that are the main panels with oversight.

“Keeping Americans safe is job one for the federal government. Yet, many of the nine agencies charged with shielding the U.S. from cyberattacks are dragging their feet on GAO’s recommendations,” Grassley tells MC in a statement. “Congress needs to know how those agencies are working to bolster critical infrastructure defense, or whether they’re asleep at the switch.”

— Show your work: Grassley set an April 19 deadline for agencies to account for their efforts to address the issues raised by GAO, including details on the number of cyberattacks impacting each critical sector.

TURNER DEFENDS FISA — House Intelligence Committee Chair Mike Turner (R-Ohio) forcefully defended the pending FISA legislation in an interview on CNN's "State of the Union" Sunday, pushing back against criticism that the bill allows warrantless surveillance of Americans.

"We are not surveilling foreigners in the United States," Turner told host Jake Tapper. "Those individuals who say, 'This is a warrantless search of Americans' data,' are just not telling the truth."

— Pump the brakes: The FISA bill up for a House vote this week would renew authorities for U.S. intelligence agencies to conduct surveillance on foreign targets located outside the United States. But lawmakers and civil liberties groups have both raised concerns about the incidental collection of Americans' communications swept up in that surveillance.

That includes Republican Sen. Mike Lee (R-Utah), who in a December hearing with FBI Director Christopher Wray called out the spy program for being used by agents to investigate contributors to political campaigns. He also cited a couple of declassified reports that showed the FBI used controversial powers to surveil protesters involved in the Black Lives Matter movement.

— In his words: Turner insisted the program is narrowly focused on foreign threats, saying it covers only "a select group of individuals who are a national security threat."

"If you're an American and you're corresponding with ISIS, yes, if we're spying on ISIS, your communications are going to be captured," Turner said. "You would want us to do that. All Americans would want us to try to make certain that we keep ourselves safe from these outside terrorist groups and organizations."

— Will it pass?: When pressed by Tapper on whether the bill has enough support to pass the House by April 19, Turner expressed confidence: "I think it does. I think it will."

At the Agencies

ARGUING THE CASE — Homeland Security Secretary Alejandro Mayorkas is gearing up for a battle on Capitol Hill this week over the administration's fiscal year 2025 funding request for CISA.

In back-to-back appearances before House and Senate appropriators on Wednesday, Mayorkas plans to "fight for the dollars that we need," he told Maggie on Friday during a reporter roundtable at DHS headquarters.

“It’s an especially important year for CISA … the number of cyberattacks is not diminishing,” he said.

— By the numbers: DHS requested $3 billion for CISA’s 2025 budget, just slightly above the $2.9 billion granted to the cyber agency in fiscal year 2024. The 2025 fiscal year begins in October, just weeks ahead of the November election, in which CISA will play a key role.

Despite efforts by some Republicans in the past year to drastically cut CISA’s funds, Mayorkas pointed to the election and to other rising nation-state threats in stressing CISA’s criticality.

He plans to argue that CISA’s full budget is vital to “battle different threat vectors” — including physical threats to election officials, cybersecurity risks and “the spread of disinformation, especially by adverse nation states.”

— What’s been working: One of CISA's main counter-disinformation initiatives is its "Rumor vs. Reality" webpage, which Mayorkas touted as a key part of DHS' strategy. A similar "rumor control" site partially prompted Donald Trump to fire the agency's leadership in 2020 over his unsupported claims of voter fraud.

Critical Infrastructure

THE FUTURE IS FEAR — Critical government programs millions of Americans rely on for basic needs like food and health care could become prime targets in future cyberattacks aimed at sowing chaos and undermining faith in U.S. institutions, a report out today from the Center for Strategic and International Studies warns.

The report on eroding trust in government — drawing on six wargames and input from dozens of cyber experts — outlines scenarios where hackers disrupt services like SNAP and Medicaid during elections to stoke panic on the most vulnerable members of society.

— A note to note: Foreign adversaries are also increasingly looking to pair such disruptive cyberattacks with the theft of U.S. intellectual property and aggressive disinformation campaigns for a double whammy assault on American stability and global competitiveness, CSIS concluded after surveying more than 1,000 cyber analysts.

CSIS recommended the federal government take steps to increase the cybersecurity of basic services, enhance public education campaigns around cybersecurity and establish a cyber reporting organization within the government, an idea lawmakers have previously floated on Capitol Hill.

Tweet of the Day

An interesting thread on the Xz backdoor from an engineering director at Google on the power of authentication, but we at MC want to remind institution overlords of the power of privacy.

Source: https://twitter.com/infernosec/status/1776706388435362244

Quick Bytes

BIG MONEY — The price of hacking tools that exploit unpatched vulnerabilities in popular software for Androids and iPhones has skyrocketed in recent years, writes Lorenzo Franceschi-Bicchierai for TechCrunch.

SECRET’S OUT — The identity of Yossi Sariel, the closely guarded commander of Israel's powerful surveillance Unit 8200, was inadvertently exposed online through an embarrassing security lapse linked to a book he published on Amazon under a pseudonym. The Guardian’s Harry Davies and Bethan McKernan have the story.

IS IT SPY POWERS TIME? — Speaker Mike Johnson kicked off another round of debate as the House is expected to vote this week to reauthorize and make changes to Section 702, reports POLITICO’s Jordain Carney.

Chat soon. 

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).
