Monday, May 13, 2024

The never-ending cyber disclosure drama

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.

By Joseph Gedeon

With help from Rebecca Kern

Driving the day

— Some cybersecurity industry leaders worry the SEC cyber reporting rule will make executives scapegoats for breaches and potentially drive them out of the industry — even though the Biden administration has vowed repeatedly to protect it.

HAPPY MONDAY and welcome to MORNING CYBERSECURITY! Feeling a little jealous of all the people who were able to catch the extraterrestrial wonder of those “Northern Lights” in our area. The only thing I was able to look at this weekend post-RSAC has been the back of my eyelids.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X, formerly Twitter, at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.


Today's Agenda

Ambassador at Large for Cyberspace and Digital Policy Nate Fick and CISA Director Jen Easterly are headed to the Atlantic Council for a discussion on how to implement the new U.S. international cyberspace and digital policy strategy. 1 p.m.

Industry Intel

SPEAKING FOR THE CISOs — The battle over the SEC's cyber incident reporting rule for public companies raged on at the RSA Conference, with cybersecurity firm Trellix CEO Bryan Palma siding with Washington’s biggest critics against the controversial mandate.

During a conversation with MC in a boardroom inside San Francisco’s dizzying Intercontinental Hotel on the edges of the conference, Palma expressed deep concerns that incident reporting rules gloss over the roles of C-suite security execs. He said it could very well lead to a talent exodus from an already strained pool at a time when the cyber workforce gap is already staggering.

"I think most CISOs are out there, advocating and working to protect their organizations," Palma said. "Many of them are worried now with the SEC … that they're going to be held personally liable for breaches,” similar to the 2016 Uber case where its chief security officer was ultimately sentenced to three years of probation.

— Disappearing act: Palma warned that administration actions like the SEC cyber rules "may actually have a counter effect.”

“It may force good people out of the profession, which in cybersecurity, is not what we need."

— The lines to consider: The SEC rule, which took effect late last year, requires public companies to disclose a cyber incident within four business days of determining that it is material. Critics like House Homeland Security’s cyber subcommittee chair Andrew Garbarino (R-N.Y.) argue it creates unintended national security risks by forcing disclosure of sensitive details that could attract more attackers, or be weaponized by them, as the BlackCat ransomware gang did when it reported one of its own victims to the SEC.

POLITICO was first to report that the Biden administration has vowed to veto efforts to undo the SEC requirements, arguing they protect investors, strengthen cyber defenses and improve transparency around digital vulnerabilities and cyber threats. That veto threat already prompted Sen. Thom Tillis (R-N.C.) to pull back the Senate version of a reversal, one he was already struggling to build support for.

— Where industry and the Congress meet: Garbarino has recently been pushing to kill the SEC rule by working to add a measure under the Congressional Review Act during an upcoming House Financial Services markup (a committee he’s also a part of) this month.

To Garbarino, the SEC rules not only undercut CIRCIA, the 2022 law that requires CISA to develop and issue regulations for how critical infrastructure owners report cyber incidents, but also run contrary to both congressional and White House intent.

— A role for regulation: When Morning Cyber asked Palma what he thinks would be a better solution, he didn't dismiss all cybersecurity regulation, saying "There's a role for the government to play by having thoughtful regulation."

He pointed to the (non-cyber) Sarbanes-Oxley Act in 2002 as an example of financial reporting regulation that "raised the profile for cybersecurity, in private companies, and also raised the profile for CISOs, which I think was a positive thing overall."

— One thing to remember: Despite being primarily about financial reporting and auditing rules, the law forced companies to pay more attention to IT controls over financial data and reporting systems.

And while it created more transparency and accountability for public companies, it still didn’t sit right with every C-suite, which faced high costs to comply with its auditing and reporting rules.

On the Hill

THE TYPHOON IN THE ROOM — Sen. J.D. Vance (R-Ohio) is seeking extensive details from CISA about the Chinese state-linked hacking group known as Volt Typhoon.

In a letter to CISA director Jen Easterly ahead of the weekend, Vance outlined concerns about how Volt Typhoon has deeply embedded itself across U.S. critical infrastructure networks. He warned the group’s access poses risks of potential “disruption or destruction” during heightened geopolitical tensions.

— Nine-part inquiry: Vance gave Easterly until May 24 to answer a series of questions, including how Volt Typhoon initially breached systems, what prompted CISA's urgent February warning on the threat, which critical infrastructure sectors have been impacted beyond energy/utilities, the total number of compromised devices, which agencies and information sharing hubs are involved in the response, CISA's mitigation efforts so far and a count of related incident reports since January 2023.

— The backdrop: The request comes after top cyber diplomat Amb. Nate Fick told reporters at an RSA Conference roundtable that Volt Typhoon came up “directly” in U.S.-China talks last month, when top officials joined U.S. Secretary of State Antony Blinken on a trip to China to meet Chinese President Xi Jinping. Fick said Blinken told Chinese officials that the Volt Typhoon intrusions were “dangerous,” “escalatory” and “unacceptable.”

— And this is pretty important: Fick told reporters at RSAC last Tuesday the two countries were set to meet again in a third country to discuss AI soon. POLITICO’s Mohar Chatterjee and Doug Palmer report that the U.S. and Chinese delegations will meet in Geneva this Tuesday to discuss “technical risks” with AI, according to senior administration officials.

— Join the club: It also follows months of CISA, White House, intelligence officials and security firms beating the drum on the massive threat Volt Typhoon poses to American networks, culminating in a late January disruption of the KV Botnet on outdated U.S. routers and critical infrastructure networks.

It’s a tight timeline for Easterly, but top cyber and intel officials have long warned lawmakers on the Hill about the Chinese state-backed hacking threat, and CISA already proclaimed in a February advisory that Volt Typhoon is pre-positioning itself for potential future attacks.

HOUSE E&C LEADERS WANT TO SUNSET SECTION 230 — House Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.) and ranking member Frank Pallone (D-N.J.) released a two-page draft bill that would sunset Section 230 of the Communications Decency Act, the tech industry’s liability shield, on Dec. 31, 2025.

The lawmakers said in a Wall Street Journal op-ed on Sunday that the proposal would require tech companies to work with Congress over the next 18 months to develop a new framework for free speech while also ensuring the platforms are safe.

— On the clock: “Sunsetting Section 230 will require Congress and stakeholders to create a solution that ensures accountability, protects innovation and free speech, and reflects the realities of the digital age,” the lawmakers wrote.

Sen. Lindsey Graham (R-S.C.) said earlier this year that he’s also working on legislation to sunset Section 230 in the Senate.

— Big question: The E&C leaders didn’t say what exactly they’d replace Section 230 with. That has been a point of contention for years, with Democrats calling for platforms to remove more hate speech and harmful content, and Republicans urging platforms to allow more speech and stop censoring conservative viewpoints.

Section 230 has only been updated once since it was enacted in 1996, with a law in 2018 that peels back liability protections when it comes to online sex trafficking.

Tweet of the Day

Keep an eye on this thread: @matthew_d_green on X, https://twitter.com/matthew_d_green/status/1789687898863792453

Quick Bytes

LATEST ON ASCENSION — Ascension Health is reporting progress in restoring its systems following a cyberattack, all while collaborating with law enforcement agencies. David Harris with CRN has the story.

SOLAR STORMS — A solar storm affected high-precision GPS in tractors crucial for planting, forcing farmers to stop operations, reports Jason Koebler for 404Media.

“Russia is ramping up sabotage across Europe” (The Economist)

Chat soon.

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).

 

Follow us on Twitter

Heidi Vogt @HeidiVogt

Maggie Miller @magmill95

John Sakellariadis @johnnysaks130

Joseph Gedeon @JGedeon1

