Monday, November 18, 2024

This week’s cyber hearings are next year’s battles

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.

By Joseph Gedeon

With help from John Sakellariadis

Driving the day

— It’s one of the Democrats’ last chances to shape the narrative on cyber threats before Republicans take control of the Senate and complete a GOP trifecta on all branches of the government.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! If you ask me, the only winner of the Jake Paul and Mike Tyson fight is Netflix for successfully swindling my time on a Friday night.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.

Today's Agenda

White House Deputy Assistant National Cyber Director for critical infrastructure cybersecurity policy Brian Scott, DHS Science and Technology Directorate’s Ernest Wong and the Federal Aviation Administration’s Deputy Associate Administrator for commercial space transportation Michael O’Donnell are headed to the 2024 CyberSat conference. Starts at 8:30 a.m.

The Wilson Center's Latin America Program will hold a virtual discussion on AI governance in Colombia. 9:30 a.m.

Former DHS Secretary Michael Chertoff is joining a panel to discuss AI governance for lawyers and executives with the American Bar Association. 1 p.m.

On the Hill

FINAL PUSH — Congress is back from its post-election hibernation and lawmakers are cramming in at least one more cyber push this lame duck session. Three hearings this week could set the stage for how a divided Congress handles cyber threats under a GOP legislative trifecta. Here's what you need to know.

— The China split: Sen. Richard Blumenthal’s (D-Conn.) Senate Judiciary subcommittee hearing on Chinese cyber threats would normally be just another China-focused session. But with Republicans taking the Senate gavel in January with a firm grip, this is Democrats' last chance to frame the debate their way.

The hearing on Chinese cyber threats comes after a year marked by aggressive state-sponsored campaigns. Those range from Volt Typhoon’s hacking of hundreds of outdated routers and critical infrastructure networks to a monthslong espionage campaign breaching AT&T, Verizon, Lumen Technologies and T-Mobile.

Blumenthal’s hearing may again focus on a key Democratic strategy: linking Chinese cyber threats to oversight of tech giants.

The Republican playbook looks slightly different. Subcommittee ranking member Josh Hawley’s (R-Mo.) focus over the last few years suggests a separation of China policy from tech regulation — concentrating more on sanctions, export control and dealing with China more directly as a distinct national security threat.

— Transportation’s security crossroads: The House Homeland Security subcommittee hearing on TSA's cybersecurity posture is shaping up as a referendum on the agency's regulatory approach. Chair Carlos Gimenez (R-Fla.) is positioning the Tuesday session as an examination of TSA's cyber risk management, particularly its recent proposed rulemaking affecting rail, pipeline and bus security.

Industry pushback against TSA's numerous security directives signals some tension between federal oversight and sector-specific concerns. Gimenez believes these directives “have fallen short and lack necessary feedback from the transportation sector,” suggesting Republicans may push for a regulatory reset.

Watch for the potential industry divide, though. The American Gas Association will have a representative at the hearing, and recent praise of TSA’s proposed tougher cyber rules shows some sectors are finding alignment with federal oversight, even as others push back. This split could complicate GOP efforts to paint TSA’s approach as universally problematic.

— AI fraud: Perhaps the most politically charged session will be Sen. John Hickenlooper's (D-Colo.) examination of AI-enabled fraud. The hearing's witness list — including a mother of a deepfake victim and leading AI ethics researchers — suggests Democrats are building a case for stronger consumer protections ahead of the power shift.

The inclusion of Truepic's leadership points to growing interest in technical solutions for content authentication, a priority that gained urgency after the summer's wave of AI-generated campaign disinformation.

— The lame duck factor: With power shifting in the Senate and margins razor-thin in the House, these hearings are less about immediate action and more about positioning for 2025's cyber battles. Regulating cyber powers, China policy and AI protection are shaping up to be the holy trinity of next year's cyber agenda.

UNWINDING REGS — Bipartisan lawmakers and White House officials are making a late push to pass legislation aimed at easing the crush of cyber regulations on the private sector — raising the odds the 118th Congress could get one big cyber bill across the finish line by January.

— The momentum: Last Thursday, Rep. Clay Higgins (R-La.) introduced a little-noticed House companion bill to the Streamlining Federal Cybersecurity Regulations Act, a bill from Sens. Gary Peters (D-Mich.) and James Lankford (R-Okla.) that moved out of the Senate Homeland Security Committee this summer. Cyber stalwart Sen. Angus King (I-Maine) also announced his support for the Senate bill the same day.

It comes as the White House has been making its own PR blitz for the bill. Last week, top officials from the National Security Council and Office of the National Cyber Director appeared at a conference on cyber regulation at Columbia University, where keynote speakers included New York Gov. Kathy Hochul and former Secretary of State Hillary Clinton.

— Why it matters: Federal agencies have advanced myriad new cyber regulations in the last decade to incentivize schools, pipelines, and banks to up their defenses. But many of those mandates overlap, causing a major compliance headache for businesses.

The Streamlining Federal Cybersecurity Regulations Act would seek to fix that by creating an interagency committee empowered to “harmonize” the labyrinth of different regulations on companies.

— Driving it home: In an interview, Nicholas Leiserson, the assistant national cyber director for cyber policy and programs, argued the bill is a national security imperative.

He pointed to a recent survey of large financial institutions from the Bank Policy Institute that found that senior cyber leaders spend between 30 and 50 percent of their time on compliance.

“When you're filling out additional forms, or having to respond to multiple regulators who are asking for the same types of controls, that is time off-mission,” said Leiserson, who added: “That’s why this is just critical to improving our cyber security posture.”

At the White House

QUIET IN THE LIBRARY — Someone's been reading over Congress' shoulder.

According to an internal notice obtained by Morning Cyber, the Library of Congress just disclosed a major cyber breach that let attackers access emails between many congressional offices and library staff — including the Congressional Research Service — from January through September 2024.

— The damage: While House and Senate systems weren't compromised, months of back-and-forth between an undisclosed number of lawmakers and CRS were exposed. The library hasn't specified what was in those emails, but CRS communications typically include everything from routine research requests to sensitive policy discussions.

The library attributed the attack to an unnamed adversary and says it is “currently analyzing what email communications were accessed,” the email shared with MC reads.

— What's next: The LOC confirmed the discovery of a breach to MC.

Director of Communications Bill Ryan tells us “an adversary accessed email communications between Library staff and congressional offices,” and that a vulnerability was leveraged by the attackers to access the emails.

Law enforcement is investigating, the vulnerabilities have been patched and the Library says it's analyzing which specific communications were accessed, according to the LOC’s notification email.

Vulnerabilities

CHINA'S CYBER DOMINANCE ISN'T WHERE YOU THINK — Chinese universities aren't just publishing cybersecurity research — they're dominating the field's most influential work, according to new analysis shared exclusively with Morning Cyber from the Emerging Technology Observatory at Georgetown University.

— The numbers: Chinese institutions were 8 of the top 10 producers of cybersecurity research between 2017 and 2022, with Chinese researchers pumping out one in every five cybersecurity papers globally. In comparison, U.S. scholars produced 17 percent of cybersecurity-related articles.

— The wild card: Xidian University — a relatively unknown Chinese institution — has emerged as the world's second biggest producer of cyber research articles. Previous research has linked Xidian's cyber program to Chinese government hacking groups.

— Missing in action: Where are the Massachusetts Institute of Technology, Stanford and Carnegie Mellon? The usual American tech scholars are notably MIA from the top rankings, though Microsoft managed to crack the top 10 for highly-cited research.

Even when Georgetown's team filtered for research quality (tracking citation counts), Chinese institutions were still high on the list, but the U.S. produced 31 percent of the most-cited work compared with China's 25 percent.

The data reveals a 57 percent surge in global cyber research from 2017 to 2022, with over 210,000 papers published.

Tweet of the Day

If you don’t respond to my joke after 5 months I’m assuming you’re still laughing.

Source: https://x.com/vxunderground/status/1858214444863504722


Quick Bytes

A CYBER VOID — Ukraine's top cybersecurity official, Yury Myronenko, has resigned after a year in office, citing successful completion of tasks and a move to the Ministry of Digital Transformation, reports Daryna Antoniuk for The Record.

MICROSOFT'S SECURITY SWEETENER — When President Joe Biden summoned tech CEOs to the White House in 2021 amid mounting cybersecurity concerns, Microsoft CEO Satya Nadella came bearing gifts — $150M in free security upgrades and consulting services. But what looked like corporate philanthropy was actually a calculated play to dominate federal IT spending, reports ProPublica’s Renee Dudley (with research by Doris Burke).

ICYMI — WhatsApp won a legal battle, forcing the release of documents revealing NSO Group's internal operations. (TechCrunch)

Chat soon.

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Rosie Perper (rperper@politico.com).

 
