News: The holiday cyber sprint

Monday, December 2, 2024

The holiday cyber sprint

Dec 02, 2024

Presented by

With help from Maggie Miller

Driving the Day

— Beltway cyber policy players face a slew of important deadlines and decisions this month, as the clock ticks down on the 118th Congress and the Biden administration.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! Showtime’s new spy thriller “The Agency”? I am all-in after just one episode.

Follow me and Maggie on X at @johnnysaks130 and @magmill95, on Bluesky at @maggiemiller.bsky.social, or reach out via email or text for tips. You can also follow @POLITICOPro on X.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Want to know what's really happening with Congress's make-or-break spending fights? Get daily insider analysis of Hill negotiations, funding deadlines, and breaking developments - free in your inbox with Inside Congress. Subscribe now.

Today's Agenda

Nothing on the schedule today.

At the Agencies

WINTER CYBERLAND — When it comes to fending off criminal hackers and state-backed cyber spies, December is shaping up to be one of the most consequential months of 2024.

The 118th Congress, the Biden administration and the Trump-Vance transition each are set to make critical personnel and policy choices this month that will ramify well past 2025. Here’s what we’re watching.

— Defense bill time: Congress has just three weeks to pass the National Defense Authorization Act, the must-pass defense policy bill on which major cyber policy fixes regularly hitch a ride into law.

Two of the bigger changes that appear within reach this year? First, both the Senate and House have included language in their versions of the NDAA requiring an independent study on the need for a dedicated cyber service. Advocates hope that could lay the groundwork for Trump to green-light a keyboard-centric counterpart to the Army, Navy, Air Force and Space Force.

In addition, leading cyber lawmakers in both chambers have signaled their interest in a bill that would empower the Office of the National Cyber Director to trim redundant federal cyber regulations. While it’s not in either version of the NDAA yet, it is perhaps the last-best landing spot for the bill, which the White House is also making a late push for.

– The EO … and the election report: The Biden administration is aiming to issue an ambitious new executive order on cybersecurity this month that will cover everything from supply chain security to federal contracting and zero-trust, as we previously reported.

The detailed order — rumored to be up to 60 pages — could significantly alter the landscape for federal cybersecurity. And while Donald Trump could theoretically scrap the sweeping mandate on his first day in office, the National Security Council is betting it can get buy-in for its changes by focusing on technocratic issues that draw support across the aisle.

The Intelligence community, for its part, faces another big December deadline: per a 2018 Trump executive order, it has until the week before Christmas to complete an assessment on the nature and extent of any foreign interference efforts in the 2024 election.

– Transition time: Having finally signed an agreement with the White House, the Trump-Vance Transition team is ready at last to get started on the nuts-and-bolts work of the changeover — albeit on a compressed timeline and with some key restrictions around its ability to receive classified briefs from current administration officials.

All that policy work may nonetheless be secondary to the big personnel question looming over D.C.: Who will Trump pick to head CISA and the Office of the National Cyber Director, a pair of roles that could shape U.S. cyber policy for the better part of the next half-decade?

Vulnerabilities

FIRST IN MC: WELL, THAT’S CONCERNING — Critical code in software used in major U.S. utilities has dozens of key vulnerabilities that would be easy for nation states or cybercriminals to exploit, a report out today from Fortress Information Security found.

As Maggie writes in, Fortress researchers delved into the North American Energy Software Assurance Database in order to review the Software Bill of Materials of more than 2,000 products. They found that of around 9,000 vulnerabilities present, more than 800 are classified as “highly exploitable” for any attacker.

Even more concerning? Just 20 components studied are the reason for around 80 percent of the vulnerabilities found.

“The bad news is, these 20 components are everywhere, and so our adversary, if they were to choose to exploit them, could wreak significant havoc,” Fortress CEO Alex Santos told Maggie. “These 20 components cause our infrastructure a systemic risk.”

— Our friends in the East: The researchers also found a high level of dependence on Chinese technology, with 90 percent of the software products studied containing Chinese-developed coding. Santos said the “good news” is that there was no “smoking gun” found in these products that could have been designed with the intent of causing disruption — however, they could still cause concerns in the future.

“There doesn’t seem to be any consistent, disciplined practices by software manufacturers to keep those Chinese components from becoming a problem,” Santos said. “I think we’ve gotten lucky that China has chosen not to utilize some of those components for nefarious purposes yet.”

Cybercrime

A KREMLIN SURPRISE — A notorious Russian hacker who has evaded Western law enforcement for years appears to be in custody at long last — though given who arrested him, it’s unclear just how promising a development that may be.

Russian law enforcement recently arrested an unnamed cybercriminal in Kaliningrad, whom Bleeping Computers reports to be ransomware kingpin Mikhail Pavlovich Matveev.

Just desserts: Matveev is a prolific cybercriminal who has preyed on Western organizations for years, even flaunting his ability to evade U.S. law enforcement by holing up in Russia.

Last May, the U.S. Justice Department charged Matveev with using three different ransomware variants dating back to 2020 — LockBit, Hive and Babuk — to attack thousands of organizations around the world, while the State Department put a $10 million bounty on his head.

Matveev seemed anything but deterred, however; he responded by hawking a T-shirt with his “Wanted” poster.

The intrigue: The Kremlin has a history of flouting international pressure to prosecute domestic cybercriminals, so long as they focus their criminal activity abroad — and perhaps, respond to marching orders when necessary from Mother Russia.

But there’s no clear sign Russian police are bending to U.S. pressure, meaning it is likelier Matveev may simply have angered the wrong person inside Russia.

Tweet of the Day

British humor, applied to cyber:

Quick Bytes

DIRTY TRICKS — The FBI is investigating a lobbyist for Exxon over their role in a hack-for-hire operation to damage a group of environmental activists, Reuters’ Raphael Satter and Christopher Bing reports.

MAY THE CYBER FORCE BE WITH YOU — The debate over the need for an independent cyber force within the military is rearing its head again, The Wall Street Journal’s Cheryl Winokur Munk reports.

SOUTH DAKOTA TRIO — Three South Dakota lawmakers are set to play an outsized role in cybersecurity in the next Congress, CyberScoop’s Tim Starks reports.

NOT ALL TYPHOONS ARE EQUAL — T-Mobile says it wasn’t hit as bad or as long as other victims of a sweeping, China-backed spying campaign, POLITICO reports.

Chat soon.

Stay in touch with the whole team: John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Rosie Perper (rperper@politico.com).

Don't just read headlines—guide your organization's next move. POLITICO Pro's comprehensive Data Analysis tracks power shifts in Congress, ballot measures, and committee turnovers, giving you the deep context behind every policy decision. Learn more about what POLITICO Pro can do for you.