The United States should get far more aggressive at punching back against cyber adversaries, including ransomware gangs operating in Russia, Sen. Angus King (I-Maine) says.

President Biden denounced cyberattacks from both the Kremlin and Russian criminal gangs during his summit meeting with President Vladimir Putin this month. That was a good first step, King told my colleague Ellen Nakashima during a Post Live event. But the next vital move is for U.S. officials to respond to such attacks with swift and harmful consequences, said King, who co-leads a major cybersecurity commission that is pushing for far more rigorous government cyber policies.

"We've been a cheap date in cyber where we've been attacked repeatedly in a variety of ways [with] no real serious response," King said. He added, "I want somebody in the Kremlin, in the Politburo to say, 'Gee, boss, I'm not sure we ought to do this because we're liable to get whacked in some way by those Americans.'"

King stopped short of insisting that the United States retaliate for cyberattacks by hacking back — something critics say the government has been too hesitant about. He did say that U.S. responses thus far — which have focused on sanctioning Russian officials and state-owned enterprises and indicting hackers who are not likely to reach a U.S. courtroom — haven't been nearly punitive enough.

"The important thing is that we have a clear declaratory policy that there will be a costly response," he said. "I think it has to be specific and it has to be quick."

Photo: Sen. Angus King (I-Maine). (Michael Reynolds/EPA-EFE/Shutterstock)

King also wants the U.S. Cyber Command to disrupt the operations of criminal ransomware gangs. Those gangs are responsible for a slew of attacks that tied up computer networks at Colonial Pipeline and the JBS meat processing firm as well as schools, local governments and other organizations.
It would seemingly be an expansion of work the military cyber unit is already doing to halt criminal hacking groups in Russia from aiding the Kremlin. For example, Cybercom disrupted the world's largest botnet — a band of zombie computers harnessed by Russian criminals for ransomware and other attacks — to ensure it wasn't used to interfere in the 2020 election. Military hackers also disrupted Internet connectivity at a Russian troll farm, the Internet Research Agency, before the 2018 midterms, and the digital operations of the Islamic State.

However, it could backfire if the U.S. military gets too aggressive in cyberspace, Kevin Mandia, CEO of the cybersecurity firm FireEye, warned at the same Post Live event. Because the United States relies more on Internet connectivity than other nations, it is also more vulnerable in a hacking exchange, Mandia said.

"We're in the glass house in cyber," he said. "If the cyber domain is where we choose to go tit for tat, the challenge we've got is we stand to lose more as a nation than other nations."

King pressed for stronger cybersecurity requirements for critical U.S. industries. The Department of Homeland Security is in the process of creating mandatory cybersecurity requirements for oil and gas pipelines in the wake of the Colonial Pipeline ransomware attack, which disrupted oil supplies to the southeastern United States. Government has been slow, however, to consider cybersecurity mandates for other critical sectors such as agriculture, energy and water. Some critics are skeptical that government regulations can be nimble enough to keep up with cyber threats.

One option, King suggested, would be to require critical industries to undergo live-fire cybersecurity testing by ethical hackers working for either a government agency or cybersecurity companies contracted for the purpose.
"There's nothing like a skull and crossbones coming up on the CEO's desktop to let them know how vulnerable they are," he said, referring to a not-so-subtle message the ethical hackers might send a company.

Those reviews, called penetration testing, are increasingly common in some industry sectors such as financial services, but are far from widespread.

Mandia endorsed the idea of penetration testing critical infrastructure. Those tests may be part of a broader expansion of cybersecurity regulations for the most critical industry sectors, he said.

"As a private-sector CEO, whenever you hear the term regulation, you have to twitch and say, 'No, not that.' That's the default answer out of the gates," he said. "But…here's the facts. I think regulated industries ordinarily, when they're regulated in regard to the cybersecurity risk, probably are better defended."