Welcome to The Cybersecurity 202! All hail Frodrick, his fellow Frods, King Julian, Queen Julia, Mort and especially the fellow who gave them luxury accommodations.

Below: Top administration officials warn of a year-end lapse in U.S. surveillance powers, and Dish Network says its Feb. 23 outage was caused by ransomware. First:

Biden gets mostly positive marks on living up to his campaign cyber pledges

Biden talked about prioritizing cybersecurity across the federal government. (Photo by Demetrius Freeman/The Washington Post)

A little more than two years since President Biden took office, some cyber experts say he's mostly done a good job of living up to cyber promises he made on the campaign trail and early in his presidency.

Biden didn't make very many cyber promises, given the campaign's focus on issues like covid-19 and the economy, nor was he very specific. He talked about, for example, making cybersecurity a priority for federal agencies, and countering Russian cyberattacks.

I surveyed four experts who represent various elements of the cyber world for opinions on whether Biden has fulfilled his pledges:

- Jim Lewis, with the Center for Strategic and International Studies think tank.
- Mike Rogers, former House Intelligence Committee chair and co-founder of data protection firm AutnHive.
- Henry Young, director of policy at BSA | The Software Alliance, an industry group.
- Tom Kellerman, senior vice president of cyber strategy at the company Contrast Security.

I then spoke to Anne Neuberger, deputy national security adviser for cyber and emerging technology, for her take on how Biden has delivered on his promises.

Some of Biden's pledges were about approach and emphasis. In the wake of news reports about the SolarWinds cyberattack in December 2020, Biden said he would "make cybersecurity a top priority at every level of government" and "elevate" the topic across the government. He said he would "further strengthen partnerships with the private sector," and "expand our investment in the infrastructure and people we need to defend against malicious cyberattacks."

Here are the experts' thoughts on Biden making cyber a priority for the government:

- Lewis said that while the White House has certainly pushed agencies well to do better on cybersecurity, he's not convinced that agencies without cyber missions — say, the Interior Department — are making it a top priority. But things are better than they were before, he said. "The good news is all the Cabinet secretaries know how to spell 'cybersecurity,'" Lewis said. Young similarly wasn't sure cyber was a priority at agencies that don't work on cyber as part of their mission, but said, "In general, he has elevated cyber as a priority."
- Rogers and Kellerman both praised the leadership at cyber-focused parts of the government, citing the hiring of well-regarded figures such as Neuberger, National Cyber Director Chris Inglis (who recently left) and Cybersecurity and Infrastructure Security Agency Director Jen Easterly. "I do think he has raised it up," Rogers said.

"He's really made it a priority," Neuberger said. She pointed to a May 2021 executive order directing agencies to bolster their own security, and comprehensive meetings with agencies to track progress every two to three months.

Here are the experts' thoughts on strengthening the partnership with the private sector:

- Kellerman pointed to frequent threat alerts to industry as an example of the approach working, as well as the creation of a new information-sharing initiative at CISA. Lewis said CISA, housed in the Department of Homeland Security, has been a major success story under Biden. "The attitude is so much more positive than it was five years ago or even 10 years ago, particularly about DHS," he said.
- The Biden administration's more regulatory approach doesn't equate to soured relations with industry, Young said. "Partnership is not always agreeing, but it is working together," Young said. "Even when we don't like what they have to say and they don't like what we have to say, the partnership's pretty strong."
- Rogers was the least impressed. "I don't think they're doing well. They're talking the right game. I would count that as a swing and a miss," he said. "They have lots of meetings, it just hasn't translated into an easier, more productive private sector partnership with the government."

"There's a push and a pull on that because, from a U.S. government perspective, we always want critical infrastructure maximally secure, and to the companies who own and operate critical infrastructure, it's a cost," Neuberger said. She touted private sector initiatives such as holding sector-by-sector classified threat briefings; bringing in industry on its Counter Ransomware Initiative; collaborating with the private sector to defend Ukraine; and the Transportation Security Administration adjusting its pipeline security directive in response to industry feedback.

And here are the experts on investments in infrastructure and people:

- Young called it a "mixed bag," noting that while Biden can propose a budget, "Congress needs to increase its funding." Still, Kellerman noted, "There has been a dramatic increase" in spending.
- "I'm not sure I've seen a big change," Rogers said. While CISA has gotten "huge," he said, overall on the federal agency investments, "I would argue I have not seen them more effective and more focused just yet."
- Lewis said it could be years before the Biden administration sees results, although he noted Inglis hosted a White House cyber workforce summit last year as an example of the administration making an effort.

In his first year in office, Biden proposed $8.7 billion in cybersecurity funding for civilian federal agencies, up from $7.8 billion the prior year. For the most recent fiscal year, he again proposed an increase, to $10.9 billion. But as Young mentioned, it's up to Congress to give him the funding.

CISA's personnel increased from 2,365 full-time positions in fiscal year 2021, to 2,464 in fiscal year 2022, the first year that reflected his priorities. His fiscal 2023 budget proposed 2,758 positions. But a hiring initiative that launched last year to dramatically increase the number of cyber personnel at DHS got off to a slow start.

Some of Biden's promises were about going on offense against malicious hackers. He said, "We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place," by "imposing substantial costs on those responsible" and "coordination with our allies and partners." He said he would not "stand idly by in the face of cyber assaults on our nation." He also said Russia, China and Iran "would pay a price if I'm elected" for interfering in the 2020 election, and he said that he would respond "proportionally to Russia's interference in our elections and the cyberattacks on our government and our business."

Here are the experts on those promises to respond to cyberattacks:

- Kellerman pointed to actions by agencies like the Justice Department and National Security Agency to disrupt threats, such as the Justice Department more frequently seizing hackers' ill-gotten gains. The administration also has made use of sanctions to punish malicious hacking, he said.
- The administration "took some of the handcuffs off" at NSA and Cyber Command, Rogers said, allowing them to pursue foreign government-connected hackers "trying to do election interference." And they've kept the pressure on, he said, but "we haven't turned the corner on this yet."
- "It's difficult to know about imposing costs," Young said, given how much of that government activity is classified and might not be declassified for a while. "The people are thinking seriously and taking action. How well it works is really going to be a question for 2033, more than 2023."
- Lewis said some of what Biden said on this has been overtaken by events. Russia's war with Ukraine has eclipsed Russia's cyberattacks on the United States as a U.S. priority, he said. Russia didn't demonstrate much interest in the 2022 elections, Lewis observed. "Maybe Russia took the hint that they should be less obvious," he said. "I doubt it. You can take credit for that if you want." He said he didn't see much response to China and Iran over 2020 election interference, probably because "I don't think they did" interfere. And ransomware, Lewis said, "is just a huge problem, and it will take years to chip away at it."

Neuberger pointed to the joint attribution with the European Union to blame Russia for a cyberattack on satellite company Viasat at the start of the Ukraine war as an example of a success in confronting cyber adversaries. "That was the first time the European Union came together to attribute a cyberattack and call out Russia," she said. "This was a big deal in terms of cyber norms."

The keys

Top administration officials warn of lapse in U.S. surveillance powers

Matthew Olsen, assistant attorney general for the National Security Division, speaks during a news conference at the Justice Department. (Carolyn Kaster/AP)

White House officials are warning Congress of a pending lapse in a powerful surveillance mechanism, a lapse they say would stifle the collection of intelligence on adversarial nation-states, our colleague Ellen Nakashima reports.

Top national security officials told top lawmakers that the year-end expiration of Section 702 of the Foreign Intelligence Surveillance Act should be a top priority for lawmakers. They argued that the intelligence obtained from the authorization has saved American soldiers' lives, nabbed spies, prevented ransomware hacks and thwarted cyberattacks from China, Russia, North Korea and Iran.

Gen. Paul Nakasone, who leads the NSA and U.S. Cyber Command, made the case in January for Congress to renew the expiring surveillance power, we reported. Renewing the surveillance powers could face hurdles because of criticisms by civil liberties groups, which say it violates Americans' privacy, and growing skepticism from congressional Republicans.

Dish Network links outage to ransomware

Dish Network satellite dishes at an apartment complex in Palo Alto, Calif. (Paul Sakuma/AP)

Dish Network, one of the largest American television providers, on Tuesday said that its Feb. 23 network outage was caused by a ransomware breach, Bleeping Computer's Sergiu Gatlan reports.
Dish said in a securities filing that an outage at the company was caused by a "cyber-security incident." The filing also referenced a "ransomware attack."

"Dish Network's website is still affected by the outage and is only partially functional, with the company prominently displaying a 'We are experiencing a system issue that our teams are working hard to resolve' message at the top of the homepage," Gatlan writes.

On the move

- John Costello, who was chief of staff in the office of the national cyber director under Chris Inglis, has left government and rejoined WestExec Advisors, Costello writes on LinkedIn. Inglis also worked as a consultant for the firm before becoming national cyber director.

Daybook

- The House Energy and Commerce Subcommittee on Consumer Protection and Commerce holds a hearing titled "Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy" today at 8:30 a.m.
- The Senate Judiciary Committee will hold an oversight hearing to examine the Department of Justice today at 10 a.m.

Secure log off

Thanks for reading. See you tomorrow.