Welcome to The Cybersecurity 202! Two words: Rhea. Seehorn. Also a few more, actually: Today's newsletter is jam-packed. When even the fifth thing down is a banger, you know it's been a busy cyber day.

Below: Officials release the national cyber strategy implementation plan, and Chinese hackers breach a Cabinet member's email. First:

GOP state officials secure win, Biden administration suffers setback in water cyber rule case

A Maryland wastewater treatment facility. (Katherine Frey/The Washington Post)

A U.S. court on Wednesday placed a temporary hold on an Environmental Protection Agency rule intended to better safeguard public water systems against hackers, dealing a setback to the Biden administration's cybersecurity regulatory agenda and a win to GOP state attorneys general challenging federal power.

The U.S. Court of Appeals for the 8th Circuit granted a stay of the EPA's March 3 memorandum directing states to evaluate the cyber defenses of water systems when conducting sanitation surveys. The stay would block the EPA initiative during court deliberations over a petition for review that three state attorneys general brought against the agency, with support from organizations that represent water utilities.

The one-sentence ruling doesn't provide the court's reasoning. But it serves as perhaps the biggest complication to date for an administration that has sought to put cybersecurity mandates in place across a variety of critical infrastructure sectors, sometimes relying on expanding prior regulatory authorities to cover cyber protections.

Two of the parties involved in the proceedings, Arkansas' attorney general and the American Water Works Association (AWWA), which represents water utilities, said in written statements that they were pleased by the court's ruling.
- "EPA has no authority to impose this one-size-fits-all mandate on States, certainly not without complying with well-established APA requirements," said Arkansas Attorney General Tim Griffin (R). Attorneys general in Missouri and Iowa, also Republicans, are the other two lead petitioners.
- "AWWA strongly supports efforts to strengthen cybersecurity in the water sector, but the Sanitary Survey Program is not the right tool for the job," said the group's CEO, David LaFrance. "We are grateful our viewpoint will be heard by the court and look forward to working together with EPA and others on a smart path forward." The National Rural Water Association also celebrated the decision. Both groups are intervenors in the case.
The EPA did not provide a response to a request for comment on Wednesday. But the Biden administration warned in a June 30 filing that "[t]he risks to public health and critical infrastructure from staying the Memorandum are significant."

The EPA memo cited powers under the Safe Drinking Water Act as its basis. And cyber experts routinely rank the water sector among the kinds of critical infrastructure that are most vulnerable to, and least prepared for, cyberattacks. The sector relies heavily on operational technology, the systems that monitor or control physical industrial processes.

Last week, the U.S. attorney's office for the Northern District of California announced that a grand jury had indicted a former contractor for allegedly deliberately uninstalling software at a wastewater treatment plant. The office described the attack as one that removed protections for the entire system, including filtration and chemical levels.

"Today, [public water systems] are frequent targets of malicious cyber activity, which has the same or even greater potential to compromise the treatment and distribution of safe drinking water as a physical attack," wrote Radhika Fox, the assistant administrator for the office of water at the EPA, in the March memo. "Clarifying that cybersecurity must be evaluated in reviewing operational technology that is part of a PWS's equipment or operation during sanitary surveys or other state programs will help reduce the likelihood of a successful cyber-attack on a PWS and improve recovery if a cyber incident occurs."

Reasoning that voluntary measures haven't sufficiently protected vital critical infrastructure, the Biden administration has advanced cyber rules under a range of legal justifications, and has indicated plans to seek congressional aid where it believes it lacks the authority to do so.
Besides challenging the EPA's existing authorities, the petitioners contend that the agency's cyber rule will impose greater financial burdens on small utilities.

The 8th Circuit's decision is the latest win for Republican attorneys general who have challenged the Biden administration in court.

Several GOP state attorneys general recently obtained a preliminary injunction against a number of federal agencies, including several that work on cybersecurity, that prevents them from communicating with social media platforms about "protected speech." The officials maintained in their lawsuit that work the agencies did in the name of countering disinformation amounted to censorship. Missouri Attorney General Andrew Bailey (R) also secured a hold in May on an EPA regulation intended to reduce air pollution.

The keys

Officials release national cyber strategy implementation plan

The strategy aims to implement federally mandated rules for protecting critical infrastructure, bolster agencies with resources to defend against cyberthreats and hold software developers accountable for security defects in their products. (Robert Miller/The Washington Post)

The Office of the National Cyber Director (ONCD) on Thursday unveiled the implementation framework for the White House's new national cyber strategy, a sweeping plan that aims to improve U.S. cybersecurity preparedness through a more aggressive regulatory approach. The strategy aims to implement federally mandated rules for protecting critical infrastructure, bolster agencies with resources to defend against cyberthreats and hold software developers accountable for security defects in their products, among other areas.

- The implementation plan, which serves as the road map for the strategy, contains 69 initiatives, each assigned to a single responsible federal agency.
Additionally, 18 different agencies are leading at least one initiative in the plan, several of which have already been completed, according to acting national cyber director Kemba Walden.

- While the national cyber strategy is a broad vision, the implementation plan is a living document that is expected to evolve on a regular basis. The plan will be updated annually, Walden said.
The implementation framework's release comes as the Biden administration faces pressure to nominate a permanent national cyber director. A coalition of cyber industry groups this week told the White House they were concerned that such delays could hinder the cyber strategy's implementation.

- But Walden, who took leadership of the office in her current capacity after former director Chris Inglis stepped down in February, said that the lack of a permanent director hasn't had any adverse effects on the office's business, telling The Cybersecurity 202 that "it doesn't seem that the personnel issues of the day are having any impact."
NSA, Cyber Command nominee talks encryption, surveillance

U.S. Air Force Lt. Gen. Timothy Haugh, left, testifies during the Senate intelligence hearing on his nomination to be the director of the National Security Agency on Wednesday. (Mariam Zuhaib/AP)

President Biden's nominee to lead the National Security Agency and U.S. Cyber Command pledged to preserve strong encryption and touted the need to renew expiring surveillance tools at a confirmation hearing Wednesday. Air Force Lt. Gen. Timothy Haugh, whom Biden picked to replace outgoing Gen. Paul Nakasone atop both organizations, told Sen. Ron Wyden (D-Ore.) that encryption is a "critical responsibility" of the NSA "to defend our national security systems and our weapons systems."

- "If confirmed, we will not weaken encryption for Americans," Haugh said.
Lawmakers pressed Haugh repeatedly on so-called Section 702 surveillance powers, due to expire at year's end. The program, aimed at overseas targets, has drawn fire from both sides of the aisle over whether it needs more protections for Americans and over how the FBI has or hasn't complied with rules for querying a database for Americans' information. Haugh called Section 702 "absolutely essential." Biden administration officials have touted Section 702 successes in countering cyber attackers. But Sen. Martin Heinrich (D-N.M.) criticized Haugh for saying in answers to prehearing questions that he had limited familiarity with Section 702 in his current role. "I don't view that answer as good enough," Heinrich said. "I'm disappointed."

More steps await Haugh. The Senate Armed Services Committee is also expected to hold a hearing on Haugh's nomination. And Sen. Tommy Tuberville (R-Ala.) has placed a hold on all military nominations over a Pentagon abortion policy.

Chinese hackers breached Commerce secretary, State Department emails

Chinese cybercriminals exposed a flaw in Microsoft's cloud, allowing them to breach the email account of Commerce Secretary Gina Raimondo. (Photo by Ricky Carioti/The Washington Post)

- "Raimondo is the only known Cabinet-level official to have their account compromised in the targeted cyberespionage campaign, according to U.S. officials familiar with the matter who spoke on the condition of anonymity due to the matter's sensitivity," they write.
- Raimondo's agency has imposed significant export controls against China's technology sector.
The breaches were mitigated, but the FBI continues to examine the incident, officials said. Our colleagues add: "The Microsoft vulnerability was discovered last month by the State Department. Also targeted were the email accounts of a congressional staffer, a U.S. human rights advocate and U.S. think tanks, officials and security professionals said." The State and Commerce departments are the only two known executive branch agencies to have been breached, the report adds.

The key cyber provisions developing in the national defense spending bill

The Senate's NDAA includes an amendment from Sen. Ron Wyden (D-Ore.) that would require the Defense Department to adopt a policy requiring memory-safe software for agency operations. (Demetrius Freeman/The Washington Post/pool)

House and Senate members have asked for a slew of cyber-related provisions to be baked into their respective chambers' National Defense Authorization Act (NDAA), the premier annual defense spending bill commonly taken up at year's end after both chambers reconcile on a single package. The Senate's NDAA includes an amendment from Wyden that would require the Defense Department to adopt a policy requiring memory-safe software for agency operations.

- Memory safety is a property of certain programming languages and tools that manage memory automatically, helping to prevent the human errors that open software up to memory-related attacks.
- Pleased that the amendment has been included, Wyden told The Cybersecurity 202: "These security benefits will trickle down to the private sector, ultimately protecting American consumers."
Other Senate additions include:

On the House side, the most significant amendment adopted Wednesday, from House Homeland Security Chairman Mark Green (R-Tenn.), would require the Pentagon to study whether it's feasible to establish a cyber unit in every state's National Guard. The House will also consider an amendment limiting the Pentagon's ability to purchase data that would otherwise require a warrant. The developments come as the House is expected to continue floor consideration of the bill this week and possibly beyond, Politico reports.

Government scan

Hill happenings

Securing the ballot

Industry report

Global cyberspace

Encryption wars

Daybook

Secure log off

Thanks for reading. See you tomorrow.