FCC chair talks biggest cyber issues, 'modern meaning' of old authorities

FCC Chair Jessica Rosenworcel discussed the agency's cybersecurity efforts. (Demetrius Freeman/The Washington Post)

Under the tenure of Chair Jessica Rosenworcel, the Federal Communications Commission has recently launched several cybersecurity-focused initiatives and has been mentioned in a federal implementation plan to overhaul the U.S. cybersecurity landscape. The FCC will also be part of a new initiative that aims to put cybersecurity labels on smart devices, which Rosenworcel recently discussed with my colleague Geoffrey A. Fowler.

I spoke with Rosenworcel this week about the FCC's cybersecurity efforts, as well as how the commission is working to evolve to address cyberthreats.

This interview has been edited and condensed for length and clarity.

It looks like the FCC has recently taken on more cybersecurity items. How has the agency thought about cybersecurity in the past, and what's changed since the start of the year?

I think it's an issue that we've been working on with more energy since I took the reins at the agency. But I think there's a good reason for that. We live in an era of always-on connectivity. Connections aren't just convenient; they power every aspect of modern life. And if this energy is new, I would say our authority is old. We're just giving it modern meaning. And I think in a modern way that requires us thinking about how to make [communications] networks cybersecure.

What are your top cyber priorities and challenges at the agency right now?

We've got network security issues and consumer security issues. In consumer security, I've proposed updated rules to address SIM swapping fraud before my colleagues because we've seen an increase of complaints about that. We've also started a proceeding to update our data breach policies.
And I'm pushing my colleagues forward to do enforcement on wireless carriers inappropriately selling our geolocation data because information about where we are when we use our devices has a lot to do with personal as well as national security.

On network security, we have issued a list of equipment that we believe is insecure that we won't support in our networks. We also have an ongoing program to rip out and replace insecure network equipment to the extent it's out there. We started a proceeding to try to understand the Border Gateway Protocol, which is a protocol for exchanging internet traffic that's widely used but has known vulnerabilities. I don't think this task is one where the agency succeeds on its own, I think we have to increase our coordination with others all across the government, who have other experiences and expertise.

How much support do you have from your colleagues in these areas?

I think you should know that, at the moment, it's a four-member agency with two Democrats and two Republicans. So I don't get things out the door at the moment if they lack bipartisan support. With all those initiatives I just announced, we've had some degree of bipartisan support. And I'm proud of that because I don't think there's anything partisan about security matters.

You mentioned the rip-and-replace program, which I understand is short about $3.8 billion. There's a bill in play that would address that shortage using unobligated covid-19 emergency funding. Are there any updates on that, and are there other initiatives underway in the agency to close the loophole?

Congress appropriated the FCC funds that don't cover the full replacement costs of this equipment. In addition to that bill, there's also legislation that's out there that would use revenue from FCC spectrum auctions to provide us with full funding for taking that equipment out and replacing it.
The deadline for starting to file first invoices with us is this week, and the carriers will have a year to actually complete that process. So during the next year, I expect a lot of legislative activity to try to address that shortfall. Appropriators are the source of funding for this kind of activity, so the FCC will have to wait for appropriation to do so. Right now we have funds sufficient to provide 39.5 cents on every dollar. We can support 39.5 percent of the costs. But my hope is Congress is going to close that shortfall and work with us to do so, it's an issue of national security.

E.U. officials are also urging members of the bloc to eject this type of equipment from their networks. How much has the FCC weighed in on those discussions?

The United States has long been talking about the importance of secure equipment in our networks, including principles that are developed on this subject as an international effort. When I travel internationally at events for the International Telecommunication Union, I talk about what we're doing everywhere I go.

Huawei and ZTE — two of the major equipment providers in question — have pushed back on being deemed national security threats. What is your response to that?

We do a lot of work with our national security colleagues. In fact, our entire covered list is developed in conjunction with them. And we bring a lot of energy and effort to understanding this issue, and I'm comfortable with their work on it.

Turning to the recently unveiled National Cyber Strategy implementation plan, it mentions the FCC a whopping three times. How much do you expect the agency to contribute to the efforts it's assigned to at a time when some in the cyber industry are pushing back against mandated protections?

You have to be nimble because the threats are always evolving and in some environments that's going to mean regulation, and in other environments it means cooperation.
In many environments, it's going to require sharing of information. So I think that's the approach the FCC is evolving to. One of the things that I've done is I started up the cybersecurity forum for independent regulators. The idea is to bring everyone together and say we all have different legal authorities, different statutes and different responsibilities, but why don't we commit together to see how we can harmonize our efforts and even use some of that more of the same vocabulary? These [cybersecurity] problems require coordination, and we've got to forge those relationships and start using similar vocabulary.

To what degree do you think the FCC is a cybersecurity agency at this point? Do you think Congress needs to give you more authorities to address cyber matters on the airwaves or other areas the commission has jurisdiction over?

I think network security and national security go hand-in-hand. So it's incumbent on the agency to think about how we improve trust in our networks every day in every way. And we'll use the authorities we have because it's right there in the very first sentence of the Communications Act. We will always work with Congress if they want to find new ways to make sure that we can do this job and do it well.

The keys

Microsoft expanding free access to logging tools after China-linked hack

Microsoft will offer free expanded logging tools for customers in September, following a breach of U.S. government emails that use its services. (Joan Mateu Parra/AP)

- "The announcement follows a recent wave of criticism over the company's tier-priced logging practices after a disclosure this month that a China-based espionage group hacked government Exchange email accounts," Sabin writes.

Logging allows users to identify activities occurring in their networks, serving as a record that can help pinpoint security threats. The company will now double the number of days of default logging activity from 90 to 180.

- The report adds: "Federal officials have said that the U.S. government was only able to identify the breaches after studying the security logs — which record activity that happens on a server — that were only available to premium customers."

Hackers since May had leveraged a Microsoft digital key and a code flaw to break into the emails of U.S. government agencies and other clients, including the email account of Commerce Secretary Gina Raimondo, as well as State Department accounts.

The breach has put Microsoft's security practices under scrutiny at a time when some in Congress are growing increasingly concerned about the Pentagon's heavy utilization of Microsoft products. Microsoft came under similar scrutiny two years ago, when investigators discovered that Russian hackers had penetrated U.S. government systems.

Kevin Mitnick, hacker turned security consultant, dies at 59

Mitnick, right, was released from prison in January 2000. (AP Photo/Damian Dovarganes)

Kevin Mitnick, who became the country's most famous cybercriminal after an FBI manhunt and later became a cybersecurity consultant, died on July 16, our colleague Kelly Kasulis Cho reports.

Mitnick, who was 59, died of pancreatic cancer, said Kathy Wattman, a spokeswoman for KnowBe4, where Mitnick worked. Mitnick's survivors include his wife, Kimberley, who is expecting a child this year.

"Mr. Mitnick branded himself the 'world's most famous hacker,' as KnowBe4 called him in a Thursday statement. As the World Wide Web was slowly being adopted across the globe, he broke into the computer systems of companies such as Motorola, Nokia and Sun Microsystems, causing what prosecutors alleged was millions of dollars in damage," Kelly writes. "Before he was 30, Mr. Mitnick had already served a brief prison sentence for computer crimes. But his infamy as a hacker was cemented in 1995, when the FBI arrested him in the middle of the night at a North Carolina apartment in a highly publicized raid that capped a 24-hour stakeout outside his home and brought an end to his more than two years as a fugitive."

Mitnick was a polarizing figure in the cybersecurity community after his release from prison in 2000. "He portrayed himself as a misunderstood 'genius' and pioneer, and some supporters said he was a victim of overzealous prosecution and overhyped media coverage," Kelly writes.

- "He became a cause célèbre for the internet," former federal cybercrime prosecutor Mark Rasch, who investigated Mitnick, told Kelly. "There was this idea that he was liberating data, he was liberating information, and that he was just proving how hacking could be done," he said. "You had a whole bunch of people in the hacker defense community who thought he was the worst thing in the world, and people in the hacker community who thought he was a demigod."

Legislation preventing data broker sales to government agencies advances

Ron Wyden (D-Ore.), the bill's original Senate sponsor, intends to include elements of the bill in an incoming comprehensive surveillance reform legislation. (Demetrius Freeman/Pool/The Washington Post)

The House Judiciary Committee on Wednesday advanced a bill to close loopholes that allow data brokers to sell consumers' data to law enforcement and federal agencies, Tonya Riley reports for CyberScoop.

The Fourth Amendment Is Not For Sale Act "addresses longstanding concerns from civil liberties and privacy advocates that such purchases allow law enforcement to evade the Fourth Amendment, which protects against warrantless searches," Riley writes.

- Interest in the bill recently increased amid debates over whether to renew Section 702 of the Foreign Intelligence Surveillance Act that allows for "the collection of data belonging to foreign intelligence targets whose communications transit U.S. communications infrastructure," Tonya writes. Section 702 is set to expire at the end of the year unless Congress reauthorizes it.

Ron Wyden (D-Ore.), the bill's original Senate sponsor, "plans on including elements of the bill in a comprehensive surveillance reform legislation 'in the coming weeks,'" the report adds.

A declassified report released last month shows the U.S. intelligence community has leaned heavily on purchasing information that includes data protected by the Fourth Amendment.

Daybook

- NSA Director and Cybercom head nominee Tim Haugh testifies to the Senate Armed Services Committee at 9 a.m.
- CISA Strategic Technology Branch Chief Martin Stanley participates in a panel on emerging tech in cyber at the Gov Future Forum DC beginning at 9 a.m.
- Assistant Attorney General Kenneth A. Polite, Jr. and Principal Deputy Assistant Attorney General Nicole Argentieri speak at the Center for Strategic and International Studies about the national cyber strategy implementation plan at 10 a.m.
- Reps. Mike Gallagher (R-Wis.) and Raja Krishnamoorthi (D-Ill.) speak at a Punchbowl News event on supply chain security at noon.
- The Center for Democracy and Technology holds a webinar on zero-trust frameworks at 1 p.m.
- CISA CIO Bob Costello speaks at a FedInsider discussion on cyberattacks at 2 p.m.
- Secretary of State Antony Blinken, national security adviser Jake Sullivan and others speak at the Aspen Security Forum beginning tomorrow around 11 a.m.

Secure log off

Thanks for reading. See you tomorrow.