Editor’s Note: Cybersecurity Weekly is a weekly version of POLITICO Pro’s daily cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a political intelligence platform that combines the news you need with tools you can use to take action on the biggest stories of the day. Take action on the news with POLITICO Pro.
– Congress gets back to work, and after a series of cyber incidents in recent weeks, a long list of things to do awaits them.
– Following President Joe Biden’s most recent conversation with Putin, lawmakers and other policymakers in Washington are still eager to see concrete retaliatory action against Russian ransomware.
– The executive order on competition recently signed by Biden also has an element of data security – once again, linking antitrust policy to conversations about privacy and security.
HAPPY MONDAY and welcome to Morning Cybersecurity! I’m your host, Sam Sabin. Send your thoughts, feedback and especially your tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team contact info below.
RETURN TO WORK – Congress has a long list of things to do when it returns to Capitol Hill this week, with the Senate back in full swing and the House leading a week of committee work. Here’s what your MC host is considering:
– A vote on Jen Easterly’s CISA nomination: As POLITICO previously reported, Sen. Rick Scott (R-Fla.) is expected to lift his hold on all Department of Homeland Security nominees today, paving the way for a vote on Easterly’s nomination to lead the Cybersecurity and Infrastructure Security Agency.
– Bills, bills, bills: The Senate Homeland Security Committee on Wednesday will mark up two cybersecurity-related bills: the Civilian Cybersecurity Reserve Act, which would establish a pilot civilian “cyber reserve” program, and the K-12 Cybersecurity Act, which would study the security risks facing K-12 schools. (More details in Friday’s MC.)
– Appropriations season: Although they are not in session, House appropriators have a long week ahead of them. For cyber watchers, the contents of the Justice Department spending bill released on Sunday will carry the most weight, especially the FBI budget. Appropriators are seeking $148.2 billion for the department as a whole and $10.2 billion for the FBI, which is in line with the agency’s request for fiscal year 2022. The department’s budget will be marked up in subcommittee this afternoon and considered by the full committee on Thursday.
PRAGMATIC ON PUTIN? – Within a single week, the NSA and CISA warned of Russian intelligence operatives attempting to gain access to government and private organizations around the world; thousands of organizations fell victim to the Kaseya ransomware attack; and federal investigators began looking into whether Russia was behind a data breach reported by an RNC technology provider. Through it all, the White House has taken a more measured approach to its relations with Russian President Vladimir Putin.
There are reasons for this (detailed in MC last week), but cyber experts are still waiting for more action. Tatyana Bolton, policy director of the R Street Institute’s cyber team and former senior policy director at the Cyberspace Solarium Commission, told C-SPAN’s “Washington Journal” on Sunday that “the United States must be much stronger with Russia.”
“We need real, strong action against Russia to make sure they understand how serious we are and give them consequences for the actions they take,” Bolton said.
And three experts from the Center for Strategic and International Studies wrote in a blog post on Friday that it was time for the White House to follow through on its measured approach with harsher measures or “risk losing credibility, which the previous two administrations have already damaged in Moscow.”
– The White House has stepped up its game: Biden said he “made it very clear” to Putin in a phone call Friday about the ransomware attacks that the United States expects the Russian leader to crack down on criminal gangs in his country, especially when these attacks target American organizations. And later that day when a reporter asked, “Does it make sense for the United States to take it up a notch and attack the real servers that are being used?” Biden said “Yes”.
– But even before last week’s events, lawmakers had called on Biden to take a stronger stance against Putin. In recent weeks, they have been pushing for Cyber Command, which holds most of the country’s offensive cyber capabilities, to play a leading role in the country’s fight against ransomware.
ANTITRUST ORDER’S SECURITY PROVISION – Biden’s executive order to promote competition and rein in concentrated corporate power, which he signed on Friday, includes a directive for the Federal Trade Commission that will certainly be of interest to privacy and security watchers: establish new rules on surveillance and data accumulation.
Under the order, the FTC will start what could be a multi-year regulatory process to strengthen the protection of consumers’ online data. Historically, the FTC has been limited to using its enforcement actions, which often resulted in first-time offenders receiving only a warning. Now, Biden has given FTC Chair Lina Khan, a fervent Big Tech critic, the keys to do what Congress has struggled to do for decades: institute sweeping new data collection and security rules.
– The FTC is the go-to agency whenever a business misuses user data or has been lax in securing it. For example, the FTC was one of the main agencies investigating the 2017 Equifax data breach, which affected nearly 150 million Americans, and the agency fined Facebook $5 billion in 2019 for allowing the misuse of user data in the Cambridge Analytica scandal.
Although it may seem strange at first glance that this would land in an EO on competition, experts have long argued that it is impossible to separate the debates over privacy and security in Washington from those over competition, given the amount of data that companies like Google, Amazon and Facebook collect on each of their users. As such, any new rule will have a direct impact on how Big Tech collects, secures and manages user data.
– Not without a fight: The big tech companies, which are mentioned throughout the executive order, have been warning for years that changing antitrust laws could actually harm consumer privacy. Apple released a white paper on this point last month ahead of what ended up being a 29-hour markup on several antitrust bills.
– Khan’s position: Khan has previously hinted that she supports strict privacy mandates. During her confirmation hearing, she told lawmakers that “the harms of lax data security are immense,” adding that it is “no longer about identity theft. There are real national security implications and we have also seen state-sponsored hacks.”
SECURING CRITICAL SOFTWARE – After defining what constitutes critical software under Biden’s cyber executive order, the Commerce Department’s National Institute of Standards and Technology on Friday released guidance on how to secure such software, responding to another key requirement of the EO. Recommendations include configuring multi-factor authentication, isolating or segmenting the networks that connect to critical software, and encrypting sensitive data used by critical software.
– NIST also released guidelines on how to test vendor and developer software source code on Friday, as required in the order.
Michael Garcia starts today as a staffer on the Democratic side of the Senate Homeland Security Committee, working on cybersecurity, critical infrastructure and emerging technology issues. He joins the committee from Third Way, where he was a senior policy adviser focusing on cyber… John Cohen now runs the Department of Homeland Security’s Office of Intelligence and Analysis in addition to his current role as the department’s senior counterterrorism official, according to a memo.
From Joseph Menn of Reuters: “Have you ever wondered how much of the rest of our critical infrastructure is in such dire condition as our computer networks? I’m afraid climate change will show it to us.”
– Microsoft buys security software maker RiskIQ and could announce an agreement in the coming days, according to people familiar with the matter. (Bloomberg)
– Former employees claim Kaseya was repeatedly warned between 2017 and 2020 of numerous cybersecurity issues prior to its ransomware attack. (Bloomberg)
– “The anatomy of a ransomware attack.” (The Washington Post)
– The United States has sanctioned 14 Chinese tech companies over surveillance issues. (The Verge)
– A deep dive into the content of the Pentagon’s latest multi-vendor cloud contract. (FedScoop)
– A “small” number of Mint Mobile customers have been affected by a data breach, the company warned over the weekend. (BleepingComputer)
Chat soon.
Stay in touch with the whole team: Eric Geller ([email protected]); Bob King ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).