Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— The United States’ unique digital vulnerabilities and the pressure to protect the intelligence community’s prized hacking tools will make it hard for President Joe Biden to punish Russia and China for their massive cyberattacks.
— The government needs to get better at assessing the impacts of software vulnerabilities before they blow up into crises like SolarWinds, a new report argues.
— The House Science Committee is making a bipartisan push to boost the National Science Foundation, including to counter growing digital threats.
HAPPY MONDAY and welcome to Morning Cybersecurity! Your MC host wasn’t that worried, but still, this is good to know. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
DECISIONS, DECISIONS… — As President Joe Biden considers how to hit back at Russia and China for massive cyberattack campaigns tied to their regimes — the SolarWinds cyber espionage campaign and the breaches of Microsoft Exchange email servers — the reality is that his options may be limited to a well-worn playbook that has failed to stem digital threats during multiple previous administrations.
“U.S. security leaders have long expressed caution about deploying offensive cyberattacks to cripple adversaries’ critical infrastructure or expose embarrassing information on their leaders, for fear of triggering an escalating conflict that could see foreign hackers shutting off the lights in the United States,” Martin reports in a story out this morning for Pros. Other approaches could still endanger national security, experts and former officials told Martin, by exposing the intelligence community’s painstakingly assembled taps into foreign adversaries’ computer networks. That could make it harder for them to continue spying on those adversaries — or limit their options for responding to an even more serious attack in the future.
Biden’s dilemma is the same one that vexed former President Barack Obama after Russia intervened in the 2016 election, even as observers said the U.S. needs to respond or risk tacitly condoning the SolarWinds and Exchange compromises. One “extreme” option would be to “turn the power off in Moscow,” a former Trump administration defense official told Martin, but doing so “has so many dynamics in the wrong direction. We don’t want that happening in the U.S.”
A cyber expert in the Biden White House has shared that concern about the digitally dependent United States’ unique vulnerabilities. “If you’re covered in gasoline, be careful throwing matches,” Michael Sulmeyer, now the senior director for cybersecurity on the National Security Council, told POLITICO in 2018.
Biden’s best option may be to take a page out of the Trump administration’s book, deploying U.S. Cyber Command to degrade Russian and Chinese hackers’ own capabilities. But whatever he does in response to SolarWinds, experts said, he shouldn’t combine it with his planned responses to Russia’s other malign activities. That wouldn’t “send them a message that they need to change one or two specific behaviors,” said Dmitri Alperovitch, who co-founded the security firm CrowdStrike and now leads the Silverado Policy Accelerator.
ASSESSING DAMAGE BEFORE THE EXPLOSION — The federal government must mount a major effort to identify the “software with the largest potential blast radius” to prevent another wide-reaching cyberattack campaign like the SolarWinds operation, according to a report out this morning from the Atlantic Council.
Once the government knows which programs would pose the biggest risks if compromised by hackers, the authors wrote, it should divide them into multiple tiers and apply varying levels of scrutiny to them — everything from periodic cyber hygiene assessments to penetration testing. “It is low-profile software used in critical parts of a network or given high-level permissions that present valuable targets,” says the report, an outgrowth of the think tank’s “Breaking Trust” initiative on supply chain threats.
The report examines seven supply chain attacks, including the Chinese hack of the system-cleaning utility CCleaner and the NSA’s subversion of a cryptographic algorithm later placed in Juniper Networks’ popular firewalls. It then explains the government and private-sector failures that led to the SolarWinds campaign and makes 12 recommendations for preventing future supply chain crises. These include creating a CISA team and a grant program to help improve the security of open-source code, taking a “deliberate” approach to the rollout of nascent software ingredient labels (software bills of materials, or SBOMs) that are considered valuable risk management tools, and developing a new way to rapidly move cloud services through GSA’s security authorization process.
One interesting recommendation is a “Hunger Games”-style competition that tests agencies’ ability to respond to cyberattacks. The agency that contains a simulated breach in the shortest amount of time should get “a 10-percent bump in baseline IT sustainment or security-related funding” in the next fiscal year, the Atlantic Council said. “CISA will be responsible for capturing a concise lesson learned from each event, and for adapting the [winning] agency’s guidance to [other agencies] accordingly.”
Congress must acknowledge that a lack of sustained funding is hobbling agencies’ efforts to defend U.S. supply chains, the report argues, but the technology industry must also admit that it is helping to create the problem by failing to “adhere to reasonable or adequate security practices.” The public and private sectors need to work together, the report’s authors wrote, to “bring supply-chain security further out of the darkness of the byzantine and proprietary, and into the harsh light of day.”
NSF FTW — The leaders of the House Science Committee want to energize the National Science Foundation to tackle cybersecurity and emerging technology challenges such as artificial intelligence, quantum computing and advanced manufacturing. On Friday, Chair Eddie Bernice Johnson (D-Texas) and ranking member Frank Lucas (R-Okla.) introduced the National Science Foundation for the Future Act, which would authorize increasingly large budgets for NSF — from $11.5 billion in fiscal 2022 to $18.3 billion in fiscal 2026 — “to address major societal challenges and sustain United States leadership in innovation.”
In fiscal 2022, the bill would direct $9.4 billion to research, including through the foundation’s Graduate Research Fellowships Program, and $1.3 billion for “education and human resources,” including $66 million for the CyberCorps Scholarship for Service Program. The legislation would also direct NSF to make grants to “institutions of higher education or non-profit organizations” that will “advance knowledge of risk assessment and predictability.” While it lists “extreme events and natural hazards, including pandemics,” as examples of risks, cybersecurity risks will surely be in the portfolio too.
“Our competitiveness with China and other nations drives much of the national discourse around innovation because our economic and national security depend on our leadership in science and technology,” Johnson said in a statement.
PRICING DIGITAL DIPLOMACY — The Cyber Diplomacy Act (H.R. 1251), a bipartisan House bill that would create a cyber bureau at the State Department, would likely cost $110 million in the five-year period beginning in fiscal 2021, the Congressional Budget Office said in an estimate released Friday. The CBO based its projection on the State Department’s ongoing cyber bureau creation plan, which began in the waning days of the Trump administration. Based on how the department outlined that plan to Congress, the CBO estimated that the new 80-employee bureau would have an average annual budget of $24 million, or $108 million between now and fiscal 2026. The budget office then added $2 million to cover the reports that the House bill would direct the bureau to produce and the “policy coordination committee” that it would establish within the bureau.
The CBO analysis contained a notable caveat, however. “There is some uncertainty about those estimated costs,” the office warned. “The Biden Administration is reviewing the structure and mission of the new bureau and could modify the plan to create it. Any changes could affect its staffing and operating costs. Additionally, costs could be lower than CBO estimates if the department reassigns existing staff and resources to the new bureau.”
HOW MANY NAILS IN THE COFFIN IS THAT? — The election software used in Antrim County, Mich., in 2020 was not rigged or hacked, one of the United States’ leading voting security experts said in a report produced as part of an ongoing lawsuit over the results. The report, which Michigan Secretary of State Jocelyn Benson publicized on Friday, further rebuts a document published in December by a former Republican House candidate’s cybersecurity firm that went viral in right-wing circles for alleging that “systemic fraud” explained Antrim County’s initially inaccurate unofficial results.
A manual audit of Antrim County’s results long ago confirmed that its final official tally was accurate, and the new report by University of Michigan professor J. Alex Halderman backed up that finding. “Although vulnerabilities in election technology are well documented,” Halderman wrote, “the Antrim County incident was not caused by a security breach,” and “the inaccurate unofficial results were a consequence of human error.”
While Halderman stressed that his report was not “a comprehensive security review of Antrim’s voting system,” he did suggest several improvements, including that Michigan’s election office “require election technology … to promptly receive all appropriate security updates.”
TWEET OF THE WEEKEND — Interesting results here…
— Turf wars and political sparring are delaying the nomination of a national cyber director (although Biden says a name is coming “soon”). (POLITICO)
— The Biden administration is trying to improve coordination with industry to fight cyber threats to the power grid. (Bloomberg)
— The chief election officials of Michigan and Ohio signed a charter vowing to promote cybersecurity awareness within their offices and across state government.
— Former Defense Secretary Robert Gates argues for an interesting hybrid DHS-NSA approach to cyber defense.
— DHS Secretary Alejandro Mayorkas dismissed almost the entire membership of the Homeland Security Advisory Council. (POLITICO)
— Google researchers exposed a major counterterrorism hacking operation by a U.S. ally.
— A NATO-affiliated cyber research center reviewed recent major digital security incidents.
— Hackers are trying to breach the email accounts of German lawmakers during an election year. (CyberScoop)
That’s all for today.
Stay in touch with the whole team: Eric Geller ([email protected], @ericgels); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); and Heidi Vogt ([email protected], @heidivogt).