With help from Martin Matishak
Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity.
— Microsoft’s decision to charge extra for security log data has angry lawmakers asking the Biden administration to push the tech giant to change its policies.
— Cybersecurity is a priority for the U.S. and three Asian allies who face digital threats from China, according to a top White House official.
— The State Department said it’s concerned about Russia and China’s push for a cyber arms control agreement but remains committed to participating in a U.N. working group they created.
HAPPY MONDAY and welcome to Morning Cybersecurity! Hope everyone had a safe and delicious Pi Day yesterday. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
‘BOEING DOESN’T CHARGE EXTRA FOR THE BLACK BOX’ — As the Biden administration moves to prevent a repeat of the SolarWinds campaign, DHS’ Cybersecurity and Infrastructure Security Agency is considering one step that has irked key lawmakers: paying Microsoft more money to get expanded access to network logs that will help it spot future SolarWinds-style attacks.
After the hackers first accessed government networks through compromised software updates for a SolarWinds product, they tricked Microsoft’s cloud platform into giving them far-reaching access to federal workers’ emails and other documents. By impersonating legitimate users, they bypassed the government’s traditional cyber defenses. The only way to spot that kind of attack, experts say, is to thoroughly examine logs of user behavior for signs of suspicious activity, such as a login from a country far from an employee’s home.
So why, some lawmakers want to know, does Microsoft charge extra for service tiers that include full log data? “It’s kind of like buying a car” and hearing, “‘Oh, you want airbags with that, and brakes? Well, that’s going to be an upcharge,’” said Rep. Jim Langevin (D-R.I.), who raised the issue with Microsoft President Brad Smith during a Feb. 26 SolarWinds hearing. “That doesn’t sit well with me,” he said, adding that the inaccessibility of log data constitutes “an unacceptable risk.”
House Homeland Security Chair Bennie Thompson (D-Miss.) “has serious concerns about making basic security features an add-on, particularly if additional fees are profit-driven as opposed to cost-driven,” a committee aide told MC. “As far as we know, Boeing doesn’t charge extra for the black box.”
Rep. Lucille Roybal-Allard (D-Calif.), who chairs the House Appropriations Homeland Security Subcommittee, raised the issue during a March 10 hearing with CISA leaders, saying it was “concerning” that CISA planned to spend “a significant portion” of the $650 million that it’s getting from the Covid-19 relief bill on upgrading Microsoft licenses.
CISA hasn’t made any decisions yet, Eric Goldstein, who leads the agency’s cyber division, told MC. CISA intends to ensure that third-party software has “strong and robust logging built in by design,” he said, and upgrading licenses is “one potential course of action that will be evaluated.”
There’s a growing appetite on the Hill for the government to push back on Microsoft. “We need to reexamine how we contract with Microsoft for these … services,” Langevin said, including using agencies’ “substantial purchasing power to ensure taxpayers are not getting a raw deal when it comes to security.” Logs shouldn’t be considered a “profit center,” he added, especially since a lack of access to them hurts Microsoft’s customers and “the broader cyber ecosystem.”
Microsoft wouldn’t explain why it charges extra for vital security data. “We provide different … licensing options for our customers based on their needs,” a company spokesperson said. “Larger organizations may require more advanced capabilities such as a greater depth of security logs and the ability to investigate those logs and take action … It is up to the customer to determine what level of service works best for them.”
Lawmakers understand that CISA may need to pay extra now to fix an urgent vulnerability, but they don’t want it to become a habit. “This is definitely in the ‘never again’ category,” said a congressional aide who requested anonymity to speak candidly.
QUAD GOALS — The U.S., Japan, India and Australia plan to establish working groups on cybersecurity and emerging technologies to evaluate ways to protect themselves from digital threats and make the best use of artificial intelligence, 5G networks and other innovations, National Security Adviser Jake Sullivan told reporters during Friday’s White House press briefing. The decision came as part of a virtual “Quad Leaders Summit” between President Joe Biden and his counterparts from the three Asian allies.
Cyberattacks represent “a common challenge that we face from both state actors and non-state actors,” Sullivan said, “and we do intend to make the Quad a central vehicle for cooperation on cyber.” Japan and other Asian countries face a steady tide of digital intrusions from several of the U.S.’ major cyber adversaries, especially China, whose regional influence the Quad forum is meant to combat. Biden and his counterparts discussed cyber issues during their meeting, Sullivan said, as well as the need to ensure a steady supply of semiconductors from trusted vendors.
The Quad will use its emerging technologies working group to “encourage cooperation on telecommunications deployment [and] diversification of equipment suppliers” as nations’ 5G buildouts proceed amid fears of Chinese market domination, according to a White House fact sheet.
Chinese government hackers are reported to be behind the initial hacks leveraging Microsoft Exchange Server flaws, but Sullivan wouldn’t comment on that attribution. “We will be in a position to attribute that attack at some point in the near future,” he said. “We won’t hide the ball on that. We will come forward and say who we believe perpetrated the attack.”
CAUTIOUSLY OPTIMISTIC — The U.S. remains opposed to binding arms control agreements for cyber capabilities, the State Department said on Friday, a position that will likely lead to escalating tensions with China and Russia. The U.S. reiterated its stance after the latest iteration of the U.N.-sponsored Open-Ended Working Group published its report about the challenges of protecting cyberspace.
“We remain of the view that [information and communications technologies] are simply not susceptible to traditional arms control arrangements,” Michele Markoff, the acting coordinator for cyber issues at State, said in written comments submitted to the OEWG. International law already prohibits certain destructive cyber conduct, such as attacks on hospitals, Markoff wrote, and if countries won’t abide by those prohibitions, “what possible confidence could we gain from negotiating a new treaty instrument?”
The OEWG began as an effort by Russia and China to push a vision for international cyber norms that differs from that of the U.S.-supported Group of Governmental Experts. The U.S. initially opposed the group but ended up participating in it anyway, and Markoff said officials were generally pleased to see the increased dialogue.
The State Department views the latest OEWG report as “a step forward,” Markoff wrote, and hopes to see “a return to consensus-based action” based on voluntary international norms instead of binding treaties.
ANOTHER CISA EXIT — A top CISA official is leaving the agency in May, raising the looming prospect of a vacancy in a role that is critical to CISA’s situational awareness and its ability to provide services to non-federal partners. Rick Driggers, the assistant director of the Integrated Operations Division, will leave in May to continue his cyber career in the private sector, he told MC on Friday.
Driggers initially planned to leave CISA late last year, but he stayed after being tapped to lead IOD, which includes the 24/7 watch center CISA Central, intelligence analysis teams, and security services such as vulnerability assessments for state and local governments. “I wanted to give that some additional time,” he said. “They had a lot of things in the works, and I wanted to make sure I was able to get those things done and get leadership in place.”
Laura Delaney, the deputy assistant director of the division, will take over after Driggers leaves, and the agency is searching for his replacement. Matthew Travis, CISA’s former deputy director, praised Driggers, saying that he and former Director Chris Krebs chose Driggers to lead IOD because “he has always had a great track record of getting results.” CyberScoop first reported Driggers’ departure.
— FBI Director Christopher Wray last week tapped Bryan Vorndran to be the assistant director of the bureau’s cyber division. Vorndran most recently served as the special agent in charge of the FBI’s New Orleans office. Vorndran has served in a variety of roles since joining the bureau in 2003, including helming the agency’s Joint Terrorism Task Force; assistant special agent in charge of the cyber and counterintelligence programs in Baltimore; and the head of the Strategic Operations Section of the Counterterrorism Division at FBI headquarters.
RECENTLY ON PRO CYBERSECURITY — Most of the agencies hit by SolarWinds have completed independent cyber audits … The Biden administration isn’t seeking new domestic surveillance powers to combat hackers … The FCC named the five countries that it will treat as national security threats for regulatory purposes.
— CISA released technical reports about the malware associated with the Exchange hacks.
— Ransomware gangs have jumped into the Exchange hacking frenzy. (CyberScoop)
— Microsoft said that only about 82,000 of 400,000 Exchange servers remained vulnerable.
— Microsoft is investigating whether someone leaked word of the Exchange flaws before it patched them. (Bloomberg)
— Police raided the home of a hacker who helped expose dangerous vulnerabilities in a surveillance camera’s operations. (CyberScoop)
That’s all for today.
Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); and Heidi Vogt ([email protected], @heidivogt).