— The next defense policy bill is just around the corner, and MC has a roundup of the cyber policy items that experts most want to see tucked into the legislation.
— The EPA and the NSA have completed recent cyber tasks involving water systems and sensitive government networks, but many other projects remain incomplete.
— CISA weighed in on a hot-button voting security debate, but its conclusions likely won’t settle the issue.
HAPPY TUESDAY, and welcome back to Morning Cybersecurity! I’m Eric Geller, filling in for Sam Sabin. I wrote this newsletter on a flight home from a Star Wars convention, where I spent four days hanging out with friends and getting early looks at incredible new TV shows, books and other stories. What a delightful vacation.
Have any tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you’ve got to [email protected] and [email protected]. Follow along at @POLITICOPro and @MorningCybersec. Full team contact info below. Let’s get to it.
EVERYTHING BUT THE KITCHEN SINK — Do you hear the merry rustling of papers? Do you smell the fresh scent of printer toner? That’s right, everyone — it’s National Defense Authorization Act season again. The annual defense policy bill has become a go-to vehicle for cyber legislation, with lawmakers focused on digital security seizing every opportunity to attach uncontroversial measures to the must-pass bill. With the armed services committees holding NDAA markups throughout June, MC asked cyber experts what they hope to see included this year.
— Systemically important critical infrastructure: One of the biggest remaining priorities from the congressionally chartered Cyberspace Solarium Commission’s report is a new designation for the most vital U.S. critical infrastructure, a label that would require those entities to meet higher cybersecurity standards — potentially with third-party assessments — in exchange for priority government support. Companies “will get increased access to intelligence information, maybe even an opportunity to shape the [intelligence] collection, and most importantly some improved liability protection” after nation-state intrusions, said Mark Montgomery, the commission’s executive director.
“SICI” is a top priority for retiring Solarium member Rep. Jim Langevin (D-R.I.), and CISA is already hard at work identifying what Director Jen Easterly is instead calling “primary systemically important entities.”
— A better portal for information sharing: Solarium also recommended the creation of a Joint Collaborative Environment where government agencies and industry partners could submit cyber threat information and use advanced analytics to process big data sets of hacking indicators. Advocates have said that this portal could facilitate better data sharing among members of CISA’s new Joint Cyber Defense Collaborative. Montgomery cited this proposal, now called the “Cyber Threat Information Collaboration Environment Program,” as an NDAA priority.
— Streamlining tech contracting: Aging federal computer systems are ripe for hacking, but efforts to upgrade them have yielded mixed results. Henry Young, director of policy at the software trade group BSA, urged Congress to simplify the process for participating in the Pentagon’s Cybersecurity Maturity Model Certification program, which aims to bring commercial providers of secure, modern software into the Defense Department. CMMC should offer “flexibility with how we demonstrate compliance,” Young said, especially to help smaller firms enter the CMMC marketplace.
— Improving cyber diplomacy: The House has passed legislation creating a State Department bureau focused on providing cyber aid to allies, promoting norms of responsible digital behavior and helping to develop secure technology standards. But that bill, the Cyber Diplomacy Act, H.R. 1251, has languished in the Senate. The Biden administration recently stood up a bureau on its own, but the legislation’s backers say it’s important to codify this work as a message to allies and a bulwark against the bureau’s elimination under a future administration. Montgomery urged Congress to pass the bill.
— Protecting software: Recent cyberattacks such as the SolarWinds campaign have highlighted how software supply chains remain opaque and vulnerable to tampering. To set an example for the rest of the government, Young said the NDAA should direct the Pentagon to clarify its policies for when and how it uses open source software. BSA also wants to see better coordination between various agencies responsible for software supply chain security, such as CISA and NIST. Young also encouraged lawmakers to support the development of usable models for software bills of materials, which provide transparency about the code used in each piece of software.
CLOCK’S TICKING — As Congress keeps passing cyber legislation, the requirements for agencies to complete studies, reports and policy changes have been piling up. But how much have agencies actually accomplished? Here’s where a few key projects stand. MC will keep providing updates on these and other tasks in the months ahead.
— Studying water cybersecurity: The bipartisan infrastructure law, H.R. 3684, gave the EPA until May 14 to develop a “prioritization framework” to identify public water systems whose disruption would create significant public health and safety problems, with the agency required to report to Congress on its framework by May 24. The EPA has completed those tasks, according to Associate Administrator for Public Affairs Lindsay Hamilton, who said the agency submitted the required reports last week.
— Protecting national security systems: In a Jan. 8 memorandum, President Joe Biden ordered the NSA to undertake several efforts to identify and protect the most sensitive military and intelligence computer systems. These tasks included accelerating cloud adoption, protecting critical software and improving incident response plans. The NSA has completed all of the tasks assigned to it, spokesperson Daniel Bases told MC.
MC is still waiting to hear from agencies about the following work:
— By March 27, agencies were supposed to begin reporting to CISA and GSA if they still used any public websites without .gov domains, which CISA has been trying to promote for their security and authenticity benefits.
— By May 12, according to Biden’s cyber executive order, DHS was supposed to recommend language for inclusion in all federal contracts that would require companies to comply with NIST’s software supply chain security and critical software protection guidance.
— By May 14, according to the infrastructure law, the Energy Department was supposed to create a program to provide cyber grants and technical aid to rural and municipal electric utilities. By the same deadline, FERC was supposed to conduct a study to identify ways to encourage utilities to make cyber investments and participate in threat information sharing programs.
— The fiscal 2021 NDAA, H.R. 6395, required CISA to brief Congress on a wide range of topics in April and May, including its technical assistance to state and local governments, its plan for addressing cyber education funding needs, its work with FEMA to create the new Cyber Response and Recovery Fund and the extent of its shared services offerings to other agencies. And a recent OMB memorandum gave CISA until April 6 to create a best-practices document to help agencies set up endpoint detection and response software.
And that’s just the tip of the iceberg. MC has yet to hear back from agencies about 127 cyber tasks that they’ve been assigned in legislation and executive action since the beginning of 2021.
IT’S UNDER CONTROL — CISA has found no evidence that hackers took advantage of security vulnerabilities in Dominion’s electronic voting machines to tamper with U.S. elections, but the agency has been notifying election officials about those flaws to ensure that mitigations are deployed.
“We have no evidence that these vulnerabilities have been exploited and no evidence that they have affected any election results,” CISA Executive Director Brandon Wales said in a statement to MC.
CISA’s conclusion, contained in an advisory that the agency shared with election officials, comes as activists spar in a federal court with the secretary of state of Georgia, which uses the machines statewide, over whether the machines are unconstitutionally unreliable. As part of the case, a judge granted University of Michigan voting security expert Alex Halderman complete access to a Dominion machine, and Halderman produced a massive report that he said described serious vulnerabilities. For security reasons, the judge sealed the report, but CISA requested and received a copy in order to produce an advisory about it.
Ultimately, CISA found, standard election administration procedures “would detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely,” Wales said, which “makes it very unlikely that these vulnerabilities could affect an election.”
Halderman told MC that the problems he’d discovered “are serious in nature” and encouraged jurisdictions using the Dominion machines to “diligently and promptly take specific actions that CISA urges in the advisory.” He also cautioned that neither CISA nor Georgia’s analyses of the flaws were “the type of investigation that could determine” if they were being exploited, although he said he too lacked evidence of such.
CISA’s analysis is short — only five pages — compared to Halderman’s 100-page report, according to The Washington Post, which first reported on the agency’s conclusion. Wales told MC that CISA will release the advisory “soon.”
It’s unlikely that CISA’s findings will tamp down criticism of electronic voting machines, which some security experts dislike because voters rarely review their paper printouts before casting them to ensure that the machines tallied their votes correctly. These machines, known as ballot-marking devices, have become a popular replacement for paperless machines that nearly every state has now eliminated, but many experts prefer reserving them for voters with disabilities.
Magnet Forensics’ Matt Suiche poses a fun question: “What’s the best exploit name you heard about?”
— A New York man received a four-year prison sentence for participating in the cybercrime work of the Infraud Organization.
— As part of the process of joining a NATO-affiliated cyber research center, Ukraine on Monday participated in its first meeting of the center’s steering committee.
— A venture capitalist pushing internet voting is buying ads criticizing a D.C. Council member who’s refusing to move a bill to test mobile voting. (Washington City Paper)
— Cybersecurity researchers have spotted a new Microsoft Office zero-day vulnerability that abuses a Word template feature. (Threatpost)
— Five Democratic senators asked Apple and Google to ensure that apps in their stores didn’t compromise the privacy of people seeking abortions.
That’s all for today! Thanks for reading.
Stay in touch with the whole team: Eric Geller ([email protected]); Konstantin Kakaes ([email protected]); Maggie Miller ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).