With help from Maggie Miller and Kelsey Tamborrino
— A handful of critical infrastructure and cyber working training provisions will hang in the balance as the Senate revisits its China competition package this week.
— The use of facial recognition to identify people in Ukraine is worrying privacy advocates.
— CISA Director Jen Easterly is setting out to have half of the country’s cyber roles filled by women by 2030.
HAPPY MONDAY, and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin. I’ve been spending the last few weeks digging into what has — and hasn’t — changed in the cybercrime world since the invasion of Ukraine, and everyone seems to have a slightly different answer. Have thoughts to share? Hit me up.
Have tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you’ve got to [email protected]. Follow along at @POLITICOPro and @MorningCybersec. Full team contact info below. Let’s get to it:
DEJA VU — If all goes according to plan for Senate Majority Leader Chuck Schumer this week, we could see some movement on his closely watched China competition package, which includes cyber provisions focused on cybersecurity worker training and battling disinformation.
Schumer has promised to bring his bill to the floor this week. To do that, he’s likely to just drop the text of the Senate’s U.S. Innovation and Competition Act into the House’s America COMPETES Act and leave it up to a conference committee to negotiate the difference between the two.
While most of the headlines have focused on the legislation’s big-ticket $52 billion in funding for domestic semiconductor production, cyber-minded lawmakers, lobbyists and industry leaders will be watching closely to make sure that the following cyber items remain in the package:
— Laying a foundation for funding: USICA includes a provision establishing a program at the Department of Homeland Security to allow the agency to study the physical and cyber threats facing the different U.S. critical infrastructure sectors. The process, which plays off of a recommendation from the Cyberspace Solarium Commission, would give the federal government a good base point for determining which critical infrastructure risks to prioritize each year.
— State Department disinformation funding: Both bills provide the State Department’s Global Engagement Center, which is designed to counter foreign disinformation and propaganda, with $150 million in funding to increase its ability to fight these campaigns ahead of the midterm elections.
— CyberCorps investments: The House bill expands the budget for an ROTC-like program for the federal cyber workforce, known as CyberCorps, from $60 million to $90 million. The program awards scholarships to enrollees in cyber degree programs, and in return, participating students promise to work for the U.S. government for up to four years in a cyber-related position. The new funds would allow the CyberCorps to increase the number of students it accepts as well as the number of universities and community colleges it can partner with.
Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.
DOUBLE TAKE — When government officials and nascent open source intelligence researchers want to track down someone who has gone missing, died or fled Ukraine, they often turn to facial recognition. Even some surveillance companies have started offering their services to groups in the region: Clearview AI CEO Hoan Ton-That announced last week his company has given Ukraine’s defense ministry free access to his company’s powerful facial recognition technology.
But the growing reliance on facial recognition throughout Ukraine is also amplifying many of its flaws, like false positive matches and racial biases, privacy advocates warn.
“When it’s being deployed in an active war zone, the risks are so much graver,” said Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project. “I’m terrified to think about the Ukrainian refugees who are fleeing for their lives, who are stopped at a checkpoint and who, because of a facial recognition error, aren’t wrongly arrested — they might be shot.”
So far, the Ukrainian government hasn’t said whether it’s using Clearview’s facial recognition technologies — or any other vendor’s biometric tech — to identify people crossing borders or who have died in battle. And Clearview did not respond to MC’s questions about whether or how the Ukrainian government is using its product.
And it’s not just Clearview that advocates are worried about. Some researchers and journalists have started running their own facial recognition scans to identify people in photos of Ukraine and sharing those results publicly. Henk van Ess, a member of the investigative news group Bellingcat, received criticism last week over a Twitter thread detailing his attempt to identify a woman believed to be a Ukrainian refugee in Russia. (The initial matches he posted were later proven wrong.)
— Different strokes: While critics see facial recognition’s use in Ukraine as an example of why it should be banned completely, the libertarian Cato Institute argued in a post Thursday that the war in Ukraine shows that the policy focus should instead be on placing restraints on its deployment so it can be used ethically.
But, if you ask Cahn, ethical uses of facial recognition just don’t exist: “Yeah, there are some facial recognition systems that are worse than others, there are some uses that are more dangerous than others,” he said. “But at its core, the technology is too biased, too error-prone and, when it works, too primed for misuse to actually be used safely.”
LET’S GO, GIRLS — CISA officials are leaning into Women’s History Month to take on one of the agency’s top priorities: addressing the shortage of women in cybersecurity.
As Maggie writes in, Easterly pledged in remarks Friday to bring the percentage of women in cybersecurity roles across the U.S. up to 50 percent by 2030. That figure is just about 20 percent currently.
“We have the technical skills, and we have the emotional intelligence,” Easterly said at the Women in Cybersecurity Conference. “I have seen the future of cybersecurity, and sisters, it’s us.”
— Getting started: Easterly’s renewed effort comes less than a year after the Department of Homeland Security announced a partnership with the Girl Scouts of America to educate girls grades six through 12 on cybersecurity, and after CISA announced a separate partnership with nonprofit group Girls Who Code to increase awareness of cyber careers.
— An uphill battle: The lack of diversity in cybersecurity is an ongoing problem for both the government and private sector. The Aspen Institute’s Tech Policy Hub found in a report last year that roughly 24 percent of cybersecurity workers self-identify as women, while 9 percent identify as Black and 4 percent as Hispanic.
“If we don’t do something about it, there is still going to be 3.5 million unfilled cybersecurity jobs by the year 2025,” Easterly said, adding that “without more women in our field, we know we are missing out on incredible talent.”
SHUT IT DOWN — The Energy Department has prohibited the use of encrypted messaging applications, including WhatsApp and Signal, on department-issued mobile devices and technology equipment, according to a document obtained by POLITICO’s Kelsey Tamborrino. The guidance, sent to staff March 17, also prohibited staffers from downloading the encrypted messaging apps onto their own personal devices to handle government business, unless approved by DOE. A DOE spokesperson confirmed the guidance.
DOE’s move comes as more lawmakers raise concerns about the potential for government officials to use encrypted messaging apps to skirt rules governing the public’s access to information, including through the Freedom of Information Act.
“Using encrypted messaging applications, such as Signal and WhatsApp, creates risks that Federal records may not be properly retained as required by law and DOE policy,” Deputy Energy Secretary David Turk wrote to staff.
— The final countdown: The guidance said WhatsApp or Signal will be removed from all DOE-issued devices starting on April 4 and set a March 30 deadline to preserve any records created through the applications.
Are you seeing similar guidance at other government agencies? I’d love to hear about it.
KEEP ON SWIMMING — In the three months since security researchers discovered a critical security flaw in open source code Log4j, 70 percent of the 3 million IT assets that were vulnerable have been patched, according to a report from Qualys released Friday. It took most IT professionals an average of 17 days to fix the Log4j flaw once it was detected, but the number of potential attacks targeting the vulnerabilities “trended down” in the beginning of the year, as IT teams deployed “mitigating controls and patches.”
— Matt Ashburn is joining Langley Cyber as its chief strategy officer. He is a former CIA officer who has served as the chief information security officer for the National Security Council.
— Benjamin Haas is now principal senior adviser in the Office of the National Cyber Director. He most recently was senior adviser in the Bureau of Democracy, Human Rights and Labor at the State Department.
The Ukrainian internet is still mostly up and running, more than three weeks into the war. Doug Madory, director of internet analysis at Kentik, explains why: “Despite many outages, Ukraine’s Internet is still online due in part to the heroic efforts by local techs fixing disruptions at great risk to themselves. A [thread] of 30-day snapshots of Ukrainian internet connectivity…”
— Mark your calendars: Biden is planning to send his fiscal 2023 budget request next Monday. (POLITICO)
— The National Rifle Association confirmed it was the target of a ransomware attack last fall. (Gizmodo)
— “Inside the plan to fix America’s never-ending cybersecurity failures.” (MIT Technology Review)
— Italy is planning to direct all agencies to replace Russia-based Kaspersky’s antitrust software, according to a draft notice. The notice follows a broader mandate in Germany directing all organizations to purge Kaspersky from its systems. (Reuters)
— The Russian cyber onslaught everyone expected during the invasion of Ukraine hasn’t happened. Why is that? (Bloomberg)
— Researchers at Proofpoint released a report this morning detailing a phishing campaign targeting French government, real estate and construction organizations through emails pretending to be about privacy law violations.
Stay in touch with the whole team: Eric Geller ([email protected]); Konstantin Kakaes ([email protected]) ; Maggie Miller ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).