The Washington Post
Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Industry wants to rein in new hack reporting mandates

Analysis by
September 28, 2021 at 7:44 a.m. EDT

Welcome to The Cybersecurity 202! This must be a particularly French way to protest. 

Below: Apple's sorry about long waits on bug reports and California is the latest state to offer mail voting by default. 

Companies fear overbearing cybersecurity regulations

The tech industry association ITI laid out a softer vision yesterday of how companies should have to report cyberattacks to the federal government.

Its goal: to rein in a bipartisan congressional effort to require companies to alert the government when they’re hacked, which would amount to one of the most significant increases in cybersecurity requirements for industry in years.

The various pieces of legislation share a primary goal: To give the Cybersecurity and Infrastructure Security Agency (CISA), which would receive the reports, better insights about a wave of blistering cyberattacks that have hit critical industry sectors and U.S. government agencies in recent months. CISA would share information from those reports back to industry to help better protect them against future hacks. 

There are two versions of the bills and at least one more in the works. They vary widely, however, in the sorts of cyber incidents companies would have to report to CISA and how quickly the reports would have to come in. 

Industry asks

ITI laid down a marker yesterday for less onerous requirements. The group, which represents Amazon, Google and a slew of other top companies, is pushing for:

  • Only reporting incidents in which companies have verified hackers breached their networks.
  • Giving at least a 72-hour window before those reports must come in.

The list of recommendations is a frontal assault on the first Senate bill, which was sponsored by Intelligence Committee Chairman Mark Warner (D-Va.) and the committee’s top Republican, Marco Rubio (Fla.), among others. That bill called for reports within 24 hours and would require companies to make such reports even if they aren’t sure hackers actually penetrated their computer networks.

The strict requirements have given heartburn to some in the industry who say a time frame of 24 hours is too fast for companies to have useful information about a breach. They warn the requirement could end up stealing valuable time from cyber workers that would be better spent investigating. 

It could also flood CISA with half-baked reports that don’t actually illuminate anything about cyber threats, they warn. 

“I understand why there’s a push to get more information, but getting too much information could be even worse if it places too much burden on industry,” Ari Schwartz, an Obama-era White House cybersecurity official who now works for the law firm Venable, told me. “They need to get to the right balance.”

Warner’s office didn’t respond to a request for comment about the ITI recommendations. 

Uh-oh

The dispute could spell trouble for the bill. Previous efforts to expand government's role in cybersecurity have gotten bogged down for years or scuttled entirely by fights over how much government should require of industry and how to protect company and customer privacy. 

The House version of the bill is far less prescriptive

It would kick most of the big questions, including which cyber incidents should be reported, over to CISA to decide. But it would block the agency from requiring reports faster than 72 hours after a company verifies that a breach occurred.

That bill, sponsored by Rep. Yvette Clarke (D-N.Y.), passed the House last week as part of a major defense policy measure. 

The Warner bill would apply to companies in critical infrastructure sectors, such as energy and finance, and to government contractors and cybersecurity companies. The House bill would focus on critical infrastructure. 

The big wild card

Senate Homeland Security Chairman Gary Peters (D-Mich.) and the committee’s top Republican, Rob Portman (Ohio), are working their own version of the bill. Details of that bill aren’t out yet. 

CISA Director Jen Easterly urged something like a compromise position in testimony before that committee last week. 

She said reports should come in “ideally within 24 hours of detection.” But she also pushed for flexibility for CISA to change requirements based on what the agency learns works best. 

She stressed the agency doesn’t want to put undue burdens on industry or to gather information that’s not ultimately useful. “What we don't want is to have CISA overburdened with erroneous reporting,” she said. “And we don't want to burden a company under duress when they're trying to actually manage a live incident.”

The keys

Apple apologized to a security researcher who said the company “ignored” his reports about iPhone bugs

The company told Denis Tokarev in an email that it’s “still investigating” the iPhone security vulnerabilities he wrote about in a blog post last week, Motherboard’s Lorenzo Franceschi-Bicchierai reports. Tokarev went public about the three vulnerabilities after months of waiting for the company to fix them.

Apple declined to comment.

The high-profile dispute comes just days after Apple publicly released the latest iteration of its iPhone operating system. Security researchers say Apple is slow to fix bugs and doesn’t always pay what they believe they’re owed, my colleague Reed Albergotti reported this month.


CISA is mulling “guerrilla marketing” and working with social media influencers 

The cybersecurity agency is thinking about participating in Comic-Con and South by Southwest in an effort to promote its cybersecurity graphic novels, Politico’s Sam Sabin reports.

“We need interesting content, we need to be compelling,” National Risk Management Center Director Bob Kolasky said.

The marketing blitz is part of an effort to educate the public about disinformation and Russian Internet trolls in the lead-up to the 2022 election. The agency released its first graphic novel in the run-up to the 2020 contest.


California will become the eighth state to have mail-in voting by default

All the state’s registered voters will automatically receive a mail ballot in 2022 and future elections under a bill signed into law by Gov. Gavin Newsom (D). A surge in mail voting was widely credited with helping voters cast ballots safely and securely in 2020, but many states that temporarily expanded mail voting have limited it again since the election. 

California's move stands in stark contrast to Republican-leaning states that have passed additional voting restrictions since the election, such as Florida, Texas, Georgia and Arizona.

The California bill also expands the use of software that helps voters track their ballots, the Los Angeles Times's John Myers reports.

The law will go into effect in January. It applies to both statewide and local elections in California, the largest state by population.

Securing the ballot

CISA wants to see a sealed report on Georgia voting vulnerabilities 

The expert report was submitted as part of a long-running lawsuit challenging the state’s use of voting machines known as ballot marking devices (BMDs). The federal judge in the case sealed the report out of apparent concern it could fuel conspiracy theorists who falsely claim the 2020 election was rigged against former President Donald Trump, The Daily Beast’s Shannon Vavra reports.

The report only focuses on potential future election interference.

But the sealed report has drawn interest from CISA, which helps states protect their elections against hacking, and from states that also use BMD voting machines.

The author of the sealed report, University of Michigan computer science professor J. Alex Halderman, has corresponded with CISA about it and asked the court’s permission to share it with federal officials, Shannon reports. 

Election security advocates are generally split on BMDs. Some argue they create additional opportunities for hacking that don’t exist with hand-marked paper ballots because they introduce more machines into the voting process. Others argue the benefits of BMDs outweigh those risks, including making voting easier for people with disabilities. 

Global cyberspace

Newly-formed international alliances vow to improve cybersecurity, in moves China sees as affront (CyberScoop)

U.S. deports convicted Russian hacker to Russia -TASS (Reuters)

China's Xiaomi hires expert over Lithuania censorship claim (Reuters)

Hill happenings

Senators aim to increase oversight of cryptocurrency mining with new bill (The Hill)

Privacy patch

Clearview AI drops subpoenas of its critics (Politico)

Daybook

  • Cybersecurity officials speak on the second day of the four-day International Wireless Communications Expo today.
  • The Senate Homeland Security and Governmental Affairs Committee holds a hearing on replacing legacy government IT systems today at 2:30 p.m.
  • The Federal School Safety Clearinghouse holds a webinar on cybersecurity for K-12 schools today at 3 p.m.
  • CISA Director Jen Easterly, FBI Deputy Director Paul Abbate, Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang, NSA Cybersecurity Director Rob Joyce and others speak at the Aspen Cyber Summit on Wednesday.
  • TSA Administrator David Pekoske testifies before the House Homeland Security Committee on Wednesday at 9:30 a.m.
  • The Senate Commerce Committee holds a hearing on consumer privacy on Wednesday at 10 a.m.
  • Customs and Border Protection and Department of Homeland Security officials discuss facial recognition technology at a Center for Strategic and International Studies event on Wednesday at 3 p.m.
  • Department of Homeland Security officials testify before the House Homeland Security Committee on Thursday at 2 p.m.

Secure log off

If George W. Bush was there, would they have thrown a choux? Thanks for reading. See you tomorrow.