A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
Welcome to The Cybersecurity 202! Octopuses, you just stay being the charming jerks you always have been.
Below: FBI Director Christopher A. Wray weighs in on TikTok, and an alleged hacker is arrested in Switzerland. First:
For years, the U.S. government has honed plans for how to keep itself operating if a huge catastrophe struck — from the Cold War and the advent of nuclear weapons to 9/11.
Almost two years ago, Congress directed the Biden administration to develop a similar plan to keep the economy functioning in the event of a national-level cyberattack. It’s been crickets ever since.
On Tuesday, Rep. Andrew R. Garbarino (R-N.Y.) asked Department of Homeland Security Secretary Alejandro Mayorkas again about progress on the “continuity of the economy” plan. His answer:
“I’ll look forward to following up on that for you and responding swiftly,” Mayorkas said at a hearing of the House Homeland Security Committee. “I’ll have to look into that, where the report that is due to you is.”
The question probably shouldn’t have surprised Mayorkas, since Garbarino and Rep. Mike Gallagher (R-Wis.) asked Mayorkas and other administration officials about it in a letter two weeks ago, too.
Congress gave the administration two years to develop the plan, but with the deadline approaching in less than two months, the administration hasn’t made so much as a peep about it.
Garbarino wrote in his letter that as of spring this year, the White House had tasked DHS’s Cybersecurity and Infrastructure Security Agency with leading the development of the plan.
That decision to send the job to CISA was “pretty much setting the agency up for failure,” coming 15 months after Congress originally asked the administration to take action, Garbarino said.
But developing the plan “is a national security imperative for the safety, security and prosperity of the United States,” Garbarino said.
Like much of congressional cybersecurity action in recent years, the idea for a continuity of the economy plan sprung from the Cyberspace Solarium Commission, which Congress established to study cyber policy questions and develop recommendations.
“We recommend that the government institute a Continuity of the Economy plan to ensure that we can rapidly restore critical functions across corporations and industry sectors, and get the economy back up and running after a catastrophic cyberattack,” the March, 2020 final report reads. “Such a plan is a fundamental pillar of deterrence — a way to tell our adversaries that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack against us.”
The 2021 fiscal year defense policy bill, signed into law in January of last year, said the cyber plan should, among other steps:
Garbarino, the top Republican on the Homeland Security panel’s cybersecurity subcommittee, also asked CISA Director Jen Easterly and others about progress on the plan in December of last year, but said he didn’t get an answer then, either. Congress has given CISA $200,000 to help develop the plan, he said in his more recent letter.
“As the Great Power Competition with Russia and China continues to unfold on the world stage, the United States faces cyberthreats across all sectors of our economy from adversarial nations who seek to sow discord within the Homeland and reduce our ability to flow forces and project power,” the letter states. “Given this reality, it is unfathomable that since you received the requirement to develop a COTE plan in January 2021, there appears to be little to no progress on the implementation of this authority.”
It might seem a bit wonky that simply developing a plan could be such a big deal. But at a panel discussion I moderated in August, Gallagher, who co-chaired the Cyberspace Solarium Commission, said it was the top unfinished recommendation he wanted to see completed.
It’s not likely at this point that CISA will meet the congressional deadline, Mark Montgomery, who served as executive director of the Solarium panel, told me.
As originally conceived, DHS would be just one of the Cabinet agencies advising the president on the plan, alongside the departments of Commerce, Transportation and others. Despite the additional money from Congress, CISA’s team might still be “under-resourced,” Montgomery said.
“You don’t send a whole-of-government issue to one federal agency,” said Montgomery, who is now the executive director of the organization tracking progress on Solarium recommendations and senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies think tank. “That kind of shortchanges the system.”
“My guess is that the best that they’ll have in January is a plan for a plan,” he said. “That’s a partial success.”
FBI Director Christopher A. Wray told lawmakers at a House Homeland Security Committee hearing that the FBI has “national security concerns” about the popular video app, including the Chinese government’s potential ability to collect data on users or control the app’s algorithms or software. TikTok, which has denied that it poses such a threat, has agreed on some initial terms for a deal with the U.S. government’s Committee on Foreign Investment in the United States (CFIUS), but the deal isn’t close to a clear outcome, my colleagues reported last month.
“The FBI’s foreign investment unit working through the Department of Justice is part of the CFIUS process and would be relevant,” Wray said in response to questions from Rep. Diana Harshbarger (R-Tenn.). “Our input would be taken into account in any agreements that might be made to address the issue.”
Vyacheslav “Tank” Penchukov was arrested in Switzerland three weeks ago — around eight years after U.S. prosecutors unveiled criminal charges against Penchukov and other alleged hackers whom they accused of targeting companies with Zeus malware, journalist Brian Krebs reports. Penchukov evaded capture for years, partly by being well-connected, Krebs writes.
“Ultimately, Penchukov’s political connections helped him evade prosecution by Ukrainian cybercrime investigators for many years,” Krebs writes. “The late son of former Ukrainian President Viktor Yanukovych (Viktor Yanukovych Jr.) would serve as godfather to Tank’s daughter Miloslava. Through his connections to the Yanukovych family, Tank was able to establish contact with key insiders in top tiers of the Ukrainian government, including law enforcement.” The FBI declined to comment to Krebs.
China’s cyber capabilities ‘pose a serious threat’ to U.S., advisory panel warns (NextGov)
Medibank defends decision to not pay hackers ransom, as it contacts 480,000 customers (Australian Broadcasting Corporation)
E.U. approves 15 percent defense budget increase as ministers sign off on joint military CERT (The Record)
US advises academic researchers on stopping Chinese spying (Bloomberg News)
Breaches of personal data at DOD have doubled since 2015 (FCW)
Thanks for reading. See you tomorrow.