A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
A newsletter briefing on cybersecurity news and policy.
Welcome to The Cybersecurity 202! The video gamer in me finds all the partially empty, green “percent estimated vote” bars on TV to be stressful, as if Election Day isn’t stressful enough. I need those bars to be full. At least drink a potion or try to find a power-up.
Below: Cyber officials don’t see significant Election Day cyberthreats, and election deniers win major midterm races. First:
Election Day on Tuesday has left command of Congress up in the air.
But we can say this much: bipartisan attention to cybersecurity could drop off in the next congressional session regardless of which party controls the House and Senate when all the votes are tallied.
The GOP leaders of the House and Senate homeland security panels, Sen. Rob Portman (R-Ohio) and Rep. John Katko (R-N.Y.), have earned reputations as among the more moderate members in their chambers and for working with Democrats to pass cybersecurity legislation. Both are retiring, and it’s not clear if the cybersecurity policy momentum will continue.
Cybersecurity is also losing another key lawmaker in Congress with the retirement of Rep. Jim Langevin (D-R.I.), a bipartisan dealmaker with longtime cyber policymaking expertise who helped some of the bigger cyber measures become law in recent years. Langevin has also helmed the cybersecurity subcommittee of the House Armed Services Committee.
Langevin’s subcommittee and the House and Senate homeland security panels have been at the center of most of the major cyber legislation in recent years.
“It’s definitely going to hurt our proactive public policy as it relates to cyber,” Tom Kellermann, who served on an influential cybersecurity commission with Langevin and now works as senior vice president for Contrast Security, told me. “All three of those representatives and senators have been leaders in cyber. … They really see cyber as a national security and economic imperative, and they treated it in a bipartisan fashion — what might be the only bipartisan issue on the Hill.”
Both Langevin’s perch and the Homeland Security panels have played a big role in advancing meaningful cybersecurity legislation of late. “The Defense Authorization Act has really been the steroids for American cybersecurity over the past few years,” Kellerman said.
In order to get some of those cybersecurity provisions into the annual defense bill, leaders of the Cyberspace Solarium Commission had to get 180 clearances.
“I think it’s important to recognize how pivotal our colleague Jim Langevin was in doing that,” Rep. Mike Gallagher (R-Wis.) told me in September. Because of Langevin’s leadership on the House panel and “his indefatigable efforts in this space, we were able to get a lot passed,” Gallagher said. “And I don’t think it would have been possible without his help.”
The Homeland Security committees, meanwhile, played a key role in advancing one of the biggest cybersecurity bills Congress has passed yet. That law established requirements for critical infrastructure owners to report major attacks and ransomware payments to the federal government.
People tracking the issue inside and outside Congress who spoke on the condition of anonymity think that either Rand Paul (R-Ky.) or James Lankford (R-Okla.) will take over for Portman on the Senate Homeland Security and Governmental Affairs Committee. (A cyber-aside: Lankford defeated a cybersecurity pro, Democrat Madison Horn, in the midterms.) Neither Paul’s nor Lankford’s office responded to an offer to comment on this story.
Paul could instead choose to take the top Republican spot on the Health, Education, Labor and Pensions Committee. But his track record of working on cybersecurity legislation in the past is thin, and many expect that he’d focus on investigating the Biden administration on other matters if he takes the Homeland spot.
Lankford has taken more of an interest in cyber and has demonstrated a history of working with Democrats on it, too.
Among the leading contenders to replace Katko as the top Republican member on the House Homeland Security Committee are Dan Crenshaw (Tex.) and Mark Green (Tenn.).
Crenshaw has “unique experience” in cybersecurity among other prospective candidates for top GOP member of the Homeland Security Committee and would make it a “top priority,” Kara Zupkus, a spokesperson for Crenshaw, told me.
Cybersecurity would “continue to be a top focus” for Green if he served as top GOP member of the Homeland Security panel, according to spokesperson Rachel del Guidice.
Other potential candidates include Michael Guest (Miss.), Clay Higgins (La.), Dan Bishop (N.C.) and Scott Perry (Pa.). Whoever’s in charge, they’d also probably scrutinize Homeland Security Department efforts to counter what the department labels as disinformation.
Katko’s replacement could have his time consumed by subjects other than cybersecurity.
Should the GOP take control of the House, as appears likely, Rep. Kevin McCarthy (R-Calif.), who is expected to become House speaker, has said border security will be a caucus priority. The Homeland Security panel would surely be key for that. A push to impeach DHS Secretary Alejandro Mayorkas, should it emerge, could also consume much of the committee’s time.
Should Democrats lose their grip on the House and Senate, the Biden administration would find less support for its plans to seek additional regulatory authority on cybersecurity.
“If the Republicans take control of Congress, there will be no regulation,” Kellerman said.
CISA’s budget has grown significantly since its inception. It got $1.7 billion in its first year in fiscal 2018, and is on course for more than $2.9 billion in fiscal 2023. Cyber spending has increased elsewhere, too. Republicans in charge of either chamber might want to take a closer look at that.
“It’s fair to say that when it comes to cybersecurity, you have seen both authorities and budgets of agencies handling cybersecurity grow over the last several years,” Andrew Howell, a partner at the lobbying firm Monument Policy who has tech clients, told me. “Assuming Republicans take the House, they will certainly conduct rigorous oversight from both the appropriations and authorization perspective. If Republicans also take the Senate, expect that to happen there, too.”
Election officials in areas like Maricopa County, Ariz., worked to battle misinformation on Tuesday, my colleagues Isaac Stanley-Becker and Drew Harwell report. Meanwhile, officials at the CISA told reporters that many of the cyberthreats that election officers faced were low-level website disruptions, and that officials were able to bring websites online.
A senior CISA official said the agency was aware that potential distributed denial-of-service attacks — in which a flood of malicious internet traffic overwhelms a website — affected some websites belonging to state election offices and political campaigns. One such DDoS attack knocked down the Mississippi secretary of state’s office, for example. The websites were usually quickly restored, an official said.
Vote counts to date left uncertain whether any prominent election-denying candidates for secretary of state, such as Arizona’s Mark Finchem or Michigan’s Kristina Karamo, won. That’s a key position; in some states, it’s the top election official.
But plenty of election deniers have won other races. As of this morning 164 people who denied the results of the 2020 election won their midterm races, Adrian Blanco, Daniel Wolfe and Amy Gardner report. The races span elections for House, Senate and key statewide offices.
“Candidates who have challenged or refused to accept President Biden’s victory — 51 percent of the 569 analyzed by The Washington Post — are running in every region of the country and in nearly every state,” according to the story.
The Treasury Department said in a statement that Tornado Cash was sanctioned for “enabling malicious cyber activities” that ultimately supported North Korea’s weapons of mass destruction program. The reissued sanctions come exactly three months after the U.S. government first sanctioned the cryptocurrency service. At the time, U.S. authorities said Tornado Cash had been used to launder $7 billion in cryptocurrency, including hundreds of millions of dollars worth of cryptocurrency stolen by North Korean hackers.
Nigerian fraudster Hushpuppi sentenced to 11 years in U.S. prison (Victoria Bisset)
Cyber police hacked beyond court order Case 3000 (Jerusalem Post)
It’s magic.. 😅 pic.twitter.com/CTaFRoKg5A
Thanks for reading. See you tomorrow.