DOJ ‘very engaged’ already on cyber incident reporting - POLITICO

With help from Eric Geller

A top FBI official tells MC that CISA is working with the FBI to help write new cyber incident reporting rules.

Cybersecurity companies are closely watching congressional data privacy talks as lawmakers prep for a hearing this week.

A recent report about a cyber executive’s role in writing government cyber rules is raising new questions about public-private partnerships.

HAPPY MONDAY, and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin, and shout out to all the other RSA attendees who are also on Covid watch right now. Wishing good health to everyone who attended!

But first, have any tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you’ve got to [email protected]. Follow along at @POLITICOPro and @MorningCybersec. Full team contact info below. Let’s get to it.

DOJ’S ROLE IN HACK REPORTING PROGRAM — When Congress first passed a law requiring certain companies to report significant cyber incidents to CISA, the FBI was nervous about the new program cutting out the bureau’s role in helping companies recover from a breach, hack and all other attacks.

But so far, CISA has been working hard to keep the FBI in the loop to make sure that doesn’t happen, a senior FBI official told Eric at last week’s RSA conference.

“We’re very engaged already with CISA … and they’ve had very much an open-door policy with us, and [been] very inviting to us,” said Bryan Vorndran, the head of the FBI’s Cyber Division.

Since Congress started contemplating the new program, the bureau has been concerned about whether companies will still feel safe talking to the bureau after a breach. Under the new program, reports to CISA will receive liability protections to prevent most lawsuits tied to a breach, creating a safer space for companies to share what happened. That same protection isn’t extended to FBI reports, which has been DOJ’s main objection to the program as written.

But Vorndran said he isn’t worried. “There’s not one example where liability or privilege have come in the way of all of us doing the right thing,” he said. “We don’t really see that in any way impacting our need or a company’s need to build a relationship with the bureau proactively.”

The incident reporting law already implicitly grants the necessary protections for companies, according to one of Vorndran’s senior DOJ colleagues. “The way we read the current provision … we think it is enough to give folks who are going to share similar protections,” Adam Hickey, a deputy assistant attorney general for national security, also told Eric at RSA. Still, Hickey acknowledged that DOJ might have to issue a formal statement interpreting the extent of the protections. “All of us who are lawyers have gotten the question from our counterparts in the private sector, ‘How do you interpret this?’” he said.

Meanwhile, DOJ and CISA are focused on more practical questions during the initial regulatory period (which could last up to two years, although CISA intends to move faster than that). Vorndran summarized some of those challenges: “How should the database be built? How should information be taken into the database? How should information in the database be shared with Sector Risk Management Agencies, with the FBI?”

The incident reporting law also created a Joint Ransomware Task Force to streamline the government’s response to this pressing threat. Vorndran, who’s co-chairing the task force with CISA Cybersecurity Division chief Eric Goldstein, said discussions about the group’s functions are “very preliminary” and “we’re not quite sure yet” what it will actually do. “We’re looking [at], how do we add unique value that hasn’t been already pursued” by other agencies, he said. Talks are currently focusing on issues such as the group’s structure and whether to include private-sector participants (Vorndran predicted that they would be included).

Also from Hickey and Vorndran at RSA: DOJ has increasingly become comfortable reaching directly into Americans’ computers to disable malware as part of the department’s new strategy of disrupting hackers, Eric reported Friday.


SQUEEZING SECURITY IN — When House lawmakers (once again) host a hearing on data privacy legislation later this week, they’ll also be weighing a topic that many other governments have started including in privacy legislation: data security rules for private companies.

Inside a draft privacy bill from leaders of the House Energy and Commerce and Senate Commerce committees is a short, but consequential section requiring companies to “establish, implement and maintain reasonable” data security practices.

The data security section is one of the newer sections that lawmakers have added to federal privacy talks. Drew Bagley, vice president of privacy and cyber policy at CrowdStrike, said it’s also part of a broader trend in global and state-level privacy regulations.

Keep it nimble: One provision Bagley is excited about requires company data security practices to consider “current state of the art” strategies for protecting data. Because of how quickly hackers and nation-state groups change their methods of breaking in, staying up-to-date is key: “For example, many breaches occur without the use of malware, rendering legacy antivirus technologies ineffective,” Bagley said in a statement.

— What other security rules will Congress weigh? During Tuesday’s House Energy and Commerce Committee hearing about the draft bills, lawmakers will also weigh other requirements for data security plans to include timely patching of known security vulnerabilities and mandating employee data security training.

Zooming out: Expect even more cybersecurity firms to start weighing in on Congress’ latest draft privacy bills in the coming weeks. Alissa Starzak, global head of policy at Cloudflare, told MC that while she’s still digging through the meaty draft bills, she’s just excited about any movement on this issue, which has faced repeated stalemates over the last four years.

“We, as long as many other people, have been hoping for privacy legislation for a long time,” she said. “As for the specifics of it, we recognize everything is going to be a compromise, and so practically, just the fact that there’s progress in coming up with legislation is a huge positive from that standpoint.”

WHAT INFLUENCE CAN LOOK LIKE — The critical infrastructure security world hasn’t stopped talking about a Bloomberg story Friday on the involvement of Dragos CEO Robert M. Lee, one of the most well-known critical infrastructure security executives, in crafting a set of government cyber rules that seemingly favored his products. While there’s reason to question Lee’s role in the discussions, the story — and the response to it — offer a glimpse into a larger problem: how the Biden administration’s public-private partnerships with the cyber industry could inadvertently give executives a competitive advantage.

Here’s what happened: According to Bloomberg’s reporting, Lee suggested language favoring his own products when advising on security guidelines for energy companies. But Lee argued in a blog post about the story that profiting from the guidelines was never his goal. He says the description of Neighborhood Keeper, a tool where critical infrastructure operators anonymously share info about cyber threats, intentionally matches the language the Energy Department usually requests in its cyber products, since the product was created through a DOE grant.

Common practice? Dragos isn’t the only company that’s been suspected of pushing its own product in government regulations. Shortly after the story, Kevin Beaumont, a veteran cybersecurity analyst, tweeted about an instance where the company formerly known as FireEye, which has since split into the standalone threat intelligence firm Mandiant and part of newer cyber firm Trellix, worked with NIST to add its tech specs to NIST’s Cybersecurity Framework.

Walking a tough line: Public-private partnerships have become a huge part of the Biden administration’s cyber strategy for a reason: the vast majority of critical infrastructure is owned and operated by the private sector. Without partnerships, the government doesn’t have the insight it needs to size up hacking threats, common vulnerabilities and necessary regulations. But leaning too hard on executives could give them a disproportionate amount of influence.

“Government officials need to treat tech [and] security industry employees — and especially executives, and most especially high executives — very carefully,” said Brian Boyer, a legal consultant for energy companies’ security practices, in a tweet. “Used appropriately, they can be valuable resources. Used inappropriately, their engagement begets corruption or its appearance.”

MEDIA UNDER FIRE — The Computer Emergency Response Team of Ukraine warned over the weekend about an active phishing campaign targeting media outlets — including radio stations, newspapers, news agencies and others — in an effort to infect their networks with malware. CERT-UA said it has “medium certainty” that the Russian military’s Sandworm hacking group is behind the attack, and the hackers appear to be relying on already compromised email accounts to send the messages. So far, CERT-UA has identified more than 500 email targets.

COUNTDOWN TO ZERO — In the weeks since researchers discovered critical vulnerabilities in Microsoft software and Atlassian Confluence servers, hackers have already started targeting the flaws in unpatched systems. On Friday, researchers at Check Point Research said in a report they’ve seen hackers use the Confluence vulnerability to download malware onto affected systems, as well as an entire crypto-mining scheme targeting Linux and Windows machines. And several security firms last week said state-backed hackers are already targeting the Microsoft Follina vulnerability.

Your MC host is obsessed with these depictions of Russian APT groups Cozy Bear and Fancy Bear. Really puts things into perspective. From Shashank Joshi, defense editor at The Economist: “Cosy bear, fancy bear #dalle2.”

— Researchers at Palo Alto Networks are warning this morning of a new campaign from Chinese state-sponsored group Gallium that’s targeting national internet service and telecom providers in nine countries.

— A cybersecurity executive who worked with 2020 election deniers to investigate the vote said in a recent court document that he “forensically examined” the voting system used in Coffee County, Georgia. (The Washington Post)

— Iranian state-sponsored hackers have been using a recently discovered DNS backdoor to target companies in the energy and telecommunications sector. (Bleeping Computer)

— “Conti’s Attack Against Costa Rica Sparks a New Ransomware Era.” (Wired)

— A French academic briefed on an ongoing investigation said France’s internet infrastructure was disrupted in April because of likely radical ecologists cutting the wires, rather than a cyberattack. (CyberScoop)

— Job cuts are starting to hit the cybersecurity industry, too. (CNBC)

Chat soon. 

Stay in touch with the whole team: Eric Geller ([email protected]); Konstantin Kakaes ([email protected]); Maggie Miller ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).