— Federal policymakers scored their first big win on tackling K-12 cybersecurity issues. Experts say this isn’t the end of the road.
— As the number of cyberattacks grows, so does the pressure on state-level data breach notification laws to understand the extent of these incidents in the private sector.
— A recently uncovered suspected Iranian cyberattack targeting the maritime and shipping sector underscores the growing congressional interest in addressing maritime cybersecurity vulnerabilities.
HAPPY TUESDAY, and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin. Have tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you’ve got to [email protected]. Stay up to date by following @POLITICOPro and @MorningCybersec. (Full team contact info below.) Let’s get to it:
ONE STEP AT A TIME — Now that President Joe Biden has signed what is believed to be the first K-12 cybersecurity-focused law, school cyber experts say the work has only just begun.
The K-12 Cybersecurity Act, introduced by Sens. Gary Peters (D-Mich.) and Rick Scott (R-Fla.), gives CISA 120 days to study the cybersecurity risks facing K-12 schools, including ransomware attacks.
Still, “this is a marathon, not a sprint,” said Doug Levin, national director of the K-12 Security Information Exchange, a nonprofit that facilitates threat information-sharing among schools. “It’s a complicated issue, and I don’t think there are a lot of easy solutions.”
— Making the most of CISA’s study: The agency will consult with teachers, school administrators, federal agencies and other relevant organizations about their cybersecurity problems, and from there CISA will recommend voluntary guidelines to help K-12 schools strengthen their cyber posture. But as Levin points out, the agency has already published recommendations for schools to help fight ransomware and other cyber threats.
While plenty of studies already measure schools’ cyber threats, CISA’s forthcoming report could still be helpful, Levin told MC, so long as it examines solutions to systemic reasons why schools struggle to fight off cyberattacks.
“There’s no shortage of advice being offered to organizations,” he said. “We’re going to need to look under the hood if we really want to understand why that advice hasn’t made a difference.”
— The problems CISA will find: Schools don’t have standardized cybersecurity requirements, leaving some districts more exposed to attacks than others, and they tend to lack the IT expertise on their staffs to properly handle cyber issues, Levin said. And not all schools are required to disclose cyberattacks or data breaches.
THE PROBLEM WITH NOTIFYING IS… — As Congress debates whether to proceed with a federal data breach notification system, a patchwork of notification laws has been filling the void for the private sector. And as the number of high-profile cyberattacks grows, the variety in those laws is becoming more noticeable.
— The latest case study? Cox Media Group’s ransomware attack. After facing a ransomware attack in June, the company formally acknowledged the incident for the first time on Friday after filing a required notification letter with the California attorney general’s office. The letter, first reported by Bleeping Computer, said the company got help from the FBI and that hackers attempted and failed to steal sensitive employee information collected “for human resources purposes.”
The incident underscores the increased pressure on state-level data breach notification laws in the absence of any federal requirements. For instance, the Republican Governors Association only disclosed how its own data was affected by the Microsoft Exchange Server hacks earlier this year through a notification letter filed under Maine’s data breach law.
— But these state laws come with their own obstacles: Each state has its own rules of the road, and often it’s unclear what reporting deadline companies must meet. California’s statute doesn’t specify a reporting timeline, saying only that a disclosure should be made “in the most expedient time possible and without unreasonable delay.” Meanwhile, Maine requires companies to disclose within seven business days of completing an investigation and after law enforcement officers approve the public release.
Congress is starting to become more interested in revisiting the topic of a federal statute — although negotiations about infrastructure, social spending and the debt ceiling will keep them busy the rest of the year. Last week, the Senate Commerce Committee held a data security hearing focused on both federal data breach notification and data security standards for private sector entities.
TAKING TO THE SEA — A discovery this week from Microsoft security researchers is adding to concerns about the mounting cyberattacks against the maritime transportation sector.
Microsoft warned in a report Monday that a hacking group likely linked to the Iranian government targeted more than 250 Office 365 accounts, including those belonging to maritime and cargo transportation companies, as well as defense companies that work with the United States, Israel and the European Union. Hackers used the “password-spraying” technique, in which they repeatedly try new username and password combinations to break in. Researchers estimate that fewer than 20 of those accounts were successfully compromised.
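As an added example (not from the newsletter or from Microsoft's report), the following is a defender-side heuristic for spotting the password-spraying pattern described above in sign-in logs: one source failing against many distinct accounts in a short window, each only once or twice, as opposed to brute force hammering a single account. The log format, domain and addresses are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry); domain and IPs are placeholders.
SAMPLE_LOG = """\
2021-10-11T08:00:01,203.0.113.5,alice@shipping.example,FAIL
2021-10-11T08:00:04,203.0.113.5,bob@shipping.example,FAIL
2021-10-11T08:00:07,203.0.113.5,carol@shipping.example,FAIL
2021-10-11T08:00:10,203.0.113.5,dave@shipping.example,FAIL
2021-10-11T08:00:13,203.0.113.5,erin@shipping.example,FAIL
2021-10-11T08:00:16,203.0.113.5,frank@shipping.example,SUCCESS
2021-10-11T08:05:00,198.51.100.7,carol@shipping.example,FAIL
2021-10-11T08:05:02,198.51.100.7,carol@shipping.example,FAIL
2021-10-11T08:05:04,198.51.100.7,carol@shipping.example,FAIL
2021-10-11T09:00:00,192.0.2.9,alice@shipping.example,FAIL
2021-10-11T09:00:30,192.0.2.9,alice@shipping.example,SUCCESS
"""

def parse_log(text):
    """Parse "timestamp,ip,account,result" lines into tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources whose failures hit >= min_accounts distinct accounts inside
    `window` with <= max_per_account tries each: many accounts, few guesses
    per account, as opposed to brute force hammering one account."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, account))
    alerts = {}
    for ip, fails in by_ip.items():
        for i, (start, _) in enumerate(fails):
            counts = defaultdict(int)
            for ts, account in fails[i:]:
                if ts - start > window:
                    break
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[ip] = sorted(counts)  # accounts touched in the spray
                break
    return alerts

def successes_after_spray(events, alerts):
    """Accounts that signed in successfully from a flagged source: reset/revoke these."""
    return sorted({a for _, ip, a, r in events if ip in alerts and r == "SUCCESS"})
```

The thresholds are tuning knobs; a source that trips `detect_spray` and then produces a success is the case to treat as a likely compromise, which matches the "fewer than 20 of 250" outcome described above.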
— Following a familiar pattern: Iranian state actors are well known for targeting shipping and maritime organizations in both military and cyber attacks, Microsoft said. For instance, Sky News reported in July on classified files believed to belong to Iran that detail how a cyber attack could take down a cargo ship, if necessary.
Just three days earlier, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) penned an op-ed in CyberScoop calling on Congress and the executive branch to “collaborate with one another and take the steps necessary to help manage the risk to the maritime sector.” Earlier last week, the Atlantic Council released a report arguing that the sector’s cybersecurity strategy isn’t enough to address the growing threat.
TOP OF THE LIST — Nearly seven in 10 organizations predict they’ll increase their cybersecurity budgets in 2022, with 25 percent of those firms expecting a double-digit increase, according to PwC’s Global Digital Trust Insights Survey released Monday. Half of organizations say they expect to see more cyberattacks in 2022 than this year.
GROWING CONCERN — Nearly two-thirds of American adults (62 percent) say they’re extremely or very concerned about a data breach involving their personal information, including identity and financial records, according to a survey released Monday and conducted Sept. 9-13 by the Pearson Institute and The Associated Press. Sixty-eight percent have the same level of concern about cyberattacks on financial institutions, and 67 percent said the same about attacks on national security and defense systems.
— Know thy enemy: Adults also view China and Russia as the United States’ top nation-state cybersecurity threats, with 73 percent saying Beijing was a “big threat” and 72 percent saying the same about Russia.
Charlie Bell, a former long-time senior executive at Amazon Web Services, has officially started his new position at Microsoft leading a new cybersecurity engineering team after reaching a resolution with AWS … Riya Anandwala, formerly the director of industry communications at the Consumer Technology Association, is joining cryptocurrency exchange Bullish.
Let’s give a warm MC welcome to Microsoft associate general counsel Cristin Goodwin’s new small kitten: “Hi Twitter! I’m new here!”
— ICYMI: “White House plans ‘whole-of-government’ approach to cryptocurrency” (POLITICO)
— The Office of Management and Budget is giving federal agencies 90 days to provide CISA with access to their endpoint detection and response systems as a part of the implementation of Biden’s cyber executive order, according to a memo sent Friday. (FedScoop)
— Google pulled policy-violating ads that promoted spyware apps in search results after journalists noticed them last week. (TechCrunch)
— Pacific City Bank has started notifying customers about a ransomware attack that happened in August. (Bleeping Computer)
— “The covid tech that is intimately tied to China’s surveillance state” (MIT Technology Review)
— Opinion: “We need to talk about how Apple is normalising surveillance” (Wired UK)
Stay in touch with the whole team: Eric Geller ([email protected]); Bob King ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).