What is (and isn’t) working in Biden’s cyber strategy - POLITICO


— The Biden administration’s cyber partnerships face their biggest test yet after the Russian invasion of Ukraine. MC dives into how they’re holding up.

— Okta’s top government affairs official says he wants to make sure CISA’s cyber incident reporting program takes into account the piecemeal way companies learn more about the cyberattacks they’re facing.

— With Congress in recess, several administration officials will spend part of their week speaking at one of the top global privacy conferences.

HAPPY MONDAY, and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin. What cyber proposals and projects are you planning to catch up on during the two-week congressional recess? I’d love to know more.

Have tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you’ve got to [email protected]. Follow along at @POLITICOPro and @MorningCybersec. Full team contact info below. Let’s get to it:

PROGRESS REPORT — During President Biden’s first year in office, his administration focused heavily on building partnerships — with other governments and the private sector — to tackle the country’s most pressing cyber issues. Now, with the U.S. preparing for possible Russian cyberattacks, those partnerships could very well be tested: How well are law enforcement coordination or government briefings with the private sector actually working?

MC assesses what’s working in these dynamics — and where officials and lawmakers might improve them in future:

What’s working: While international law enforcement partners and government offices were already collaborating to thwart ransomware hackers, legal authorities’ actions in the last week are showing how exactly these partnerships have been put to work after the invasion. Last week, German police worked with U.S. authorities to shut down Hydra, a prominent Russian darknet marketplace. Shortly after the shutdown, the Treasury Department sanctioned both Hydra and crypto exchange Garantex based on information from various global partners.

The Biden administration’s public-private partnerships have also been put to work to better prepare critical infrastructure operators for any Russian attack. Last week, representatives for the water and financial services sectors noted at a House Homeland Security Committee hearing that their companies have been getting warnings and briefings from both the EPA and the Treasury Department about possible threats since at least December. Those briefings — including an FBI briefing last month with more than 100 companies — provide companies with more details about which exact vulnerabilities and hacking groups they need to be prepared to fend off.

What they’re still working on: While the Biden administration’s partnerships have already yielded several successes, some officials already see opportunities to strengthen them. In a letter to Rep. Ted Lieu (D-Calif.) last week, DHS official Alice Lugo encouraged Congress to consider allowing their investigators to use more “administrative subpoenas,” which don’t require a court order, to speed up the pace of cybercrime investigations. (That could receive pushback from those who are worried about how many subpoena powers investigators already have.) Lugo also suggested finding more funds to beef up investigators’ resources.

CISA’s forthcoming mandatory cyber incident program, which would lead to more threat information sharing between the public and private sector, also isn’t operational yet. Although Congress passed the program last month, CISA still has up to two years to even kick start the rulemaking process to determine which exact companies will need to report significant cyber incidents within 72 hours — and what incidents are considered significant.

LESSONS LEARNED — When Okta, the maker of the login authentication tool of the same name, discovered the extent of a data breach that affected more than 300 of its customers late last month, the startup thought the right thing to do was to be transparent and give daily updates about their findings as they investigated what happened.

But Jim Green, head of government affairs at Okta, told your MC host that strategy ended up having unintended consequences: Instead, some people mistakenly interpreted the updates as the company maliciously holding back information, he said.

Now, Green says that experience offers some valuable insights and is shaping how the company would like CISA to set up the 72-hour incident reporting program. The agency will determine which companies need to submit incident reports and what details need to be shared before the deadline once it launches the rule-making process.

What Okta really, really wants: While Green said his team is still finalizing specific asks, so far he has two top-level hopes: Harmonization between U.S. reporting requirements and those in other countries, and ensuring that corporate interests don’t minimize reporting requirements too drastically. “Sometimes corporate America has been seen to make [different issues] small or minimize what is possible,” he said. “I’m not sure that’s right in this moment.”

What happened: Okta has been cleaning up a data breach at one of its suppliers, Sykes Enterprises, in mid-January that led to hackers compromising the data of 366 corporate customers. Sykes reportedly first alerted Okta to the incident in late January, but Okta says it wasn’t aware of how far-reaching the breach ended up being until March when hacking group Lapsus$ posted leaked information from the hack online.

The incident underscores what most companies are worried about when they hear about the 72-hour reporting window: What if they don’t have all the necessary details by then?

But despite the timeline, Green said the 72-hour window is still just right. “It is incumbent upon the private sector and people who have been through it who think about this all the time how to not have unintended consequences,” he said.

Join the club: Okta is far from the only company that’s using its experience with a higher-profile cybersecurity incident to either lobby lawmakers or advise Washington officials and other private sector organizations. For instance, SolarWinds CEO Sudhakar Ramakrishna has become a go-to source for CISA officials and business leaders seeking advice on how to handle a breach.


ON THE AGENDA — Biden administration cyber officials are also preparing to make waves at the International Association of Privacy Professionals’ Global Privacy Summit throughout the week in Washington. While the keynote addresses will be livestreamed, your MC host and tech reporting colleague Rebecca Kern will be on the ground this week to bring y’all updates from the other panel sessions. As the week’s events kick off this evening, here’s what we’re watching for this week:

Data breach and user privacy regulations: FTC Chair Lina Khan will give one of the first keynote remarks this evening. The remarks come as the commission anxiously waits on the Senate to confirm the nominee for its fifth commissioner seat, privacy-focused Alvaro Bedoya, and as the FTC weighs whether to pursue a rulemaking targeting companies’ data security practices.

Dynamic duo: National Cyber Director Chris Inglis and CISA Director Jen Easterly will also give remarks at the conference. Inglis will go first with a fireside chat Tuesday afternoon where he’s expected to discuss both public-private partnerships and his plans to build out the office in the coming months. On Wednesday, Easterly will participate in a discussion about CISA’s role in federal cyber responses and the impact that Biden’s cybersecurity executive order, signed in May, has had on the federal government’s cyber defenses in the last year.

Ransomware response dos and don’ts: Officials from the FBI and the DOJ’s national security division will also give an overview of how and when companies should call their offices after facing a ransomware attack. While the conversation will mostly focus on the basics, the information is taking on greater importance amid the threat of Russian retaliatory cyberattacks as economic sanctions take effect.

SPRINGING FORWARD — Hackers are now actively targeting the recently discovered critical vulnerability known as SpringShell, according to a report Friday from researchers at Trend Micro. So far, hackers are mostly attempting to deploy the Mirai malware strain onto the networks of organizations in Singapore, but it’s still unclear how many organizations worldwide are affected by the vulnerability, which could give hackers remote access to any impacted system. CISA directed federal agencies last week to patch the vulnerability by April 25.

DHS Secretary Alejandro Mayorkas shares some details about his latest field trip: “Last week I met with the incredible @HSI_HQ personnel at the Cyber Crimes Center (C3). I received an overview of their heroic work in saving victims of child exploitation and holding the perpetrators accountable. Their investigative work and commitment are truly extraordinary.”

— European officials are pushing for U.S. cloud companies, including Microsoft, Google and Amazon, to sign onto cybersecurity requirements that go against U.S. surveillance protocols. (POLITICO)

— Hacking group NB65 is using Conti’s leaked ransomware source code to steal Russian organizations’ data and leak it online in retaliation for Russia’s invasion of Ukraine. (Bleeping Computer)

— The recently relaunched Federal Interagency Cybersecurity Forum, led by FCC Chair Jessica Rosenworcel, held its first meeting on Friday to discuss threats posed by the war in Ukraine.

— Experts warn there aren’t enough resources being dedicated to slow the growth of business email compromise scams, which victims lost nearly $2.4 billion to in 2021. (The Associated Press)

— Nigeria’s tech ecosystem has been trying to move away from its reputation for online scams and fraud, but cybersecurity researchers’ continued use of the term “Nigerian Prince scam” has made that difficult. (Wired)

Chat soon.

Stay in touch with the whole team: Eric Geller ([email protected]); Konstantin Kakaes ([email protected]); Maggie Miller ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).




