Senate finally passes big cyber bills

Despite Biden’s cyber-free SOTU, it was a great day for cybersecurity on the Hill

Correction: This post has been updated to correct the cyber incident reporting deadline.

The big cyber energy was not at the State of the Union address last night, but rather in the Senate.

Hours before President Biden’s speech, the chamber passed the most significant cybersecurity legislation in history – including a mandate for companies in critical sectors to alert the government when they are hacked or when they pay ransoms to hackers.

The measure narrowly failed to become law last year amid senatorial wrangling. But this time it crossed the finish line – spurred in part by growing concern over Russian cyberattacks following the invasion of Ukraine and the punitive sanctions imposed by the United States and its allies.

“As our nation continues to support Ukraine, we must prepare for retaliatory cyberattacks from the Russian government,” Senate Homeland Security Chairman Gary Peters (D-Mich.), one of the bill’s main sponsors, warned.

He called the bill “a significant step forward in ensuring that the United States can fight back against cybercriminals and foreign adversaries.”

The Senate also passed two other cyber measures:

  • A measure that updates 20-year-old rules on how government agencies handle their information security
  • Another measure that updates how the government assesses and manages the cybersecurity of the cloud computing systems used by federal agencies

The House has yet to pass its version of the incident reporting measure, but the odds seem good. The chamber easily included a version of the measure as an amendment to a must-pass defense policy bill last year, when the Senate fumbled it at the finish line.

The measure marks a step change in the way the government deals with cyber threats. This is the first time that Congress has imposed a cyber mandate on a wide range of critical infrastructure companies – a category that includes companies in energy, transportation, financial services, health care and many other areas.

This comes after years of trying to manage cybersecurity almost entirely through voluntary cooperation from companies. That model has led to significant improvements, but has not kept pace with the enormous growth of cyber threats, according to most cybersecurity professionals and policymakers.

How big is the change? The last cyber bill to have such a broad impact on the private sector was passed in 2015, and it simply gave companies legal cover to voluntarily share cyber threat information with the government. That bill only narrowly passed, and the idea of stronger measures was basically unthinkable for years.

There are two main objectives for the bill.

First, the Cybersecurity and Infrastructure Security Agency (CISA) wants to quickly share the big insights from the reports with other companies that may face similar cyberattacks. This can be particularly critical during rapid events, such as a wave of Russian cyberattacks.

  • “At a time when we face significant threats from Russian cyberattacks against our institutions and our allies, it is more important than ever that the government has a sense of what those threats are,” Sen. Mark Warner (D-Va.), a supporter of the bill, said.

Second, the bill will give CISA a general overview of the number and type of cyberattacks that hit American businesses every day. These are questions that are extremely difficult to answer at this time due to major loopholes in data breach reporting laws.

  • The measure was passed despite opposition from some critical infrastructure sectors. They complained that the bill’s definition of a “substantial cyber incident” is too vague and that the 72-hour reporting deadline is often too fast to share useful information.
  • Senate Majority Leader Chuck Schumer (D-N.Y.) claimed these companies “came to see the light” in the Senate, but there is little evidence that their concerns have been fully allayed.

Here’s more from Schumer, via Politico’s Eric Geller on Twitter:

Despite skyrocketing cyber tensions between Russia and the West, Biden made no mention of cybersecurity during his speech last night. Would you like an overview of the cyber-reporters who complain about it? Of course you would.

Wall Street Journal’s Dustin Volz:

Martin Matishak from Record:

CyberScoop’s Joe Warminsky:

Ukrainian volunteer cyber army targets Russian critical infrastructure

The volunteer group of cyber pros, which formed in the wake of Russia’s invasion, plans to launch disruptive hacks targeting the railways, power grid and other services that could help Russia move troops and weapons into Ukraine, Reuters’s Joel Schechtman, Christopher Bing and James Pearson report.

This is a significant escalation from the website takedowns and downgrades the group has primarily focused on so far. But it’s far from clear that the band of cyber patriots will be able to cause much damage in Russia, which has relatively advanced digital defenses.

Targets include “anything that could stop the war,” Egor Aushev, a Ukrainian businessman and cybersecurity expert who is helping organize the effort, told Reuters.

Experts worry that the proliferation of outside groups launching digital attacks in the Ukraine conflict is increasing the chances of dangerous mistakes that could harm civilians or escalate cyber tensions between Russia and the West.

Ukraine wants to cut off Russia from the Internet. Experts say that’s a bad idea.

Ukrainian officials have asked Internet governance organization ICANN to end use of the “.ru” country code, revoke certificates for those domains, and shut down some Russian servers to prevent the spread of Russian propaganda. These measures would effectively prevent people outside of Russia from accessing Russian websites and make it more difficult for people in Russia to access sites outside the country.

But such actions would make ordinary Russians more vulnerable to hackers, experts warn. In particular, it would be easier to surreptitiously spy on their web traffic and harvest any personal information they enter, CyberScoop’s Tonya Riley reports.

The decision would also politicize the fragile balancing act of ICANN, a worldwide group of volunteers who administer the Internet and work primarily by consensus.

“It’s the complete opposite of what we need,” security researcher Runa Sandvik told Tonya. “We have to make sure that the Russian people see what is happening and what their government is doing.”

Ukraine also said it would ask a regional Internet registry to block Russian members from using IP addresses. The registry declined, its board saying it would remain neutral.

DC Council passes bill to regulate government employees’ use of messaging apps

The legislation is designed to ensure public officials’ communications on WhatsApp and other messaging apps are subject to public disclosure laws, Michael Brice-Saddler reports. The bill was spurred by a February report from Axios DC which found that DC Mayor Muriel Bowser’s (D) administration uses WhatsApp “extensively” for government communications.

“After learning about the use of encrypted messaging apps by members of the executive, there is an urgent need for us to increase transparency in district government,” DC Council Chairman Phil Mendelson (D) said when he introduced the legislation. “I understand that many in government would like to conduct their business privately. But this is contrary to long-standing policy. We value open government. We don’t like automatic deletion.”

Bowser said she supports efforts to ensure the records are preserved ahead of the Council’s unanimous vote on the measure. But she criticized the council for not applying the bill to itself, calling the discrepancy “the height of hypocrisy.”

Mendelson referenced rules that already require council members to keep their messages on non-government devices. A spokesperson for Bowser did not respond to a request for comment on the bill.

Replacing outdated voting machines across the country would cost hundreds of millions of dollars

According to a report from the Brennan Center at New York University and the group Verified Voting, it would cost more than $350 million to replace voting equipment that is now more than a decade old and more likely to suffer from cyber weaknesses.

  • Senior intelligence and law enforcement officials testify before the House Intelligence Committee on Global Threats at 10 a.m. Tuesday.

Thanks for reading. See you tomorrow.
