Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— With Congress back in session, we break down the cyber issues — including impending nominations — that will likely receive sustained oversight in the weeks ahead.
— Key lawmakers still have concerns about cyber funding despite generally praising the White House’s budget request for it.
— The last White House cyber coordinator just took up his new post leading the NSA’s defensive cyber division, a role that’s expected to suit him well.
HAPPY MONDAY and welcome to Morning Cybersecurity! NASA’s Mars helicopter hit a small speed bump, but your MC host is sure that this very good robot will be flying in no time. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
CONGRESSIONAL CYBER CHECKLIST — The House and Senate are back in session today, and while President Joe Biden’s infrastructure proposal is likely to dominate chatter on the Hill for the foreseeable future, cyber watchers should pay close attention to how lawmakers approach the following issues on their near- and medium-term to-do list:
— Scrutinizing Biden’s new cyber nominees. The president on Monday will nominate two former NSA officials and a former DHS official to key cyber positions, according to The Washington Post. Chris Inglis, the NSA’s former deputy director, will be named as the new national cyber director, while Jen Easterly will be named to lead DHS’ Cybersecurity and Infrastructure Security Agency. Both Inglis and Easterly had been rumored to be the front-runners for the national cyber director position, which Congress created last year. Meanwhile, Rob Silvers, the previously rumored front-runner to be CISA director, will instead get the job of DHS under secretary for policy, a role in which he will focus on cyber issues, the Post reported late Sunday night. (Inglis, Easterly and Silvers did not respond to requests for comment.) Biden’s expected announcements of these nominations will kickstart a Senate confirmation process that could draw out important indications from Inglis, Easterly and Silvers about how they intend to approach these critical jobs at a time of mounting digtal threats.
— SolarWinds and Microsoft Exchange. Scrutinizing the Biden administration’s response to these two major cyber campaigns will obviously be at the top of lawmakers’ list. The Senate Homeland Security Committee last week signaled what it’s keeping its eye on, asking CISA for information about its marquee federal network monitoring programs and questioning the Office of Management and Budget about the division of responsibility between various agencies. Your MC host has tallied half a dozen letters from lawmakers to the executive branch — most sent in the waning days of the Trump administration — seeking information about SolarWinds. As the government moves from expelling the suspected Russian hackers to fixing the problems they exploited, expect future inquiries to focus on the status of those improvements.
— Does the intelligence community need more authorities? This has been one of the thorniest debates to emerge from the SolarWinds and Exchange crises, and it has implications far beyond the response to those specific campaigns. Advanced hackers are increasingly exploiting the fact that intelligence agencies can’t collect data domestically like they can overseas. The Biden administration has said that it prefers to work with the private sector to gather the necessary insights into hackers’ behavior, but some national security experts want to see the NSA in particular do more to protect U.S. networks — and some lawmakers may agree. This issue is likely to come up during Wednesday and Thursday’s worldwide threats hearings with intelligence chiefs.
— How should the U.S. push back? As Martin wrote in a recent story, Biden faces few good options for combating Russian and Chinese digital threats, with the most aggressive approaches risking severe blowback and escalation. But lawmakers don’t like hearing “sanctions and indictments” over and over again. They want to know what else Biden is considering. Intelligence agencies just sent Biden their report on SolarWinds and Russia’s 2020 election interference, but White House press secretary Jen Psaki said Thursday that any retaliation is still “weeks” away.
— What to do about CISA? As yours truly wrote recently, despite an emergency infusion of funding in Biden’s Covid-19 relief bill, the U.S.’ lead cyber agency is still struggling to spot evolving threats and keep up with all the requests for aid from other federal agencies, state and local governments and private companies. There’s bipartisan support for increasing CISA’s regular appropriations, but Republicans in particular have signaled that they want to know what they’re getting for their money. “Heightened oversight will naturally follow any increase in agency responsibility,” House Homeland Security ranking member John Katko (R-N.Y.) told your MC host. Biden requested a tiny boost for CISA in his so-called skinny budget, and his forthcoming cyber executive order is expected to put the agency at the center of several reforms. Look for lawmakers to scrutinize that directive closely — and to keep asking Biden when he’ll nominate a director for CISA.
— How to help state and local governments? For many lawmakers, their most direct experience with cyberattacks comes from ransomware crippling businesses in their districts. Members of Congress frequently bring up local ransomware incidents during cyber-focused hearings. As such, it’s not surprising that boosting state and local cyber grants is a top priority for many lawmakers. House Homeland Security cyber subcommittee chair Yvette Clarke (D-N.Y.), who talked about this in her recent POLITICO Q&A, said last week that she’ll soon reintroduce her local government cyber grants bill. Such a program would seem to fit naturally into Biden’s infrastructure plan, but the big question here is whether lawmakers who are already divided over how much to spend on that bill can come together on a relatively small-ticket item like this one.
SPEAKING OF BIDEN’S BUDGET — The president’s request for boosted cybersecurity funding drew praise from some of the lawmakers most focused on the issue. “In the face of growing cyber threats, President Biden has demonstrated a robust commitment to improving our nation’s cyber defenses, and I applaud his recognition of this urgent need,” said Rep. Jim Langevin (D-R.I.), the co-chair of the Congressional Cybersecurity Caucus. House Homeland Security Chair Bennie Thompson (D-Miss.) praised the request for reflecting “the Biden Administration’s commitment to improve cybersecurity” and “invest in researching and developing modern technologies.”
But even some of the praise came with caveats. Katko, for example, praised Biden’s inclusion of $20 million for a Cyber Response and Recovery Fund to aid state and local governments, but he said the budget’s “modest improvements in CISA funding” were only “a first step” and reiterated his call for CISA to become “a $5 billion agency in the coming years.” Langevin, too, urged more funding for CISA, saying, “We can be even bolder in our vision for the nation’s premiere cybersecurity agency.” He pointedly referred to the funding request as merely “a starting point.”
A FAMILIAR FACE RETURNS TO FORT MEADE — Rob Joyce has started his new job as the NSA’s Director of Cybersecurity, the spy agency announced on Friday, putting one of the nation’s most experienced cyber officials in charge of the NSA directorate that works with the private sector to protect critical computer networks from hackers. Joyce’s new role could help the NSA further win over industry partners who may still be uneasy about working closely with the secretive agency, which only launched its defense-focused Cybersecurity Directorate in 2019.
Joyce, who spent a year as former President Donald Trump’s cybersecurity coordinator before the Trump White House axed his position, took over the directorate from Anne Neuberger, whom Biden appointed to the new post of deputy national security adviser for cyber and emerging technology, essentially the successor to Joyce’s old role. As cyber coordinator, Joyce was a constant presence at conferences and private industry briefings, developing relationships with executives at key companies and serving as the face of federal cyber initiatives. Joyce “has worked to establish strong partnerships across the U.S. Government, industry, and allies, throughout his tenure,” the NSA said, “and will continue these efforts in his new position.”
Joyce took up the post after returning to the U.S. from the U.K., where he had been serving as the NSA’s liaison to the British government. In that role, he worked closely with the U.K. spy agency Government Communications Headquarters, or GCHQ. That agency’s cyber arm, the National Cyber Security Centre, has received praise among some American cyber experts who say the U.S. should adopt its approach to nationwide cyber defense.
— Hackers have been using the contact forms on their victims’ websites to deliver malware to them, relying on these forms’ legitimate Google-owned server infrastructure to bypass security defenses, Microsoft researchers said on Friday. The attackers fill out the contact form with an urgent-sounding invitation to download a file, which generates an automatic email to the website owner from a trusted address. The deceptive message contains a link to a malicious file hosted on Google Sites, which helps the attackers evade detection. The file infects the victim’s computer with the IcedID malware, which Microsoft said “can be used for reconnaissance and data exfiltration, and can lead to additional malware payloads, including ransomware.” IcedID, originally designed as a simple banking trojan, “has evolved to become an entry point for more sophisticated threats, including human-operated ransomware,” according to Microsoft.
— The mobile app for the APKPure third-party Android app store contained malware that could have generated fraudulent ad clicks, signed victims up for costly subscription services and downloaded other malicious code, according to a report out Friday from Kaspersky Lab. A recent version of the APKPure app — which must be manually installed, as it is not available on the Google Play Store — shipped with a Trojan that Kaspersky described as standard-issue mobile malware. On old versions of Android that lack modern security protections, this malware could not only download further code but also install it in an unremovable way. Kaspersky notified APKPure and reported that the company “promptly” fixed the problem.
TWEET OF THE WEEKEND — Nothing to see here, folks!
— There’s no evidence yet of a cyberattack in the power outage at an Iranian nuclear enrichment site previously hit by the Stuxnet malware. (New York Times)
— Federal regulators are finalizing a strict cyber incident reporting rule for financial services companies. (CyberScoop)
— Yet another leaked Facebook phone number database. (Motherboard)
— A NATO-affiliated cyber research center is getting ready to host its latest massive “live-fire cyber defense exercise.”
— House Oversight Committee Republicans said good riddance to the Election Assistance Commission’s inspector general, whom they accused of failing to investigate a suspicious California elections contract.
— Trump lawyer Joe diGenova apologized to former CISA Director Chris Krebs for calling for his execution.
— HHS’ inspector general released its annual review of the department’s information security program.
That’s all for today.
Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); and Heidi Vogt ([email protected], @heidivogt).
