Presented by VMware: Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.
Oct 18, 2021

By Sam Sabin

With help from Eric Geller

Quick Fix

The Cyberspace Solarium Commission has been trying to update a Cold War-era law to prepare for the mother-of-all cyber emergencies. But industry says there aren’t many details about what this would look like.

As the Biden administration ramps up its crackdown on cybercriminal use of cryptocurrencies, the industry has a familiar refrain: We’re not the only problem.

Missouri Gov. Mike Parson’s recent threat against a journalist for discovering a data security vulnerability is part of a decades-long trend of prosecuting security researchers for such discoveries.

HAPPY MONDAY, and welcome back to Weekly Cybersecurity! I’m your host, Sam Sabin, and it seems I’m the one person on the planet who watched the premiere of Succession and didn’t tweet about it? Don’t worry, my inbox is still open for all hot, and even lukewarm, takes.

Have tips, secrets or cat photos to share with MC? Send what you’ve got to ssabin@politico.com. Stay up to date by following @POLITICOPro and @MorningCybersec. (Full team contact info below.) Let’s get to it:

On the Hill

WHAT’S THE HOLD UP — Despite Congress’ heightened focus on cybersecurity in the annual defense budget and infrastructure packages, the Cyberspace Solarium Commission’s most ambitious policy ideas are still struggling to gain political momentum in Congress.

The most distinctive example: a proposal to include cybersecurity firms under the 1950 Defense Production Act, which would allow the government to tap private cyber firms for help in emergencies such as a debilitating attack on a critical infrastructure firm or, most likely, a pandemic-sized cyberattack on the supply chain. As Eric reports for Pros this morning, cybersecurity firms and their customers have been telling the commission that they’re worried about how the directive would work in practice: Will a government directive end up overruling their existing contracts and ultimately sour relationships with clients? And do they have enough employees to help in a meaningful way if the government taps them?

Although it’s a Cold War-era regulation, the DPA has had a huge role in current politics. Just look at the pandemic. Both the Trump and Biden administrations have used the law to direct companies to produce masks, ventilators and other emergency pandemic supplies. This proposal would mean the government could impose similar mandates on companies if there’s ever a country-shattering cyberattack.

While this isn’t the only commission proposal facing an uphill battle, this proposal’s lack of momentum stems from something different than other proposals: No one knows what the logistics would look like. That’s because the type of cybersecurity emergency that this proposal is designed for hasn’t happened (yet). So no one knows what exactly they need to lobby for or what hiring goal they need to set their sights on. “No one was laying in the road against it,” a person close to the commission told Eric, “but everyone was uncertain of what’s exactly required.”


Ransomware

NOT JUST US — The cryptocurrency industry has a familiar response to the Treasury Department’s latest warning shot to digital currency companies: Ransomware and cybercrime aren’t just about us.

On Friday, the Treasury Department published two ransomware-related items: the Office of Foreign Assets Control released guidelines for virtual currency shops on ridding their platforms of criminal use of cryptocurrencies, and the Financial Crimes Enforcement Network shared data on the amount of crypto payments suspected to be tied to ransomware activity.

But while the crypto industry mostly supported the actions, some shops focused on bringing attention to other ransomware policy solutions in statements to MC: Blockchain Association Executive Director Kristin Smith called the guidance a “positive first step,” but added that the rise of ransomware can also be halted through “the incorporation of proper cyber-security frameworks and prevention mechanisms.” Coinbase didn’t provide a comment on the specific guidance but pointed MC to a company blog post from July titled, “Ransomware is a scourge, but eliminating cryptocurrencies won’t make it go away.”

It’s not just the companies: A senior Treasury Department official also said in a panel discussion following Friday’s announcement that it’s time to refocus the ransomware fight on other areas, such as implementing President Joe Biden’s cybersecurity executive order. “Just attacking the crypto ecosystem is not going to fix the core problem, which is cyber vulnerabilities across multiple sectors,” said Todd Conklin, counselor to the deputy Treasury secretary, during crypto forensic company TRM Labs’ panel.

Why now: In recent weeks, the federal government has placed special attention on how cryptocurrency enables ransomware payments. A group of more than 30 countries promised Thursday to work with cryptocurrency providers and exchanges to promote ransomware-related information sharing. And the Justice Department earlier this month established a national cryptocurrency enforcement team especially focused on cybercrime and money laundering cases.

But regulators have good reason to target crypto payments: FinCEN estimates that companies paid $590 million in ransom in the first six months of 2021, a 42 percent jump from the $416 million paid in all of 2020.

Cybercrime

BLOWING THE WHISTLE — Missouri Gov. Mike Parson (R) caught a lot of flak online last week, even from CISA Director Jen Easterly, for threatening to prosecute a journalist who discovered a data security flaw in a state government website.

But Parson is far from the first one to attempt to send journalists or security researchers to jail for discovering security vulnerabilities — underscoring enforcement flaws in the nation’s preeminent hacking law that still exist today.

Before becoming known as a far-right hacktivist, Andrew Auernheimer was at the center of a yearslong legal battle to determine if a computer hacking law was legally applied. Auernheimer, who goes by the hacker name “weev,” accessed customer identification numbers and email addresses for about 120,000 iPad users through a security flaw in AT&T’s network that left the information publicly available. A court sentenced him to three-and-a-half years in prison in 2012, but he was released early in 2014 due to a technicality.

Bret McDanel spent 16 months in prison in the early 2000s for alerting his former employer to a flaw that allowed the company’s users to view each other’s emails. When the employer declined to fix the flaw, McDanel made the vulnerabilities public on his own, prompting the company to issue a patch. McDanel was convicted of violating the Computer Fraud and Abuse Act for notifying the public about the issue, though the U.S. attorney’s office in Los Angeles eventually overturned the conviction and ruled that McDanel was a whistleblower, not a computer hacker.

Tip of the iceberg: It’s not just these cases. “There are a lot of others where well-meaning people got in trouble for telling someone their shit was broken and had to call me,” ACLU lawyer Jennifer Granick said in a tweet last week.

How does Missouri’s case stack up: For one, state prosecutors haven’t filed criminal charges against the journalist, Josh Renaud of the St. Louis Post-Dispatch. Parson has only threatened to. Also, Renaud could have two additional things going for him: before publishing the details of the security flaw on the state education department’s website, he waited until a security patch was issued, and he can benefit from journalistic legal protections.

Time for legal changes? The Computer Fraud and Abuse Act has come under increased legal scrutiny in recent years for allowing journalists and security researchers to be arrested for disclosing cybersecurity flaws. While the Supreme Court narrowed the scope of the law in June, plenty of questions about how to apply the CFAA still stand.

Vulnerabilities

FIRST IN POLITICO: HOSPITALS UNDER SIEGE — One in 10 healthcare industry chief information security officers said their facility had to divert patient care to another place due to a cybersecurity incident in the past year, according to a survey released this morning by the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security.

— In the survey, which was conducted among the two organizations’ members, two-thirds of respondents said they dealt with a security incident this year. More than 80 percent also said their cyber insurance costs increased during the same period.

People on the Move

Pam Walker has joined VMware as the director of government relations and lead on public sector and procurement policies. She previously was the policy analysis lead at Splunk and led public sector and procurement policy at the Information Technology Industry Council … Mike Schmuhl, former Pete for America campaign manager, and Eric Goldwater, former chief financial officer at SKDK, are joining LangleyCyber as a principal and CFO, respectively.

Tweet of the Day

From cybersecurity engineer Casey, who runs the InfoSec blog Caseyis: “being aware of cybersecurity doesn’t feel very good”

Chat soon.

Stay in touch with the whole team: Eric Geller (egeller@politico.com); Bob King (bking@politico.com); Sam Sabin (ssabin@politico.com); and Heidi Vogt (hvogt@politico.com).
