Washington’s cybersecurity wish list for 2022


Quick Fix

Cyber incident reporting legislation and bolstering the cyber workforce top former officials and industry leaders’ wish list in the new year.

Biden’s ransomware talks with Russia are in jeopardy as Russian military forces continue massing on the Ukrainian border, cyber diplomacy experts tell MC.

Security professionals spent the weekend scrambling to trace the fallout from an easily exploited security hole affecting dozens of tech vendors. But the lack of insight about which vendors exactly used the affected code means the extent of the damage won’t be known for weeks.

HAPPY MONDAY, and welcome to Morning Cybersecurity! I’m your host, Sam Sabin. This is MC’s last week of publication before the end-of-year holidays. Time flies! Help us leave 2021 on a high note this week by sending all of your juiciest secrets, tips and exclusives to [email protected]. Stay up to date by following @POLITICOPro and @MorningCybersec. (Full team contact info below.) Let’s get to it:

On the Hill

ALL WE WANT FOR 2022 — With the end-of-year holidays right around the corner, many involved in the cybersecurity industry and cyber policymaking are turning their attention to their 2022 priorities, from hashing out a new plan to pass cyber incident reporting in Congress to keeping track of the implementation of President Joe Biden’s cybersecurity executive order. Your MC host caught up with a few former administration officials, researchers and industry leaders to see what tops their cyber policy wish lists in the new year:

Passing cyber incident reporting: Top of mind for most cyber policy officials and industry leaders in the new year: mandatory incident reporting legislation that was knocked out of this year’s defense policy bill last week. Congressional aides, lawmakers and lobbyists have previously told MC that they’re confident the bipartisan legislation requiring critical infrastructure operators and contractors to report cyber incidents to the government has enough momentum to pass on its own. David Kris, former head of DOJ’s national security division and current founder of Culper Partners, put this legislation at the top of his list.

Bolstering the cyber workforce: Recorded Future’s ransomware analyst Allan Liska is focusing on creative solutions to tackle the shortage of experienced cybersecurity workers in the United States. Liska told MC he wants to see the AmeriCorps program expand to include cybersecurity professionals. “Using the existing AmeriCorps framework, recent graduates could get real world experience and organizations — including small towns and school districts — could enhance their security capabilities, thus keeping everyone safer while getting the next generation of security professionals fully trained,” he said.

More public awareness campaigns: Lisa Plaggemier, National Cyber Alliance’s interim executive director, told MC she wants to see the federal government roll out more public awareness campaigns about cybersecurity threats in the new year, and she’d like to see cybersecurity marketing campaigns turn away from using fear as a motivator to get people to use better cyber hygiene practices, such as multi-factor authentication. “The motivation to do those things should be the peace of mind you’ll feel once you’ve done them, as opposed to ‘you’re being attacked, you’re under threat,’” she said, adding that “fear, uncertainty and doubt” are counterproductive messages.

Building on the foundation: Some want to see the Biden administration build on the cybersecurity policy and regulatory foundation it laid in 2021. To Michael Daniel of the Cyber Threat Alliance, that means fully staffing the Office of the National Cyber Director, strengthening new alliances with allies to tackle cybercrime and continuing to implement the president’s cybersecurity executive order.


Russia

UKRAINE’S CYBER SPILLOVER — Ransomware diplomacy between President Joe Biden and Russian President Vladimir Putin doesn’t stand a chance if the conflict on the Ukrainian border continues to escalate, international cyber experts told MC.

“If the overall Russia-U.S. relationship continues to deteriorate, there’s certainly an impact that will have on whether or not the Russians and Putin are going to play ball to do something with respect to the ransomware actors who operate in their territory,” Chris Painter, a former top cyber diplomat during the Obama administration, told MC.

For months, Biden has been having semi-regular phone calls with Putin about the number of ransomware criminals operating out of Russia, including several who targeted U.S. critical infrastructure earlier this year. The two leaders also discussed the ransomware problem during a highly anticipated video call last week about the growing Russian military presence on the Ukrainian border.

But if Russia decides to invade Ukraine, cyber diplomacy experts don’t see a path forward for any sort of ransomware talks. “From the Russian perspective, all these geopolitical issues are linked,” said Dmitri Alperovitch, a Crowdstrike co-founder and executive chair of the Silverado Policy Accelerator. “They are not going to do us any favors on the cyber front if they believe we will retaliate with severe economic sanctions for their action against Ukraine.”

Without Russian cooperation, the Biden administration could become more willing to pursue disruptive cyber operations against Russian cybercriminals themselves, Painter said, similar to the U.S. Cyber Command’s recent involvement in disrupting REvil’s online infrastructure.

Preparing for the worst: The Biden administration has been preparing for weeks for a Russian invasion of Ukraine. The G-7 condemned Russia’s “military build-up and aggressive rhetoric towards Ukraine” in a statement Sunday. Secretary of State Antony Blinken also said during an appearance on Meet the Press on Sunday that the U.S. is “continuing to shore up Ukraine’s defenses” and they’re “looking at what NATO can do, if necessary.”

The possibility of the Russian government weaponizing cyber tools in the Ukraine conflict is also on the Biden administration’s radar. “Could the Russian government choose a different course here — one in which they rely more heavily on information operation, cyber, and destabilization activities inside Ukraine? Yes, they certainly could do that,” a senior administration official told reporters last week.

Vulnerabilities

BRACING FOR IMPACT — Several days after the disclosure of an unpatched vulnerability found in a popular piece of open source code, cybersecurity professionals, researchers and policy officials are still trying to determine the extent of the damage the security flaw can cause once hackers exploit it.

Late last week, CISA and several security researchers warned about a critical security flaw in Log4j, an open source framework in Apache servers that’s used to keep track of activity inside an application. While Apache released a fix the same day, hackers were already scanning the internet for affected systems and built tools to easily exploit them once discovered.

But the fixes rely on end-users patching their systems on their own, leaving room for the flawed systems to remain vulnerable and for hackers to find opportunities to access a system for weeks to come. Affected technology vendors include Apple, Steam, Amazon, Tesla and Microsoft’s Minecraft and LinkedIn. Rob Joyce, the NSA’s director of cybersecurity, also said the agency’s open source tool to reverse engineer cyberattacks, called GHIDRA, was affected.

Not helping matters: Cloudflare Chief Executive Matthew Prince said Saturday that the earliest evidence his company has found of a Log4j exploit was “at least nine days before” public disclosure.

Fixes so far: In addition to Apache’s security update, Minecraft released an updated version of its affected Java edition. Cybereason released code on GitHub that will help any organization patch its systems. The NSA also released an update to GHIDRA.

Open source code’s cyber woes: The latest zero-day vulnerability highlights the scope of open source code in popular technology, and the security hurdles that come with it. Three people moderate Apache’s Log4j project on a volunteer basis, meaning they don’t have the same resources major corporations do to scan for flaws and release patches.

Push for a software bill of materials: CISA Director Jen Easterly said in a statement Saturday that the incident underscores the importance of developing software bills of materials, which act as an ingredient list of the code that can be found in a product. In theory, if products had come with a software bill of materials in this case, their operators could have simply looked up whether they were running Log4j’s code and needed to worry about the vulnerability disclosure.
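To make the SBOM lookup concrete, here is an added example (not code from the newsletter, CISA or the Log4j project) that walks a CycloneDX-style SBOM and reports every copy of the log4j-core library below a fixed version. The SBOM contents, the version numbers in it and the `FIXED_VERSION` constant are all constructed placeholders; a real check would take the fixed version from Apache’s advisory and the SBOM from the vendor.

```python
import json
import re

# Constructed CycloneDX-style SBOM for an imaginary product. The component
# names and versions are placeholders, not a real vendor's inventory. Note the
# copy of log4j-core nested inside another component: SBOMs can be hierarchical,
# so a flat scan of the top-level list would miss it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.11.0",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.11.0"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.11.0"},
        {"type": "library", "group": "com.example", "name": "widgets", "version": "3.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.3.0"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.99.0"},
    ],
})

# Placeholder threshold: substitute the version the vendor advisory names as fixed.
FIXED_VERSION = "2.99.0"

TARGET_GROUP = "org.apache.logging.log4j"
TARGET_NAME = "log4j-core"


def parse_version(version: str) -> tuple:
    """Turn '2.11.0' (or '2.11.0-rc1') into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def walk_components(components: list):
    """Yield every component, descending into nested component lists."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def find_log4j_core(sbom_json: str) -> list:
    """Return all log4j-core components found anywhere in the SBOM."""
    sbom = json.loads(sbom_json)
    return [
        comp for comp in walk_components(sbom.get("components", []))
        if comp.get("group") == TARGET_GROUP and comp.get("name") == TARGET_NAME
    ]


def vulnerable_components(sbom_json: str, fixed: str = FIXED_VERSION) -> list:
    """Return (coordinate, version) pairs for log4j-core copies older than `fixed`."""
    fixed_tuple = parse_version(fixed)
    findings = []
    for comp in find_log4j_core(sbom_json):
        version = comp.get("version", "")
        if not version or parse_version(version) < fixed_tuple:
            findings.append((f"{comp['group']}:{comp['name']}", version or "unknown"))
    return findings


if __name__ == "__main__":
    for coordinate, version in vulnerable_components(SAMPLE_SBOM):
        print(f"needs patching: {coordinate} {version}")
```

The recursive walk is the point of the example: the second finding only appears because the scan descends into the `widgets` component, which is exactly the "what you can't find" problem an SBOM is meant to solve. A component with no version field is reported as unknown rather than silently passed, since an SBOM that omits versions cannot clear a product.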

CISA

GET IN FORMATION — During the first meeting of CISA’s new cybersecurity advisory committee Friday, the committee named Thomas Fanning, president and CEO of the Southern Company, as the chair and Ron Green, chief security officer at Mastercard, as vice chair. The committee also named five subcommittees focused on the cyber workforce, cyber hygiene practices, relationships with the hacker community, mis- and disinformation targeting critical infrastructure and systemic risks to both cyber and physical infrastructure. Eric has more for Pros about the meeting.

People on the Move

Daniel Sutherland has left his role as chief counsel at CISA. … Heli Tiirmaa-Klaar, Estonia’s cyber diplomat, is leaving public service to join the Digital Society Institute as its new director.

Tweet of the Day

From Daniel Miessler, Robinhood’s head of vulnerability management and application security: “This week the internet has learned—once again—that asset management is the center of security. It’s hard to patch what you can’t find.”

Quick Bytes

— The White House is now requiring the FBI and other agencies to provide details to senior officials about severe cyber incidents within 24 hours. (CNN)

— An independent report found that the cyberattack on Ireland’s health service earlier this year could have been even worse than it was. (BBC)

— The United States is working with Australia, Denmark and Norway to establish standards for export controls on surveillance technology. (Nextgov)

— Telehealth platform Doxy.me says it’s fixing an issue that exposed some patient data to third-party partners. (CyberScoop)

— The Snatch ransomware gang has claimed responsibility for a cyberattack against Volvo targeting the automaker’s research and development. (Bleeping Computer)

“I Accidentally Hacked a Peruvian Crime Ring” (Wired)

Chat soon.

Stay in touch with the whole team: Eric Geller ([email protected]); Bob King ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).

CORRECTION: An earlier version of Weekly Cybersecurity misspelled the name of Culper Partners.