Analysis | Here’s what’s next in the Senate on cybersecurity

Welcome to The Cybersecurity 202! We’re not publishing on Friday or Monday, so we look forward to next seeing you again Tuesday.

Below: Meta removes accounts linked to an Indian hacking-for-hire firm, and the agency that runs the Medicare program says a subcontractor was hit by ransomware. First:

Where the Senate’s cyber agenda-setters want to go in 2023

Sen. Gary Peters (D-Mich.), chairman of the Homeland Security and Governmental Affairs Committee, told me his key cybersecurity priorities next year are fortifying cyberdefenses for small businesses, open-source software, federal agencies and vital technology used in industrial facilities.

Sen. Angus King (I-Maine), who co-led the congressionally created Cyberspace Solarium Commission, said in a separate interview that the key priorities ahead for him are improving cybersecurity threat information sharing and protections for the most important infrastructure.

Peters has played a leading role in a boom in cybersecurity legislation of late, while King’s Solarium Commission has gotten a ton of its recommendations enacted. So their plans could also set the cyber agenda for the Senate overall.

“I worked to elevate that as one of the top priorities for the committee,” Peters said. “Rest assured that cyber will continue to be a top priority for me and the committee. My hope is to be as productive the next two years as we were the last two years.”

Peters’s top cyber achievement came at the start of this year alongside the now-outgoing top Republican Rob Portman (Ohio) on the panel: legislation requiring critical infrastructure owners to disclose to the Cybersecurity and Infrastructure Security Agency when they suffer a major hack or pay ransoms to hackers.

  • He compares the cyber incident reporting law to knowing whether a burglar is in the neighborhood so people can make sure to lock their doors and seek police patrols. “We have to know the landscape,” he said.
  • In the bipartisan infrastructure law this year, Peters secured $1 billion for state and local cybersecurity grants, as well as $100 million for a fund to help victims of major cyberattacks recover from them. Also this year, Peters led a successful bid for passage of an update to a program that governs the security of cloud products for the federal government.
  • And late last year, his legislation that orders a CISA study of cyber risks to K-12 schools became law. CISA would then develop voluntary guidelines for securing schools.

Next legislative aims: In the fast-moving world of cybersecurity, Peters said he might have a different answer within a month. But for now:

  • Legislation designed to protect open-source software like log4j. A vulnerability discovered in that common software tool threatened hundreds of millions of devices, CISA said.
  • An update to a law that provides an information security framework for federal agencies. A bill to do so “ran into some snags” in the House this year, Peters said. He didn’t want to negotiate in the press, so he wouldn’t discuss those snags. But he’s spoken to his House counterpart, incoming Oversight Committee Chairman James Comer (R-Ky.), and Peters said “I feel really good about where we are.”
  • Finding a way to defend operational technology, which keeps industrial equipment running and safe. “Oftentimes, if bad guys are successful attacking some of those physical systems, getting back online can take a whole lot longer than doing some software fixes,” Peters said.
  • Securing small businesses from cyberattacks. “How do we help smaller companies deal with ransomware?” he asked. “We’ve seen a huge increase in hacks for those entities.”

Some of his plans are less legislative in nature, such as pressing state and local governments to continue moving toward the safer “.gov” domain and keeping watch over CISA’s implementation of the cyber incident reporting law.

He’ll be working with a new top panel Republican, Sen. Rand Paul (Ky.), too. “I’ve had an opportunity to sit down with soon-to-be ranking member Paul about priorities for the committee,” Peters said. “I’m confident we’ll have a working relationship that can get things done.” He noted that all of the cyber bills his committee had advanced did so unanimously.

The Solarium Commission is nearing 70 percent adoption of its recommendations since 2020, King boasted.

“If we were the center fielder for the Boston Red Sox with a batting average of .667, what do you think we’d get paid?” he quipped.

As in past years, the commission found a home for its ideas in the annual defense policy bill that’s nearing the finish line in Congress. Among them:

  • Formalizing a permanent cyber office at the State Department.
  • Requiring a biennial report from Cyber Command on its election security work.
  • Increasing funding for Cyber Command’s “hunt forward” defensive cyber missions.
  • Creating an assistant secretary for cybersecurity at the Defense Department.

Some of the commission’s biggest recommendations didn’t make it into the final version of the defense bill, however.

That means King will have to start fresh on a pair of his priorities: protecting “systemically important” critical infrastructure and establishing a “Joint Collaborative Environment.”

The first idea, which involves labeling and safeguarding potential hacking targets that are essential to national security, the economy or public health, ran into opposition from industry groups that called the idea fatally flawed. “I’m not ready to give up,” King said.

The Joint Collaborative Environment idea — which King described as “a project to set up a kind of virtual meeting space for [the] private sector at the cross-section of federal agencies” — ran into opposition from the National Security Agency.

“Part of the problem is, some of the federal agencies aren’t sure they want to play with the others,” King said. “That’s the biggest one we didn’t get, and we’re going to stay after that.”

Meta takes down accounts linked to Indian hackers

Indian company CyberRoot Risk Advisory Private has targeted people in Angola, New Zealand, Russia and the United Kingdom, with the company focusing on activists, journalists, executives and other people in Djibouti, Iceland, Kazakhstan, Saudi Arabia and South Africa, Facebook parent Meta said in a report this morning. Meta took down more than 40 Facebook and Instagram accounts that were part of the network, the company said.

“CyberRoot used fake accounts to create fictitious personas tailored to gain trust with the people they targeted around the world. To appear more credible, these personas impersonated journalists, business executives and media personalities,” Meta said. “In some cases, CyberRoot also created accounts that were nearly identical to accounts connected to their targets like their friends and family members, with only slightly changed usernames, likely in an attempt to trick people into engaging.”

Justice Department seizes websites belonging to DDoS-enabling firms

Authorities charged six people with computer crimes relating to their alleged ownership of “booter” and “stresser” services that enable people to maliciously overwhelm websites with fake traffic in distributed denial of service (DDoS) attacks, journalist Brian Krebs reports. All told, the Justice Department seized 48 domains, Krebs reports.

“Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — stresser services can be used for good or bad purposes,” Krebs writes. “For example, all of the above-mentioned booter sites contained wordy ‘terms of use’ agreements that required customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.”

Medicare agency says it’s responding after a subcontractor was hit in a ransomware attack

The Centers for Medicare and Medicaid Services said up to 254,000 of the Medicare program’s 64 million beneficiaries may have been impacted in the October breach at subcontractor Healthcare Management Solutions. People whose personal information “may have been put at risk as a result of the breach” will get updated Medicare cards, new Medicare numbers and credit-monitoring services, CMS said.

In a sample letter it posted on its website, CMS said the breach occurred Oct. 8. The next day, “CMS was notified that the subcontractor’s systems had been subject to a cybersecurity incident but CMS systems were not involved,” the agency said. “As more information became available, on Oct. 18, 2022, CMS determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees,” it said. “Since then, CMS has been working diligently with the contractor to determine what information and which individuals may have been impacted.”

  • CMS said “initial information indicates that HMS acted in violation of its obligations to CMS, and CMS continues to investigate the incident.”
  • HMS didn’t immediately respond to a request for comment.
  • The California Privacy Protection Agency Board hosts a public meeting on Friday at noon.

Thanks for reading. See you next week.


Donovan Larsen

Donovan is a columnist and associate editor at the Dark News. He has written on everything from the politics to diversity issues in the workplace.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button