Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— As schools prepare for a new school year, their districts remain sitting ducks for ransomware actors looking for a payday, experts say.
— Scrutiny of Apple’s new measures targeting child abuse grew louder over the weekend as an open letter criticizing the move collected more than 5,400 signatures from tech experts.
— The infrastructure package is still a slow-moving train, but if it passes, the electric grid’s security advocates will have a lot to celebrate.
HAPPY MONDAY, and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin. Start your week on the right foot by sending thoughts, feedback and — especially — story tips to [email protected]. Follow @POLITICOPro and @MorningCybersec. Full team contact info below.
RANSOMWARE HEADING BACK TO SCHOOL — The Delta Covid variant isn’t the only thing threatening the safety of school reopenings this month. A wave of ransomware attacks targeting school systems could also keep students from having a “normal” school year, once again.
So far this year, ransomware attacks have disrupted 58 United States education organizations and school districts, including 830 individual schools, according to Emsisoft threat analyst Brett Callow last month. Compare that with 2020, when Emsisoft estimates that 84 incidents disrupted learning at 1,681 individual schools, colleges and universities.
And the beginning of the school year is a prime time for cybercriminals targeting schools, said Doug Levin, national director of the K-12 Security Information Exchange.
“Back to school time, particularly for ransomware, is a challenging time — especially over the last couple of years when the ransomware actors have really started to focus on state and local government agencies, including school districts,” Levin said.
For example, last year, schools in Hartford, Conn., postponed the first day of school for their 18,000 students due to a ransomware attack. The year before that, Louisiana Gov. John Bel Edwards declared a state of emergency about a month before school started after ransomware attacks targeted three school districts in one week.
— Not helping matters: Much as with attacks on critical infrastructure, ransomware actors have been going after larger school districts in the last year, Levin said. And with remote learning’s popularity during the pandemic, ransomware criminals have been demanding even higher payments in some cases, recognizing that schools will feel even more pressure to pay.
Among school district IT leaders, the threat of ransomware has become a growing concern, Levin said, but institutional problems pose a challenge in making major changes to security protocols. “Just because IT is concerned, doesn’t mean that superintendents and school board members are concerned,” he said. “They are the ones who set the priorities for the district and they’re the ones in charge of the purse strings.”
— A beacon of hope: The growth of cyber insurance is forcing some schools to make security a priority. If districts want a policy or lower premiums, they have to meet certain security standards — such as implementing multi-factor authentication.
“If these major corporations can’t defend themselves, and even folks in the federal government get affected by this kind of stuff, school districts really have no chance against a motivated skilled actor,” Levin said.
APPLE’S PRIVACY CONUNDRUM — Since Apple announced last week that it would start scanning hashes of iPhone users’ iCloud photos for signs of known child abuse cases, concerns that the new tool could set a dangerous precedent among government agencies have only grown louder.
Over the weekend, more than 5,400 tech experts and privacy advocates signed onto an open letter calling for Apple to halt its plans and to release a statement “reaffirming [its] commitment to end-to-end encryption and to user privacy.” WhatsApp head Will Cathcart said Friday the app doesn’t plan to replicate Apple’s systems because “the approach they are taking introduces something very concerning into the world.” Epic Games Chief Executive Tim Sweeney, who is engaged in an antitrust lawsuit against Apple, said Saturday that “inescapably, this is government spyware installed by Apple based on a presumption of guilt.”
At the same time, lawmakers and government officials are cheering the move: Sen. Richard Blumenthal (D-Conn.) called Apple’s new tools a “welcome, innovative, & bold step.” “Time for others – especially @Facebook – to follow their example,” Sajid Javid, the United Kingdom’s secretary of state for health and social care tweeted on Friday.
— This creates a tough dynamic for Apple to navigate: On one hand it’s been pushing the idea throughout Silicon Valley for years that it’s the one Big Tech company that cares about user privacy and encryption. On the other, government agencies have urged the company for years to provide a “back door” to its encryption to help investigate child abuse and terrorism cases.
Either way, privacy advocates say the new tool sends a very different message from Apple’s typical privacy and surveillance practices. Remember when the company bought a billboard during CES 2019 in Las Vegas that read “What happens on your iPhone stays on your iPhone”?
KEEPING THE LIGHTS ON — As debate continues this week about the $550 billion infrastructure package, one set of cybersecurity provisions is exciting cybersecurity experts: those that test the cyber resilience of the nation’s electric grid.
“That’s the target that you could do the single most damage to the United States if you attack it and it’s one we know that’s vulnerable,” said Jim Lewis, senior vice president and program director at the Center for Strategic and International Studies.
The infrastructure bill includes two provisions specifically targeting the security of the electric grid:
— The first is language from the Enhancing Grid Security Through Public-Private Partnerships Act, which passed the House last month and requires the Energy Department to set up a program to facilitate public-private partnerships to audit and assess the physical security and cybersecurity of utilities. It’s similar to a 100-day program the Energy Department started in April.
— And the second creates a Cyber Sense program at DOE to test cybersecurity of products being used in the bulk-power system. A bill setting up the program also passed in the House last month.
Securing the grid has long been a concern among cybersecurity and energy policy experts. When Russia remotely accessed three of Ukraine’s energy distribution companies in 2015, 200,000 consumers lost service. And the Government Accountability Office warned in March that the electric grid’s distribution systems are “becoming more vulnerable to cyberattacks, in part because of the introduction of and reliance on monitoring and control technologies.”
Energy Secretary Jennifer Granholm has said adversaries already have the capabilities to take the grid down.
And Washington has been looking for solutions for years to harden distributors’ systems against cyberattacks before it’s too late: A House Oversight subcommittee took up the problem last month, and the Energy Department’s cyber office undertook a 100-day plan in April for electric utility operators and owners to follow to upgrade their critical industrial control systems’ cybersecurity.
So the infrastructure provisions have widely been seen as a step in the right direction to defending the electric grid.
“As of now, the electric sector is the only existing sector with mandatory regulatory compliance and, while it has upped the electric sector’s security posture, it is still not to the degree that’s needed to make them defensible,” Ben Miller, vice president of professional services and research and development at cybersecurity firm Dragos, told MC in a statement.
CLIMBING UP THE LADDER — As part of the Department of Homeland Security’s larger push to recruit and retain a cybersecurity workforce, CISA released a workforce training guide Friday to help prospective and current federal, state and local cybersecurity workers figure out what their path forward could look like in government jobs. The training guide includes possible certifications, training opportunities, and opportunities to shadow or rotate throughout the federal government.
— The guide’s release comes after DHS Secretary Alejandro Mayorkas touted the new Cyber Talent Management System during his Black Hat remarks last week. DHS also hired nearly 300 cybersecurity professionals during a 60-day cybersecurity workforce sprint in May and June.
From Georgetown computer science professor Matt Blaze: “‘Let’s just assume everything will always work as intended’ said no one with more than 10 minutes of experience in security.”
— A call center that counts Apple, Amazon and Uber as clients is requiring AI-powered cameras to monitor employees inside their own homes, prompting surveillance concerns. (NBC News)
— AI is now capable of writing phishing emails, researchers at Black Hat and DEF CON warned. (Wired)
— Cybersecurity workers are burning out amid a rise in attacks. Here’s how workplace experts are trying to combat it. (Insider)
— Australian government warns that attacks from the recently launched LockBit 2.0 ransomware gang are on the rise. (Bleeping Computer)