March 03, 2023

😎 TGIF, everyone. Welcome back to Codebook.

  • When the cyber news rains, it pours! Let's catch you up on what's gone down in the last few days.
  • 📬 Have thoughts, feedback or scoops to share? [email protected].

Today's newsletter is 1,404 words, a 5.5-minute read.

1 big thing: Biden cyber strategy picks a fight with ransomware

Illustration: Sarah Grillo/Axios

President Joe Biden's new national cyber strategy is teeing up a more aggressive, military-involved fight against ransomware.

Driving the news: In the strategy released Thursday, ransomware is officially declared a national security threat, unlocking new authorities for the military and intelligence community to use some of its strongest cyber tools against ransomware gangs.

What they're saying: "That does flip the switch," a senior administration official told Axios. "We are going to be considering tools and authorities and options that go beyond what we would have traditionally done on a crime problem."

Why it matters: Many of the military and intelligence community's most powerful cyber tools have been reserved for operations involving state-backed hackers, like the Russian GRU or Chinese cyber spies. Now, that should change to also include ransomware gangs, experts told Axios.

  • "They will use capabilities that have been previously reserved by law and by policy only to national security operations," said Tom Bossert, president of Trinity Cyber and former U.S. homeland security adviser during the Trump administration.
  • "They could now use our capabilities against a ransomware group in the same way they might use our capabilities against the Russian military."

The big picture: The designation of ransomware as a national security threat has been years in the making.

  • The National Security Agency, the FBI, the Cybersecurity and Infrastructure Security Agency and international partners released an advisory last year warning that ransomware is a national security problem.
  • A report released in April 2021 from a group of former officials and cybersecurity executives called for the U.S. government to designate ransomware as a national security threat.

Zoom out: Ransomware continues to seize U.S. critical infrastructure, as schools, hospitals and local governments face a deluge of attacks.

Between the lines: While the U.S. government has had success in taking down ransomware gangs' infrastructure and working with international allies to arrest ransomware affiliates, officials hope the new designation will help them do more at a faster pace.

  • For instance, most of the recent ransomware takedowns have focused on infrastructure based in the U.S. or allied nations rather than proactive operations on servers in enemy countries.
  • "It can take a year or even two to get to a point where U.S. law enforcement or global law enforcement are in a position to take that action," the senior administration official told Axios.

Yes, but: The section of the national cybersecurity strategy that describes how exactly the administration wants to expand on its offensive cyber operations is vague — in part because many of these tools and operations are classified.

  • The strategy calls on the Pentagon to establish its own strategy to determine how the U.S. Cyber Command defends against both state and nonstate threats. And it calls for providing more resources to the FBI's National Cyber Investigative Joint Task Force.

The intrigue: Adding more muscle to the U.S. ransomware fight comes as dialogue between the U.S. and Russia, the biggest safe haven for ransomware gangs, has dissolved in the last year during the war in Ukraine.

  • "Since the criminal justice system isn't going to be able to, on its own, address this problem, we do need to look at other elements of national power to be going after the threat," a senior official told reporters before the strategy's release.

The bottom line: If all goes as planned, expect to hear about more ransomware takedowns and arrests as the intelligence community gets more involved in the fight.

2. EPA issues new water cyber requirements

Illustration: Brendan Lynch/Axios

The Environmental Protection Agency issued a memo to state governments today requiring local water systems to meet basic cybersecurity standards.

Why it matters: High-profile cyberattacks on water systems in Florida and California in recent years have showcased how insecure the nation's cash-strapped water utilities are in their digital systems.

The big picture: The EPA's memo is the first set of cybersecurity requirements specifically targeting the water sector, and it fits into the Biden administration's effort to establish cybersecurity requirements for all critical infrastructure sectors.

What they're saying: "Based on the incidents we've seen, we concluded that the water sector had not achieved adequate product progress [on cybersecurity], certainly not commensurate with the importance of the sector to the nation and the nation's security," David Travers, director of the EPA's Water Security Division, told reporters during a press briefing.

Details: The EPA memo establishes a new interpretation of the Safe Drinking Water Act that requires state governments to include questions about cybersecurity in periodic, already required sanitary surveys.

  • New questions include those about the water system's password practices, encryption uses and internal cybersecurity team setup.
  • The sanitary surveys are conducted every three to five years by local sanitation experts and have historically focused on physical security issues.
  • The EPA had to get creative to establish cybersecurity requirements, given its own lack of resources and minimal authorities to regulate water cybersecurity issues.

Between the lines: State regulators will have "quite a bit of flexibility" to determine how best to incorporate cyber into their surveys and how they'll meet these basic requirements, Radhika Fox, assistant administrator for the EPA's Office of Water, told reporters.

  • The EPA is accepting comments on the guidance until May 31, and it will update the document later as needed based on those submissions.

Yes, but: Some industry experts have already criticized the EPA's highly anticipated memo, warning that local sanitation inspectors lack the expertise needed to properly assess a water system's cybersecurity program.

3. LastPass CEO apologizes

Photo: Omar Marques/SOPA Images/LightRocket via Getty Images

LastPass CEO Karim Toubba said in a blog post Wednesday he takes full responsibility for his company's communications failures about recent cybersecurity incidents.

The big picture: LastPass, a password manager with roughly 30 million users, has been called out by customers for sharing limited information about two cyber incidents that happened in August.

  • A data breach is high stakes for any password manager, considering they store a user's login information across various online accounts in one place.
  • "I acknowledge our customers’ frustration with our inability to communicate more immediately, more clearly and more comprehensively throughout this event," Toubba wrote. "I accept the criticism and take full responsibility."

Catch up quick: In the last six months, LastPass has gone back on how serious its recent cybersecurity incidents have actually been.

  • In August, the company told users that the data breach had been limited to LastPass's development environment and hadn't affected customer data.
  • A few days before Christmas, the company disclosed that there had actually been a second breach that had piggybacked off the access hackers had gotten from the first incident, resulting in sensitive user information being hacked.

Driving the news: Earlier this week, the company shared in a difficult-to-find security advisory that attackers had initially gained access to LastPass's systems by targeting a key employee's home computer.

  • The advisory also disclosed that attackers in the second reported incident had access to LastPass's cloud storage between August and October.
  • The advisory with these new details wasn't widely shared and included HTML markup that tells search engines not to index the post.

What they're saying: "The length of the investigation left us with difficult trade-offs to make in that regard," Toubba wrote in the post.


4. Catch up quick

@ D.C.

🇨🇳 Commerce Secretary Gina Raimondo said the Biden administration is worried about national security concerns tied to all Chinese apps, not just TikTok. (Bloomberg)

🧠 The Federal Trade Commission is pursuing banning online counseling service BetterHelp from sharing consumer health data, including sensitive information about mental health challenges, to advertisers. (Axios)

📲 A look at why so many governments are trying to ban TikTok. (New York Times)

@ Industry

🤯 About 94% of CISOs say they're stressed at work, according to a recent survey. (CNBC)

📉 A ransomware attack prompted semiconductor supplier MKS Instruments to suspend operations at some facilities, causing an expected 20% hit to quarterly revenue. (Cybersecurity Dive)

@ Hackers and hacks

👀 Three cybercriminal groups breached T-Mobile's internal networks more than 100 times throughout 2022, according to new data. (KrebsOnSecurity)

💸 Digital-first bank Hatch Bank said hackers had exploited a flaw in its internal file-transfer software and accessed thousands of customers' Social Security numbers. (TechCrunch)

5. 1 fun thing

Barry the cat snoozing through the release of the national cyber strategy. Photo: Sam Sabin/Axios

Beneath every cat-loving journalist's desk during a busy news week is a small cat sitting in their lap while they work.

  • When asked for comment, Barry did not have much to say about the national cyber strategy other than "💤."

β˜€οΈ See y'all on Tuesday!

Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.