December 02, 2020
Hello, and welcome to the latest edition of Codebook. This week, we’re thinking about the concept of "insecurity" in the cyber domain and elsewhere — and how, in the COVID-dominated final weeks of 2020, so many Americans are experiencing insecurity regarding their own safety and that of their loved ones.
Today's newsletter is 1,509 words, a 6-minute read.
1 big thing: Setting the Biden-era cybersecurity agenda
The Biden administration will face a wide array of cybersecurity challenges but can take meaningful action in at least five key areas, concludes a new report by the Aspen Cybersecurity Group.
Why it matters: Cybersecurity policy is a rare refuge from Washington's hyperpartisan dysfunction, as shown by the recent work of the bipartisan Cyberspace Solarium Commission. President-elect Joe Biden should have a real opportunity to make progress on shoring up the nation's cybersecurity and cyber capabilities without bumping up against a likely Republican-controlled Senate.
Where it stands: Per the report, these opportunities include creating a more cyber-ready workforce, fortifying the “public core” of the internet, boosting supply chain security, developing new systems to measure cybersecurity, and enhancing public-private collaboration on shared cybersecurity interests.
- The Aspen group behind the report features current and former government officials — Republicans, Democrats and apolitical national security experts — and private-sector leaders, including former Deputy DNI Director Sue Gordon, former homeland security adviser Lisa Monaco and former NSA Director Keith Alexander, among others.
How it works: The report recommends concrete actions on each front that the Biden administration could take, often in concert with Congress. Here are some of the key recommendations.
1. Education and workforce development: Biden could seek new federal funding for grants to support organizations that help increase the participation of underrepresented communities in the cybersecurity field, as well as funding to develop a nationwide K-12 cybersecurity curriculum.
- Those and other measures could help close the "supply gap" in cybersecurity positions, the report concludes, which has left more than 520,000 jobs open in the field, in part due to gaps in diversity, equity and inclusion in the cybersecurity space.
2. Securing the internet: Biden could designate space, including the commercial space sector, as critical infrastructure, in order to make government actors freer to intervene to harden the next generation of technology powering the internet, some of it poised to be satellite-based.
- There should also be a "single interagency strategy," the report contends, on securing that interconnected agglomeration of hardware and software, known as the internet's public core.
- And Biden could create a new assistant secretary position in the State Department aimed at working with other countries on cybersecurity issues.
- As it stands, the fragmentary and piecemeal evolution of the internet has left much infrastructure with critical unaddressed vulnerabilities, says the report.
3. Securing supply chains: The incoming administration could require device makers to label their products with alerts about potential insecurities, particularly in Internet of Things devices.
- It could also fund "critical technology testing centers" where the private sector could check for security flaws. And it could help support more open-source software, which would open technology to more security scrutiny.
4. Measuring cybersecurity: Biden could, among other initiatives, establish a "Bureau of Cyber Statistics" to track and provide statistical data to policymakers and the public, as well as have the Department of Homeland Security form a working group on cyber risk that brings in the insurance industry and modeling experts to better work out potential pricing schemes for cyber insurance.
- The report says that “today, the federal government lacks the most basic, reliable data” on a wide range of critical issues like cyberattacks.
5. Operational collaboration: Biden has a chance to spur more cooperation among law enforcement, intelligence agencies and private companies to take on cyber criminal syndicates and plan for major cyber threats. He could seek to establish a Senate-confirmed “National Cyber Director” to coordinate all cybersecurity policy across the U.S. government and liaise with the private sector, an idea previously floated by the Cyberspace Solarium Commission.
- He could also ramp up incentives for federal law enforcement to disrupt cyberattacks and cyber crime and create an exchange program for private security and government cybersecurity employees.
What’s next: The new national cybersecurity agenda — as well as ransomware, disinformation, supply chains, China and more — will be part of the discussion at this week’s Aspen Cyber Summit, now underway.
2. SCOTUS weighs the future of a major cybersecurity law
Several Supreme Court justices Monday seemed to signal that they're interested in narrowing a landmark cybersecurity law that critics have long charged is overbroad, Axios' Kyle Daly reports.
Why it matters: The Computer Fraud and Abuse Act of 1986 has been the basis for a number of controversial criminal cases, most infamously the prosecution of activist and hacker Aaron Swartz, who committed suicide while awaiting trial after downloading a large number of academic articles. Narrowing the law could prevent overzealous prosecutors from going after internet users engaging in relatively innocuous activity.
Driving the news: The high court Monday heard oral arguments in Van Buren v. United States, a case involving Nathan Van Buren, a former Georgia police officer who was convicted of computer fraud under CFAA for searching a license plate in a law enforcement database in exchange for cash from an FBI informant.
- CFAA, among other things, criminalizes accessing "a computer without authorization" or in a way that "exceeds authorized access."
Between the lines: A number of groups ranging from libertarian think tank the R Street Institute to public interest group Public Knowledge said in pre-hearing filings that they view the law as currently construed as overly broad and vague.
- Several groups said large tech firms dangle CFAA as a threat over would-be competitors, denying access to data and data portability features by invoking the law.
Others maintain that CFAA needs clarifying because prosecutors could extend it to cover a wide range of activity, much of it harmless.
- Some critics note it could in theory criminalize work like security audits and academic research that scrapes sites for data.
- The attorney representing Van Buren, meanwhile, contended Monday that someone using their work computer to check Instagram or a work Zoom account to talk with family would be violating CFAA under a broad interpretation of the law.
The other side: The attorney for the Justice Department said it's widely understood that CFAA only covers specific intentional breaches of computer systems and that there's no reason to think it would lead to the "imaginary avalanche of hypothetical prosecutions" floated by the petitioner's attorney.
Several justices in Monday's session, conducted via video conference, appeared sympathetic to the idea that CFAA is being read too broadly and could use reining in.
- Justice Neil Gorsuch said conduct like Van Buren's is already illegal under other federal and state laws and that interpreting CFAA expansively could make "a federal criminal of us all."
- Justice Sonia Sotomayor said the government's attorney's description of the popular view of CFAA as narrow isn't supported by the text of the law, which she said may be "dangerously vague."
- Justice Stephen Breyer raised the concern that an employee using a work computer for personal reasons could be viewed as breaking the law.
Yes, but: The skepticism cut both ways at times. Justice Samuel Alito, for instance, said a narrower reading of the law could shield from prosecution people who use their authorized access into a system to engage in unauthorized and illicit activity not criminalized by other statutes.
The bottom line: Lines of questioning aren't fully reliable signals for how the Supreme Court is leaning. Clarity will only come when the court rules.
3. Krebs responds to Trump campaign lawyer who suggested he be "shot"
Former CISA director Chris Krebs is hinting at legal action against Trump campaign lawyer Joe diGenova, who suggested Krebs should be "taken out at dawn and shot," reports Axios' Ursula Perano.
Driving the news: Krebs, who led efforts on election cybersecurity, was fired last month by President Trump following the 2020 election. The former director has since spoken out against baseless claims from the president and the Trump campaign that election systems were rigged in favor of now President-elect Joe Biden.
The big picture: DiGenova made the comment on Monday during a radio interview with Howie Carr, which was aired on Newsmax.
- Krebs responded to diGenova's comments in an interview with the "Today Show" on Tuesday, stating, "It's certainly more dangerous language, more dangerous behavior."
- "And the way I look at it is that we are a nation of laws, and I plan to take advantage of those laws. I've got an exceptional team of lawyers that win in court, and I think they're probably going to be busy."
4. DHS to face lawsuit, internal probe over location data claims
The American Civil Liberties Union is suing the Trump administration over allegations that homeland security and immigration officials inappropriately accessed cellphone data to track people, reports the Washington Post.
Why it matters: The post-Trump era will likely herald more scrutiny of the outgoing administration’s surveillance practices. President-elect Biden will have to decide whether to carry on the push for more expansive surveillance, something that has continued under every president since George W. Bush.
Details: The ACLU is suing the Department of Homeland Security as well as its agencies U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement following news reports that they have used commercial cellphone location databases to track people who may be entering the country illegally.
Meanwhile: The inspector general at DHS will also probe the issue after lawmakers requested an internal investigation, the Wall Street Journal reported.
5. Odds and ends
- Researchers say onerous and unnecessary certification and experience requirements are holding companies back from filling the wealth of global cyber job openings. (Wall Street Journal)
- In a Q&A for Aspen's Cyber Summit, Chris Krebs' former deputy at CISA decried threats against his old boss, as well as Trump allies' ongoing attempt to delegitimize the election. (CyberScoop)
- Dozens of countries, including some with a checkered human rights history, may be using a tool to instantly identify someone's location using just a phone number, researchers warn. (Forbes)
- Venture-backed cybersecurity startup Tanium, valued at $9 billion, has relocated to the Seattle area, as its CEO says Silicon Valley isn't what it used to be. (GeekWire)
- North Korean hackers have reportedly targeted at least six companies in the U.S., U.K. and South Korea working on COVID-19 research. (WSJ)