Axios Codebook

November 01, 2022
Happy Tuesday! Welcome back to Codebook.
- 🐦 If you're reading this from inside Twitter HQ and have insight into how data security protocols are changing under new ownership, hit me up by replying to this email from your personal email account!
- 📬 Have non-Twitter thoughts, feedback or story tips to share? [email protected]
Today's newsletter is 1,423 words, a 5.5-minute read.
1 big thing: The path forward for EV cybersecurity
Illustration: Eniola Odetunde/Axios
Federal officials are examining what role they should play in strengthening the cybersecurity of electric vehicles (EVs) as they push for increased EV adoption in the U.S.
The big picture: EV chargers create unique cyber threats, since the systems tend to be interconnected, run on personal home or business networks, and connect to local power grids.
- Add this to the growing cyber threats posed to all newer car models, which have internet-connected communications and electronic systems with WiFi hotspots and Bluetooth capabilities.
Driving the news: The Office of the National Cyber Director (ONCD) hosted a forum last week with government leaders and private companies, including both automakers and EV charging manufacturers, to discuss the cybersecurity issues facing EVs and the tech they operate on.
- Most of the discussion focused on the possibility of new EV cyber standards and the potential for new research on looming cyber risks, per a meeting readout.
- The White House's meeting readout did not specify which private companies or industry stakeholders attended the ONCD forum.
Why it matters: While EV charger hacks have remained mostly hypothetical, the technology powering chargers could face increased hacker interest as EV adoption rises.
- Earlier this year, a teenage hacker was able to hack into more than 25 Teslas at once through the automaker's open-source activity logging tool.
- Researchers have already discovered several security vulnerabilities in charging equipment that would allow hackers to access user information and impede charging.
Threat level: EV chargers — whether located in personal homes or in public areas — typically collect information about a vehicle's charge rate, identification numbers and drivers' online account information.
- Chargers also typically connect to a system inside cars known as the controller area network, which allows a car's various on-board electronic components and controllers to communicate with one another. Hackers are notorious for targeting this network.
- "If somebody can get into the systems that run public charging infrastructure, then there is potential to inject some sort of malware into the vehicle," says Sam Abuelsamid, a principal research analyst leading Guidehouse Insights' e-mobility division.
Between the lines: No cybersecurity standards exist for EV charging infrastructure, although automakers and charging manufacturers have been working to account for cyberthreats in the development of new vehicles and systems.
- Bringing in new regulations could mean new baseline cybersecurity requirements for both EVs and their chargers to ensure automakers don't cut corners, says Gartner analyst Mike Ramsey.
- However, it's unclear which government agency would lead the charge on setting these standards. Representatives from the White House and the departments of Energy, Transportation and Homeland Security attended last week's meeting.
Yes, but: Standards aren't a foolproof solution to preventing hacks of EVs and their charging systems.
- Hackers are constantly digging up new ways to exploit devices.
What's next: The ONCD office did not make any promises about next steps, but it's possible updated EV standards could come out of the discussion.
2. A much-needed open-source security patch
Illustration: Annelise Capossela/Axios
The developer of a widely used open-source code library is expected to release details today about a new critical security vulnerability in its tools — as well as a patch to fix it — that could rattle the entire internet ecosystem.
Driving the news: Last week, the OpenSSL Project gave programmers a heads-up that it will release a patch for a "critical" security vulnerability in its tech stack today.
- However, to prevent hackers from exploiting the flaw before a patch is released, the precise details of the vulnerability have been kept under wraps.
- This is only the second time OpenSSL has rated a vulnerability as "critical" since 2014's Heartbleed flaw, which led to breaches at government agencies, hospital systems and other websites.
Why it matters: Developers rarely warn that they're about to patch a critical vulnerability, signaling how widespread and dangerous this flaw could end up being.
- OpenSSL is a commonly used code library to enable secure communications across the internet, and the majority of HTTPS websites rely on it.
The big picture: Coders often fold open-source projects into their bigger projects to simplify their tasks and avoid reinventing the wheel. But the volunteers who run these programs don't always have the resources to keep updating their code to maintain security.
- Companies don't always know what open-source code their tools rely on, making it impossible for them to understand how vulnerable they are and creating increased incentives for hackers.
Catch up quick: A critical vulnerability in open-source Java logging tool Log4j impacted hundreds of millions of devices last year.
What's next: Websites and companies relying on OpenSSL should be prepared to patch their systems immediately after the patch is released today to prevent inevitable hacking attempts.
3. 37 governments band together against ransomware
Photo: Alex Wong/Newsmakers
A group of more than three dozen governments have gathered at the White House this week to figure out how to fight the ever-growing ransomware threat.
The big picture: The two-day summit is the second annual meeting — and first in-person event — of the Counter Ransomware Initiative, which aims to establish norms across the 37 participants on how to fight and defend against ransomware.
- The participating governments are Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Croatia, the Czech Republic, the Dominican Republic, Estonia, the European Commission, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland, the Republic of Korea, Romania, Singapore, South Africa, Spain, Sweden, Switzerland, Ukraine, the United Arab Emirates, the U.K. and the U.S.
- Seven of those governments just joined the initiative in the last year.
- A group of 13 companies will also participate in the summit for the first time, including CrowdStrike, Microsoft and others.
Driving the news: The participants will release a set of pledges by the end of the day laying out new policies they've each agreed to during the week's discussions, a senior administration official told reporters earlier this week.
- One of the expected pledges is that the governments will not knowingly harbor ransomware criminals within their borders, the official said.
- The official added that participants will discuss ways to disrupt ransomware operations, counter illicit use of cryptocurrencies, and build resilience against future attacks.
Threat level: The number of companies facing ransomware attacks continues to grow. A recent SpyCloud report found that ransomware affected 90% of IT professionals at large companies in the last year, compared to 72.5% the year before.
The intrigue: Ransomware is a borderless problem, so governments banding together to share their investigative resources and establish both domestic and foreign policies targeting cybercriminals is the best solution they have to mitigate the threat.
Yes, but: The initiative is limited in what it can meaningfully do, as of now, seeing as ransomware criminals mostly hide out in non-participating countries, like Russia, Iran, North Korea and China.
- Many of those countries' governments are also known for either enabling or working with ransomware gangs.
4. Catch up quick
@ D.C.
🗳 One week before Election Day, Cybersecurity and Infrastructure Security Agency Director Jen Easterly says that while she hasn't seen any foreign interference in the 2022 elections so far, her agency remains vigilant against those threats. (Axios)
📚 The Federal Trade Commission filed a legal complaint against Chegg accusing the education tech company of numerous data security lapses in recent years that allowed a contractor to steal the login credentials of about 40 million users in 2018. (New York Times)
📲 A look at how the National Security Agency has leaned into meme culture to get more people engaged with cybersecurity. (CyberScoop)
@ Industry
💰 BNSF Railway Co. will have to pay $228 million to some truck drivers after a jury decided the company had violated Illinois' Biometric Information Privacy Act by scanning their fingerprints without proper consent. (Wall Street Journal)
☁️ Gartner forecasts cloud spending will grow 20.7% next year to nearly $600 billion, despite predictions of an economic downturn. (Gartner)
@ Hackers and hacks
👾 Researchers at Symantec have uncovered a new malware that can abuse Internet Information Services logs so it can remain hidden on a system for months before deployment. (ZDNet)
💸 U.S. financial institutions estimate that more than $1 billion potentially went to paying off ransomware gangs in 2021, according to new Treasury Department data. (CNN)
5. 1 fun thing: Readers' Halloween pet pics 🎃


I asked for Halloween pet pics in Friday's edition, and boy, oh boy, did you all deliver! We tried to feature as many submissions as we could here.
- Among the submissions are Loaf dressed as a loaf, Cosmo the business cat and Pope Snowy.
- Additional submissions can be found in this Twitter thread.
☀️ See y'all on Friday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.

Decode key cybersecurity news and insights. With Sam Sabin.


