November 15, 2022
Happy Tuesday! Welcome back to Codebook.
- 🗽 I'll be in New York later this week for the Aspen Cyber Summit. If you're around, let's grab coffee!
- 📬 Have thoughts, feedback or scoops to share? [email protected]
Today's newsletter is 1,341 words, a 5-minute read.
1 big thing: Cyber bipartisanship survives midterm election
In the week since Election Day, cybersecurity lobbyists in Washington are anticipating their jobs will mostly stay the same — even if Republicans take control of the House of Representatives.
Why it matters: Since cyberattacks aren’t going anywhere, lawmakers and lobbyists are optimistic they can push through rules on software security, critical infrastructure security oversight and federal IT spending, even in a closely split Congress.
State of play: As of Tuesday morning, several House races remain uncalled, leaving the lower chamber's balance of power in flux.
- Democrats will hold onto their slight majority in the Senate after winning close races in Nevada and Arizona.
- The Associated Press reported this morning that the GOP is one seat away from winning a majority in the House.
The intrigue: While the potential for a change in party control could slow progress for other issue areas, cyber lobbyists so far don't see a need to change their tactics since most cyber legislation goes through with bipartisan co-sponsors.
- "There's a pretty good history of Republicans and Democrats working together to address cybersecurity challenges," says Henry Young, a policy director at BSA | The Software Alliance focused on cyber issues. "My expectation is that will continue."
- Part of the reason for this is that cyberattacks will just keep happening, creating constant pressure for lawmakers to keep focusing on cyber, says Mike Flynn, vice president and counsel at the Information Technology Industry Council.
Details: Even if cyber bipartisanship isn't expected to change, House leaders at the helm of key cybersecurity committees will.
- Rep. John Katko (R-N.Y.) is retiring at the end of the year, leaving a vacancy in the top Republican position on the House Homeland Security Committee. So far, lobbyists expect Republican Reps. Dan Crenshaw (Texas) and Mark Green (Tenn.) to run for the position.
- Crenshaw and Green would bring different leadership styles to the committees. At the helm of the Homeland Security Committee, Green, a member of the far-right House Freedom Caucus, would likely have more of a focus on border security and immigration.
- On the Senate side, Homeland Security ranking member Sen. Rob Portman (R-Ohio) is also retiring.
Between the lines: Another big reason why bipartisanship is expected to remain is because Sen. Gary Peters (D-Mich.) will still lead the Senate Homeland Security Committee.
- Lobbyists widely consider Peters — who co-authored a law requiring critical infrastructure operators to report incidents to the government — as the go-to lawmaker on cybersecurity. The vast majority of cyber bills don't get through Congress without his sign-off.
- Some of the issues on Congress' to-do list include a Peters bill targeting open-source software security and another one updating the government's federal IT cybersecurity strategy.
Yes, but: The most aggressive cyber actions are still expected out of the White House instead of Congress, says Andrew Howell, a cyber lobbyist at Monument Advocacy.
- So far, the Biden administration has launched several sprints focused on strengthening critical infrastructure sectors, released an executive order overhauling the government's resilience against cyberattacks, and started exploring federal cyber insurance options.
2. Companies' tips for new cyber reporting rules
Companies are giving the country's top cyber defense agency advice for how to build a cyber reporting program they will actually use.
Driving the news: The Cybersecurity and Infrastructure Security Agency (CISA) accepted comments through Monday on how best to implement the program, which was required in a bipartisan law passed earlier this year.
- Under the law, critical infrastructure operators will have 72 hours to report a significant incident — but it's up to CISA to define "significant" and which operators will need to submit reports.
The big picture: Private companies have been wary of reporting cyber incidents to the federal government out of fear of reputational and regulatory blowback.
Details: I dug through the comments industry groups and companies submitted and teased out a few central themes in what they want to see CISA do to ease their nerves:
1. Create a central reporting portal.
- SolarWinds — the company whose technology Russian nation-state hackers exploited to hack hundreds of companies and several federal agencies — noted in its comments that when it faced its incident in late 2020, there was "no clear touchpoint" to report to the U.S. government.
- A lack of a central reporting tool "led to inefficiency in information-sharing," the company added.
2. Be transparent about the program's purpose and how reported information will be used.
- Several groups — including a group of commenters led by the Cyber Threat Alliance — are urging CISA to make it clear that filing an incident report won't prompt a federal investigation.
- BlackBerry requested that CISA clarify that "third parties have no legal duty to report a cyber incident independent of a covered entity they may be working with." This would include cyber incident firms called in to help a company recover from an attack.
3. Harmonize the reporting requirements across the entire federal government.
- CISA's new program will compete with existing reporting protocols at the Department of Energy, the FBI and other agencies.
- While the Office of the National Cyber Director is working to harmonize these efforts, many groups are worried about having to meet staggering deadlines and compile multiple reports while responding to a significant incident.
What's next: CISA Director Jen Easterly has estimated it will take the agency up to two years to develop the reporting program.
3. Google's $392M privacy payout
Google will pay $392 million to 40 states to settle an investigation by state attorneys general into whether the company misled users about location tracking, Axios' Ashley Gold reports.
Flashback: The states' investigation into Google and location tracking kicked off in 2018 after an Associated Press story reported on Google recording user movement even when users had certain settings turned off.
Why it matters: For Google, the agreement marks another pricy privacy settlement with the states, which have taken the lead in U.S. privacy enforcement in the absence of a national online consumer privacy law.
- Google just agreed to pay $85 million to settle a privacy lawsuit brought on by Arizona, and is fighting several others.
Details: The AGs write in the settlement that Google violated state consumer protection laws by not being clear about its policies, including the "Web & App Activity" setting, which is turned on by default.
In addition to the monetary settlement, starting in 2023, Google agreed to:
- Show more information to users when a location-related account setting is turned on or off.
- Make information about location tracking more visible.
- And give users "detailed information about the types of location data Google collects."
The settlement also limits Google's use of certain types of location information.
4. Catch up quick
📑 New documents detail how close the FBI came to using Israeli spyware maker NSO Group's tools in its criminal investigations. (New York Times)
🗳 A look at how Arizona's Maricopa County has fended off a swarm of election disinformation this year. (Associated Press)
🪖 The Pentagon hasn't fully implemented its process for managing cyber incidents, a government watchdog warned. (Government Accountability Office)
🐦 Twitter struggled to keep its text-based two-factor authentication system up and running this week, leaving several users locked out of their accounts for hours. (Wired)
💻 A Russian tech company disguised itself as American and was able to get its code into apps used by the U.S. Army, the Centers for Disease Control and Prevention, and other vendors. (Reuters)
@ Hackers and hacks
🇨🇳 Researchers at Broadcom's Symantec team have uncovered a suspected Chinese nation-state hacking group targeting government agencies, defense organizations and a certificate authority in several Asian countries. (BleepingComputer)
🔎 Crypto investigators are already trying to track down the billions in funds stolen from FTX's crypto exchange over the weekend. (Wired)
5. 1 fun thing
#ShareTheMicInCyber, an organization aimed at uplifting underrepresented communities in cyber, has teamed up with D.C. think tank New America for a new fellowship program focused on studying the intersection of these communities with cybersecurity.
- The organizations announced their fellows on Monday, and their research focuses include the costs of cyberattacks on Black communities, the spyware industry's impact on civil society and much more. It's all so cool!
☀️ See y'all on Friday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.