Cyber world turns to S.F. confab

Driving the Day

— An annual cyber conference will cast a spotlight on the promise and peril of AI, the government’s growing partnership with the private sector and the (in)security of the software supply chain.

HAPPY MONDAY, and welcome to Morning Cybersecurity! Hello from San Francisco, where I am in town for the RSA Security Conference.

It will be a busy week, so please shoot me reminders if we’re due for a chat!

Got tips, feedback or other commentary? Send them my way at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.

Today's Agenda

Deputy attorney general Lisa Monaco, assistant director of the FBI’s Cyber Division Bryan Vorndran and executive assistant director for CISA Eric Goldstein all speak at Day 1 of the RSA Security Conference in San Francisco.

THE CONFERENCE CIRCUIT

RSA ALL DAY EVERYDAY — One of the world’s premier cybersecurity conferences kicks off this morning in San Francisco, where security and tech leaders from industry, academia and government will convene for a four-day sprint on anything and everything to ever have the word “cyber” appended to it.

Here’s a rundown of some key themes to watch this week at RSA:

That AI, so hot right now — AI is the Regina George of the security community, one White House official recently told me during an off-the-record coffee.

The official wasn’t talking RSA, but they might well have been: Across the more than 500 events this week, no single issue will get more love than generative artificial intelligence, the tech that’s driving OpenAI’s epoch-defining application, ChatGPT.

The main focus will revolve around the question of whether AI will create more security risks than it can solve. But a handful of events will step back and ask another important question: how much of the AI hype is real, how much is overkill and how much is pure snake oil?

PDA between the .gov and the .com — Since the Biden administration came into office, it’s worked to develop stronger cyber defense ties with the private sector.

At RSA, you can expect to see a lot of (mostly deserved) back-patting about the success of those efforts, as well as a push to grow them further, with special emphasis on CISA’s Joint Cyber Defense Collaborative and the NSA’s Cybersecurity Collaboration Center — two recent, agency-led initiatives to team up with industry.

Taking the fight to the bad guys — One of the five pillars of the Biden administration’s new cybersecurity strategy was about using creative tools (read: more than just handcuffs) to go on offense against keyboard malefactors, many of whom reside beyond the reach of U.S. law enforcement.

With top officials from U.S. Cyber Command, the Justice Department, the FBI and the NSA all set to speak this week — and many more than once — look out for more chest-thumping on what the federal government is doing to give malicious hackers a taste of their own medicine.

Securing the supply chain — A recent North Korean cyberattack that involved compromises of not one but two software supply chains ultimately fell flat. But it had the security community on edge, offering a reminder of how vulnerable modern code remains.

Good thing, then, that supply chain security is one of the most common subjects of conversation at RSA after AI. While those events were planned well in advance of the North Korean hack, the incident will give those chit-chats a bit more bite throughout the week.

At the Agencies

FIRST IN MC: ADMIN EYES CSRB PLUS-UP — The Biden administration is proposing draft legislation that would codify and strengthen the Cyber Safety Review Board, the independent DHS expert panel that the White House founded in 2021 to distill the lessons of major cyber incidents.

The bill mirrors the advice and recommendations of the CSRB itself, which is simultaneously releasing the findings of a new self-study of its inaugural report — an after-action review of how the security community responded to the discovery of a software bug in a ubiquitous piece of open-source code.

The CSRB’s effort to understand what went wrong in that incident – a five-alarm internet fire known as Log4Shell – offered a “successful proof of concept” for the organization, concludes the study. And evidently, the Biden administration agrees.

“Codifying the Board into law will guarantee that the Board remains a permanent fixture in our cybersecurity ecosystem and continues its work to strengthen the cybersecurity of critical infrastructure owners and operators, no matter their size, location, or sector,” DHS Secretary Alejandro Mayorkas said in a statement.

Some tweaks — If it became law, the bill would by and large codify the CSRB as is, with two major exceptions.

First, it seeks to expand the size and budget of the organization, giving it permanent staff. Second, it would grant the CSRB limited subpoena power so that it could compel companies to share critical threat information — an issue that hampered the CSRB’s work during its study of the Log4Shell incident.

“The Board generally enjoyed a high level of cooperation from industry stakeholders and received responses from over 80 companies,” the review reads. “However, some organizations from which the Board requested information declined to cooperate and provide the requested information, in whole or in part.”

On the Hill

FIRST IN MC: NEW BILL ON CRITICAL TECH VULNERABILITIES — Rep. Ritchie Torres (D-N.Y.) plans to introduce a bill to help the federal government root out security vulnerabilities in the code powering a range of critical technologies.

The Critical Technology Security Centers Act of 2023 would direct the Department of Homeland Security’s Science and Technology Directorate to establish at least two centers for researchers to test and evaluate open-source software, industrial equipment, communications technology and the code found in key federal networks, according to a copy of the bill shared exclusively with MC.

Not all in-house — DHS wouldn’t run that testing itself but would handpick experts from a shortlist of federally funded research organizations and national laboratories, reads the bill, which Torres will officially file on Tuesday.

The act also authorizes the department to issue grant funding to organizations that are working to secure the open-source software ecosystem.

Solarium era, solarium powered — The proposal mirrors an idea first advanced by the Cyberspace Solarium Commission, whose inaugural report on U.S. cybersecurity policy has driven many of the most significant legislative overhauls in federal policy since its 2020 release.

And while the bill doesn’t bear any co-sponsors just yet, the Solarium tie-in means it should find a friendly ear with at least two congressional stalwarts: the CSC’s co-chairs, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wisc.).

Open question — Torres is open to tweaking one part of the current bill, Jacob Long, communications director for the representative, told MC in an email.

While the bill currently places the centers within DHS, Long said there has been discussion of moving it to CISA — making its location an “open question” that would be resolved before enactment.

Tweet of the Day

Rob Joyce is excited for RSA, and so am I:

Quick Bytes

— The Biden administration wants to avoid the mistakes of 5G with 6G. (CyberScoop)

— Amid spiraling violence, internet service in Sudan is being throttled. (The Record)

— The Discord leaks date back to the earliest days of the war in Ukraine. (The New York Times)

— U.S., NATO cyber forces train for doomsday scenario. (POLITICO)