White House moves to push foreign hackers out of U.S. cloud

Driving the day

The White House has given the Commerce Department the green light to renew a Trump-era executive order meant to raise the costs and diminish the ability of foreign hackers to abuse U.S. cloud services, MC has learned.

HAPPY MONDAY, and welcome to Morning Cybersecurity! We are almost in March, a very special month to me because it includes my lovely mother’s birthday. Love you, Ma!

Yes, I have always been exceptional at sucking up. Why do you ask?

Got tips, feedback or other commentary? Send them my way at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.

Today's Agenda

CISA Director Jen Easterly delivers a speech and participates in a fireside chat on technology product safety at Carnegie Mellon University. 10 a.m.

At the Agencies

COMMERCE GETS ITS HEAD BACK IN THE CLOUD — The Commerce Department is getting back to work on a Trump-era presidential mandate that seeks to limit foreign hackers’ ability to stage their attacks on U.S. cloud infrastructure, a senior administration official confirmed to MC.

Passed in the final days of the Trump administration, Executive Order 13984 would require cloud providers like Google, Amazon and Microsoft to implement stricter measures to verify the identity of their users — what is often referred to as “know your customer” regulations. However, the effort to implement the order stalled amid the presidential turnover and a funding shortfall in the Commerce Department office overseeing the order, a Department spokesman told MC in a statement.

“The KYC executive order hands the U.S. government a powerful tool to raise the barrier to entry for malicious cyber actors,” said John Costello, a former Commerce Department official who worked on implementing the mandate and former chief of staff at the Office of the National Cyber Director.

Solving a problem — Foreign hackers routinely rent U.S. cloud infrastructure because it is easier to blend in with normal-seeming internet traffic from an IP address in the States, the senior administration official told MC. Staging attacks within the U.S. also allows them to exploit a blind spot for U.S. Cyber Command and the NSA, which are prohibited from spying on U.S. networks.

Finally, U.S. cloud companies tend to offer more reliable products than foreign competitors, the official said.

How it would change things — The imposition of new compliance procedures for U.S. cloud providers would limit foreign hackers’ ability to abuse U.S. cloud services in three ways, the official confirmed.

By forcing cloud companies and cloud resellers to verify the identity of their customers and keep more detailed record-keeping logs, the order would discourage criminal actors from using U.S. services and, in the event that they do, provide an investigative leg-up to law enforcement.

The big whammy — Perhaps most importantly, said the official, the order could make it untenable for foreign resellers of U.S. cloud services — often a weak link for law enforcement — to play fast-and-loose on compliance, thus drying up the pool of services available to criminals and driving them to non-U.S. services, where they are easier to spot.

“We have a problem where, in essence, U.S. infrastructure as a service provider could unwittingly become, essentially, a bulletproof hosting provider,” said the official, in reference to deliberately non-compliant service providers that often cater to criminals.

Practice what you preach — Pressing ahead on the EO would serve another important goal, the senior administration official said: demonstrating the U.S. commitment to a “due-diligence norm” in cybersecurity.

“We should not be a source of malicious cyber activity emanating out of the U.S. and affecting other countries any more than we would want to be the victim of malicious cyber activity emanating from their countries,” the official said.

Software Security

CISA CZAR TO TALK BURDEN-SHARING — CISA Director Jen Easterly will double down on the idea that large technology companies and software providers are dropping the ball on security during a speech today on the “designed-in dangers” of modern tech.

Speaking before students at Carnegie Mellon University, the CISA chief will argue that the status quo in which companies eschew security in order to rush feature-rich, security-poor products to market is “unacceptable,” a CISA spokesperson told MC over email.

Part and parcel — The speech, which will call for security to be “rebalanced” away from tech users and toward the companies that write and ship code, is part of a new push by Easterly to needle large technology providers to take on more responsibility for their products.

Earlier this month, Easterly and Eric Goldstein, CISA’s executive assistant director for cybersecurity, penned a Foreign Affairs article calling on technology providers to “stop passing the [security] buck” to their users.

A crisis moment — In the opinion piece, Easterly likened modern tech security to the pre-seatbelt era of automobile safety and proclaimed that a “safety crisis is already here in the cyber-realm.”

But it made no mention of the word “regulation” and it doesn’t look like the speech will either, raising questions about how far Easterly’s cajoling can move the tech industry.

Is that really a surprise? — CISA is (mostly) not a regulator, and with the Biden administration intent on pushing more cybersecurity regulation, Easterly may be hoping CISA can play good cop to other agencies’ bad cop.

The pitch would be simple enough: Get your act together now, and you may be able to keep the regulators at bay. Or don’t — and good luck to you with that.

Russia

NEW CYBER SANCTIONS — A growing number of Russian technology, foreign influence and cybersecurity companies have two things in common: tight relationships with Kremlin intelligence services — and a plum spot on a U.S. sanctions list.

The Treasury Department’s Office of Foreign Assets Control added 19 Russian technology executives or cybersecurity companies to its sanctions list on Friday, when it announced a broader sanctions package designed to ratchet up pressure on Moscow at the one-year mark of its invasion of Ukraine.

By the numbers — Of those 19, the Treasury called out six cyber or cyber-adjacent firms it alleges have ties to Russian intelligence. While a handful of those charges are vague, the move offers a small window into the web of private contractors that support Russian cyber spooks.

Getting technical — Take Forward Systems R&DC, for example, a Moscow-based computer programming and information technology company that has “developed specialized software and algorithms” for a partner of Russian military intelligence involved in offensive cyber operations, said OFAC.

There’s also Novilab Mobile, a Moscow-based software developer that Treasury says worked alongside another sanctioned Russian entity for a project on “mobile device monitoring.”

Not just the Internet Research Agency — Treasury also sanctioned several firms that support the Kremlin’s foreign influence campaigns.

Explicitly, it called out two firms that helped Russian military intelligence spin misleading narratives online. But it also sanctioned 0day Technologies — a Kremlin subcontractor that has previously been linked to malign influence — for providing “databases” of Western citizens’ personal data to Russian intelligence.

The International Scene

SIGNAL THREATENS TO WALK ON U.K. — Secure messaging app Signal is warning that it will exit the United Kingdom if it passes a controversial bill requiring communications providers to introduce encryption workarounds to limit the spread of online child sexual abuse material.

The U.K.’s Child Online Safety bill, which was first introduced by Boris Johnson and is still wending its way through Parliament, would fatally undermine end-to-end encryption, Signal CEO Meredith Whittaker told Ars Technica, which first reported the story on Friday.

“We would absolutely exit any country if the choice were between remaining in the country and undermining the strict privacy promises we make to the people who rely on us,” Whittaker said. “The U.K. is no exception.”

Nub of the problem — End-to-end encryption is the calling card that makes Signal tick for its more than 100 million users, but U.K. lawmakers, law enforcement officials and child protection advocates believe that it hinders the fight against online child exploitation, a mushrooming problem.

The law’s advocates argue it is “not a ban” on end-to-end encryption, but Signal and most privacy experts assert that there’s no workable, privacy-preserving alternative.

Industry Intel

PARTNERS FOR THE LONG-TERM — The U.S. government needs to set rules of the road for private sector companies that provide cybersecurity support in war zones, argues a new report out this morning from the Atlantic Council.

“It is difficult to know what forms future conflict and future adversaries will take, or the incentives that may exist for companies in those new contexts,” authors Emma Schroeder and Sean Dack write. “But by better understanding the key role that private information and technology companies already play in this domain, the United States and allies can better prepare for future threats.”

To address those problems, the report argues the government should set ground rules for how private companies can contribute to a war, create a database to monitor the services they provide and introduce funding mechanisms to help underwrite their support.

Tweet of the Weekend

Cryptographer Matthew Green has a thoughtful thread on the U.K.’s Child Safety Bill, and where he thinks the winds are blowing in the long-simmering encryption battle between governments and tech providers.

The Long Read

— CyberScoop has a terrific, one-year look back at the cyber implications of the war in Ukraine.

Quick Bytes

— Months after a widespread ransomware attack against Albania drew warnings from the West, Iran continues to target the NATO member with cyber-enabled disinformation campaigns. (The New York Times)

— Australian counter-intelligence has rounded up a highly active “hive” of Russian spies. (Sydney Morning Herald)

— One of the world’s largest commercial DNA diagnostics centers will pay a $400,000 fine for a 2021 data breach. (The Record)

— Ukrainian hacktivists deliver an anniversary gift to the Kremlin: a basket of website defacements. (TechCrunch)

Chat soon.

Stay in touch with the whole team: Maggie Miller ([email protected]); John Sakellariadis ([email protected]); and Heidi Vogt ([email protected]).
