White House tiptoes into more cyber regulation

Driving the Day

— The Biden administration is signaling that it isn’t waiting for Congress to help it protect overlooked critical infrastructure sectors from hackers.

HAPPY MONDAY, and welcome back to Morning Cybersecurity! I’m your host, Eric Geller. Nichelle Nichols, who broke barriers and inspired generations as Lt. Uhura on the original “Star Trek” series, died on Saturday. In honor of her remarkable life, here’s my favorite story about her. May she rest in peace.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Email your MC hosts Eric Geller ([email protected]) and Maggie Miller ([email protected]). You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below. Let’s dive in.

At the Agencies

WATER WE WAITING FOR? — With a recent announcement about cyber regulations for the water sector, the Biden administration is sending a message to Congress: We need your help, but in the meantime, we’re going to get creative.

It’s been nine months since the White House revealed it had asked Congress to explicitly authorize the EPA to set cyber standards for the water sector, whose tens of thousands of utilities are strapped for cash and security expertise, leaving their networks dangerously exposed to hackers. Since then, there hasn’t been a scintilla of movement on the issue from Capitol Hill.

So the Biden administration is forging ahead without the Hill. Last week, Anne Neuberger, deputy national security adviser for cyber and emerging technology, announced the EPA will soon issue a rule integrating cybersecurity requirements into the Sanitary Surveys that states are required to conduct at water facilities.

“Our strategy is to use current authorities fully,” said a senior administration official, who requested anonymity to discuss internal planning. “We identified that EPA’s current safety and security authorities allow them to roll cybersecurity in.” The EPA rule will be “modeled after” TSA’s recently issued regulations, the official said, “including a process for input from the sector.”

The EPA will likely issue the rule this summer, according to the official, but the agency still hasn’t decided when to begin enforcement. The EPA is evaluating the “balance of urgency and what’s needed from a practical perspective,” the official said. The rule could create new burdens for state utility overseers that have to hire new inspectors, train existing workers on cybersecurity or readjust inspection schedules to accommodate the new elements of the surveys.

The details of the new cyber requirements remain unclear, although if they’re similar to the TSA rules, they’ll likely mandate incident reporting, the creation of emergency response plans and the implementation of basic technologies such as multi-factor authentication. The EPA didn’t respond to a request for comment.

The White House’s message to Congress remains the same: Pass legislation making it explicit that the EPA, and other agencies responsible for protecting U.S. critical infrastructure, can mandate cyber standards. “We need the Hill to ensure that those authorities are clear,” Neuberger said last week. “There’s hesitancy by agencies to move without real Hill backing to do so.”

Critical Infrastructure

WARNING SHOT — A landmark recommendation from the Cyberspace Solarium Commission is facing intense industry backlash that could sink its chances of becoming law through the next defense policy bill.

An amendment to the House’s fiscal 2023 National Defense Authorization Act would create a “systemically important entities” designation applying new regulations — and offering priority aid — to certain critical infrastructure companies. But leading financial industry trade groups say the amendment, which won approval on the House floor, is a bad idea.

The provision would “duplicate existing designations without addressing gaps in government efforts to help protect private critical infrastructure from national security threats,” the American Bankers Association and the Bank Policy Institute told the leaders of the Senate armed services and homeland security panels in a July 29 letter.

In addition to redundancy concerns, the trade groups criticized the legislation for requiring SIEs to share sensitive information that could endanger companies if stolen, and they said any legislation should improve collaboration with the intelligence community.

It’s unclear if industry objections will sink the provision. The idea of systemically important entities has bipartisan support on Capitol Hill, and CISA is already engaged in a similar prioritization project.

On the Hill

KEEPING THE TECH AID FLOWING — As state and local law enforcement agencies struggle to keep pace with changing technology, including encryption, Congress is keen to continue supporting them.

Sens. Chuck Grassley (R-Iowa) and Dianne Feinstein (D-Calif.) want to reauthorize the National Computer Forensics Institute, which trains local investigators to deal with encrypted devices and other technology issues. On Friday, they introduced a bill to do just that.

Federal officials routinely bemoan the fact that local police face some of the biggest obstacles in their investigations because they often lack sufficient resources and technological expertise.

The NCFI, first authorized in 2017, “has trained law enforcement officers, prosecutors and judges from more than 2,000 state and local agencies across the United States,” according to a statement from the Senate Judiciary Committee, on which Grassley and Feinstein serve.

Election Security

WHAT ARE THEY HIDING? — Election security activists challenging Georgia’s use of electronic voting machines say the state shouldn’t be able to keep details of a local election system breach secret from the public.

The latest twist in a five-year-long federal court battle could have significant implications for Americans’ understanding of exactly how right-wing election officials are opening up voting systems to unvetted third parties.

In a recent filing in their court case, the plaintiffs said voters had a right to know what happened when an election official in Coffee County, Ga., allowed an election denier to examine her election management computers.

Georgia authorities say they’re still investigating the apparent breach and shouldn’t have to turn over records as part of the court case. But that claim “is a ruse to avoid revealing that this extraordinary breach occurred and that a real investigation has not,” the plaintiffs told the judge.

“That State Defendants could identify … only a dozen documents in total about the purported investigation confirms it isn’t real,” the activists wrote. “Where are the investigators’ emails, interview notes, and other typical law enforcement investigative files?”

Tweet of the Day

Security researcher Kevin Beaumont flags a curious trend: “Companies no longer say ransomware on advice of insurance, the term is now cyberattack or — becoming more preferred — cyber incident.”

Quick Bytes

The United States’ organ transplant database is running old technology that has never been checked for security weaknesses. (The Washington Post)

Student performance databases are filled with sensitive data, largely unregulated and often insecure. (New York Times)

An Austrian spyware firm outed by Microsoft says its only customers are European Union governments. (Reuters)

German authorities issued an arrest warrant for a Russian man alleged to have hacked German energy infrastructure. (The Record)

The Justice Department indicted a Russian man who allegedly organized an election influence operation that involved funding U.S. political groups.

The American Dental Association admitted to suffering a ransomware attack in April. (The Record)

Chat soon.

Stay in touch with the whole team: Eric Geller ([email protected]); Konstantin Kakaes ([email protected]); Maggie Miller ([email protected]); and Heidi Vogt ([email protected]).