Top U.S. cyber official finds hope in Ukraine’s defense
— The National Cyber Director is feeling more optimistic than ever about how much progress the US can make defending itself against digital threats. Why? He’s seen what Ukraine has done against impossible odds — and he believes the US can follow suit.
HAPPY TUESDAY, and welcome to Morning Cybersecurity! This very special edition of MC finds its way into your inbox from balmy Sea Island, Ga., where yours truly is on assignment at The Cipher Brief’s 2022 Threat Conference.
I’m here with retired four-stars, a gaggle of current and former spooks and top executives from the business world. It’s the type of crowd that gossips about North Korean hackers during cocktail hour and breaks into applause at the idea of overhauling the defense acquisition process.
Am I having a good time? Well, I’ve met DOJ officials whose names I knew from hacking indictments, cyber intelligence experts of APT1 lore and an inspiring entrepreneur who used my face to make a Conan O’Brien deep fake. So yes, yes I am.
Got tips, feedback or commentary for MC? Email me at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.
Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily political news and other intelligence you need to act on the day’s biggest stories.
PROOF OF CONCEPT — There’s no knowing if National Cyber Director Chris Inglis took confidence from sitting next to your MC host on Monday morning, but it sure seems that way: When he hit the stage at the Cipher Brief’s 2022 Threat Conference, the top US cyber official struck an optimistic note, arguing Ukraine’s stout cyber defense over the last eight months demonstrates the US government can tame a large and growing array of cyber threats.
Speaking as his office puts the finishing touches on the nation’s first national cybersecurity strategy since 2018, Inglis said Ukraine’s surprise performance on the digital battlefield has proven the US can achieve significant progress in security if it makes “serious” investments in digital resilience and does not delegate digital defense to “market forces or destiny.”
“If somebody asked me in February 2022, I would’ve underestimated the power of defense,” said Inglis, who recalled how he once likened cybersecurity to a soccer match where the two offenses could not be stopped. “Ukraine showed us some investment in digital infrastructure, in roles and responsibilities and in people skills can pay huge dividends in your ability to conduct a stout defense.”
Roadmap — Repeatedly citing the example of the automotive and aviation industries during his speech, Inglis argued that the US government had to assume a stronger regulatory role to secure the country’s digital infrastructure.
However, Inglis demurred when asked for specifics about what such regulation could entail. At one point, I insisted the government would apply the “lightest possible touch” with industry.
Definitions — Beyond the question of how to plug holes in the country’s critical infrastructure, Inglis indicated his office is also reassessing how to apply the label itself.
Although a useful “organizing principle,” the country’s digital dependencies do not fit neatly into the 16 industry verticals — like the commercial facilities sector and the dams sector — the government currently uses.
The forthcoming cyber strategy will address the reality that true critical infrastructure is “horizontal,” said Inglis, meaning attacks against critical infrastructure in one sector can spill over into another.
Workforce — Inglis also hinted at major changes in how the government thinks about the country’s IT workforce.
Inglis suggested the new national cyber strategy would address a talent shortfall not just in the people who protect IT systems, but look more broadly at options for training everyday Americans on the secure use of digital services.
ELSEWHERE — This morning, the White House is releasing a fact sheet that details the administration’s efforts on cybersecurity to date. MC got a sneak peek, and two things caught your host’s eye.
First, the administration’s upcoming push to secure Internet of Things devices will start with routers and home cameras. Second, starting Oct. 31, the White House will host a group of international partners for a two-day event dedicated to ransomware.
TIME FOR A MAKEOVER? — The government is dropping the ball when it comes to helping the private sector tackle cyber threats — and it needs to consider fresh thinking, fast. That’s the consensus of a coterie of former government officials and current industry leaders who shared a packed stage at the conference on Monday.
Although they agreed the government’s current model for working with the private sector had serious flaws, they urged a range of competing reforms, from less regulation to more regulation.
incentivize — Teresa Shea, former director of Signals Intelligence at NSA, suggested cooperation with industry is “failing” due to a confusing mix of laws, policies and regulation that cow industry into withholding critical information.
Shea suggested the government could reverse that dynamic by offering inducements to encourage industry to share more information. She did not elaborate what that would entail.
Overhaul — The harshest criticism found a voice in former CISA director Chris Krebs. “The complexity of the digital ecosystem is so overwhelming, and I don’t believe we have the correct structure to fix it,” he said.
Krebs, who recently delivered a speech arguing CISA should become an independent government agency, suggested the government establish an independent advisory council that looks seven years into the future and maps out how to build “the government of today and tomorrow.”
middle ground — Between Shea and Krebs, panelists also offered more modest proposals for how the government could kick-start its efforts to collaborate with the private sector.
The government should expand the number of critical infrastructure sectors it recognizes to include the cloud services and space sectors, argued Mark Montgomery, executive director of both the Cyberspace Solarium Commission and its successor, CSC 2.0.
The government should centralize its approach to regulating the cybersecurity of private industry, said Glenn Gerstell, former general counsel of NSA, who said it “makes no sense” to have cyber “bolted on” to every particular regulatory agency with its own rules.
SPEED OVER SPECIFIC — An all-FBI panel during Monday’s festivities argued US law enforcement is applying a valuable lesson from its success thwarting an Iranian election interference campaign two years ago: When outing covert hacking campaigns, it is sometimes OK to sacrifice detail for speed.
“Country-level attribution is just fine” when it comes to calling out state-backed hacking campaigns, said Cynthia Kaiser, section chief for Cyber National Security Intelligence. “You don’t need to go down to the individual level immediately” she continued, referring to the lengthy process by which states identify the specific hacker or agency behind an incident.
Deets, please — When the FBI and the Office of the Director of National appeared at a surprise press conference just two weeks ahead of the 2020 presidential election and accused Iran of targeting US voters, government officials shared fewer details than is customary.
While that raised some initial questions about the credibility of the claims, it allowed the government to move at an unprecedented speed and nip an exigent digital threat in the bud.
Prior to that, the government tended to wait weeks or even months before issuing public statements revealing who it believed to be the perpetrator of a given hack.
One last thing — Asked whether the emergence of several congressional candidates who dispute the results of the 2020 election would dampen the bureau’s inclination to share information, Kaiser issued a firm no.
“Transparency makes everyone safer,” she said. “We’ve dealt with hesitancy and skepticism from election officials before, and we have a track record of being able to push this forward.”
IT’S SIMPLE, DOCTOR — When it comes to privacy, consumers don’t need much. More than promises about how companies will protect their data, they want greater transparency about how their data is being used, according to a consumer privacy survey out this morning from Cisco. Thirty-nine percent of survey respondents told Cisco that companies could build trust with them just by communicating how their data is being used, whereas 21 percent said companies should refrain from selling customers’ data.
UNDERMANNED — State CISOs from across the country are struggling to find staff to keep pace with a growing cyberthreat landscape, according to a Monday report from Deloitte and the National Association of State Chief Information Officers. Head counts for state cybersecurity professionals have stagnated since 2020 even though the responsibilities of many state CISOs have grown, the researchers find. As a result, more than three-fifths of state CISOs report competency gaps among their staff.
John Hultquist, vice president of intelligence analysis at Mandiant, explains why we shouldn’t panic about the recent Russian DDoS activity against US airports.
Mona Harrington has been named the assistant director for the National Risk Management Center at CISA. Harrington has worked as acting assistant director for the NRMC since March.
The Thursday newsletter misidentified Matt Tait’s affiliation. Tait is now an independent cybersecurity expert.
— Hackers steal $100 million from Binance. (The Record)
— Germany’s cybersecurity chief could face dismissal due to ties to Russian intelligence. (Reuters)
— Russian hackers claim credit for DDoSing websites of US airports. (Bloomberg)
— Russia disrupts internet services in Ukraine amid broader attacks on civilian infrastructure. (Netblocks)
Stay in touch with the whole team: Eric Geller ([email protected]); Maggie Miller ([email protected]); John Sakellariadis ([email protected]); and Heidi Vogt ([email protected]).