The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

The White House is releasing important cybersecurity guidance today

Analysis by

with research by Aaron Schaffer

September 14, 2022 at 7:12 a.m. EDT

Welcome to The Cybersecurity 202! Mismatched music covers are a mixed bag of stunts and surprising effectiveness, but the Afghan Whigs' version of “Creep” by TLC won’t get out of my brain so for me it’s the latter. Although … since the Whigs have argued convincingly they’re an R&B band despite forming as a “grunge” group, maybe it’s not so mismatched.

Below: Peiter “Mudge” Zatko testifies on Capitol Hill, and the U.S. government calls out foreign influence operations by Russia. First:

First in The Cybersecurity 202: Much-awaited security guidance arrives today from the Biden administration

A White House office is publishing guidelines this morning for how federal agencies and government contractors will comply with President Biden’s demand last year that federal systems and vendors meet common cybersecurity standards.

The memo — which The Cybersecurity 202 is first reporting — is perhaps the most-awaited cybersecurity guidance from the Office of Management and Budget (OMB) since Chief Information Security Officer Chris DeRusha joined the Biden administration at the beginning of 2021, he told me.

It stands to affect the security of government systems and therefore the ability of feds to provide services, as well as the process for billions of dollars’ worth of federal contracts. That, in turn, could pressure any company that might want to do business with the federal government to meet the government standards, as a senior administration official told reporters last year before rolling out Biden’s executive order that spawned today’s memo.

“We’re all using Outlook email. We’re all using Cisco and Juniper routers,” the official said. “So, essentially, by setting those secure software standards, we’re benefiting everybody broadly.”

Besides the memo, OMB is set to publish a blog post this morning from DeRusha.

“The guidance, developed with input from the public and private sector as well as academia, directs agencies to use only software that complies with secure software development standards … and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered,” he writes.

OMB hasn’t yet broadly shared the final draft with industry, which had expressed some nervousness about how details of the executive order, and today’s memo, might look.

Background

Biden’s May 2021 cybersecurity executive order listed many mandates, ranging from requiring agencies to employ security tools like encryption to establishing a Cyber Safety Review Board to analyze major cyberattacks. The memo followed a series of high-profile hacks, one of which, the breach of software company SolarWinds, let spies worm their way into at least nine federal agencies.

One of the memo’s directives was for the National Institute of Standards and Technology to create a foundation for developing secure software. NIST’s final framework includes top-level steps like:

  • “Produce well-secured software with minimal security vulnerabilities in its releases.”
  • “Identify residual vulnerabilities in software releases and respond appropriately to address those vulnerabilities and prevent similar vulnerabilities from occurring in the future.”

OMB ordered agencies to begin adopting that framework this March, but left out some steps, which leads us to today’s memo.

What the memo hopes to achieve

“The number one thing that we heard from industry was, ‘We all want to follow secure development practices, but we need to ensure a consistent approach across agencies and treatment of vendors — we don’t want 100 agencies doing this a hundred different ways,’” DeRusha said. “Absolutely agree with that. And so that’s the goal of this memo.”

A somewhat controversial topic is at the center of one of the memo’s steps. Agencies must receive something called a “self-attestation” from a software producer before using that software. Essentially, the software provider vouches for the security of their product. If a provider is found to be out of compliance later, an agency could no longer use it, according to OMB.

A Defense Department program for vetting the cybersecurity of Pentagon contractors featured third-party auditors because the department determined that self-attestations weren’t a reliable indicator of contractor security, Nextgov reported. DOD has subsequently retreated from that requirement, to a degree.

Another major component of the memo is the amount of information agencies could collect under it. For instance, it states that federal agencies may require prospective contractors to supply an ingredients list for tech systems, known as a Software Bill of Materials. Some have touted that as a measure that could’ve helped quickly clean up the bug in a hugely popular piece of code known as log4j.

That’s data that “we can leverage to protect all other federal agencies,” DeRusha said.

What’s next

It might take a while for all this guidance to become reality. The memo contains an appendix with a baker’s dozen deadlines for federal agencies, ranging from three months to two years.

But DeRusha touted the big picture in his blog post.

“The guidance released today will help us build trust and transparency in the digital infrastructure that underpins our modern world and will allow us to fulfill our commitment to continue to lead by example while protecting the national and economic security of our country,” he writes.

The keys

Twitter whistleblower highlights company’s cybersecurity practices in testimony before Senate panel

Former Twitter security chief Peiter “Mudge” Zatko told members of the Senate Judiciary Committee that executives at the company were financially incentivized to ignore key cybersecurity problems, and he also expanded on claims that foreign government operatives could have had access to sensitive data at the company, Cat Zakrzewski, Joseph Menn, Faiz Siddiqui and Cristiano Lima report. Zatko also grounded his testimony in examples that senators could understand — like their own Twitter accounts being hijacked.

“It doesn’t matter who has keys if you don’t have any locks on the doors,” he said. “It’s not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room.”

In the hearing, Zatko also warned about insider threats at Twitter. “A week before his January firing, Zatko testified, the FBI had warned security staff that a Chinese agent for the Ministry of State Security was employed at the company,” my colleagues write. “Twitter ads paid for by the Chinese government also could have elicited information, including locations of users who click on them, he said.”

Russia secretly spent more than $300 million on foreign political campaigns since 2014, U.S. says

A new U.S. intelligence review said that the money was funneled to candidates and political parties in more than two dozen countries, Missy Ryan reports. The Biden administration declassified the review in an effort to counter Russia’s attempts at foreign influence around the world, a senior U.S. official told reporters.

In a cable provided to reporters, the State Department named Russian oligarchs who it said were involved in “financing schemes.” The oligarchs include Yevgeniy Prigozhin, whom U.S. officials charged in 2018 with trying to interfere in the 2016 election by funding a Russian troll farm.

Securing the ballot

The biggest election disinformation event of the 2022 midterm primaries: Text messages (NBC News)

Global cyberspace

EU intelligence chief cancels Taiwan trip after Beijing learns his secret plans (Politico Europe)

Buenos Aires legislature announces ransomware attack (The Record)

Indonesia set to pass new data privacy law after spate of leaks (Bloomberg)

Industry report

Former NSA chief Keith Alexander accused of pump-and-dump investment scheme (The Intercept)

Daybook

  • Current and former executives at social media companies testify before the Senate Homeland Security Committee today at 10 a.m.
  • A Senate Judiciary Committee panel holds a hearing on protecting Americans’ personal information from hostile foreign actors today at 3:30 p.m.
  • Deputy national security adviser Anne Neuberger speaks at a DefenseScoop event Thursday at 9 a.m.
  • The House Homeland Security Committee holds a hearing on the cybersecurity of industrial control systems Thursday at 10 a.m.
  • A House Oversight and Reform Committee panel holds a hearing on federal IT on Friday at 9 a.m.
  • Rep. Mike Turner (R-Ohio), the top Republican on the House Intelligence Committee, speaks at a Heritage Foundation event on countering foreign misinformation and disinformation while protecting civil liberties Monday at 1 p.m.

Secure log off

Thanks for reading. See you tomorrow.