Will new CISA guidelines move the needle on cyber defense?

Driving the Day

This week, the Cybersecurity and Infrastructure Security Agency is set to release a long-anticipated list of cyber performance goals for critical infrastructure. But the guidance is voluntary, and Congress and the White House are divided on further regulation, raising questions about their impact.

HAPPY MONDAY, and welcome to Morning Cybersecurity! In honor of the 60th anniversary of the Cuban Missile Crisis, I thought I’d share some uranium-level hot takes today.

I love “Dr. Strangelove,” but I really love “Fail Safe.” It does a better job bringing to life the rational irrationality of Cold War-era nuclear strategists. It was a time when (mostly) good people felt they had to threaten the destruction of humankind to save it.

The scary part? “Fail Safe” has you seeing eye to eye with the wrong fellows, the ones who want to act crazy to prevent crazy. It all makes sense, until it doesn’t — until mushroom clouds blanket Moscow and New York.

And on that chipper note… it’s time for Morning Cyber!

Got your tips, feedback or other commentary? Send them to me at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.

Critical Infrastructure

LIFE GOALS — On the surface, the release of a list of general-purpose cybersecurity performance goals for critical infrastructure marks a major step forward for the Biden administration, which called its predecessors’ sector-by-sector approach to protecting the nation’s most vulnerable networks “woefully inadequate” when it announced the initiative last year.

But with industry resistance stifling Congress’s other efforts to mandate greater controls over the nation’s critical infrastructure, the White House is increasingly falling back on the piecemeal and voluntary approach it once sought to leave in the rearview mirror.

That raises questions about the future, utility and impact of the new cyber performance goals, which were supposed to tee up regulatory changes that may never come to fruition.

Bigger things in mind — When the Biden administration directed CISA to draft the new cyber guidelines last year, it signaled they were the first step toward a more ambitious regulatory project.

At its core, the idea behind the CPGs was to create a set of high-priority security practices for all critical infrastructure operators to follow, guidance that would address risk not just “to individual entities, but also the aggregate risk to the nation,” the White House indicated.

But a senior White House official later told the press a goal is “absolutely” to signal that hard-and-fast rules are on the way for operators of the nation’s most critical networks.

Sand in the gears — Since then, the White House has used federal agencies’ existing regulatory authority where possible — issuing new rules over the rail and aviation industries, for example — to protect sensitive U.S. networks. But industry resistance has thwarted the White House and Congress’s most far-reaching regulatory projects.

For example, industry opposition has repeatedly delayed legislation to identify and secure the most critical infrastructure entities within the U.S. — an effort that could have built off and put some real teeth into the performance goals.

One thing to watch — With industry balking at the most recent draft of the baseline goals — as the Washington Post reported last month — CISA could face some pressure to water down the forthcoming CPGs.

That push-and-pull will continue even after the new guidance is made public. A CISA spokesperson told MC it “will maintain an open request for input to accept feedback on how the guidance works in practice.”

What’s next — Once the CPGs are out, CISA will start working with other federal agencies on sector-specific goals, offering tailored recommendations for the new performance baselines.

Because some federal agencies have regulatory power over the sectors they oversee, those sector-specific projects are where the government could get tough. Anne Neuberger, deputy national security adviser for cyber and emerging technology, recently indicated the White House would pursue “creative interpretations” of existing law to regulate certain sectors, as MC reported last week.

On the Hill

INDUSTRY FEEDBACK — A trade group representing large technology firms is pushing lawmakers to reconsider a controversial provision in the forthcoming defense policy bill that would place more rigorous security burdens on contractors who provide software to government agencies.

In a Friday letter, the Alliance for Digital Innovation asked lawmakers on the House and Senate Armed Services committees to remove text in the House version of the 2023 National Defense Authorization Act that would require vendors to certify their software is free of known vulnerabilities or present a plan to fix them. They also want Congress to expunge text instructing DHS to issue contracting guidance that would require vendors to submit a software bill of materials — an ingredients list of the components in a given piece of code — when they bid for federal contracts.

Cui bono? — With top federal IT providers Amazon Web Services, Google Cloud, Adobe, Okta and VMware among its membership, ADI has a vested interest in thwarting any legislation that weighs down their government work. Even so, many independent critics agree the legislation sets high standards for vendors — particularly when it comes to vulnerability remediation.

That’s because all software has vulnerabilities, and not all vulnerabilities are created equal.

A mandate to address every software bug therefore undermines industry efforts to prioritize critical vulnerabilities over minor ones, ADI and other industry trade groups argued in a separate letter to Congress last month.

Hold up — In MC’s opinion, that’s an unfair reading of the draft text, and one that plays rather conveniently into the hands of the private sector.

To weed out any possible confusion, the text merits some tweaking — like a vulnerability’s inclusion in a national database — but the language allowing vendors to provide remediation plans in lieu of fixes provides leeway for vendors to continue selling their software, however imperfect it may be.

On the flip side — Some advocates believe the provision could be a gamechanger for U.S. cybersecurity.

Last month, former top White House cybersecurity adviser Michael Daniel told MC the provision could “mark an enormous market shift” for U.S. cybersecurity because existing market incentives favor vendors who move fast when issuing new software and strap on security protections later.

Ransomware

TROUBLING PATTERN — A Russian-speaking ransomware group that professes to pursue profits over politics appears to be targeting Ukrainian government agencies with spear-phishing emails, according to an alert from Ukraine’s computer emergency response team.

The Ukrainian CERT identified “potential links” to the Cuba ransomware group due to the use of a custom backdoor — code for maintaining a covert foothold in victim networks — that the Cuba group debuted earlier this year.

Watch this space — Though the jury is out on this particular incident, it would be consistent with a troubling pattern: Ostensibly criminal in nature, the Cuba ransomware group seems unable to kick its habit of zeroing in on politically sensitive targets.

In December 2021, the FBI issued a warning about the group, indicating it had attacked 49 critical infrastructure entities in the U.S. Earlier this summer, the group launched a large-scale ransomware campaign that affected government services in Montenegro, a NATO member.

TASTE OF YOUR OWN MEDICINE — A Russian-speaking ransomware group is breaking the first rule of ransomware fight club: Do not launch extortion attacks in mother Russia.

The OldGremlin ransomware group has been targeting companies in Russia since at least March 2020, according to researchers at the Singapore-based cybersecurity company Group-IB. In addition to open-source and commercial exploitation tools, the group uses custom malware to compromise victims — a hint the group has an above-average degree of skill.

Why that’s caught our eye — Russian-speaking ransomware groups have a tacit agreement with law enforcement in Russia and the Commonwealth of Independent States: So long as they do not attack networks close to home, local police will not prosecute the groups.

It’s a criminal code of conduct that’s cemented, literally, in code: Many Russia-based ransomware groups have configured their malware so it won’t deploy on computers whose default language uses the Cyrillic alphabet.

Vulnerabilities

LED TO SLAUGHTER — A pernicious social engineering ploy that originated in Asia is making its way to the English-speaking world, according to research out this morning from cybersecurity firm Proofpoint. Dubbed “pig butchering,” the ruse begins with scammers ingratiating themselves over long periods with unsuspecting social media users. After gaining their victims’ trust, the scammers convince them to deposit funds into fake cryptocurrency accounts, where the criminals inflate the displayed balances to persuade victims to keep investing. Based on the sophistication and breadth of the schemes, Proofpoint researchers believe large criminal enterprises are behind them. According to data cited in the report, the average loss from these scams tallies $122,000, while two-thirds of victims are women between the ages of 25 and 40.

Tweet of the Weekend

Check out CISA Director Jen Easterly’s thread calling on technology vendors to deploy two-factor authentication for their users. Easterly and Bob Lord, a senior technical adviser at CISA, published a blog post on MFA adoption last week.

Quick Bytes

— Microsoft is struggling to secure its on-premises Exchange email servers, a widespread technology that has recently been at the heart of many large-scale security incidents. (Wired)

— Google is launching a new open-source project to improve software supply chain security. (Google)

— The goal of the Russian-speaking hacktivists who launched DDoS attacks against U.S. websites wasn’t to cause damage, argue three academics who study cyber conflict. (Lawfare)

— Graphika is considering the launch of a “software-based multi-stakeholder threat center” to empower defenders to snuff out online mis- and dis-information campaigns. (CyberScoop)

— Hackers are leaking data stolen from Iran’s atomic energy organization. (Reuters)

Chat soon.

Stay in touch with the whole team: Eric Geller ([email protected]); Maggie Miller ([email protected]); John Sakellariadis ([email protected]); and Heidi Vogt ([email protected]).