A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
Welcome to The Cybersecurity 202! Cripes, I hope none of our holiday travel plans get wiped out by this inconsiderate storm.
Below: An inside look at what TikTok is offering the U.S. government as part of a potential deal, and prosecutors accuse two men of working with Russian hackers to manipulate the line of taxis at a major U.S. airport. First:
After an eight-year career as one of the leaders on cybersecurity in Congress, the thing Rep. John Katko (R-N.Y.) is proudest of — helping to build up the Cybersecurity and Infrastructure Security Agency — is the same thing he’s most worried about now that he’s departing Capitol Hill.
The retiring top Republican on the House Homeland Security Committee touted the evolution of CISA, an agency responsible for improving the defenses of both government agencies and the private sector, in a sort of exit interview with me this week on his cybersecurity work. The direction CISA goes next is his colleagues’ foremost mission, he said.
“CISA didn’t exist when I started in Congress,” Katko, 60, said about the agency that Congress created within the Department of Homeland Security in 2018 as the successor to a now-defunct agency. “We helped stand up CISA and we helped make CISA a young but mature agency that is becoming more and more effective by the minute. That’s huge.”
The agency is now at a “philosophical fork in the road,” Katko said. Bipartisanship still rules in Congress on cybersecurity issues, he said, but there’s been an increasing divide between the two parties over how much regulation the federal government should impose.
“As CISA matures as an agency and becomes more firmly established and better funded, whether or not to turn it into a regulatory behemoth or continuing to work the way it’s working very well now, that’s a natural progression of ideas and discussions,” Katko said, preferring a model that is about “bringing industry to the table and building trust.”
In October, Katko released a long-term plan for the agency that he dubbed “CISA 2025,” which includes other priorities like expanding its workforce.
The existence of CISA isn’t the only change Katko has witnessed since his election to the House in 2014. He came to Congress with a background in law enforcement at a time when foreign-inspired domestic violence was a big topic.
“We’ve got a grip on that, to some extent,” Katko said. “I naturally gravitated toward developing expertise in cyber because I had to, because I probably viewed it as one of the top threats to our country. There’s no doubt in my mind now that cyber is the No. 1 threat.”
The scariest threat these days is potential cyberattacks on critical infrastructure, he said, coupled with the growing sophistication of state-sponsored hackers in places like China, as well as criminal gangs who operate with impunity out of Russia. He pointed to cyberattacks before Russia invaded Ukraine that were meant to make it harder for Ukraine to respond to physical attacks, and the potential for Beijing to do the same thing in Taiwan.
Katko’s departure also isn’t the only pending personnel move on the Hill. Sen. Rob Portman (R-Ohio) and Rep. Jim Langevin (D-R.I.), who also are retiring, represent other major departures this year among cybersecurity-focused lawmakers who have emphasized bipartisanship.
“Early in his time on this committee, ranking member Katko became a leader and innovator on aviation security, and more recently, he has made his mark on the committee’s cybersecurity work,” House Homeland Security Chairman Bennie G. Thompson (D-Miss.), said at a hearing last month. “The ranking member and I did not always agree, but we agreed when we could. And when we disagreed, we tried not to be disagreeable about it.”
Katko is not worried about a cyber leadership “brain drain,” he said.
Shoring up border security and potentially impeaching DHS Secretary Alejandro Mayorkas are two top priorities for aspiring House Speaker Kevin McCarthy (R-Calif.). But Katko said, “I do think there’ll be room for cyber” for whoever replaces him atop the Homeland Security Committee.
“Look at what the Democrats have done as far as investigations into [former president Donald] Trump, right? Justified or not, they spent an extraordinary amount of time on that,” Katko said. “Now the pendulum swings the other way. We’re going to see a lot of Hunter Biden stuff and a lot of things about the border. And those are righteous areas to investigate, but I think we cannot take our eye off the ball with respect to cyber.”
As for Katko’s future career plans? “I’m definitely ready to see what’s next in life, no doubt about it,” he said. “I really am going to do everything I can to stay involved in cybersecurity issues going forward. I really, truly believe that’s where the fight is that I want to continue to try to make a contribution.”
A provision in a must-pass omnibus spending bill would ban federal employees from downloading TikTok to government devices, Eugene Scott, Julian Mark and Drew Harwell report. Lawmakers’ inclusion of the ban in the bill — which Congress faces a Friday deadline to pass — comes as the U.S. government and TikTok continue to work on a potential deal to allay U.S. concerns over the app.
TikTok has agreed to separate decision-making from Chinese parent ByteDance, and it also says it will give U.S. authorities the power to veto appointments on its proposed three-person board and its top executives. U.S. officials would also set hiring standards for TikTok’s U.S. staffers. The details were outlined by four people with knowledge of the discussions between TikTok and the secretive Committee on Foreign Investment in the United States (CFIUS).
TikTok last presented the plan in August, and officials still haven’t approved it, the people said. TikTok has started to outline the blueprint to Biden administration officials, and a CFIUS working group expressed some initial support for it, they said.
Biden administration officials say an agreement isn’t imminent, and that government agencies are still looking into what the best approach would be. TikTok spokesperson Brooke Oberwetter called the decision to include a TikTok ban on government devices in the bill a “political gesture that will do nothing to advance national security interests.” Oberwetter said the company was “disappointed” that Congress made such a move “rather than encouraging the administration to conclude its national security review,” and that TikTok continues to brief lawmakers on its plan.
In an indictment, prosecutors accused two men — Daniel Abayev and Peter Leyman — of working with hackers in Russia to breach John F. Kennedy International Airport’s taxi dispatch system, allowing drivers to skip taxi lines for $10. The hack enabled as many as 10,000 trips in which drivers jumped to the top of lines, according to the indictment.
Abayev and Leyman transferred more than $100,000 of the profits to the hackers, according to the indictment. The two men were charged with two counts of conspiring to commit computer intrusions.
Interviews with taxi drivers on Tuesday suggested that the system was like an open secret, the New York Times reported. Abayev’s lawyer, Matthew Myers, told the outlet that Abayev would plead not guilty. “A proper investigation must be conducted before anyone jumps to conclusions about the involvement or role Mr. Abayev did or did not play in this international matter,” he said. Leyman’s lawyer, Jacob Kaplan, declined to comment to the outlet.
Two top former Twitter executives — former chief privacy officer Damien Kieran and former chief information security officer Lea Kissner — have spoken with Federal Trade Commission lawyers about whether Twitter will be able to comply with a 2011 consent order with the FTC, Bloomberg News’s Kurt Wagner and Leah Nylen report. The FTC began probing Twitter after former head of security Peiter “Mudge” Zatko filed a whistleblower complaint this year.
“The probe marks at least the third time the FTC has scrutinized the social media platform over its privacy and data security practices,” Wagner and Nylen write. “The review could lead to millions of dollars in fines and a new FTC order imposing obligations on [Elon] Musk himself that would apply across his companies and remain in effect even if he steps down as chief executive officer or leaves Twitter.”
An FTC spokesman declined to comment to Bloomberg News, but FTC spokesman Douglas Farrar previously said that “no CEO or company is above the law, and companies must follow our consent decrees.”
The man behind Trump World’s myth of rigged voting machines (Reuters)
Nio blackmailed for millions in bitcoin by data-stealing hackers (Bloomberg News)
Police seize on covid-19 tech to expand global surveillance (Associated Press)
Facial recognition wielded in India to enforce covid policy (Associated Press)
Thanks for reading. See you tomorrow.