Good morning and happy Monday, Cybersecurity 202ers! Today is my first day filling in for Joe, who's on vacation. Have anything cybersecurity-related that you want to share with me? Something stand out in President Biden's budget? Drop me a line: aaron.schaffer@washpost.com

Below: The FCC adds a Russian company to its list of national security threats for the first time, and U.S. and European officials reached a preliminary data privacy deal.

Five takeaways from CISA's marathon call with U.S. cyberdefenders

CISA Director Jen Easterly took questions for nearly three hours with her CISA colleagues. (Kevin Dietsch/Getty Images)

A temporarily posted three-hour call last week between government officials and private-sector cyber pros sheds light on the frustrations of critical infrastructure industries as they face cyberthreats. The call, between more than 13,000 industry workers and top officials from the Cybersecurity and Infrastructure Security Agency, provides insight into their tensions as the Biden administration warns that Russia could launch devastating cyberattacks on the United States amid the war in Ukraine. Here are five key takeaways:

1. There was a scuffle over publicly releasing the call.

For around 48 hours last week, the world got an unvarnished look at the call when CISA posted a recording of it online. CISA Director Jen Easterly apologized Thursday and the agency took down the full recording.

The context: CISA has historically tried to maintain a cooperative relationship with industry, including keeping confidential voluntary reports about attempted and successful hacks.

Attendees were told that the March 22 call would be recorded, but CISA Assistant Director for Stakeholder Engagement Alaina Clark also said the call was "not intended for members of the media, and the content is not for reporting purposes."

The impact: Trust has been slower to develop between CISA and some industries. The scuffle over CISA's release of the audio could make that even harder to build — at a critical time for the nation's cybersecurity.

2. CISA recommends lower thresholds for reporting cyberattacks voluntarily.

CISA officials want organizations to lower their thresholds for reporting cyber incidents to federal authorities. That means they want organizations to report any unusual activity on their networks. "These are very unusual times," Easterly told one attendee. "We would typically not be saying 'report anomalous activity to us,' " she said, noting the potential for destructive cyberattacks. Easterly added: "We are very concerned to make sure that as much as possible, we can get ahead of understanding the threat environment so that we can warn and hopefully prevent people from suffering, or entities from suffering, becoming victims of a serious hack."

The plea for more information comes after Congress passed legislation requiring critical infrastructure owners and operators to report hacks to CISA. But the rules could take years to go into effect, so CISA has to be persuasive now to get the reports voluntarily. For one, officials repeatedly stressed that sharing information would make critical infrastructure as a whole safer. CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman also repeated President Biden's statement to business leaders that it's a "patriotic obligation" for companies to invest in building their cyberdefenses. But Easterly acknowledged some challenges, which could leave the agency with blind spots:

- Lawyers: "I know having just come from a big company that when something goes wrong, the first thing that happens is the lawyers get involved," Easterly said. "But at the end of the day, my plea to everybody on this call is to look at sharing of information as something that is for our collective cyberdefense."
- Burnout: "We know probably better than anybody as the nation's cyberdefense agency, how hard it is to sustain a very high operational tempo for long periods of time," she said. "I worry myself about things like vigilance, fatigue, but now is not the time to let our guard down. Now is the time to double down on everything that we've been doing to ensure we're postured to be able to deal with threats to our homeland."

3. Critical infrastructure operators are still confused about whom to disclose hacks to.

CISA officials also faced questions about how to report hacks, given that the FBI and CISA both asked organizations to report cyber incidents to them.

CISA said the information would be shared quickly within the federal government. "The information is all coming back to the same place," Hartman said. "So again, the key here is to notify CISA or FBI with haste and that we will take it from there." But some callers also said that communication has broken down between federal agencies, state authorities and local governments. Easterly is "sympathetic to the government sending confusing signals" given her previous experience in the private sector, she said. But at the end of the day, Easterly said, "we will make sure that we are well tied into" the agency's partners at the state and federal level.

4. Industry is also frustrated by classified information.

Some information about cyberthreats remains classified and difficult for many critical infrastructure organizations to access, they said. Some examples:

- One caller who said he's "responsible for a large part of critical infrastructure in the U.S." vented about not having the proper clearances to get some cybersecurity information from the federal government because he's a permanent resident, not a citizen.
- Another caller said CISA has recently held briefings only for holders of security clearances, and that has denied key sectors access to important cybersecurity information.

CISA has long received complaints from the private sector about the agency's inability to share more classified information with it. The agency has argued that it can share information about vulnerabilities without sharing classified details about how it found out about them. "Obviously, we are going to do everything we can to get information out at the appropriate level, whether that's at the [top secret] level," Easterly said. "We're also pushing very, very hard to make sure that we can rapidly declassify information."

5. Cyberdefenders begged CISA for faster resources. CISA's answer: 'We are working on it.'

CISA provides organizations with cybersecurity tests and other services to help them make sure their cyberdefenses are strong. Those can be important for smaller critical infrastructure organizations, which don't have large cybersecurity teams to proactively look for weaknesses in their defenses. Some callers noted that CISA can't quickly schedule everyone in and asked for more resources. Here's Easterly: "We are working on it. Probably not fast enough for my liking, frankly, but working hard and absolutely agree with making sure we're pressing to be able to provide everything we can in terms of our resources."

The keys

The FCC called Kaspersky a national security threat

FCC Chairwoman Jessica Rosenworcel said the move is part of the FCC's efforts to "strengthen America's communications networks against national security threats." (Albert Gea/Reuters)

It's the first time the Federal Communications Commission has added a Russian firm to its list of companies that are threats to U.S. national security, Bloomberg News's Todd Shields reports. The designation means that federal subsidies can't be used to buy Kaspersky services.
Kaspersky said it was "disappointed" by the FCC's decision and argued that it "is not based on any technical assessment of Kaspersky products — that the company continuously advocates for — but instead is being made on political grounds." The U.S. government has long had an eye on Kaspersky, which calls itself the world's largest privately owned cybersecurity firm:

- For years, the U.S. intelligence community has argued that Kaspersky software could operate as a spying tool for the Kremlin. The company has repeatedly denied the allegations.
- The U.S. government ordered civilian agencies to remove the company's anti-virus software in 2017.

Russian troops' use of unsecured equipment makes them vulnerable to targeting

Amateur radio enthusiasts have tuned into Russian military transmissions online. (Alexander Ermochenko/Reuters)

Russian troops aren't using secure communications technology because of uneven discipline, a lack of planning for a protracted war and Russian attacks on Ukrainian communications infrastructure that Russian troops are relying on as well, Alex Horton and Shane Harris report. There's evidence that the United States and its NATO allies have given Ukrainian forces equipment that can interrupt Russian transmissions and let them target Russian command posts, Kostas Tigkos, a Russian military expert at the defense analysis firm Janes Group, told my colleagues. "By destroying Russia's communication nodes, the Ukrainians could pressure their adversaries to use less-secure equipment, he said, increasing the likelihood their conversations will be intercepted or their positions triangulated," they write.

U.S. and European officials reached a preliminary data privacy deal

It's expected to be challenged in court. (Reuters/Evelyn Hockstein)

The Trans-Atlantic Data Privacy Framework would allow data about Europeans to be stored in the United States, the Wall Street Journal's Daniel Michaels and Sam Schechner report. The deal tries to assuage European legal concerns by setting up a European appeals process that includes an independent Data Protection Review Court. The court would have the power to issue binding rulings. The deal is important for major technology companies that have been targeted by European privacy regulators over the transfer of their data to the United States. European and U.S. officials said that "the new U.S. data-protection court, along with a commitment to limit disproportionate signals intelligence collection, will be created via a U.S. executive order," Michaels and Schechner write.

Daybook

- U.S. Secret Service Director of Cyber Policy and Strategy Matthew Noyes and Trellix chief executive Bryan Palma speak at a Center for Strategic and International Studies event today at 3 p.m.
- The House Judiciary Committee holds a hearing on oversight of the FBI's Cyber Division on Tuesday at 10 a.m.
- The German Marshall Fund of the United States hosts an event on information manipulation in France's upcoming presidential election on Tuesday at 10 a.m.
- The House Homeland Security Committee holds a hearing on securing critical sectors from Russian cyberattacks on Wednesday at 10 a.m.
- CISA's cybersecurity advisory committee meets on Thursday at 2 p.m.
- The Center for Strategic and International Studies hosts an event on the cybersecurity implications of U.S.-China technology decoupling on Thursday at 2 p.m.
- Homeland Security Secretary Alejandro Mayorkas and Dilan Yeşilgöz-Zegerius, the Netherlands's Minister of Justice and Security, speak at an Atlantic Council event on securing marine transportation systems on Friday at 10:30 a.m.

Secure log off

Thanks for reading. See you tomorrow.