A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
Welcome to The Cybersecurity 202! We’re not publishing on Friday or Monday, so we look forward to seeing you again Tuesday.
Below: Meta removes accounts linked to an Indian hacking-for-hire firm, and the agency that runs the Medicare program says a subcontractor was hit by ransomware. First:
Sen. Gary Peters (D-Mich.), chairman of the Homeland Security and Governmental Affairs Committee, told me his key cybersecurity priorities next year are fortifying cyberdefenses for small businesses, open-source software, federal agencies and vital technology used in industrial facilities.
Sen. Angus King (I-Maine), who co-led the congressionally created Cyberspace Solarium Commission, said in a separate interview that the key priorities ahead for him are improving cybersecurity threat information sharing and protections for the most important infrastructure.
Peters has played a leading role in a boom in cybersecurity legislation of late, while King’s Solarium Commission has gotten a ton of its recommendations enacted. So their plans could also set the cyber agenda for the Senate overall.
“I worked to elevate that as one of the top priorities for the committee,” Peters said. “Rest assured that cyber will continue to be a top priority for me and the committee. My hope is to be as productive the next two years as we were the last two years.”
Peters’s top cyber achievement came at the start of this year alongside the now-outgoing top Republican Rob Portman (Ohio) on the panel: legislation requiring critical infrastructure owners to disclose to the Cybersecurity and Infrastructure Security Agency when they suffer a major hack or pay ransoms to hackers.
Next legislative aims: In the fast-moving world of cybersecurity, Peters said he might have a different answer within a month. But for now:
Some of his plans are less legislative in nature, such as pressing state and local governments to continue moving toward the safer “.gov” domain and keeping watch over CISA’s implementation of the cyber incident reporting law.
He’ll be working with a new top panel Republican, Sen. Rand Paul (Ky.), too. “I’ve had an opportunity to sit down with soon-to-be ranking member Paul about priorities for the committee,” Peters said. “I’m confident we’ll have a working relationship that can get things done.” He noted that all of the cyber bills his committee had advanced did so unanimously.
The Solarium Commission is nearing 70 percent adoption of its recommendations since 2020, King boasted.
“If we were the center fielder for the Boston Red Sox with a batting average of .667, what do you think we’d get paid?” he quipped.
As in past years, the commission found a home for its ideas in the annual defense policy bill that’s nearing the finish line in Congress. Among them:
Some of the commission’s biggest recommendations didn’t make it into the final version of the defense bill, however.
That means King will have to start fresh on a pair of his priorities: protecting “systemically important” critical infrastructure and establishing a “Joint Collaborative Environment.”
The first idea, which involves labeling and safeguarding potential hacking targets that are essential to national security, the economy or public health, ran into opposition from industry groups that called the idea fatally flawed. “I’m not ready to give up,” King said.
The Joint Collaborative Environment idea — which King described as “a project to set up a kind of virtual meeting space for [the] private sector at the cross-section of federal agencies” — ran into opposition from the National Security Agency.
“Part of the problem is, some of the federal agencies aren’t sure they want to play with the others,” King said. “That’s the biggest one we didn’t get, and we’re going to stay after that.”
Indian company CyberRoot Risk Advisory Private has targeted people in Angola, New Zealand, Russia and the United Kingdom, with the company focusing on activists, journalists, executives and other people in Djibouti, Iceland, Kazakhstan, Saudi Arabia and South Africa, Facebook parent Meta said in a report this morning. Meta took down more than 40 Facebook and Instagram accounts that were part of the network, the company said.
“CyberRoot used fake accounts to create fictitious personas tailored to gain trust with the people they targeted around the world. To appear more credible, these personas impersonated journalists, business executives and media personalities,” Meta said. “In some cases, CyberRoot also created accounts that were nearly identical to accounts connected to their targets like their friends and family members, with only slightly changed usernames, likely in an attempt to trick people into engaging.”
Authorities charged six people with computer crimes relating to their alleged ownership of “booter” and “stresser” services that enable people to maliciously overwhelm websites with fake traffic in distributed denial of service (DDoS) attacks, journalist Brian Krebs reports. All told, the Justice Department seized 48 domains, Krebs reports.
“Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — stresser services can be used for good or bad purposes,” Krebs writes. “For example, all of the above-mentioned booter sites contained wordy ‘terms of use’ agreements that required customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.”
The Centers for Medicare and Medicaid Services said up to 254,000 of the Medicare program’s 64 million beneficiaries may have been impacted in the October breach at subcontractor Healthcare Management Solutions. People whose personal information “may have been put at risk as a result of the breach” will get updated Medicare cards, new Medicare numbers and credit-monitoring services, CMS said.
In a sample letter it posted on its website, CMS said the breach occurred Oct. 8. The next day, “CMS was notified that the subcontractor’s systems had been subject to a cybersecurity incident but CMS systems were not involved,” the agency said. “As more information became available, on Oct. 18, 2022, CMS determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees,” it said. “Since then, CMS has been working diligently with the contractor to determine what information and which individuals may have been impacted.”
Ex-Twitter employee convicted of spying gets 3 1/2 years in prison (Bloomberg News)
Putin to choose cyber warfare before nuclear weapons, former NSA chief says (The Hill)
Iranian hacking group expands focus to U.S. politicians, critical infrastructure, researchers find (CyberScoop)
China to ban deepfakes that aren’t properly labeled (The Record)
Senate passes bill banning TikTok from government devices (Wall Street Journal)
Thanks for reading. See you next week.