Welcome to Cybersecurity 202! I had a particularly tasty grilled Beyond Burger yesterday. I make them at home sometimes and not so well, but even then they are still good. No m.
Sen. Warner’s cyber priority this year is healthcare
In a Q&A, Sen. Mark Warner emphasizes more cybersecurity in healthcare, describes his expanded TikTok concerns
Chairman of the Senate Intelligence Committee Mark R. Warner (D-Va.) is one of the leading cybersecurity lawmakers on the Hill and has long been on our list of people to interview.
A co-founder of the Senate Cybersecurity Caucus, he was one of the earliest proponents of requiring businesses to disclose to the federal government when they suffered a major hack, in the wake of the massive SolarWinds hack that broke out in late 2020. Some of his ideas made it into the cyber incident reporting bill that became law last year.
I interviewed him Tuesday morning in a discussion that touched on that law, but mostly looked forward to his immediate agenda.
This interview has been edited for length and clarity.
Cybersecurity 202: What are your cyber priorities for 2023?
Warner: My most important item on the agenda for 2023 is this white paper I published last year, cybersecurity in healthcare, where in recent years we have looked at the ransomware side [that] nothing is more valuable to cybercriminals than healthcare information, even more so than personal financial information.
Cyber security in the healthcare system has always been bolted on to existing systems. We need to figure out a way, even if it will be a patchwork system at first, that we build cybersecurity on the front end of healthcare. I don’t know if you saw the white paper, but there’s a great chart early on in there. It referred to 16 different entities, four different secretaries of state, struggling with this, and no one is in charge.
We have posted the message, and we have received approx. 60 different contributions from industry and experts. We sift through them, and there are other legislators who [Sens.] Bill Cassidy [R-La.] and Jacky Rosen [D-Nev.], they have some legislation. I have some ideas and may want to come up with a slightly more comprehensive approach.
My second priority is to continue to look at how we go after cyber risks to national security. I am still in many ways surprised that we have not seen more draconian actions from Russia in light of the Ukraine war. I certainly expected, and I think most of the intel community expected, that we would see more malicious NotPetya-type attacks against Ukraine or attacks potentially against America or European allies. There have been some attacks, but it’s not like we’ve seen the absolute A team of the Russian services.
So I want us to continue to think about how we respond when there is a nation state. The question I’ve been asked is: “Would it be a violation of Article 5 if Russia had attacked Ukrainian power systems, and that cut off power in an adjacent area of Poland, and that resulted in people dying in hospitals or something?”
C202: You mentioned that no one was in charge. How would you address it?
Warner: I will try to be politically correct and say that we have gone from one extreme to the other, from the Trump administration to the Biden administration. Trump, the criticism from many in both parties was that he took a cyber adviser out of the White House, and now we have an abundance of cyber advisers, all very capable people. And we are actually adding more, for example at the State Department level.
I am still concerned that we do not know who is responsible. Whether you assign this to one of the existing White House posts, or even create another one, I’m still open to that. But I fear that one person is only responsible, say, at HHS [Health and Human Services]. I’m not even sure the HHS person would be able to get the FDA [the Food and Drug Administration], for example, to follow completely. Or how do you deal with, if someone was at HHS, what is their interaction with CISA [Cybersecurity and Infrastructure Security Agency]?
CISA has had a challenge in making sure we get the right talent, but I really think they got a good reputation. But I’m not sure CISA, as a kind of industry partner, would be the right place to bring the oversight because healthcare cyber is so complex. It’s easy to say you need someone in charge, but how and where to put that person in, with the complexity we already have, is easier said than done.
C202: You have talked about a ban on TikTok. What do you think about TikTok’s plans to alleviate concerns about Chinese ownership? And can you talk about your thoughts on looking at other technology, not just TikTok?
Warner: I think TikTok is trying to sort this out. We have not seen what, if any, conclusion CFIUS [the Committee on Foreign Investment in the United States] has reached. I think we’ve seen, whether it’s intentional or not, TikTok represents [that] it would not be possible to get American data seen by Chinese engineers. They have just been proven false, repeatedly.
I started with the privacy concerns, but I’ve shifted more to the concerns of TikTok as a communication medium. I’m not accusing TikTok of creating content themselves. But boy, we damn well know that the algorithms that decide what you want to see or what you see are very much powered by TikTok. And the best example of that is the TikTok that Chinese kids can see, which emphasizes things like STEM [science, technology, engineering and mathematics], versus the TikTok that our children and the rest of the world’s children see, [which] is dramatically different. There’s a lot of creativity on TikTok, but I don’t know how, as long as that code is being written in Beijing, to put in place appropriate protections. Consider me skeptical about whether you can create these barriers.
When I think about Kaspersky, Huawei, TikTok, I try to think, is there a way we can look broadly at foreign-based technology applications that raise serious national security concerns? And have a forum where this can be evaluated, instead of the kind of ad hoc basis that we see it now. I would even argue that for some of this, that even CFIUS might not be the place to be.
C202: How satisfied were you with the final Cyber Incident Notification Act, and to the extent that you have followed it, how satisfied are you with the implementation process?
Warner: I wasn’t too happy. I felt, to keep the Chamber [of Commerce]’s support or non-resistance, we had to water it down. I am concerned about the implementation process in terms of regulations. It can extend to five years. I would very much not be surprised to have another major cyber event, like a Colonial Pipeline or a SolarWinds, to have something where we have a “holy shit” moment and then rush the implementation. My hope would be that we could go back to some of our friends in the industry and say, “Gee, guys, you know, five years is just too long.”
One of the active debates in healthcare is, should our standards be voluntary, or should they be mandatory? And it’s been interesting in the comments, as you’d expect, the trade associations and the lobby groups in the city have all said ‘voluntary’. We’ve had individual hospital systems say, “If you don’t make it mandatory, we’re just not going to get it done.” So I think a little bit of that is the yin and yang that we see in event notification.
Riot Games hackers demand $10 million
The hackers say that if the gaming giant accepts their “small request,” the hackers will remove the stolen source code from its servers and “provide insight into how the breach occurred and provide advice to prevent future breaches,” Motherboard’s Joseph Cox and Matthew Gault report. This week, Riot Games said the source code for its “League of Legends” and “Teamfight Tactics” games had been stolen in a “social engineering attack,” along with “legacy” anti-cheat software. Here’s more from the company:
Today we received a ransom email. Needless to say, we don’t pay.
While this attack disrupted our build environment and may cause problems in the future, it is most important that we remain confident that no player data or player personal information was compromised.
— Riot Games (@riotgames) 24 January 2023
The hackers mocked Riot Games in their note. “We also want to remind you that it would be a shame to see your business publicly exposed, especially when you pride yourself on your security measures,” they wrote. “It is alarming to know that you can be hacked within hours by an amateur level hack.” Riot Games declined to comment to Motherboard beyond the company’s tweets.
Riot Games is the latest major video game company to be hacked. Last year, hackers breached Rockstar Games and released source code and videos from the highly anticipated video game “Grand Theft Auto VI.”
CISA provides schools with recommendations on cyber security
The Cybersecurity and Infrastructure Security Agency’s report is “a mix of achievable, individual actions and broader community calls for cultural change across school districts,” Axios’s Sam Sabin writes. CISA was required to produce the report after Congress passed a law in 2021.
Chairman of the Senate Homeland Security Committee Gary Peters (D-Mich.), who helped draft the law, praised CISA’s report, saying in a statement that it is “an important step to help K-12 schools across the country protect against [cyberattacks] that put personal information of students and staff at risk.” Peters added that “K-12 schools are increasingly targeted by criminal hackers, and this new resource from CISA makes easy-to-understand guidance on cybersecurity risks readily available to the schools that need it most.”
Administrator of RSOCKS proxy botnet pleads guilty (Krebs on Security)
Pakistani authorities investigate whether cyber attack caused nationwide blackout (The Record)
FBI says N. Korea-linked hacker group behind US crypto firm heist (Reuters)
French privacy chief warns against using facial recognition for 2024 Olympics (Politico Europe)
After Analyst1’s Jon DiMaggio wrote a report on the LockBit ransomware group, it seems the group has taken note. Here’s more from DiMaggio:
At least #LockBit used a flattering photo, lol. I admit I was about to spit out my coffee when I saw this today, lol. Well played.
— Jon DiMaggio (@Jon__DiMaggio) 24 January 2023
- The Senate Foreign Affairs Committee is holding a hearing on countering Russia on Thursday at 10:30 a.m.
- Cristiano Lima, host of The Technology 202 newsletter, moderates an R Street Institute event on privacy and security law Thursday at 4 p.m.
Thank you for reading. See you tomorrow.