— Lawmakers return to Capitol Hill this week to face a slew of cyber issues, including adapting agency budgets to face Russian threats and weighing which critical infrastructure sectors need more resources.
— A few newer cybersecurity companies flexed their lobbying muscles for the first time in the first quarter, while more established firms barely changed their budgets at all, per lobbying disclosures.
— A cyber warfare specialist breaks down what the targeted, prolonged phase of the war in Ukraine means for Western critical infrastructure and companies.
HAPPY MONDAY, and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin, writing to you from sunny Miami. I’ll be here for a few more days for non-cryptocurrency, vacation reasons, so send any and all recommendations my way!
Before we dive in: Have tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you’ve got to [email protected]. Follow along at @POLITICOPro and @MorningCybersec. Full team contact info below. Let’s get to it:
ON YOUR MARKS, GET SET, GO — Lawmakers are returning from their two-week Easter recess to a long cyber policy to-do list. And with little time left on the congressional calendar before the midterm elections, MC checked in with a few lobbyists to see what they want lawmakers to prioritize as the countdown begins:
— Budget talks: The House is diving head first into budget talks this week, with hearings to discuss budgets for CISA, the National Security Agency and Cyber Command. With Russian cyber threats weighing heavily on the country, lawmakers could be more inclined to beef up the budgets of the administration’s top cyber defenders, especially since the Biden administration is already proposing a modest increase for several government cybersecurity projects.
— Hearings on critical infrastructure security: Andrew Howell, a cyber industry lobbyist at Monument Advocacy, told MC that he’s eager to see whether lawmakers decide to review the results from the administration’s three 90-day “sprints” for the electric, gas and water sectors to test the resiliency of their cybersecurity — especially given researchers’ discovery a couple of weeks ago of the PIPEDREAM malware, which is designed to target vulnerable critical infrastructure.
Howell, who is also the executive director of the recently formed trade association Operational Technology Cybersecurity Coalition, said he’s pushing for lawmakers to hold hearings on how the sprints went, which could inspire further discussions about any money and staffing needs at the agencies overseeing various critical infrastructure sectors and any further mandates lawmakers might need to consider.
“It seems like an appropriate time for Congress and the executive branch to take a step back and evaluate what’s happened, what’s worked and what needs improvement,” Howell said.
— Updating FISMA? Lawmakers had been trying to fast-track an update to cybersecurity rules for federal agencies as a part of a package that included mandatory cyber incident reporting. But now that the reporting program has advanced and become law on its own, lobbyists and other cybersecurity professionals have been eager to see whether there is a path forward for an update to the Federal Information Security Management Act.
So far, no one has a clear idea of what that path could look like, said Mike Hettinger, a cyber lobbyist and former congressional aide. But Hettinger said he’s hopeful there could be at least one solid path: the 2023 National Defense Authorization Act.
HEY, MUST BE THE MONEY — The war in Ukraine has intensified discussions in Washington about closing holes in U.S. critical infrastructure’s cybersecurity defenses. But while cybersecurity issues became more prominent in Washington, quarterly lobbying filings submitted last week show a mix of lobbying activity levels among the most notable cybersecurity firms in the first quarter — with more established firms keeping their budgets unchanged (with a few exceptions) and newer firms entering the field for the first time:
— Newcomers: A few cyber firms entered the lobbying fray for the first time last quarter. Nozomi Networks, which focuses on critical infrastructure cybersecurity, hired its first lobbying firm — Van Scoyoc Associates — in March and spent $20,000 to advocate on appropriations discussions and critical infrastructure cybersecurity issues.
Nozomi CEO Edgard Capdevielle told MC in a statement that the company decided to engage with Van Scoyoc now given the administration’s heightened interest in critical infrastructure: “Together, we can find new ways to protect owners and operators of critical infrastructure, with the shared goal of improving our homeland and national security,” he said.
This was also the first full quarter since Trellix formed out of the combined McAfee Enterprise and FireEye, and the combined entity spent $70,000 on lobbying during those three months. Mandiant, which spun out of FireEye, spent $86,000 on its own first-quarter lobbying. Trellix started lobbying on federal IT issues and defense appropriations, while Mandiant said in its disclosure it focused on “issues pertaining to cybersecurity and cyberattacks affecting the departments of Defense and Homeland Security and threat intelligence.”
— Few exceptions: Compared to the first quarter last year, both Tenable and Palo Alto Networks substantially increased their lobbying budgets. Tenable spent $330,000 in the first three months of 2022, about $30,000 more than in the first three months of 2021. Palo Alto Networks spent $350,000 in the first quarter of 2022 — about $252,000 more than it did during the same period last year, but the same amount it spent in the last quarter of 2021. The increased spending suggests that Tenable and Palo Alto, like the newer companies entering the field, are also reevaluating their spending as cybersecurity becomes a hotter topic on Capitol Hill and in the executive branch.
— Old guard: Several big cybersecurity companies made little to no changes to their lobbying spending between the first quarter of 2021 and this year’s most recent quarter. Forescout Technologies, a critical infrastructure cyber firm, spent the same $90,000 it budgeted last year, while CrowdStrike and Rapid7 each spent $50,000, unchanged from last year. Both Forescout and CrowdStrike lobbied on annual appropriations, while Rapid7 focused on cyber incident reporting proposals.
Akamai and Cloudflare also both spent $40,000 lobbying on cybersecurity issues. Cloudflare focused on privacy legislation, discussions about encryption, cloud services’ position in competition policy and other cybersecurity issues. While Akamai’s disclosure didn’t specify the issues it focused on, company spokesperson Chris Nicholson told MC the lobbying dollars were used to focus on promoting zero trust frameworks and similar security protocols.
WHAT COMES NEXT — With the Russian war in Ukraine entering its third month, U.S. and European cyber officials have increasingly warned that the new phase of the war, which includes a more targeted Russian focus on eastern Ukraine, could lead to a more dangerous cyber landscape for Western countries, as well.
Chris Kubecka, a cyber warfare specialist who is advising some European governments, warned reporters on Thursday that could mean increased attacks on Western critical infrastructure and even possible increases in Russian cybercrime. Here’s what she said could be on the horizon:
— Targeted critical infrastructure attacks: As Russia’s retaliatory strategy takes form, expect a more “targeted” attack plan, Kubecka said, that could include attacks on critical infrastructure. The administration seems to agree, as it focuses on getting the word out about Russian hackers setting their sights on U.S. infrastructure with two interviews on CBS’s “60 Minutes” alone this month with top cybersecurity officials.
And if Ukraine is any indication, the attacks wouldn’t be one-offs: Ukraine’s cyber agency estimated in a report last week that the energy sector, alone, faced roughly 20,000 cyberattack attempts in a seven-day period.
— Cybercrime to fill Russian wallets: Kubecka — who has also helped governments respond to high-profile cyber incidents like the malware attack on Saudi Aramco — said that as the West’s economic sanctions against Russia start to take hold, Russian state-sponsored hackers could turn to the strategy employed in North Korea, where cybercrime is meant to fill the coffers of the government and its wealthiest individuals.
“It certainly will help fill the wallets of oligarchs and certain powers that be so that they don’t feel too much pain,” she said.
— How to prepare: The best strategy for any company worried about cyber threats now is to keep an open dialogue with CISA and the FBI and pay attention to threat advisories, Kubecka said. “Some organizations are very scared to do too much data sharing because they think that they might run into legal or regulatory problems,” she said.
DIGITAL PICKPOCKETING — Researchers at Check Point Research released a report this morning warning about a vulnerability in the web version of the crypto wallet provider Ever Surf that could give hackers full control of someone’s wallet when exploited. Because the browser version of Ever Surf stores private key information in unprotected local databases, hackers could run a simple “infostealer” tool to steal any data in those storage spaces, use the key information to decrypt someone’s wallet and gain total control. Ever Surf has released an update to fix the vulnerability, and the company is estimated to have over 669,000 accounts worldwide.
I spy… a new cyber challenge a-brewing at CISA’s Industrial Control Systems Cyber Emergency Response Team: “Capture the flag, coming your way from @CISAgov and @INL ! Participants will determine how attackers compromised #IT and #ICS networks & gather the information needed to stop the threat from inflicting lasting damage. Sign up today.”
— FBI Director Christopher Wray said in an interview with CBS’ “60 Minutes” that the bureau is “keenly watching for” Russian state-sponsored cyberattacks to become “more destructive and more severe.” (CBS)
— T-Mobile confirmed that the Lapsus$ data extortion group breached its systems “several weeks ago,” but the company has since severed the group’s access to all data sources. (BleepingComputer)
— The Department of Homeland Security said more than 450 vetted security researchers participated in its first bug bounty program and discovered 122 critical vulnerabilities.
— Employees at Swiss nonprofit Insecurity Insight received phishing messages “on a scale we had never experienced” on their cell phones after publishing a report about Russian attacks on hospitals in Ukraine last month, according to the company’s director. (CNN)
Stay in touch with the whole team: Eric Geller ([email protected]); Konstantin Kakaes ([email protected]) ; Maggie Miller ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).