— Authorization for one of the government’s most powerful surveillance capabilities is set to lapse at year’s end, but lawmakers are more divided than ever about the value of the program — and the agencies poised to wield it.
HAPPY TUESDAY, and welcome to Morning Cybersecurity! Washing down the heart-pounding drama of “Andor” with the croissant-like levity of “Emily in Paris” multiple nights running: That was the highlight of my holiday break.
Whoops — must be some transcription malware I’m dealing with here. What I really meant to say is: hanging with my Mom for the first time since I moved to D.C. topped my holiday.
Love you, Ma!
The 118th Congress meets for the first time today. All eyes are on the GOP, where a fight for the speakership could drag out for days.
702 REAUTH FIGHT BEGINS — With the start of 2023, the clock has officially started ticking for lawmakers to reauthorize one of U.S. spy agencies’ most important — and newly controversial — surveillance tools.
Unless Congress can come to an agreement by this time next year on Section 702 of the Foreign Intelligence Surveillance Act, what top U.S. spy agencies once called the nation’s “most significant tool in the NSA collection arsenal” could evaporate overnight.
Staking out the stakes — For years, supporters of Section 702 have successfully argued the privacy risks of the program — which permits spooks to surveil foreign persons located outside the country without a warrant and through the assistance of U.S.-based electronic communications service providers — pale in comparison to its security benefits.
But the slowdown in terrorist attacks on U.S. soil and frustration with federal law enforcement’s handling of a slew of politically charged investigations has eroded support for the program among Republicans, argued Adam Klein, former chair of the Privacy and Civil Liberties Oversight Board, in a recent Lawfare op-ed.
The GOP’s growing skepticism of what it deems to be left-leaning federal law enforcement could make this “the hardest reauthorization” battle yet, wrote Klein, even though Republican concerns primarily stem from surveillance activity conducted under a separate section of FISA, which requires court-approved warrants and is not up for reauthorization this year.
Tilting the scales — Clear battle lines around Section 702 might not form until later this spring, when the PCLOB releases a report with recommendations to Congress and the intelligence community about how to improve privacy safeguards for the program.
In and of itself, that report could be a touchstone for Congressional debate. The executive branch watchdog will also work with the intelligence community to determine “what further information can be declassified in the public interest…in order to explain the value of the program,” current PCLOB chair Sharon Bradford Franklin told MC over the holiday.
If those disclosures come to fruition, they could shape the reauthorization discussion in Congress. And given the growing salience of cybersecurity threats like ransomware to the intelligence community’s mission, they might even shed light on how the program helps track and defuse cyber threats.
PUMPED UP ABOUT DEVICE SECURITY — The chief of the FDA unit that oversees medical device cybersecurity is “over the moon” about new authorities granted her agency in the just-passed omnibus spending bill, calling lawmakers’ decision to empower the FDA’s cybersecurity work a “huge milestone” for the health care sector.
Same disease, new treatment — Authorizing text in the year-end omnibus enhances FDA’s ability to enforce better security practices for the sector “in a very significant way,” said Suzanne Schwartz, director of the office of strategic partnerships and technology innovation at the FDA’s center for devices and radiological health.
For years, the FDA has recommended that vendors of life-saving devices like insulin pumps and ventilators provide better security protections for their products, such as delineating a clear process for disclosing security bugs and producing a software ingredients list. But because that guidance was voluntary, only a “fraction” of medical device manufacturers adopted the practices, said Schwartz.
Promising prognosis — That’s set to change following the passage of the $1.7 trillion spending bill, which grants FDA the right to stipulate which cybersecurity requirements manufacturers must meet before bringing internet-connected devices to market and to enforce stricter security upkeep for approved products.
While FDA won’t stipulate what those new requirements look like until it has had more time to study the bill — a process Schwartz expects to wrap up by this spring — she praised the “total product life-cycle approach” of the bill.
For years, the FDA has been trying to “break that cycle of brittle legacy devices that cannot be patched or updated,” she said. The authority to compel manufacturers to maintain security protections over the life cycle of a device therefore “makes a huge difference.”
Not just a placebo — Another reason for optimism about the vote of confidence for FDA from Congress? The omnibus granted $5 million to FDA’s cyber mission. With time, those funds will allow Schwartz to grow her “very, very skeletal team” and enforce the agency’s new authorities.
MIXED BAG — If one of your resolutions for 2023 was to bring down ransomware like the Rohirrim bring down Oliphaunts, you’re likely heading into the New Year feeling a welter of confusing emotions. Here’s why:
Bad news first — Unlike 2021, 2022 capped a full year in which the U.S. government was locked in on countering ransomware. Yet digital extortion still looked like a case of “same old, same old” last year, according to the ransomware sages at cybersecurity firm Emsisoft.
The number of attacks on the education, health care and government sectors has more or less remained constant since 2019, found the researchers, who focused their analysis on areas where stricter reporting requirements provide more confidence in the accuracy of the data.
Good news second — The Australian-led international counter-ransomware task force will become operational this month, a senior administration official confirmed to CyberScoop last week.
The latest entrant to a growing list of government-backed extortion-fighting efforts is expected to lead the international members of the White House’s Counter Ransomware Initiative in taking the fight to ransomware groups. Though it won’t solve the problem overnight, it’s the latest sign cybercrime has become an international priority for law enforcement.
Caveats saved for last — Emsisoft researchers acknowledge it’s unclear what’s really happening in the ransomware ecosystem.
But that’s part of the problem: only a “minority” of private sector victims disclose attacks, meaning the best bellwether of recent counter-ransomware initiatives — the total dollar losses resulting from attacks, according to the researchers — is difficult to ascertain.
Ransomware attacks against hospitals are becoming a regular occurrence, an alarming trend security experts continue to sound the alarm on and one which my colleague Maggie Miller wrote about over the holiday.
— Why a recent breach at LastPass might mean it is “time to ditch” the password manager. (Wired)
— Russian cyber forces have increasingly set their sights on Poland. (The Record)
— Exploiting a now-fixed vulnerability, hackers appear to have filched the phone numbers and emails of roughly 400 million Twitter users. (Bleeping Computer)
— Ukraine’s top cybersecurity agency has a new report on Russian cyberattacks.
Getting back into the swing of things and fighting post-holiday blues.