Below: A House panel circulates details about a plan to reform a surveillance authority, and the FBI struggles to rein in a high-profile hacker group. First:
These Republicans want to reverse an SEC cybersecurity rule that industry opposes
Capitol Hill Republicans intensely opposed to a Securities and Exchange Commission cybersecurity rule are using a rare congressional procedure to try to reverse it, with industry groups cheering the lawmakers’ maneuver.
In a Biden administration that has prioritized baseline cybersecurity standards, the SEC has drawn more industry ire with some of its cyber regulatory proposals than other federal agencies. The rule that the GOP lawmakers are challenging, which the SEC approved in July, would require publicly traded companies to disclose within four days when they suffer a cyber incident of a severity that could affect the decisions of potential investors.
Rep. Andrew R. Garbarino (R-N.Y.), who chairs the House Homeland Security subcommittee that oversees cybersecurity, and Sen. Thom Tillis (R-N.C.) are leading the Congressional Review Act resolution that would overturn the SEC rule. Both members sit on their chambers’ respective committees with jurisdiction over banking and financial services matters.
“This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent,” Garbarino said. The rule, he added, would “create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland.”
Advocates contend that the rule will not only give vital information to investors, but it will also help companies combat significant cyberattacks that other companies have encountered and disclosed.
The procedure that Garbarino, Tillis and other allies are advancing is both rarely used and rarely successful. It still serves as a bellwether of the degree of resistance from the GOP and industry groups to the SEC rule.
The rule and the resolution
The rule the SEC voted to advance in July would allow exceptions to the four-day reporting timeline if the attorney general affirms that disclosure would jeopardize national security, a response to criticism from industry that disclosure could do more harm than good. In annual reports, companies would also have to identify cyber risks and describe how they manage them.
Under the Congressional Review Act (CRA), established in 1996, Congress can put forward a joint resolution of disapproval to overturn a rule. The House and Senate have to approve the resolution and the president has to sign it — or, if the president vetoes it, the House and Senate would have to overturn that veto.
With a Democratic-controlled Senate, the resolution would be tough to get through that chamber, and Biden is highly unlikely to overturn a rule his SEC advanced.
And such resolutions already have a limited track record of victory.
“Due to the CRA’s structure … it has been seldom used as to be successful, and it typically must be used when a new president from a different party than the predecessor enters the White House and the new president’s party fully controls Congress,” according to a tracker from the conservative American Action Forum.
- In the current Congress, there have been resolutions addressing 21 rules, but none have been signed into law and seven have been vetoed.
- A February tally by the Congressional Research Service counted 20 instances of the CRA overturning rules in its history, including three in the last session of Congress from 2021 to 2022.
Still, the GOP lawmakers saw fit to introduce their resolution on the SEC cyber rule.
“As we have continuously seen, Gary Gensler’s SEC is doing their best to hurt market participants by overregulating firms into oblivion,” said Tillis, who called the rule an “overreaching” measure “that creates unrealistic timelines and unnecessary red tape that will ultimately make markets less safe overall.”
The SEC declined to comment on the resolution.
Three industry groups signaled their support for what Garbarino and Tillis are trying to achieve.
- “Banks strongly support sharing information on cyberthreats and are in ongoing contact with regulators and government agencies following an incident,” said Heather Hogsett, senior vice president of technology and risk strategy for BITS, the technology policy arm of the Bank Policy Institute. “We believe there are better ways to promote transparency, protect investors and mitigate contagion risk than by publicly sharing detailed vulnerability information with criminals and hostile nation states while remediation is ongoing.”
- “Fighting cyberattacks is critically important, but the new cyber disclosure rule could force important information to be reported before the problem is fixed and could interfere with the efforts by law enforcement and intelligence agencies to stop attackers,” said Christopher Roberti, senior vice president for cyber, space and national security policy at the U.S. Chamber of Commerce. “We believe it is out of sync with what Congress and the Administration have worked to achieve.”
- “No industry is as committed as the banking industry to protecting customers and their data from cyberattack, and banks are already required to report any hack to their primary regulator and notify their customers if their data is stolen,” said Kirsten Sutton, executive vice president of congressional relations and legislative affairs for the American Bankers Association. “The SEC’s rule could actually make things worse by publicly identifying the business that’s been hacked and inviting other bad actors to target the same business.”
House intel lawmakers circulate 702 reform option, but privacy advocates push back
House Intelligence Committee lawmakers have been circulating details about a proposal to reform a contentious surveillance authority set to expire at the end of the year, but it’s already running into pushback from privacy advocates, Politico’s Jordain Carney reports.
- The authority known as Section 702 of the Foreign Intelligence Surveillance Act allows the FBI and National Security Agency to gather electronic data without a traditional warrant based on probable cause when the target is a foreigner overseas and if the data-gathering is for foreign intelligence purposes. But those intercepted exchanges sometimes include conversations with Americans, raising skeptics’ fears that American communications are warrantlessly swept up in the process.
The discussion points from the committee obtained by Carney detail forthcoming legislation that would reauthorize the spying power but require the intelligence community to seek a warrant for subsets of searches for Americans’ data that is swept up in the collection process.
- “It’s going to have the support of the intelligence committees, of both chambers on both sides of the aisle,” House Intelligence Committee member Brian Fitzpatrick (R-Pa.) told Politico. “I think we’re going to get it done.”
He later added that he expects the Biden administration — which has disputed previous reform proposals involving a warrant requirement on grounds that it would undermine the intelligence community’s ability to use the tool — would accept the proposal because it “would only impact a small subset of U.S. person searches,” according to the report.
The committee’s bill would narrow the FBI’s ability to invoke a 702 query, requiring surveillance involving a U.S. citizen to be for “evidence of crime” purposes, according to the discussion document.
That has already seen pushback from some privacy hawks. “The vast majority of 702 abuses we have seen were ostensibly for foreign intelligence purposes, which means not only does HPSCI’s proposed bill fail to establish meaningful new privacy protections for Americans, it mostly fails to even address the ongoing and already documented misuse of this powerful spying law,” James Czerniawski, a senior policy analyst for Americans for Prosperity, told Politico.
- Among several areas, the bill would also cut the number of FBI staff able to perform 702 queries for Americans by over 90 percent and mandate independent audits of FBI queries for U.S. citizens. But the measure is not expected in its final form until after the House’s week-long Thanksgiving break.
- Intelligence leaders are expected to testify to the House Homeland Security Committee in support of keeping 702 at a Wednesday hearing on worldwide threats to the U.S., according to prepared testimony posted by the committee.
Russian national pleads guilty to building now-dismantled IPStorm botnet
The FBI announced the takedown of a botnet proxy that infected tens of thousands of machines around the world, after arresting and charging the alleged creator of the network, The Register’s Brandon Vigliarolo reports.
Russian and Moldovan national Sergei Makinin “was cuffed in Florida in January and sent to Puerto Rico, where he pleaded guilty in September,” Vigliarolo writes, citing a Justice Department posting. “Makinin specifically coughed to three counts of violating Title 18 1030(a)(5)(A) of the U.S. Code, which makes it illegal to knowingly transmit computer software that intentionally causes damage to protected systems,” the report adds.
- He admitted to creating the botnet known as IPStorm, which got its name from the InterPlanetary File System (IPFS) protocol for storing and sharing files across networks.
- “The main purpose of the botnet was to turn infected devices into proxies as part of a for-profit scheme, which made access to these proxies available through Makinin’s websites,” the Justice Department said in a statement. “Through those websites, Makinin sold illegitimate access to the infected, controlled devices to customers seeking to hide their Internet activities.”
- The FBI has sought to disable botnets that have helped enable cybercrime like ransomware, though some researchers have observed remnants of them still operating.
FBI struggling to take down hacking group linked to casino breaches
The FBI has struggled to rein in an aggressive cybercrime operation responsible for a pair of recent casino breaches and for hacks against other American companies over the past two years, Reuters’s Zeba Siddiqui, Christopher Bing and Raphael Satter report, citing nine cybersecurity responders, digital crime experts and victims.
They write: “For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment, according to four people familiar with the investigation.”
- Industry executives are surprised at the lack of arrests made in connection with the hacking group, known as Scattered Spider. “I would love for somebody to explain it to me,” CrowdStrike President Michael Sentonas told Reuters. “For such a small group, they are absolutely causing havoc,” added the executive, whose company is helping lead response efforts to the group’s cyber activity. MGM and Caesars did not return the outlet’s requests for comment.
After the casino hacks, “the FBI’s investigation took on new urgency. FBI officials first began looking at the hackers’ operations more than a year ago,” five insiders with knowledge of the matter told Reuters. CrowdStrike, along with Mandiant, Palo Alto Networks and Microsoft, is among the main American cybersecurity firms responding to private company breaches by the hackers and assisting law enforcement, according to the report.
- The FBI declined to comment on where the investigation stands. The Justice Department also declined to comment.
New York proposes cybersecurity regulations for state’s hospitals (StateScoop)
Cyber policy vets Todt, Montgomery spar over role of CISA-led interagency body focused on critical infrastructure security (Inside Cybersecurity)
House punts effort to impeach Biden cabinet secretary (Nextgov/FCW)
Meta allows ads claiming rigged 2020 election on Facebook, Instagram (Wall Street Journal)
Judge allows Trump on Michigan primary ballot as critics try to bar him (Patrick Marley)
Intel fixes high-severity CPU bug that causes “very strange behavior” (Ars Technica)
File-transfer services, rich with sensitive data, are under attack (Cybersecurity Dive)
Andreessen Horowitz invests in Civitai, which profits from nonconsensual AI porn (404 Media)
China receives U.S. equipment to make advanced chips despite new rules, report says (Reuters)
Israel’s NSO unleashes controversial spyware in Gaza conflict (Axios)
Finland, Estonia send legal letter to China over Baltic Sea drama (Politico)
Palestinian hackers are getting smarter. When will they enter the war with Israel? (The Messenger)
The Mirai Confessions: Three young hackers who built a web-killing monster finally tell their story (WIRED)
Hackers are exploiting ‘CitrixBleed’ bug in the latest wave of mass cyberattacks (TechCrunch)
New CacheWarp AMD CPU attack lets hackers gain root in Linux VMs (Bleeping Computer)
Chelsea Manning: Tech more efficient than laws to ensure privacy (Reuters)
Cops are giving people free car-tracking devices to combat thefts (Motherboard)
- DHS Secretary Alejandro Mayorkas, FBI Director Christopher A. Wray and National Counterterrorism Center Director Christine Abizaid testify to the House Homeland Security Committee on worldwide threats at 9 a.m.
- The Aspen Institute kicks off its Aspen Cyber Summit in New York beginning at 9 a.m.
- Ambassador at Large for Cyberspace and Digital Policy Nathaniel Fick testifies to the Senate Foreign Relations Committee about AI and strategic competition at 10 a.m.
- The Senate Homeland Security Committee considers Harry Coker’s nomination to be National Cyber Director at 11 a.m.
- The House Science Committee marks up the National Quantum Initiative Reauthorization Act at 10 a.m.
- The FCC holds its November open meeting at 10:30 a.m.
- House Energy and Commerce Chair Rep. Cathy McMorris Rodgers (R-Wash.) speaks with New America on federal privacy legislation and AI governance at 2 p.m.
- CyberScoop’s CyberWeek series continues throughout this week
Thanks for reading. See you tomorrow.