Editor's Note: Weekly Cybersecurity is a weekly version of POLITICO Pro's daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day's biggest stories. Act on the news with POLITICO Pro.
MC has your first look at the Biden administration's new plan for protecting the government with zero-trust networking.
Two Senate committees will have to iron out their differences on cyber incident reporting soon if they want to hitch a ride on a must-pass bill.
The Biden administration and the European Union are making plans to tackle challenges posed by encryption.
HAPPY TUESDAY, and welcome back to Morning Cybersecurity! If you're reading this message, it means that we got through the long Labor Day weekend without any devastating cyberattacks. Maybe everyone really listened to Anne Neuberger after all. Sam will be back tomorrow, so send your thoughts, feedback and especially tips to [emailprotected]. Follow @POLITICOPro and @MorningCybersec. Full team contact info below.
FIRST IN MC: DON'T TRUST, VERIFY. The White House this morning is releasing for public comment a draft version of its strategy for implementing zero trust principles across federal networks. The Biden administration sees zero-trust networking, in which a computer system is designed with the assumption that hackers have already gained access and must be constantly challenged and impeded, as key to its security overhaul of decades-old networks, and its new strategy will require a raft of actions to lock down software applications, limit users' access to data and protect network traffic from prying eyes.
Among the 18 steps required by the end of fiscal 2024: Every agency will have to use one single sign-on service to let employees access all of its applications; ditch multi-factor authentication systems, such as codes delivered by text message, that are susceptible to phishing attacks; and eliminate archaic password policies requiring special characters and regular password changes. They'll also have to encrypt all internal traffic and develop plans to segment their networks so that hackers can't easily slip from one application to another. And they'll have to make one internal system securely accessible from the internet to reduce the use of VPNs.
Along with the draft zero-trust strategy, CISA is also releasing a maturity model that provides a roadmap for agencies' implementation of zero-trust policies, as well as a guidance document to help agencies securely migrate their applications to the cloud.
The zero-trust plan is part of President Joe Biden's cyber executive order, which also launched several other initiatives that have impending due dates. By Thursday, for example, agencies must submit progress reports on their rollout of multi-factor authentication and encryption. CISA has until Thursday to develop a cyber incident response playbook that every agency can use. And DHS and OMB have until Thursday to set up procedures to ensure that contractors report cyber incidents to the appropriate agencies.
SENATE SHOWDOWN. As Congress' summer recess nears its end, lawmakers face a big question: How will they reach agreement on the best way to require companies to report hacks? And more specifically, what will happen to the Senate Intelligence Committee's cyber incident reporting bill now that the Senate and House homeland security panels have teamed up on more industry-friendly legislation?
Senate Intelligence's bill differs widely from the Senate Homeland measure that yours truly scooped last week, especially in terms of its minimum reporting timeframe, the types of companies covered and the punishments for noncompliant companies. In letters to Congress and at last week's hearing, industry groups criticized the Intelligence bill's provisions.
"There is strong industry support for the House and Senate Homeland bills' approach," said Ron Bushar, an executive at the cyber firm FireEye who testified on the House bill last week. And Senate Homeland has another advantage over Senate Intelligence: it has jurisdiction over any reporting bill, so it will play a significant role in shaping whatever legislation emerges. FireEye CEO Kevin Mandia will meet with Senate Homeland Security Chair Gary Peters (D-Mich.) on Wednesday, according to Stacy O'Mara, the company's director of government affairs.
But the Senate Intelligence bill has powerful sponsors, including perennial swing vote Susan Collins (R-Maine) and committee chair Mark Warner (D-Va.), an influential voice on national security. Warner and his colleagues are still revising their bill, and his office says it's having productive meetings with interested parties.
The homeland-security panels are collaborating closely on their bills, according to an aide for the House panel. And Senate Homeland Security ranking member Rob Portman (R-Ohio) has been talking to the Senate Intelligence bill's sponsors, a Senate aide said. Both aides requested anonymity to discuss legislative negotiations.
"It's critical for Congress to listen to industry stakeholders and ensure what's written into law in Washington makes sense practically when implemented in the real world," House Homeland Security ranking member Andrew Garbarino (R-N.Y.) told MC.
Homeland and Intelligence face a tight deadline to resolve their differences. Multiple people tracking the process said the best hope for incident reporting legislation was to attach it to the fiscal 2022 defense policy bill, which is being marked up now. Senate Homeland's outreach to industry included a request for feedback by Sept. 14.
Another reason to hurry is that implementation will take a while. "You're looking at a minimum of half a year anyway between passage of a bill and standup of a reporting platform," Bushar said. "The longer you delay the bill, the more time it takes before you can have a regime in place that can actually start to have an impact."
BOTH FORMS OF CRYPTO. The Biden administration and the European Union have recommitted to collaboratively seeking a solution to the encryption debate, a top EU official told MC, suggesting that while this policy challenge has simmered under the surface for several years, it's still top of mind for policymakers behind closed doors.
"Encryption is important, but we have to always avoid a black-or-white discussion," EU Home Affairs Commissioner Ylva Johansson said in an interview after meetings in Washington with DHS Secretary Alejandro Mayorkas and Attorney General Merrick Garland. "It's not like we should protect privacy or protect vulnerable children. We need to do both."
Johansson, who discussed encryption with Garland, said that while the attorney general didn't reveal the Biden administration's agenda for resolving the long-running crypto wars, the EU and the U.S. are very much close to each other on these issues. Both leaders, she said, agreed that tech companies need to take their responsibility to develop proper technical solutions for this.
Apple has received withering criticism from security experts over a proposal to identify child sexual abuse imagery on its customers' phones. On Friday, the company said it was pausing the rollout of that feature to collect input and make improvements. Speaking before that news broke, Johansson applauded the company's effort. "Apple's solution might not be the perfect one," she said, "but I welcome a company that really tries to find a balanced approach protecting both privacy and children."
Johansson and her U.S. counterparts also agreed on the scope for a common working group on ransomware, she said. The new group will focus on investigative cooperation, tracing ransom payments (which Johansson identified as a particular priority) and building digital resilience against hackers. The group will present its initial report at the next EU-U.S. Ministerial Meeting on Justice and Home Affairs later this year.
STILL EVADING. The U.S. government continues to brush off suggestions that it was involved in firewall maker Juniper Networks' use of an encryption algorithm backdoored by the NSA, despite a Bloomberg story saying the Pentagon leaned on the company to adopt the code. Asked about Bloomberg's reporting during Thursday's White House press briefing, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, described the Juniper/NSA saga as "an old story that's been reported, and I think we've continuously noted that there isn't substantiation for it."
Security experts first proposed a link between the NSA and the backdoored Juniper code in 2015, several months after the company announced that sophisticated hackers had breached its systems by modifying that code. But until last week's Bloomberg story, it remained unclear why Juniper had used the widely criticized code in the first place. NIST told companies to stop using it in 2014, one year after leaked documents revealed that the NSA had secretly tampered with it and paid a leading vendor $10 million to use it.
During MC's break, yours truly conducted the first in-depth interview with inaugural National Cyber Director Chris Inglis. Pros can read the story about his priorities and the full Q&A. He also revealed that the Biden administration is pushing Microsoft to make full log data free for all customers.
University of California, Berkeley computer science professor Nicholas Weaver with some real talk: The Ivermectin of Computer Science is Blockchain
How Kuwait punished a security expert for revealing a major bank's embarrassing hack. (CyberScoop)
Nextgov interviewed Allan Friedman, the man behind the government's software bill of materials campaign, as he moves from NTIA to CISA to bring SBOMs to life.
The Justice Department launched a cyber fellowship program for prosecutors.
NIST wants feedback on its proposed criteria for an internet of things security labeling program.
Stay in touch with the whole team: Eric Geller ([emailprotected]); Bob King ([emailprotected]); Sam Sabin ([emailprotected]); and Heidi Vogt ([emailprotected]).