White House wants stronger oversight of the cloud
— The White House is eyeing new ways to police the cybersecurity practices of the cloud services industry.
HAPPY MONDAY, and welcome to Morning Cybersecurity! I haven’t seen “The Last of Us” finale, so don’t spoil it.
But I am all caught up on Mel Brooks’ “A History of the World Part II,” which is all kinds of amazing.
Got tips, feedback or other commentary? Send them my way at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.
House Homeland Security Chair Mark Green (R-Tenn.) delivers remarks on collective cyber defense at a ServiceNow and MeriTalk federal forum. 12:40 p.m.
HEAD IN THE CLOUD — As the White House races to plug porous cyber defenses everywhere from hospitals to power stations, it is finally setting its sights on the cloud providers, as I reported this weekend.
In doing so, the White House is seeking to narrow the growing chasm between the immense power that companies like Microsoft, Amazon, Google and Oracle wield over the country’s digital fortunes — and what few tools the government has to ensure their cybersecurity practices keep more than their own pocketbooks in mind.
“We’re now at a point where we’re not talking about something that is growing but something that is absolutely critical to the U.S. economy,” Rob Knake, deputy national cyber director for strategy and budget, told me. “And so therefore, [the cloud] needs to have a regulatory structure around it.”
Same theme, different problems — Behind the push to regulate the cloud industry is not one goal, but three, Knake and staff in the Office of the National Cyber Director told POLITICO during exclusive conversations over the last three weeks.
First, the government wants more help from the cloud providers to prevent criminal and nation-state hackers from abusing their services to stage attacks within the U.S. — an issue MC highlighted two weeks ago.
Second, White House officials view the cloud providers as the most efficient way to fast-track enhanced security to mom-and-pop businesses and under-resourced government agencies across the country, even as they worry that cloud giants often upcharge customers for security products.
Above all, there is increasing concern within the White House that the U.S. economy is growing too reliant on a small number of companies whose risk management processes no one — at least not anyone outside the companies — seems to have much insight into.
Catch-22 — The White House has only a hodgepodge of tools to throw at those problems, Knake said. Moreover, solving one problem can come at the expense of another.
For example, pushing companies and government agencies to migrate to the cloud can rapidly improve the country’s short-term security posture, Kemba Walden, acting national cyber director, told me. But it risks exacerbating the long-term dependency problem the White House is concerned about.
Moving to the cloud can “take a lot of the security burden off of end users,” Walden said. But, she cautioned, “if we’re going to do this … if migrating to the cloud is a good idea, then we have to make sure that cloud doesn’t fail.”
About that failure — It’s the collapse of a major cloud provider that seems to most worry the White House. It’s also the problem the government seems furthest from addressing.
A 2018 study from the insurance giant Lloyd’s assessed that a three-to-six-day outage at one of the top three cloud providers could cause $15 billion in damages in the U.S. The risk has undoubtedly grown since then, though no one has a firm grasp on the scale of the problem — or what companies are doing to address it.
In a study last month, the Treasury Department warned that banks and regulators were unable to assess “the significance of the concentration in cloud services across the sector” due to inadequate transparency from the cloud providers.
“Even if we assume that [their security] was just perfect … We need to know that they’re doing that right,” said Knake. “If a major provider goes down and our critical infrastructure depended on it, that’s a problem.”
Betting on yourself — In the coming months, Walden, Knake and ONCD staff will undertake a study of how best to resolve these problems.
And while they have no illusions about the difficulty of the task ahead, it’s clear the stakes are high not just for the cloud providers but for the office that wants to regulate them.
The cloud is “quite central to our strategy,” said Walden, in reference to the administration’s just-released National Cybersecurity Strategy. “It’s not the only constituency that’s central to our strategy,” she qualified, “but it is one of the most important.”
BIPARTISAN INTEL GROUP EYES FISA REFORMS — To prevent one of the intelligence community’s most valued spy programs from lapsing at year’s end, a group of three Republicans and three Democrats on the House Intelligence Committee is hatching a plan to reform it, the chair of the panel told POLITICO.
Notably, the bipartisan working group charged with overseeing the committee’s effort to save Section 702 of the Foreign Intelligence Surveillance Act will also consider legislative fixes outside the controversial electronic surveillance program, Rep. Mike Turner (R-Ohio) said in a Friday phone interview.
The group “will take up meaningful reforms, even beyond 702 to the FISA framework itself, that can restore both Americans’ confidence and congressional confidence in the intelligence community, and more specifically the FBI,” said Turner.
Three-part plan — In addition to brainstorming statutory fixes to FISA, Turner said the working group will work to educate the rest of Congress about the importance of 702 and the “need” for its renewal. Finally, it will push the intelligence community to be “more engaged and participate in vigorous oversight of FISA.”
Reforms on the table? — Turner would not comment on what specific reforms the working group was eyeing — with one major exception.
He said the committee will seek to codify new safeguards the FBI introduced in 2021 that allegedly produced a “dramatic” reduction in the number of times agency personnel searched 702 data for information on Americans, as I reported on Friday.
The move would not preclude other reforms, Turner said. Its goal would be to prevent “backsliding” within the Bureau in the event of a leadership change.
Rounding out the team — While the three Republicans in the working group have been preparing for the 702 reauthorization fight since last fall, Turner only announced the addition of the three Democratic members during a committee hearing on Thursday.
In a Friday phone interview with POLITICO, ranking member Rep. Jim Himes (D-Conn.) said he plans to select those members in the coming weeks, but was not yet ready to share names.
He did say he’ll look for members who have “good relationships” with the Progressive Caucus and that he plans to talk to privacy and civil liberties groups about the reform effort.
THE MYSTERY OF THE CYBER SMACKDOWN — The cyber world’s Twitterati are asking two uber-important questions these days: Why is WWE star John Cena following so many of us, and at what point will he lay the Five Knuckle Shuffle on some cyber criminals?
The backstory — It recently came to light that Cena follows a LOT of cyber experts on Twitter. And while he follows plenty of people in general — more than 557,000, to be precise — things recently got to the point where cybersecurity experts were concerned what it meant if they weren’t followed by the former WWE headliner.
So what gives? — Cena did not respond to a request for comment from MC. (Yes, I actually tried.) But a tantalizing new hint came over the weekend.
“Can’t see me in the ring, can’t hack me in the cyberspace. Excited to begin my new journey in #cybersecurity! #Infosec #NeverGiveUp,” tweeted a new account called Cena on Security.
Too good to be true? I’m not sure, and no, I didn’t look into it.
I’m afraid to learn the truth.
The winner (in my opinion) of Rob Joyce’s weekend cyber caption contest:
— German newspaper Der Spiegel has the story of a German spy who was leaking sensitive intelligence information to Moscow.
— Why “annoying” password rules can be bad for security. (The Wall Street Journal)
— SEC levies $3 million fine on company that misled investors following ransomware attack. (The Record)
— D.C. health exchange breach affects former national security official. (CyberScoop)
— North Korea hackers are conducting social engineering campaigns via LinkedIn. (CyberScoop)
Chat soon.
Stay in touch with the whole team: Maggie Miller ([email protected]); John Sakellariadis ([email protected]); and Heidi Vogt ([email protected]).
~~~~~
Source: https://www.politico.com/