The Washington Post receives a top secret report

Welcome to The Cybersecurity 202! How do you feel about the “improbable hacker character” as a plot cliche? They're at least … kind of fun, right?

Below: Numerous government leaders in several countries are scrutinizing Pegasus spyware. And we have an exclusive on legislation that intends to safeguard federal agencies' data centers.

Congress and the Biden administration are moving on parallel tracks to whittle down the list of U.S. hacking targets to no more than a few hundred they say need extra protection because attacks on them would have dire ramifications for national security, health, public safety or the economy.

It’s an idea floated among cybersecurity policy wonks for a few years, but it’s now making substantial progress on Capitol Hill and at the Department of Homeland Security. Still, some in industry harbor fears of how Congress in particular might apply the concept to them.

Their argument: While the U.S. has for decades maintained 16 categories of the most “critical” infrastructure that the federal government prioritizes for protection — like chemical plants, pipelines and government facilities — the concept has its limits.

“We have diluted the definition of critical infrastructure to [include] a lot of different things that can argue that they're critical infrastructure, and it makes it harder to take a risk-based approach,” Bob Kolasky, a former Cybersecurity and Infrastructure Security Agency official who worked on the project there, told me. 

As CISA Director Jen Easterly likes to say, “If everything’s a priority, nothing’s a priority.” 

“We need to have a way when there's a really bad day to figure out how to allocate government resources and focus to understand cascading impacts of an attack on one set of infrastructure, because we know you can't just think about one sector,” she said in our interview this week. “You have to think cross-sector.”

• The congressionally created, bipartisan Cyberspace Solarium Commission helped kick off the rethink with a 2020 recommendation about what it called “systemically important critical infrastructure,” or “SICI.” Under the commission’s proposal, the federal government would compile a list, then institute both “benefits and burdens” to help or prompt infrastructure owners to improve their defenses.
• As legislation establishing SICI into law has yet to advance, CISA has moved forward on its own ongoing compilation of such infrastructure, which it instead calls “primary systemically important entities” or “PSIEs” (pronounced “Pisces”).

Examples of entities likely to fall under the designation — whatever the final name — are big banks, sprawling information technology firms and major suppliers of electrical power.

Rep. Jim Langevin (D-R.I.), who was a Solarium commissioner, this month won approval for an amendment to the House’s annual defense policy bill that offers a modified version of what the commission proposed. Federal agencies would initially identify up to 150 organizations to label as especially critical, swiftly share threat information with them and study possible security goals for them to meet. Entities labeled as such would have to report to the government on their most important digital assets and their supply chain security practices.

Financial services lobbying groups complained about earlier versions of the idea, saying it would force heavily-regulated banks to comply with duplicative demands from agencies. In response, Langevin’s amendment included a provision to determine whether reports submitted elsewhere would suffice for DHS’s purposes.

Some industry officials remain unpersuaded by Langevin’s effort.

“Collaborative partnerships between industry and government must be formed to mitigate significant cyberattacks, but the current SICI effort has not fully addressed this,” said Matthew Eggers, vice president of cybersecurity policy at the U.S. Chamber of Commerce. “Also, many business policy objectives, including legal liability protections and express national preemption, are left out of the amendment.” 

One banking industry official, speaking on the condition of anonymity because they are still reviewing the language of Langevin’s proposal, said: “We don't have a report that we share with regulators that could just be handed over to CISA. It would basically duplicate and add yet an additional layer of government reporting to what we already do that introduces risk without providing a clear benefit.”

Another industry official, speaking on the condition of anonymity as they continued to review the Langevin amendment, criticized the bill’s proposed studying of performance goals. “Everybody who writes bills has been around the policymaking process for a while [and] knows that studies are a precursor to developing requirements,” they said.

Easterly, meanwhile, says CISA is looking on its own at a list of between 150 to 300 entities. They’re in a “decomposition” process to divide up “primary” entities and “other” entities that serve crucial national functions like distributing goods or managing hazardous materials, she said. Entities on the primary list could receive benefits such as threat intelligence, incident response or CISA teams who could hunt for vulnerabilities, she added.

CISA has some authority to meet the goals of the concept, but it’s more limited without Congress, according to Kolasky, who now works at supply chain risk-management company Exiger. 

Langevin is still huddling with industry over the language and teaming with Sen. Angus King (I-Maine), another Solarium commissioner, to include his provisions in the Senate’s version of the defense bill, Langevin told me.

“The consequences of our inaction could be severe,” Langevin said.

Foreign spyware poses national security and privacy risks, House Intelligence Committee Chairman Adam B. Schiff (D-Calif.) said at a hearing, CyberScoop’s Suzanne Smalley reports. “Schiff suggested more action will be coming from the committee, saying he believes the U.S. needs to put a ‘greater emphasis on this’ and ‘respond to this threat with urgency,’” Suzanne writes.

• Microsoft, meanwhile, says Austrian firm DSIRF was behind spyware used to target “law firms, banks and strategic consultancies in countries such as Austria, the United Kingdom and Panama,” Reuters reported. Microsoft also said it had patched a previously-unknown vulnerability used by DSIRF. DSIRF didn’t respond to Reuters's requests for comment.

European investigators have found evidence that some European Commission staffers were hacked with Pegasus, E.U. Justice Commissioner Didier Reynders said in a letter to European lawmaker Sophie in ‘t Veld obtained by Reuters’s Raphael Satter. Apple warned Reynders last year that his phone may have been hacked with Pegasus, Reynders wrote in the letter. It’s not clear who was responsible for the hacks and the investigation is ongoing, Reynders reportedly wrote.

• Reynders didn’t respond to Reuters’s request for comment. NSO told the outlet that it would cooperate with a European investigation. “Our assistance is even more crucial, as there is no concrete proof so far that a breach occurred,” an NSO spokeswoman told Reuters. “Any illegal use by a customer targeting activists, journalists, etc., is considered a serious misuse.”
• In ‘t Veld is the rapporteur of a European committee investigating Pegasus and other spyware. Last week, the committee said 14 European governments have purchased technology from NSO. Officials in Hungary, Poland and Spain are being — or already have been — questioned about their use of Pegasus, Reynders reportedly wrote in the letter.
• Reynders’s letter emerged just after a Greek member of the European Parliament, Nikos Androulakis, said he had been informed by European investigators that he had been targeted with another type of spyware called “Predator.” It’s not clear who was behind the hacking attempt, but a European Commission spokesperson told Euractiv that “any attempts by national security services to illegally access data of citizens, including journalists and political opponents, if confirmed, is unacceptable.”

Lawmakers in Canada are also going to investigate how Canadian police use spyware, Politico’s Maura Forrest reports. It comes after the RCMP last month disclosed that it has used spyware in criminal investigations, Politico previously reported. The RCMP says it only uses hacking tools in serious cases and gets approval from a judge.

• The lawmakers want to know if the RCMP use NSO spyware, Forrest reports. They plan to hold two days of hearings in the country’s parliament next month.

Bipartisan legislation unveiled today would task federal officials to come up with new cybersecurity guidelines for federal agencies’ data centers. The bill is being introduced by Sen. Jacky Rosen (D-Nev.), Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) and Sen. John Cornyn (R-Tex.).

The legislation calls for officials to consult with the director of CISA and the national cyber director in creating cybersecurity requirements, according to a copy of the legislation obtained exclusively by The Cybersecurity 202.

“The sensitive information stored on federal systems cannot be left open to vulnerabilities like cyberattacks or natural disasters,” Cornyn said in a statement. “This legislation would help secure federal data and encourage optimization, which will save taxpayer dollars and protect Americans who entrust their information to the federal government.” 

• Matthew G. Olsen, who leads the Justice Department’s National Security Division, testifies before the House Judiciary Committee today at 10 a.m.
• A House Science Committee panel holds a hearing on cybersecurity of space systems Thursday at 10 a.m.
• Deputy national security adviser Anne Neuberger speaks at an event hosted by the Center for a New American Security on Thursday at 11:30 a.m.

Thanks for reading. See you tomorrow.