Previewing the annual CISA cyber summit

With help from Eric Geller

Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.

Quick Fix

— Health care cybersecurity and CISA’s goals will both get attention on the opening day of CISA’s annual cybersecurity summit beginning this week, based on an MC sneak peek at some of the opening day speeches.

— Exclusive: Approximately 70 different names from the security research community and elsewhere took issue with mobile voting company Voatz for siding against narrowing the main federal anti-hacking law.

— The House is scheduled today to take up an internet of things security bill, as well as an election security measure.

HAPPY MONDAY and welcome to Morning Cybersecurity! Surely, RT’s intentions are pure. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

Driving the Day

‘WHERE BITS AND BYTES MEET FLESH AND BLOOD’ — The third annual CISA National Cybersecurity Summit begins on Wednesday with a kickoff speech focused on health care followed by a keynote from Director Chris Krebs to begin the day. Unlike past editions, the event isn’t compressed into a day or three at an off-site location, but will instead take place once a week for four weeks and will be entirely virtual.

— The agenda: Each week of Wednesday webinars has a theme, and the Sept. 30 focus on diversity — a topic that often gets less attention than, say, election security, even at a conference where it’s a devoted subject — is a big deal, said Joshua Corman, CISA senior adviser for Covid and safety critical issues. “We need as diverse a set of backgrounds, skills and personalities as humanly possible to make sure we leave no stone unturned,” Corman told MC. “Conventional thinking is not going to get us there.” Before that, though, first up is “Key Cyber Insights,” followed by “Leading the Digital Transformation,” “Diversity in Cybersecurity” and “Defending our Democracy.”

— Summit opener: That Corman — who specializes in health care cybersecurity as a founder of the grassroots hacker organization I Am the Cavalry — is speaking first signals the dedication the conference will have to that issue, he said. He’ll talk about the “circumstances and gravity of the Covid crisis and the role that cyber plays in subordination of that.” There had been plenty of “wakeup calls” on health care cybersecurity before, Corman said, like the 2017 WannaCry cyberattack hampering the U.K. National Health Service or the NotPetya attack costing pharma giant Merck more than $1 billion in damages.

It’s all the more important now, with government-industry initiatives like Operation Warp Speed seeking to develop Covid-19 vaccines and treatments, and with researchers threatened by foreign nation hackers. “Even a one month delay could affect 5 million people at current infection rates,” Corman said. “The world is depending on us more than ever to get this right.” But he’s seeing progress on the need to deepen ties between government and the private sector; whereas once he said, “the cavalry isn’t coming,” Corman now believes “the cavalry is forming.”

— Krebs excerpt: An excerpt of Krebs’ first day keynote speech shared with MC emphasizes the role of CISA as “the nation’s risk adviser” bringing people together and giving them information, and its goal of being a “force multiplier.” CISA manages 2.3 million connected devices across the federal government, Krebs is expected to say, and captures 7.2 terabytes of net flow records daily, with 100 million malware submissions every day, too.

“The point is we have an incredible amount of data and we’ve got to be able to do something with it. We have to be able to extract insights to provide value. This is what I call — the CISA public dividend,” the prepared remarks read. “So one dollar invested in me at CISA… I’ve got to figure out how to have a force multiplier, to get you, out there in government, industry, wherever you are, a security outcome from this investment that the American taxpayers make in us here at CISA.”

FIRST IN MC: REBUTTAL TO VOATZ IN SUPREME COURT CFAA CASE — A broad coalition of security researchers, voting tech company employees and even government personnel signed a response to mobile voting vendor Voatz’s Supreme Court brief on a case that could narrow or broaden the parameters of the chief federal anti-hacking law, the 1985 Computer Fraud and Abuse Act.

The coalition strongly disagrees with Voatz’s opposition to narrowing the law in a case that centers on the definition of “authorized access,” and when someone exceeds it. Voatz’s fundamental argument is that, "Necessary research and testing can be performed by authorized parties." The coalition’s response to Voatz argues that Voatz’s own behavior demonstrates threats to independent security research: The company reported a researcher to state authorities even though that student was operating within the rules of a Voatz program that pays bounties to researchers who discover security flaws, only for the company to retroactively change the rules of that program, the response reads. Furthermore, Voatz argued that a critical MIT report was the result of research conducted on an “unauthorized basis,” implying activity that might be illegal if CFAA isn’t narrowed by the Supreme Court.

“Voatz’s actions threatening good-faith security research are indicative of what may come should the Court decide that a breach of contractual terms constitutes a criminal CFAA violation,” the response says. “We cannot afford to lose the benefits of security research on our digital and physical safety, and our democracy as a whole.”

Jack Cable, a celebrated young ethical hacker, organized the response published on disclose.io, whose signatories include both those speaking on behalf of their organization and some not. Among those signing on behalf of their organizations were bug bounty platforms BugCrowd and HackerOne, the latter of which Voatz touted working with in its brief, even though HackerOne cut ties with Voatz earlier this year, saying it prioritized working with companies that operate in “good faith” toward researchers. Another company that once worked with Voatz, Trail of Bits, also signed.

Cable told MC he was motivated to organize the response because Voatz took a posture that it was arguing on behalf of security research rather than against it. He said a favorable Supreme Court ruling would be huge. But if it’s the opposite, “Every user of the internet should be nervous,” as a wide range of online activities could become illegal, Cable warned.

In Congress

BETTER LATE THAN NEVER? — A bill to improve the federal government’s use of internet of things devices will finally reach the House floor today, after languishing for nearly a year and a half in the void between committee passage and floor consideration. The IoT Cybersecurity Improvement Act (H.R. 1668), which would require NIST to develop standards for agencies’ use of IoT devices and their handling of vulnerabilities in those devices, is on the schedule as a suspension bill, meaning that amendments are prohibited and the measure must receive two-thirds support to pass.

It’s been a long road for this bill. Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas), the former leaders of the House Oversight Committee’s IT subcommittee, first introduced the bill in March 2019, and it passed the full committee three months later.

The House is also slated to consider another suspension bill, H.R. 4990, today that the Science panel first approved in December that would expand the research roles of NIST and the National Science Foundation in election security. It would also amend the 2002 Help America Vote Act definition of "voting systems" to include electronic pollbooks and voter registration systems so that NIST and the Election Assistance Commission may establish further security guidelines for them.

THREAT BRIEFING THREATENED — The worldwide threat briefing kerfuffle that’s bedeviled congressional intelligence panels has spread to the House Homeland Security Committee. The panel is scheduled to hold its annual hearing on threats to the homeland on Thursday, but it issued a subpoena for acting DHS secretary Chad Wolf on Friday after Democrats said he reneged on his commitment to testify. The department instead offered Ken Cuccinelli, the “senior official performing the duties of deputy secretary,” saying it’s unusual for nominated officials to testify on the Hill and noting that the Senate Homeland Security panel has accepted the offer.

House Homeland Security Democrats who have been talking to DHS about testifying since June countered that Wolf hasn’t been formally nominated, and that it’s a “self-imposed limitation” to forbid him from testifying even if nominated. “From the coronavirus pandemic to the rise of right-wing extremism to ongoing election interference, there are urgent threats requiring our attention,” Chairman Bennie Thompson (D-Miss.) said.

WHO ARE YOU — A bipartisan quartet of House members has introduced draft legislation designed to bolster secure methods of validating identities in government agencies' digital infrastructure. Rep. Bill Foster (D-Ill.) introduced the legislation with Rep. John Katko (N.Y.), top Republican on the Homeland Security Committee's cyber subpanel, as well as Congressional Cybersecurity Caucus Co-Chair Jim Langevin (D-R.I.) and Rep. Barry Loudermilk (R-Ga.). "So much of people's daily lives are spent conducting business online — whether it's banking, investing, shopping, or even communicating with doctors,” Foster said. “It's become vitally important to ramp up safeguards to protect against identity theft and fraud."

TWEET OF THE WEEKEND — Problem solved.

RECENTLY ON PRO CYBERSECURITY — On election interference, Russia is sneakier than ever, but it’s not the only one playing in the sphere. … Facebook filed an appeal against an expected ruling in Ireland that would block it from transferring data on European users to the U.S. … Conflicting messages from the Trump administration and congressional Democrats have muddled the foreign election meddling picture for voters. … “Trump’s order that TikTok’s parent company, Beijing-based ByteDance, sell off its U.S. operations — initially seen as a potential opportunity for an American company — has turned into a quagmire.” … That said: “ByteDance picks Oracle in high-profile bid for video app TikTok.”

Quick Bytes

— The U.S. Postal Service used apps that had "catastrophic" bugs, its inspector general said earlier this year. Motherboard

— A cyber insurance vendor said nearly half of claims filed in the first part of 2020 were due to ransomware. CyberScoop

— TikTok fixed some Android-related bugs. TechCrunch

— The IRS is offering as much as $1 million for technology to track some cryptocurrency transactions. Motherboard

That’s all for today.

Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); Tim Starks ([email protected], @timstarks); and Heidi Vogt ([email protected], @heidivogt).