THE KEY


Kirstjen Nielsen’s resignation as secretary of homeland security could deal a blow to the Trump administration’s cybersecurity efforts — as she was one of the last civilians in its top ranks with extensive cybersecurity expertise. 

That’s a dangerous position, experts say, as the nation barrels toward a 2020 election that will likely be targeted by Russian hackers and the Homeland Security Department launches a major campaign to get government and industry to stop buying technology from China’s Huawei and other companies deemed national security threats. 

“Hopefully whoever runs DHS will prioritize its vital cybersecurity mission, but it makes a difference if the person at the top has a background in cyber and knows from experience how important it is rather than just being told,” former State Department cyber coordinator Chris Painter told me. “DHS is spread thin among multiple priorities as it is, and without a clear mandate from department leadership that cybersecurity is a prime mission, their efforts risk being sidelined.”

Nielsen – who The Post reported was forced to step down because Trump was dissatisfied with her handling of the border — had, by far, the longest cybersecurity resume of any DHS secretary in history. She advised President George W. Bush on cybersecurity and homeland security issues, founded a consulting group called Sunesis Consulting focused on cybersecurity and critical infrastructure, and served as a senior fellow at George Washington University’s Center for Cyber and Homeland Security.

Her acting successor, U.S. Customs and Border Protection Commissioner Kevin K. McAleenan, by contrast, has no substantial background in the field.

Her resignation also comes after the high-profile departures last year of Tom Bossert, a cybersecurity-savvy Homeland Security Adviser, and Rob Joyce, the White House cybersecurity coordinator, whose job was eliminated when he returned to work at the National Security Agency.

That leaves Chris Krebs, director of DHS’s cybersecurity division, as the highest-ranking official who regularly speaks publicly about major civilian cybersecurity initiatives.

“Bossert, Joyce, and now Nielsen,” Paul Rosenzweig, a former top DHS policy official, told me. “I am sure the professional staff will continue to do their level best and there is no reason to think that McAleenan is not willing to engage. But at the same time the lack of high-level commitment to the issue is evident.”

Nielsen made cybersecurity a priority at DHS, frequently describing cyberattacks as a greater danger to the nation than terrorism. She lobbied industry to help government fight digital attacks from China and Russia.

During her tenure, Congress approved a plan to elevate and rename DHS’s clunkily-titled cybersecurity division – previously called the National Protection and Programs Directorate – to the Cybersecurity and Infrastructure Security Agency, or CISA.

That change – which DHS officials had sought since the Obama administration — “should give cybersecurity some insulation from changes in DHS headquarters,” said another former top DHS cybersecurity official, Phil Reitinger. 

Nielsen also helped smooth tensions with states over election security that flared up in the wake of Russian efforts to interfere in the 2016 election — and her efforts seem to have paid off. 

At the low point of that relationship, in February 2017, the National Association of Secretaries of State approved a resolution opposing former DHS Sec. Jeh Johnson’s decision to designate election systems as critical infrastructure – a move they saw as a power grab aimed at imposing federal authority over state-run elections.

By the time the 2018 midterms rolled around, however, all 50 states were consulting with DHS about hacking threats and many of them had invited the agency to test the cybersecurity of their election systems.

And there was no evidence that Russia or any other nations successfully undermined the 2018 elections, according to intelligence officials – a fact Nielsen made sure to tout in the resignation letter she posted to Twitter.

Even though she oversaw controversial changes to border policy, and the government’s response to numerous hurricanes and other natural disasters, Nielsen devoted more ink to cybersecurity in that letter than to any other single topic.

“We have prevented the disruption of U.S. elections and guarded against foreign interference in our democracy,” she wrote. “We have replaced complacency with consequences in cyberspace, we are holding digital intruders accountable, and we are stepping up our protection of American networks.”

Correction: A previous version of this article incorrectly described a National Association of Secretaries of State resolution opposing designating election systems critical infrastructure. It was approved without a recorded vote.

PINGED, PATCHED, PWNED

PINGED: A former Democratic congressional staffer pleaded guilty Friday to publishing the personal information of four Republican senators on Wikipedia — in hackers’ parlance, “doxing” them — out of anger over his own firing and Republican actions during the confirmation hearings of Supreme Court Justice Brett M. Kavanaugh.

Jackson A. Cosko, 27, who had been fired before the incident by Sen. Maggie Hassan (D-N.H.), also threatened another staffer who caught him on a computer after hours in Hassan’s office, my colleague Spencer S. Hsu reported.

The GOP senators he doxed were Senate Judiciary Committee members Lindsey O. Graham (S.C.); Mike Lee and Orrin G. Hatch of Utah; and Sen. Rand Paul and Senate Majority Leader Mitch McConnell of Kentucky.

Cosko “pleaded guilty to two counts of making public restricted personal information and one count each of computer fraud, witness tampering and obstruction of justice,” Spencer reported.  

Cosko’s lawyer Brian W. Stolarz said in a statement: “Mr. Cosko takes full responsibility for his actions and is sincerely remorseful. Sadly, Mr. Cosko’s ongoing struggle with drugs contributed to a regrettable course of conduct. He is committed to rehabilitating his life, his reputation, and addressing his addiction.”

PATCHED: WikiLeaks founder Julian Assange is not being expelled from the Ecuadoran Embassy in London where he has spent the past seven years, Ecuadoran officials said late Friday, according to a Reuters report.

According to Reuters: “Assange was ‘prepared’ for expulsion from the building, a British friend of his said on Tuesday, after Ecuador’s President Lenín Moreno said he had ‘repeatedly violated’ the terms of his asylum. Moreno accused Assange of harming Ecuador’s relations with other countries by intervening in their politics and said he did not have the right to ‘hack private accounts or phones.’ WikiLeaks said Moreno’s remarks were in retribution for WikiLeaks having reported on corruption accusations against Moreno, who denies wrongdoing.”

Ecuador’s Foreign Ministry denied those claims, however, saying the nation “categorically rejects the fake news that have circulated recently on social networks, many spread by an organization linked to Mr. Julian Assange, about an imminent termination of the diplomatic asylum granted to him since 2012.”

The ministry added that it reserved the right to terminate Assange’s asylum when it considered it justified, Reuters reported.

PWNED: A federal commission that helps states combat hacking and digital interference in their elections is hampered by a lack of security clearances, Politico’s Eric Geller reports.

Just half the members of the Election Assistance Commission have security clearances, Eric reported, and none were cleared during the 2018 election cycle or the 2016 cycle — which was undermined by Russian hacking efforts.

“The delay in issuing security clearances for commission members is part of a massive backlog of application approvals throughout the entire federal government. But it’s a particularly acute problem for the EAC, one of the key agencies offering guidance to state and local officials about how to protect themselves from security risks,” Eric reported.

Sen. Ron Wyden (D-Ore.), who has sponsored election security bills, compared asking EAC members to help protect elections without a clearance to “making a baseball player hit without a bat,” according to the story.

“Vermont Secretary of State Jim Condos, who previously led a national group of secretaries that works closely with the EAC, called it ‘imperative’ that the commissioners receive their clearances ‘so that we can all be rowing in the same direction to defend our democracy against our foreign adversaries,’ ” Eric reported.

PUBLIC KEY

Cybersecurity news from the public sector:

First 5G, now supply chains: Trump administration considers blacklist to battle China (Yahoo News)

Lawmaker alleges political payback in failed ‘deepfakes’ measure (The Hill)

DHS official sounds alarm on authoritarian states ‘operationalizing their tech sectors’ (CyberScoop)

Cyberattack diverts almost $500,000 out of city of Tallahassee payroll account (USA Today)

Financial Regulators Want To Know If Their Cyber Assessment Tool Is Worth It (Nextgov)

PRIVATE KEY

What percentage of critical infrastructure is owned by the private sector versus the government? Well, it’s certainly a lot, but the oft-cited figure of 85 percent has no real basis in research, as four former government cybersecurity officials noted in a Twitter exchange this weekend. It started with former DHS official Phil Reitinger:

Then former State Department Cyber Coordinator Chris Painter joined in:

Followed by former White House Cyber Coordinator Michael Daniel: 

And here’s former DHS cybersecurity official Paul Rosenzweig who did some research on the figure but still couldn’t find a definitive origin. 

Cybersecurity news from the private sector:

Facebook’s Own Algorithms Boosted Cybercriminal Groups (Gizmodo)

A Top Progressive Consulting Firm Is Doing PR for an Israeli Spy Company (The Intercept)

Norsk Hydro’s production near normal after cyber attack (Reuters)

The Improbable Rise of Huawei (Keith Johnson, Elias Groll)
