December 1, 2022


A Code for Advancement

Easterly and Inglis have led U.S. cybersecurity for one year. How’d they do?


Good morning and happy first work anniversary to Jen Easterly and Chris Inglis — they had a busy year! Send me tips, suggestions and predictions for what’s going to happen over the next year in the world of cybersecurity: [email protected]

Below: A third Colorado elections official has been arrested in connection with a security breach, and hackers target a top European official. First:

Top U.S. cybersecurity officials get good reviews from lawmakers after a busy first year

Top lawmakers are praising CISA Director Jen Easterly and National Cyber Director Chris Inglis for their first year of work as the U.S. government’s premier civilian cybersecurity officials.

  • “Thanks to their actions, there is no question our nation is more prepared to deter online attacks and hold foreign adversaries and criminal hackers accountable for targeting our networks,” Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) said in a statement.
  • Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, said in a statement that he has “been pleased to see them reach across party lines to build cooperation, awareness, and support for their critically important work.”

In the year since Easterly and Inglis began their work, they’ve dealt with everything from major software flaws to the war in Ukraine and drama on Capitol Hill. There have been successes along the way, but some hiccups as well.

They raced to fix a vulnerability in the popular log4j software library that Easterly called the “most serious vulnerability I have seen in my decades-long career.”

  • The response probably at least partially staved off serious hacks regulating from the vulnerability, this newsletter reported in January.
  • Log4j pushed the security of open source software to the fore. The White House hosted a meeting with industry leaders about the subject.
  • That has also boosted interest in ingredients lists for systems that organizations can consult to check if bugs are lurking within software.

Cybersecurity officials also tried to warn organizations that they could be targeted in the wake of Russia’s invasion of Ukraine and need to be prepared. In mid-February, CISA told organizations to put their “shields up”; the warning has persisted for the last 150 days.

  • Inglis and Easterly said in an op-ed last month that “our shields will likely be up for the foreseeable future.” They also warned that the “prospect of cyberattacks here at home — whether by Russia or other malign state and nonstate actors — will not dissipate anytime soon.”
  • CISA has also sought to boost cybersecurity practices like multifactor authentication, which can help protect accounts and networks from hacks.

They’ve also focused on workforce issues as the government faces a major shortage of cybersecurity workers. The Cyberspace Solarium Commission has recommended overhauling the process for hiring cybersecurity workers, and Inglis appeared at an event last month where the report was released. (The creation of Inglis’s office was a previous recommendation from the commission, and Inglis was a member of the commission before he became national cyber director.) 

But cybersecurity officials have also experienced some hiccups that have threatened to hurt interagency collaboration and trust with industry partners.

In March, Deputy Attorney General Lisa Monaco and FBI Director Christopher A. Wray issued rare statements arguing that legislation requiring critical organizations to report hacks would leave the country less safe because it only required organizations to report cyberattacks to DHS and not also the FBI. The statements came after the requirements passed the Senate.

Easterly appeared to defuse immediate tensions in a tweet a couple days later. President Biden signed the bill into law that month.

Later that month, CISA published an unredacted, three-hour call that it conducted with more than 13,000 workers from critical organizations about being on the lookout for cyberattacks in the wake of the Ukraine invasion.

Easterly initially defended publishing the call, citing transparency and making sure the information provided in the call was “widely available.” But around 48 hours later, CISA removed the recording of most of the call and Easterly publicly apologized — and seemingly acknowledged that publishing questioners’ sensitive inquiries about the threats they have faced could harm trust.

CISA has rolled out new programs to bolster information sharing and the cyber defenses of government agencies and other organizations as they respond to ransomware and other cyberthreats.

  • In August, CISA announced the launch of the Joint Cyber Defense Collaborative, an information-sharing hub that grew out of a congressional requirement and has more than 20 private-sector members.
  • The agency has also posted a list of software vulnerabilities that have been exploited by malicious hackers. It has required federal agencies to fix those flaws and alongside other agencies, has urged the private sector to do so as well.

The Department of Homeland Security has also slapped new cybersecurity rules on the pipeline, rail and aviation sectors so that they can plan for and quickly report hacks to the government.

  • The Transportation Security Administration’s pipeline regulations got pushback from some experts and industry officials, who said they were a mix of being overly prescriptive and too vague. Some also criticized the engagement and transparency of the process of creating the rules. The government is preparing to update the rules.

CISA has deployed long-awaited cybersecurity tools across the federal government to give the agency visibility into the threats that most of the civilian government is facing.

Another Colorado elections official has been arrested over breached voting machines

Former Mesa County elections manager Sandra Brown is the third person to be arrested for helping breach the county’s voting machines last May, the Grand Junction Daily Sentinel’s Charles Ashby reports. Brown has been accused of conspiring to commit criminal impersonation and trying to influence a public official. Brown was fired by Mesa County last year, Ashby reports.

The charges against Brown are similar to some of the charges that Mesa County Clerk Tina Peters and her deputy, Belinda Knisley, are facing.

Peters sought the Republican nomination to be Colorado’s top election official last month, but she lost handily. A judge has barred her from overseeing elections this year because of the allegations against her.

But there was another revelation in Ashby’s story, my colleague Emma Brown writes:

Hackers unsuccessfully attempted to hack the head of the European Central Bank by impersonating Angela Merkel

Hackers “recently” tried to impersonate former German chancellor Angela Merkel in a message to European Central Bank President Christine Lagarde, but the attack was “identified and halted quickly,” the bank told the Associated Press. It declined to comment, citing an ongoing investigation.

German authorities have warned lawmakers that they could be targeted in similar “social engineering” attacks, Business Insider’s Lars Petersen reports. Petersen first reported that Lagarde was targeted.

Election officials fear copycat attacks as ‘insider threats’ loom (Politico)

The nonstop scam economy is costing us more than just money (Heather Kelly)

IT giant restores systems after ‘malware attack’ crippled operations (The Record)

Germany bolsters defenses against Russian cyber threats (DW)

The FBI keeps losing desktop computers (Motherboard)

Congress has Roger Stone’s encrypted chats with Proud Boys and Oath Keepers (Vice News)

Thanks for reading. See you tomorrow.