The Cybersecurity 202: Democrats’ new infrastructure bill highlights cybersecurity concerns

A recent string of high-profile cyberattacks pushed long-neglected cybersecurity issues to the center of national policy discussions.

“The infrastructure in the United States is in sore need of updates and the fact that Congress is now recognizing the importance of upgrading not just physical infrastructure but cybersecurity infrastructure is a sign of a new importance and awareness of cybersecurity,” says John Gilligan, president and CEO of the Center for Internet Security, a cybersecurity nonprofit.

Key cybersecurity-related investments in the bill include $10 billion to help hospitals guard against cyber criminals and roughly $3.5 billion for electric grid security.

“Over the last year, we’ve seen the devastating results of inaction: major power outages, water shortages, health care facilities stretched to the limit, and communities left behind due to the digital divide,” Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) said in a statement introducing the bill. 

In February, Florida police revealed that a hacker tried to poison the water supply of the town of Oldsmar. And although not the result of a cyberattack, the fallout of a mass grid failure in Texas raised alarms from researchers and lawmakers about cybersecurity weaknesses in America’s power systems that could lead to a much worse outage. 

During the coronavirus pandemic, hospitals have been hit with a surge of dangerous attacks in which attackers locked up data and systems in exchange for a ransom, leaving hospital services unavailable.

Congress is also scrambling to respond to a Russian attack on software company SolarWinds, which resulted in the hacking of at least nine federal agencies, as well as a recent Chinese-tied campaign against a vulnerability in Microsoft software. Both are used heavily by the government and critical industries including the energy sector. 

Biden last month signed an executive order requiring a review of the security of America’s supply chains and is expected to sign another executive order addressing cybersecurity improvements in critical software systems.

A bipartisan group of members of the House Committee on Homeland Security yesterday introduced a bill that would cement the role of the Cybersecurity and Infrastructure Security Agency in protecting critical infrastructure. 

Incidents such as the one in Florida are a wake-up call that the U.S. government needs to do more to defend critical infrastructure, said the committee’s ranking Republican, Rep. John Katko (N.Y.), who led the bill.

“These systems operate many vital components of our nation’s critical infrastructure and remain under constant attack from cyber criminals and nation state actors,” he said in a statement.

The bill will give CISA  more authority in responding to cyberattacks against critical industries and a leading role in coordinating the critical infrastructure providers about attacks. 

The idea is that codifying the responsibility will help the agency acquire more funding from Congress. Although CISA got a $650 million boost in the most recent stimulus package, its acting director Brandon Wales told Congress Wednesday that amount is just a “down payment” on the work the agency needs to do.

The bill is co-sponsored by Homeland Security Committee Chairman Bennie Thompson (D-Miss.), Cybersecurity Subcommittee Chair Yvette D. Clarke (D-N.Y.), and four other Republicans and one Democrat.

Currently, there are still tens of thousands of Microsoft Exchange servers not yet secured to protect against the vulnerability, meaning that the number of ransomware victims could be devastating.

Since Microsoft first announced the vulnerability earlier this month, researchers have warned that hackers would likely exploit the weakness to try to plant malicious software that allows them to lock up systems and extort victims for money. 

Molson Coors said its brewing operations and shipments were disrupted as a result of the incident, the AP’s Dee-Ann Durbin reports. Employees at a company plant in Georgia told local television station WALB that they were told to go home and not try to log in to any company websites. 

“Molson Coors experienced a systems outage that was caused by a cybersecurity incident,” Adam Collins, the Molson Coors chief communications and corporate affairs officer, told WALB in a statement. “We have engaged a leading forensic IT firm to assist our investigation into the incident and are working around-the-clock to get our systems back up as quickly as possible. We will continue to communicate with our business partners with updates.”

Attacks on K-12 institutions increased 18 percent last year and hit schools especially hard as they pivoted to remote learning, the Hill’s Maggie Miller reports. The most widespread attacks held networks for ransom, and other attackers infiltrated online classes and disrupted them, according to a report by the K-12 Cybersecurity Resource Center.

“Cybercriminals have no reluctance to attack our schools and our hospitals and our businesses,” Rep. Jim Langevin (D-R.I.), the chair of the House Armed Services Committee’s cyber panel, said, according to EdScoop. “We’re getting our house in order to develop a national strategy.” Langevin said he plans to reintroduce legislation with Rep. Doris Matsui (D-Calif.) to create cybersecurity grants for schools and create a clearinghouse for information sharing.

The Microsoft-owned website, which hosts computer code, said that it removed security researcher Nguyen Jang’s proof-of-concept code “following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited,” Motherboard’s Lorenzo Franceschi-Bicchierai reports. Three security researchers told the Record that the hacking tool was able to exploit Microsoft email software with some minor adjustments.

Researchers have identified hacking groups taking advantage of the software flaw in Microsoft Exchange software since Microsoft announced it last week. The company and federal authorities have encouraged organizations to update their software.

TrustedSec and Binary Defense Systems founder Dave Kennedy criticized GitHub’s decision: 

Security researcher Marcus Hutchins disagreed:

Today’s hearing comes nearly two weeks after the National Security Commission on Artificial Intelligence released a report saying the U.S. government is unprepared for the battle over AI technology with China. 

“This will be expensive and requires significant change in mind-set at the national, and agency, and Cabinet levels,” the commission’s vice chair, Robert Work, said as the report was released. “America needs White House leadership, Cabinet member action, and bipartisan congressional support to win the AI competition and the broader technology competition.”

“Clearly, cybersecurity has become synonymous with national security,” Rep. Stephen F. Lynch (D-Mass.), the chairman of the Oversight Committee’s national security panel, plans to say at the 11 a.m. hearing, “and our fundamental duty to protect our democracy requires that we become ‘AI-ready’ with the resources, personnel, and strategies necessary to meet these urgent challenges.”

• A House Judiciary committee panel holds a hearing on technology competition and the press today at 10 a.m. Microsoft president Brad Smith, whose company said China and other hackers attacked its email software recently, is expected to testify.
• Former Google CEO Eric Schmidt, the chairman of a government commission on artificial intelligence, testifies with other commissioners at a joint hearing today at 11 a.m.
• Homeland Security Secretary Alejandro Mayorkas testifies before the House Homeland Security Committee at 9:30 a.m. on March 17.