Almost two years ago, Congress directed the Biden administration to develop a similar plan to keep the economy functioning in the event of a national-level cyberattack. It’s been crickets ever since.
On Tuesday, Rep. Andrew R. Garbarino (R-N.Y.) asked Department of Homeland Security Secretary Alejandro Mayorkas again about progress on the “continuity of the economy” plan. His answer:
“I’ll look forward to following up on that for you and responding swiftly,” Mayorkas said at a hearing of the House Homeland Security Committee. “I’ll have to look into that, where the report that is due to you is.”
The question probably shouldn’t have surprised Mayorkas, since Garbarino and Rep. Mike Gallagher (R-Wis.) asked Mayorkas and other administration officials about it in a letter two weeks ago, too.
Congress gave the administration two years to develop the plan, but with the deadline approaching in less than two months, the administration hasn’t made so much as a peep about it.
Garbarino wrote in his letter that as of spring this year, the White House had tasked DHS’s Cybersecurity and Infrastructure Infrastructure Security Agency with leading the development of the plan.
- The White House referred me to CISA when I asked about it Tuesday, and CISA referred me to DHS, which didn’t add anything to what Mayorkas said.
That decision to send the job to CISA was “pretty much setting the agency up for failure,” coming 15 months after Congress originally asked the administration to take action, Garbarino said.
But developing the plan “is a national security imperative for the safety, security and prosperity of the United States,” Garbarino said.
Like much of congressional cybersecurity action in recent years, the idea for a continuity of the economy plan sprung from the Cyberspace Solarium Commission, which Congress established to study cyber policy questions and develop recommendations.
“We recommend that the government institute a Continuity of the Economy plan to ensure that we can rapidly restore critical functions across corporations and industry sectors, and get the economy back up and running after a catastrophic cyberattack,” the March, 2020 final report reads. “Such a plan is a fundamental pillar of deterrence — a way to tell our adversaries that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack against us.”
The 2021 fiscal year defense policy bill, signed into law in January of last year, said the cyber plan should, among other steps:
- Examine how goods and services that the United States would need to function during a catastrophe are distributed across the country.
- Identify the economic functions that, if severely disrupted, would have a debilitating impact on national security, economic security, defense readiness and public health.
- Figure out the key distribution mechanisms for each economic sector that should take priority during a huge attack, like electric transmission systems and interstate trade.
- Use practices similar to those for continuity of government and operations established during the Cold War and beyond.
- Assess whether DHS, the National Guard and Defense Department have the authority to help the United States recover.
Garbarino, the top Republican on the Homeland Security panel’s cybersecurity subcommittee, also asked CISA Director Jen Easterly and others about progress on the plan in December of last year, but said he didn’t get an answer then, either. Congress has given CISA $200,000 to help develop the plan, he said in his more recent letter.
“As the Great Power Competition with Russia and China continues to unfold on the world stage, the United States faces cyberthreats across all sectors of our economy from adversarial nations who seek to sow discord within the Homeland and reduce our ability to flow forces and project power,” the letter states. “Given this reality, it is unfathomable that since you received the requirement to develop a COTE plan in January 2021, there appears to be little to no progress on the implementation of this authority.”
It might seem a bit wonky that simply developing a plan could be such a big deal. But at a panel discussion I moderated in August, Gallagher, who co-chaired the Cyberspace Solarium Commission, said it was the top unfinished recommendation he wanted to see completed.
It’s not likely at this point that CISA will meet the congressional deadline, Mark Montgomery, who served as executive director of the Solarium panel, told me.
As originally conceived, DHS would be just one of the Cabinet agencies advising the president on the plan, alongside the departments of Commerce, Transportation and others. Despite the additional money from Congress, CISA’s team might still be “under-resourced,” Montgomery said.
“You don’t send a whole-of-government issue to one federal agency,” said Montgomery, who is now the executive director of the organization tracking progress on Solarium recommendations and senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies think tank. “That kind of shortchanges the system.”
“My guess is that the best that they’ll have in January is a plan for a plan,” he said. “That’s a partial success.”
FBI has national security concerns about TikTok, Wray says
FBI Director Christopher A. Wray told lawmakers at a House Homeland Security Committee hearing that the FBI has “national security concerns” about the popular video app, including the Chinese government’s potential ability to collect data on users or control the app’s algorithms or software. TikTok, which has denied that it poses such a threat, has agreed on some initial terms for a deal with the U.S. government’s Committee on Foreign Investment in the United States (CFIUS), but the deal isn’t close to a clear outcome, my colleagues reported last month.
“The FBI’s foreign investment unit working through the Department of Justice is part of the CFIUS process and would be relevant,” Wray said in response to questions from Rep. Diana Harshbarger (R-Tenn.). “Our input would be taken into account in any agreements that might be made to address the issue.”
Authorities arrest alleged Zeus hacker in Switzerland
Vyacheslav “Tank” Penchukov was arrested in Switzerland three weeks ago — around eight years after U.S. prosecutors unveiled criminal charges against Penchukov and other alleged hackers who they accused of targeting companies with Zeus malware, journalist Brian Krebs reports. Penchukov evaded capture for years, partly by being well-connected, Krebs writes.
“Ultimately, Penchukov’s political connections helped him evade prosecution by Ukrainian cybercrime investigators for many years,” Krebs writes. “The late son of former Ukrainian President Viktor Yanukovych (Viktor Yanukovych Jr.) would serve as godfather to Tank’s daughter Miloslava. Through his connections to the Yanukovych family, Tank was able to establish contact with key insiders in top tiers of the Ukrainian government, including law enforcement.” The FBI declined to comment to Krebs.
- Rep. John Katko (R-N.Y.) and officials from the Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and FBI speak at the WaterISAC’s H2OSecCon security conference from today through Thursday.
- Top U.S. cybersecurity officials speak at the Aspen Institute’s annual Aspen Cyber Summit today.
- The Senate Judiciary Committee holds a hearing on oversight of the Department of Homeland Security today at 10 a.m.
- The Center for Democracy and Technology hosts an event on online harassment and targeted disinformation aimed at women of color candidates in U.S. elections today at 11 a.m.
- The Senate Homeland Security Committee holds its hearing on worldwide threats on Thursday at 10:15 a.m.
- Google Cloud chief information security officer Phil Venables and Elliptic founder and chief scientist Tom Robinson speak at a Washington Post Live event on Thursday at 10:30 a.m.
- Rep. Jim Himes (D-Conn.) discusses spyware at a Center for a New American Security event on Thursday at noon.
- Doreen Bogdan-Martin, the newly elected secretary general of the International Telecommunication Union, and National Archives and Records Administration innovation chief Pamela Wright speak at an American University event on Friday at 8:30 a.m.
Thanks for reading. See you tomorrow.
