Getting serious about cyber-security

by digby




Marcy Wheeler has a fascinating look in the New Republic at the new cybersecurity bill proposed in Congress. It appears to be pretty tough. I trust Wheeler's analysis about the civil liberties implications, which exist, but she seems to think that with some exceptions (particularly the WikiLeaks provision) the bill is necessary and reasonable, the main question being whether Trump will sign it. And that's not just because he almost certainly wants Russia's help in upcoming elections:
Russia and WikiLeaks are not the bill’s only targets. It also includes two provisions that would constrain any plans Trump might have to cozy up to the Russians. One would defund any scheme to partner with Russia on cybersecurity, which Trump has pledged to do. The second would impose a review of the risks of returning diplomatic compounds seized from Russia in December under the Obama administration, which was retaliating against Russia’s interference in the election. Russia has put heavy pressure on Trump to give the compounds back.

The intelligence authorization includes a range of other measures to fix known weak points. It establishes a task force that will identify risks to the government’s supply chain, such as the widespread use of software produced by Russian anti-virus company Kaspersky. It establishes a working group to develop a national strategy to protect energy infrastructure, especially its industrial control systems. That effort comes in the wake of reports that Russian hackers were targeting engineers with access to the control systems of energy facilities, including nuclear power plants. And finally, the bill mandates a review of whether the intelligence community had the information it needed on the Russian threat and shared it effectively.

All told, the Intelligence Authorization mentions Russia 34 times, and includes a number of other provisions, such as the supply chain review and the energy infrastructure task force, that don’t name Russia but respond to U.S. vulnerabilities that Russia is suspected of exploiting. While neither the intelligence community nor the White House have weighed in on the bill yet, in its current form it represents a focused response to a threat to the U.S., and a concrete effort to improve America’s security generally.

That’s important for two reasons. First, it’s a tangible response to the Russian hack, and it comes as the president and House Intelligence Committee Chair Devin Nunes continue to undermine the investigations of four congressional committees and Robert Mueller’s special counsel team.

Just as importantly, the bill makes a number of common-sense changes—like higher salaries for top cybersecurity positions at NSA, congressional oversight over the vulnerability equities process, and a strategic plan to make the most of bounties paid to “white hat” hackers who find weaknesses in government systems—that will likely have a real impact on cybersecurity. These were all pitched back in 2015, when Congress focused instead on information-sharing between various intelligence agencies, an effort that still hasn’t shown great returns.

The Senate Intelligence Committee is by no means perfect. It rushed through the confirmation of CIA Director Mike Pompeo, who in April came up with the term “non-state hostile intelligence service” that Wyden now objects to. The Senate confirmed Pompeo even though he, like the president, cheered this non-state hostile intelligence service when it served his purposes. But the committee has at least shown where it stands on the issue of Russian interference in U.S. elections, which is more than we can say for Pompeo and Trump.

It's a good read, I highly recommend it.

I think it's worth noting that as weak as the Republicans have been in dealing with the narcissist in chief, they have taken some pretty strong action with respect to this Russian interference in the election and other possible cyber-threats. And in the process they have revealed, once again, Trump's weird obsession with stopping them from doing it.

I imagine that this bill will get a strong bipartisan backing which, like the sanctions bill, would be a serious constraint on the president who insists that what happened in 2016 was no big deal and that it's all Democratic sour grapes. It will be interesting to see if he calls up GOP senators and curses at them about this one too.

And, more importantly, it will be interesting to see if he signs the bill. It took him days to sign the sanctions bill which was passed with an overwhelming bipartisan vote. And he did it grudgingly. In secret. Maybe he thought the Russian government wouldn't notice.
