The White House is on a cyber bender

Earlier this week, the White House issued an executive order on vetting foreign investments in the United States for cybersecurity and other risks, published a memo on the development of secure software and followed through on a threat to take action against Iranian hackers.

But the steps have, in some cases, have gotten a mixed reception.

A billion-dollar pot of money

Today the Biden administration is spelling out the application process and award timelines and providing more details about implementing a $1 billion cybersecurity fund for state and local governments allocated in last year’s bipartisan infrastructure law, Department of Homeland Security (DHS) Secretary Alejandro Mayorkas told reporters Thursday.

“The grants will significantly improve national resilience to cyberthreats by giving state, local and territorial governments much-needed resources to address network security and take steps to protect against cybersecurity risks to help them strengthen our communities,” Mayorkas said. The tribal grant program will be released later in the fall, he said.

The four-year fund will release $185 million for fiscal year 2022, said Mitch Landrieu, White House infrastructure coordinator. Each state will be eligible for a minimum of $2 million to develop a cybersecurity plan and begin assorted projects (including, potentially, election security projects), and states must allocate at least 80 percent of the funding to local and rural communities and 3 percent to tribal governments.

State and local governments have been awaiting the administration to turn on the spigot for a long time, and many don’t believe $1 billion spread across the whole country to be nearly enough.

The administration will evaluate the execution of the state cybersecurity plans and consider further needs at the end of the second and third years of the fund, said a DHS official who spoke on the condition of anonymity as part of the rules of the reporter briefing.

Senate Homeland Security and Governmental Affairs Chairman Gary Peters (D-Mich.), who pushed for the funding. said this: 

• “State and local governments in Michigan and across the country often lack the necessary resources to defend against cyberattacks, which can cost taxpayers millions of dollars and compromise sensitive personal data. … Today’s announcement means that local communities will be able to obtain increased federal resources that will help them identify cybersecurity threats and mitigate the effects of online attacks.”

Threats in the skies

The White House met with representatives of the aviation sector on Thursday to share sensitive information with them on cyberthreats and talk about industry security mandates, said a senior administration official who spoke on the condition of anonymity as part of the rules of the briefing. There is no specific imminent threat at this time, though, the official said.

The meeting “is part of our broader effort to work with the private sector — sector by sector — to show them where we see gaps in their cybersecurity, and then work together to close those gaps,” the official said.

The administration has had similar briefings for two other sectors so far: railroad executives, and oil and gas executives.

As far as industry security mandates go, though, they haven’t been well-received by the aviation sector.

The executive order

President Biden signed an executive order Thursday expanding the national security factors a federal review panel should consider when deciding whether to authorize major foreign investments in U.S. companies.

One of them is cybersecurity. According to the order, the Committee on Foreign Investment in the United States (CFIUS) should take into account whether foreign investors pose cybersecurity risks that could harm U.S. national security, as well as the cybersecurity practices of all parties in the transaction. The committee also should evaluate risks to the sensitive data of Americans, the order says.

The document had generated some hand-wringing from cyber experts before its publication, as Suzanne Smalley wrote for CyberScoop, and was largely seen as stemming from fears about China’s investments in U.S. companies. 

Notably, “This E.O. does not change CFIUS processes or legal jurisdiction,” according to a White House fact sheet. Here’s Brandon Van Grack, a former federal prosecutor who is a partner at Morrison Foerster:

Iran, secure software development

Last week, the White House threatened unspecified action taking aim at Iranian hackers whom the Albanian government blamed for a July cyberattack. As I wrote Thursday, the Biden administration followed through with indictments, sanctions and more. 

I also wrote this week about the White House’s Office of Management and Budget releasing a much-anticipated memo intended to steer agencies and government contractors toward complying with common cybersecurity practices. 

Bloomberg News’s Katrina Manson captured some of the industry response to the memo, while FedScoop’s Dave Nyczepir explored the debate about the guidance calling for contractors to vouch for the cybersecurity of their products rather than using third-party auditors.

The keys

Massive trove of Americans’ data stored in Customs and Border Protection database

The U.S. government adds data from as many as 10,000 devices every year to a massive database compiled with devices seized at airports, seaports and border crossings, Drew Harwell reports. The data is maintained for 15 years and thousands of Customs and Border Protection (CBP) officers can access it without a warrant, raising alarm in Congress.

“CBP’s inspection of people’s phones, laptops, tablets and other electronic devices as they enter the country has long been a controversial practice that the agency has defended as a low-impact way to pursue possible security threats and determine an individual’s ‘intentions upon entry’ into the U.S.,” Drew writes. “But the revelation that thousands of agents have access to a searchable database without public oversight is a new development in what privacy advocates and some lawmakers warn could be an infringement of Americans’ Fourth Amendment rights against unreasonable searches and seizures.”

CBP conducts “border searches of electronic devices in accordance with statutory and regulatory authorities” and has rules to make sure the searches are “exercised judiciously, responsibly, and consistent with the public trust,” CBP spokesman Lawrence “Rusty” Payne said in a statement.

The system was revealed in a letter from Sen. Ron Wyden (D-Ore.) to CBP Commissioner Chris Magnus. In the letter, Wyden criticized the agency for “allowing indiscriminate rifling through Americans’ private records” and called for stronger privacy protections.

FBI seizes phone from election denier with ties to Lindell

Ohio math and science teacher Douglas Frank, who claims to have found secret algorithms used to flip the 2020 election, said two FBI agents served him with a warrant as he stepped off a plane, Emma Brown and Jon Swaine report. The FBI’s Denver office acknowledged that a warrant approved by a court had been served, but it didn’t provide specifics.

Frank is an associate of MyPillow chief executive Mike Lindell, whose phone was seized by the FBI hours earlier. In April 2021, Frank met with Mesa County, Colo., clerk Tina Peters and “showed her how her election was hacked,” he previously told The Post. Frank told Peters that an upcoming update to Dominion voting machines could erase data needed to prove that the election was stolen, and he forwarded Peters’s request for help copying data to someone in Lindell’s circle, he said.

• In March, Peters was indicted. She’s accused of helping an outsider copy sensitive data from the county’s elections systems in May 2021.

“I did nothing illegal,” Frank said when asked about the warrant served on Lindell. He didn’t respond to requests for comment on Thursday. Lindell told The Post he wasn’t involved in copying data from Mesa County’s election management system and didn’t meet with Peters during his August 2021 “cyber symposium.”

Senate confirms first ambassador at large for cyberspace and digital policy

Nate Fick will lead a new office at the State Department while juggling international diplomacy, threats and conflict. Fick has been a cybersecurity executive, author and Marine.

Fick will oversee three international policy units that are focused on the security of cyberspace, international communications policy and digital freedom. Jennifer Bachus, a career diplomat, has been leading the bureau since it launched in April.

Sen. Angus King (I-Maine), a co-chair of the Cyberspace Solarium Commission, called Fick’s confirmation a “historic, long overdue step to address our rapidly changing cyber environment.” Here’s Rep. Jim Langevin (D-R.I.):

Cyber insecurity

Uber suffers computer system breach, alerts authorities (Faiz Siddiqui)

Global cyberspace

Record Chinese cyber breach spurs eruption in data for sale (Bloomberg)

EU wants to toughen cybersecurity rules for smart devices (Associated Press)

Daybook

• A House Oversight and Reform Committee panel holds a hearing on federal IT today at 9 a.m.
• Rep. Michael R. Turner (Ohio), the top Republican on the House Intelligence Committee, speaks at a Heritage Foundation event on countering foreign misinformation and disinformation while protecting civil liberties Monday at 1 p.m.
• Juliane Gallina, the associate deputy director of the CIA’s digital innovation directorate, speaks at an INSA event on Tuesday at 9 a.m.
• The RH-ISAC hosts its cyber intelligence summit Tuesday and Wednesday in Plano, Tex.
• Your newsletter host moderates a discussion with Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), the co-chairs of Cyberspace Solarium Commission 2.0, at a Foundation for Defense of Democracies event Wednesday at 8:30 a.m.

Secure log off

Thanks for reading. See you tomorrow.