The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Biden’s budget proposal underscores cybersecurity priorities

Analysis by

with research by Vanessa Montalbano

March 10, 2023 at 7:23 a.m. EST
Welcome to The Cybersecurity 202! “Poker Face” ended its first season well. There was a bit of overseriousness tonally in the episodes building up to the end. I mean, I get it, it’s about murder. Murder is serious. But it’s good to have some fun mixed in with whodunits.

Below: A congressman accuses the FBI of using surveillance powers to spy on him, and a Catholic group worked to obtain dating app data to identify gay priests. First: 

Biden’s budget proposal shows the president’s cyber priorities

President Biden on Thursday proposed a fiscal 2024 budget that emphasizes his cybersecurity priorities, from new ideas like supporting his national cyber strategy to continuations of old ones, like providing further cyber assistance to Ukraine.

“The budget continues to invest in cybersecurity programs recognizing that cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national security,” a White House fact sheet reads.

Every president’s budget is more of an agenda-setting blueprint or wishlist than a likely outcome, especially with a Democratic president working with a politically split Congress to pass appropriations bills. The administration also hasn’t yet published budget proposal documents that provide more specific details — or even the estimated total — of civilian agency spending on cyber.

But based on what Biden put out Thursday, “I think it’s good positive momentum for cybersecurity generally,” Mike Hettinger, a tech lobbyist, told me. When the administration puts out more details, “We’re going to really see where the rubber hits the road.”

Some things new

The budget document makes several references to the national cybersecurity strategy that the administration only rolled out last week. The strategy forecast that it would need money from Congress to implement it.

For instance, the budget seeks $63 million for the Justice Department for more agents, as well as intelligence collection, response and analysis capabilities.

“These investments are in line with the National Cybersecurity Strategy that emphasizes a whole-of-nation approach to addressing the ongoing cyberthreat,” it reads.

The State Department would get $395 million “to advance global cyber and digital development initiatives,” including funding for the Bureau of Cyberspace and Digital Policy established only last year.

  • That funding has critics, though. It’s an example of a misplaced priority in a budget that on the whole represents a “positive investment in federal cybersecurity,” said Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute. “Helping our allies is positive, but American businesses and state and local governments are in desperate need of cyber assistance,” he told me.

Congress last year enacted legislation requiring critical infrastructure owners and operators to report major cyber incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours. The Biden budget would give CISA $98 million to implement that law, due for completion in 2025. 

Also looking ahead to future years: The Secret Service would receive $191 million for protecting presidential candidates and their families during the 2024 race, some of which would inevitably be for digital protections.

CISA would also get “$425 million for the new Cyber Analytics Data System which is a robust and scalable analytic environment capable of providing advanced analytic capabilities to CISA’s cyber operators,” according to a Department of Homeland Security summary.

Some things old

CISA’s budget has been on the rise for years. Biden’s budget would give CISA $3.1 billion, or $149 million more than it received for fiscal 2023, according to DHS. Congress, though, has in recent years often been giving CISA more than the administration seeks. For example, the Biden budget for fiscal 2023 proposed $2.5 billion and Congress ended up giving it $2.9 billion.

Some cybersecurity companies are also seeing the budget as a positive step. “We’re pleased to see CISA get an increase in particular because they have a very important role to fill this year,” said Jamie Brown, senior director of government affairs at cybersecurity firm Tenable. “Their mission is continuing to expand,” including with implementation of the incident reporting law, he said. “We don’t know exactly what is the right amount” to implement that law, Brown said.

Recently retired congressman John Katko, who was the top Republican on the Homeland Security Committee, has said CISA’s budget needs to get to $5 billion.

  • “CISA plays a critical role in our nation’s cyberdefense, and its responsibilities have been growing steadily,” Katko, now a senior adviser at the HillEast Group, told me via email. “I've long said that the agency should receive more funding as it matures, and as the demands on it grow. This budget is in line with that and I think there will be a receptive ear in Congress toward an increase in funding.” 

The Biden budget seeks $753 million “for Ukraine to continue to counter Russian malign influence and to meet emerging needs related to security, energy, cybersecurity, disinformation, macroeconomic stabilization, and civil society resilience.” The administration has touted its cyber assistance to Ukraine.

Assorted budget documents talk money for federal agencies to move toward a “zero-trust” model, which requires users to continuously validate themselves at every part of a network. That’s a continuation of a priority that a 2021 executive order put into place.

Both Hettinger and Brown said they’d be watching closely for more details on the administration’s zero-trust approach in future fiscal 2024 budget documents.

Next, Congress takes the budget proposal and looks to translate it into appropriations bills. Lawmakers have been tardy in doing so for years, a subject that cyber officials testified this week makes it harder for them to do their jobs well.

The keys

Catholic group spent millions on app data to find gay priests

A Denver nonprofit called Catholic Laity and Clergy for Renewal obtained dating and hookup app tracking data to identify gay priests without their knowledge. The group later shared the information with bishops across the country, according to a Washington Post investigation, our colleagues Michelle Boorstein and Heather Kelly report.

According to tax records, the secretive effort was aimed at enabling “the church to carry out its mission” by giving bishops “evidence-based resources” for identifying weaknesses in training priests. 

Two people involved with the church in Colorado, who spoke on the condition of anonymity because the project is not supposed to be public, said they saw it as spying and coercive. U.S. data privacy laws don’t ban the sale of such data.

“One report prepared for bishops says the group’s sources are data brokers who got the information from ad exchanges, which are sites where ads are bought and sold in real time, like a stock market,” Michelle and Heather write. “The group cross-referenced location data from the apps and other details with locations of church residences, workplaces and seminaries to find clergy who were allegedly active on the apps, according to one of the reports and also the audiotape of the group’s president.”

A spokesperson for Catholic Laity and Clergy for Renewal told The Post that its president, Jayd Henricks, would eventually agree to an interview, but Henricks did not respond to requests for comment. After The Post again reached out, Henricks wrote on a website that he was proud to be part of the nonprofit, which aims “to love the Church and to help the Church to be holy, with every tool she could be given,” including data. The group has done other work in addition to its app analysis, Henricks wrote.

Congressman says his name was wrongly searched by FBI

Rep. Darin LaHood (R-Ill.) on Thursday said the FBI had wrongly searched him using data from soon-to-expire surveillance powers known as Section 702, which are used by the intelligence community to investigate threats, our colleagues Devlin Barrett and Shane Harris report.

During an annual House Intelligence Committee hearing about national security, LaHood cited a recently declassified government report that describes an incident, repeated on more than one occasion, in which an analyst searched 702 data “using only the name of a U.S. congressman.”

FBI Director Christopher A. Wray did not dispute LaHood’s assertion that he was the one who had been wrongly queried.

The Justice Department found that those searches were “wholly inappropriate, noncompliant, and a violation, because they were overly broad,” LaHood said. Overall, the report listed governmental misuses of the Section 702 authority. 

It comes as Congress is deciding whether to renew the critical law, with LaHood saying that it will not be reinstated without lawmakers making changes. 

A former TikTok employee is secretly fighting the company on Capitol Hill

“A former risk manager at TikTok has met with congressional investigators to share his concerns that the company’s plan for protecting U.S. user data is deeply flawed, pointing to evidence that could inflame lawmakers’ suspicion of the app at a moment when many are considering a nationwide ban,” our colleague Drew Harwell reports.

In an exclusive interview with The Washington Post, the staffer, who worked at the company until early 2022, said he could identify issues that have the potential to expose Americans’ data to the app’s China-based parent company, potentially undermining TikTok’s $1.5 billion U.S.-based data security restructuring plan.

The former employee, who spoke on the condition of anonymity due to fear of retaliation, shared a piece of code with The Post that he said could connect the platform with Toutiao, a popular Chinese news app owned by TikTok parent ByteDance. His allegations could fuel additional momentum against TikTok as Congress lines up bills to ban the app over concerns that China might be able to meddle in U.S. data.

TikTok officials say that the former employee misunderstood the plan and that he was terminated before TikTok’s data restructuring plan was finalized, meaning he “would have no knowledge of the current status of Project Texas and the many significant milestones the initiative has reached over the last year.” TikTok officials also said his claim about Toutiao was “unfounded” and that the code is “nothing more than a naming convention and technical relic.”

Government scan

Pentagon pursues remote work, employee training programs to attract cyber workers (Axios)

U.S. Chamber of Commerce calls for AI regulation (Reuters)

Hill happenings

House panel approves bills to boost cyber efforts at NTIA through increased coordination, awareness campaigns (Inside Cybersecurity)

Industry report

Security vendors report economic hit as they struggle to lure newer customers (SC Magazine)

Global cyberspace

Police seize Netwire RAT malware infrastructure, arrest admin (Bleeping Computer)

Iran-linked hackers used fake Atlantic Council-affiliated persona to target human rights researchers (CyberScoop)

WhatsApp: Rather be blocked in UK than weaken security (BBC News)

Cyber insecurity

Hackers use stolen student data against Minneapolis schools in brazen new threat (The 74)

Secure log off

Thanks for reading. See you next week.