Editor’s Note: Cybersecurity Weekly is a weekly version of POLITICO Pro’s daily cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a political intelligence platform that combines the news you need with tools you can use to take action on the biggest stories of the day. Take action on the news with POLITICO Pro.
– As schools prepare for a new school year, their districts remain sitting ducks for ransomware actors looking for a salary, experts say.
– Review of Apple’s New Child Abuse Measures escalated over the weekend as an open letter criticizing the move garnered more than 5,400 signatures from tech experts.
– The infrastructure package remains a slow train, but if it passes, defenders of grid security will have much to celebrate.
HELLO MONDAY and welcome to Morning Cybersecurity! I am your host, Sam Sabin. Start your week off on the right foot by sending ideas, comments and most importantly story tips to [email protected]. To pursue @POLITICOPro and @MatinCybersec. Full team contact details below.
RANSOMWARE BACK TO SCHOOL – The Delta Covid variant isn’t the only thing threatening the safety of school reopens this month. A wave of ransomware attacks targeting school systems could also prevent students from having a “normal” school year again.
So far this year, ransomware attacks have disrupted 58 educational organizations and school districts in the United States, including 830 individual schools, according to Brett Callow, Threat Analyst at Emsisoft, last month. Compare that to 2020, when Emsisoft estimates that 84 incidents disrupted learning at 1,681 schools, colleges and universities.
And the start of the school year is prime time for cybercriminals targeting schools, said Doug Levin, national director of the K-12 Security Information Exchange.
“Back to school, especially for ransomware, is a difficult time – especially over the past two years, when ransomware players have really started to focus on national and local government agencies, including school districts.” , Levin said.
For example, last year schools in Hartford, Connecticut postponed the first day of school for their 18,000 students due to a ransomware attack. The previous year, Louisiana Governor John Bel Edwards declared a state of emergency about a month before school started after ransomware attacks targeted three school districts in a week.
– Don’t help things: Much like attacks on critical infrastructure, ransomware players have attacked larger school districts over the past year, Levin said. And with the popularity of distance learning during the pandemic, ransomware criminals have demanded even higher payments in some cases, acknowledging that schools will feel even more pressure to pay.
Among school district IT managers, The threat of ransomware has become a growing concern, Levin said, but institutional issues pose a challenge to making major changes to security protocols. “Just because IT is concerned that doesn’t mean superintendents and school board members are concerned,” he said. “They are the ones who set the neighborhood’s priorities and they are the ones who take care of the purse strings.
– A glimmer of hope : The growth of cyber insurance is forcing some schools to make security a priority. If districts want lower policy or premiums, they must meet certain security standards, such as implementing multi-factor authentication.
“If these big companies can’t stand up for themselves, and even members of the federal government are affected by this stuff, school districts really don’t stand a chance against a qualified and motivated player,” Levin said.
THE SNOW OF APPLE PRIVACY – Since Apple announced last week that it would start scanning hashes of iCloud photos of iPhone users for signs of known cases of child abuse, concerns that the new tool could create a dangerous precedent among government agencies has only grown.
Over the weekend, more than 5,400 tech experts and privacy advocates signed an open letter calling on Apple to end its plans and issue a statement “reaffirming [its] commitment to end-to-end encryption and user privacy. WhatsApp Director Will Cathcart said on Friday the app is not working plans to replicate Apple systems because “the approach they are taking introduces something of great concern to the world.” Epic Games CEO Tim Sweeney, who is engaged in an antitrust lawsuit against Apple, said on Saturday that “Inevitably, this is government spyware installed by Apple on the basis of a presumption of guilt.”
At the same time, Lawmakers and government officials applaud this decision: Senator Richard Blumenthal (D-Conn.) Called Apple’s new tools a “Welcome, innovative and daring step”. “It’s time for others – especially @Facebook – to follow their lead”, Sajid Javid, UK Secretary of State for Health and Social Affairs tweeted friday.
– This creates a difficult dynamic for Apple to navigateOn the one hand, it’s been pushing the idea across Silicon Valley for years that it’s the only Big Tech company that cares about user privacy and encryption. On the other hand, government agencies have urged the company for years to provide a “back door” to its encryption to help investigate cases of child abuse and terrorism.
Either way, privacy advocates say the new tool sends a very different message from typical Apple privacy and surveillance practices. Remember when the company bought a billboard at CES 2019 in Las Vegas that said “What happens on your iPhone stays on your iPhone”?
KEEP LIGHTS ON – As debate continues this week over the $ 550 billion infrastructure package, one cybersecurity provision is exciting for cybersecurity experts: provisions testing the cyber resilience of the country’s power grid.
“This is the target that you could do the most damage in the United States if you attack them and it is a target that we know is vulnerable,” said Jim Lewis, senior vice president and program director at the Center for Strategic and International Studies.
The infrastructure bill includes two provisions specifically targeting the security of the electricity network:
– The first is the wording of the law on improving grid security through public-private partnerships, which was passed by the House last month and requires the Ministry of Energy to put in place a program to facilitate public-private partnerships to audit and assess the physical security and cybersecurity of public services. . It’s similar to a 100-day program that the Department of Energy launched in April.
– And the second is creating a Cyber Sense program at DOE to test the cybersecurity of products used in the bulk feed system. A bill implementing the program was also passed in the House last month.
Network security has long been a concern among experts in cybersecurity and energy policy. When Russia remotely accessed the three Ukrainian energy utilities in 2015, 200,000 consumers lost service. And the Government Accountability Office warned in March that power grid distribution systems “are becoming more vulnerable to cyber attacks, in part due to the introduction and reliance on monitoring and control technologies.”
Energy Secretary Jennifer Granholm said adversaries already have the capacity to dismantle the grid.
And Washington has been looking for solutions for years to strengthen distributors’ systems against any cyberattack before it was a tool: a House oversight subcommittee looked into the problem last month, and the Energy Ministry’s cyber office undertook in April a 100-day plan for operators and owners of electric utilities to upgrade their critical industrial systems. cybersecurity of control systems.
Thus, the infrastructure provisions were widely seen as a step forward. in the right direction to defend the power grid.
“At present, the power sector is the only sector in existence with mandatory regulatory compliance and, although it has improved the security posture of the power sector, it is still not at the level necessary to make them defensible” , Ben Miller, vice president of professional services and research and development at cybersecurity firm Dragos, MC said in a statement.
CLIMB THE LADDER – As part of the Department of Homeland Security’s broader effort to recruit and retain cybersecurity workforce, CISA on Friday released a workforce training guide to help all future and current Federal, state and local cybersecurity officers to determine what their path to follow in government jobs might look like. . The training guide includes possible certifications, training opportunities, and opportunities for observation or rotation across the federal government.
– The guide’s release comes after DHS secretary Alejandro Mayorkas touted the new cyber talent management system in his remarks on Black Hat last week. DHS also hired nearly 300 cybersecurity professionals during a 60-day cybersecurity sprint in May and June.
From Georgetown computer science professor Matt Blaze: “Let’s assume that everything will always work as expected,” said no one with more than 10 minutes of security experience.
– A call center that counts Apple, Amazon and Uber as customers needs AI-powered cameras to monitor employees inside their own homes, causing surveillance issues. (NBC News)
– “Washington is waking up under the influence of crypto in the midst of the fight against infrastructure.” (POLITICS)
– AI is now able to write phishing emails, warned researchers at Black Hat and DEF CON. (Cable)
– Cyber security workers are wearing themselves out amid an increase in attacks. Here is how the experts in the workplace try to fight it. (Initiated)
– “” It’s huge “: inside the black market for counterfeit COVID vaccine passports” (Fortune)
– Australian government warns that attacks by the recently launched LockBit 2.0 ransomware gang are on the rise. (Sound computer)
We’ll talk later.
Stay in touch with the whole team: Eric Geller ([email protected]); Bob King ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).