More Trump admin CISA drama: DHS recently asked CISA to provide confidential SolarWinds data shared by private companies. CISA refused, fearing harm to industry partnerships if companies don't trust its confidentiality promises.
When companies share technical data about cyber intrusions to help CISA understand the activity, the data sometimes contains proprietary business information.
To encourage companies to feed it insights, CISA promises not to share confidential data with other agencies.
Neither DHS nor CISA denied our reporting, although both agencies emphasized that CISA regularly shares cyber info with DHS.
Add this to the list of strains that have emerged in the relationship between CISA and WH/DHS political appointees late in the Trump administration.
So far, hearing that cyber risks of the Capitol attack were low.
* Congress isn't one big network
* Vulnerable machines held unclassified files
* Hill leaks so much already that truly sensitive stuff is walled off
* Rioters weren't there long enough for thorough, careful access
The only computer reported stolen so far was from Senator Merkley’s office. His staff declined to share details, citing an ongoing investigation.
For those wondering about the SCIFs, used for classified files and conversations, their doors were built to withstand embassy sieges, and they’re swept for bugs before every use.
We haven’t seen any indication that they were even targeted, much less seriously attacked.
So I'm just now seeing that @OversightDems has published the latest Plum Book (govinfo.gov/content/pkg/GP…), and there are a bunch of errors. Most are attributable to the June 30 "as of" date, but not all — it says we don't have an NSA director!
Unsurprisingly, it still lists Krebs & Travis at CISA. It also lists Suzette Kent, who resigned as federal CIO in July (though she announced it before the Plum Book's "as of" date).
Maybe I'm missing something, but shouldn't it list the assistant directors at CISA? They're PAs.
Organizationally, there are some interesting choices, like listing the CISA director at the end of the agency's section and doing the same with the federal CIO in the relevant OMB section.
Isn't part of the value of this document that it conveys a sense of hierarchy?
I want to highlight a few of the things that stood out to me.
Hopefully we'll learn these lessons in time for the next crisis.
First, it's impossible to overstate the damage wrought by ignorance, incompetence, and antipathy. Trump appointees simply didn't do what the country desperately needed them to do.
The states haven't needed a strong, engaged federal government this badly since World War II, and yet the Trump administration routinely failed to help or actively made things worse.
Biden is answering press questions now and just talked SolarWinds.
"The Defense Department won't even brief us on many things. ... I know of nothing that suggests it's under control."
"We need international rules of the road on cybersecurity."
"The question of the damage done remains to be determined," Biden said of SolarWinds.
The hackers "can be assured that we will respond and probably respond in kind," he said. "There are many options which I will not discuss now."
"I promise you, there will be a response."
"It may take billions of dollars to secure our cyberspace," Biden says when asked about the practical implications of running a govt whose weaknesses remain unknown. "It may take a great deal to get it done."