Eric Geller
Freelance cybersecurity reporter covering all things digital security. I also co-host @hothtakes. | Send me tips: https://t.co/j2VflOTeFS
Dec 16 (11 tweets)
In 2021, Congress gave state and local governments $1 billion for cyber improvements.

The program has been transformative, but it expires next year. My new @TheRecord_Media story explores what it's accomplished and what will happen if it isn't renewed: therecord.media/federal-money-…

I talked to folks from @NASCIO, @NACoTweets, @CTDEMHS, and @MontanaDES about the grant program.

They all said it's been a vital lifeline for cash-strapped, hack-plagued government agencies.

It "has been a game-changer," said CT emergency management director William Turner.
Dec 16 (11 tweets)
New from me: Inside @CISAgov as Trump prepares to take power.

Employees are worried that he'll end key projects, drive away star talent, and generally weaken the agency's role in protecting the government and the nation from hackers.

My @WIRED story: wired.com/story/cisa-cut…

CISA staffers expect Trump to spurn efforts to raise the tech industry's security baseline.

"Compliance efforts like secure-by-design may not have the support that they currently benefit from," one employee said.

Also at risk: Election security aid and incident reporting rules.
Dec 4 (12 tweets)
The White House just held a press call to discuss the latest on China's "Salt Typhoon" hacking campaign against telecommunications companies.

New detail: "At least eight" U.S. telcos have been hacked, deputy national security adviser for cyber Anne Neuberger said. The Salt Typhoon activity "has been underway for some time," a senior administration official said -- "likely one to two years." China has hacked telcos in "a couple of dozen" countries during that time.
Dec 3 (18 tweets)
Senior CISA and FBI officials just held a background call to brief reporters on the status of their investigation into Chinese hacking of U.S. and foreign telecom companies.

It sounds like telecoms are a long way from being able to evict the Chinese hackers from their networks. "The continued investigation into the PRC targeting commercial telecom infrastructure has revealed a broad and significant cyber-espionage campaign," a senior FBI official said.

Investigation began late spring/early summer and has involved meetings with "scores" of U.S. telcos.
Nov 4 (8 tweets)
"As we head into tomorrow," @CISAJen says on a press call happening now, "I can say with great confidence that our election infrastructure has never been more secure and that the election community has never been better prepared to deliver safe, secure, free, and fair elections."

Easterly: "From the national level, during the early-voting period, we have observed small-scale incidents resulting in no significant impacts to election infrastructure."
Oct 22 (14 tweets)
Six years after @CyberSolarium urged Congress to make software vendors legally liable for product failures, very little has been done.

My new story for @TheRecord_Media explores the legal, technical, and political challenges facing software liability: therecord.media/cybersecurity-…

Problem #1: Software vendors have been protected from virtually any form of legal accountability for decades, dating back to when policymakers were afraid of stifling the nascent industry.

Licenses disclaim liability.

It's "a golden-child industry," one legal expert told me.
Jun 28 (18 tweets)
I guess I'll watch the thing. I like the detail that the candidates' positions on the left or right were determined by a coin toss. Is there a better side that both of them really wanted? #Debates2024
Jun 20 (6 tweets)
NEW: Citing natsec concerns, U.S. bans Russian cyber firm @kaspersky from selling its products in the U.S. New sales end 7/20, software updates to existing customers end 9/29.

First use of Trump-era authorities. Move could jolt many businesses.

My story: wired.com/story/us-bans-…
@CommerceGov knows roughly how many organizations use Kaspersky and will work with DHS and DOJ to brief them on alleged national security risks and help them transition to other vendors.

@CISAgov will lead outreach to critical infrastructure orgs, some of which do use Kaspersky.
Jun 13 (163 tweets)
The House Homeland Security Committee is beginning its hearing with Microsoft President @BradSmi about the company's "cascade of security failures":

Background reading for those catching up: homeland.house.gov/hearing/a-casc…
dhs.gov/news/2024/04/0…

Chair Mark Green calls the CSRB report's findings "extremely concerning."

"It falls to this committee to do the due diligence and determine just where Microsoft sits and how it's taken this report to heart."
May 15 (75 tweets)
The Senate Intelligence Committee is holding a hearing on threats to the 2024 election, with DNI Avril Haines, @CISAJen, and FBI National Security Branch chief Larissa Knapp testifying. intelligence.senate.gov/hearings/open-…

SSCI Chair Mark Warner delivers an opening statement summarizing the many different kinds of foreign election interference we've seen, from Russia in 2016 to Iran in 2020 to China now. He also describes Russian interference in other countries' elections.
May 7 (14 tweets)
.@ONCD has released two updates on Biden admin's efforts to implement the National Cybersecurity Strategy: a report on the U.S.'s cyber posture (including actions taken in 2023 and early 2024) and a second NCS implementation plan.

whitehouse.gov/wp-content/upl…
whitehouse.gov/wp-content/upl…
The cyber posture report, required by the FY21 NDAA that created ONCD, describes actions taken by agencies to further the Biden administration's cybersecurity agenda, future agenda items, the threat landscape over the past year-ish, and future challenges.

whitehouse.gov/wp-content/upl…
May 1 (19 tweets)
The House Homeland Security cyber subcommittee is holding a hearing on CISA's implementation of its cyber incident reporting rule:

There are witnesses from the financial services, energy, and telecom industries, along with @AmitElazari. homeland.house.gov/hearing/survey…

The U.S.'s current "confusing and reactive, rather than proactive, reporting regime increases the risk of the security of our homeland," Chair @RepGarbarino says.
May 1 (14 tweets)
Scoop: @CISAgov is asking software companies to sign a pledge committing them to implementing seven key "secure-by-design" goals.

CISA plans to announce the pledge with ~50 signatories at RSA next week.

Major test of efficacy of CISA's SBD campaign.

wired.com/story/cisa-cyb…
The previously unreported secure-by-design pledge includes goals such as increasing the use of multi-factor authentication, eliminating default passwords, creating vulnerability disclosure programs, and providing free access to network visibility features like log data.
May 1 (92 tweets)
The Senate Finance Committee is holding a hearing on the Change Healthcare hack, with parent company UnitedHealth Group CEO Andrew Witty testifying. finance.senate.gov/hearings/hacki…

"This corporation is a health-care leviathan," Chair @RonWyden says. "I believe the bigger the company, the bigger the responsibility to protect its systems from hackers."
Apr 15 (7 tweets)
Resharing my story about Microsoft.

One thing I wish I could have expanded upon in my story is how the Biden admin's secure-by-design strategy has left the USG unprepared to wield any sort of influence over Microsoft, even as the company doesn't meet SBD expectations. (cont'd)

As one cyber expert told me, "There are good regulators and good enforcement mechanisms around [federal] IT procurement on security ... and the fact that CISA and the SBD team have chosen not to connect that work to those other entities has left it in a very limited position."
Apr 15 (24 tweets)
The U.S. government has a Microsoft problem.

Market dominance, inertia, and savvy PR have almost completely insulated the hack-plagued company from meaningful oversight, even as Biden officials preach corporate accountability.

My new @WIRED story: wired.com/story/the-us-g…
I asked cyber experts, lawmakers, fmr govt officials, & employees of Microsoft's competitors why the company has struggled w/ security and why those woes haven't threatened its business.

Their comments and criticisms mirrored the recent findings of the Cyber Safety Review Board.
Feb 29 (18 tweets)
The House Homeland maritime security subcommittee is holding a hearing on U.S. port cybersecurity:

The hearing, w/ witnesses from DHS, USCG, & Transportation Command, comes a week after a big Biden admin push on port cybersecurity: homeland.house.gov/hearing/subcom…
Subcommittee chair Carlos Gimenez says U.S. ports' use of Chinese-made equipment "introduces significant supply chain vulnerabilities into our maritime transportation system."
Oct 30, 2023 (6 tweets)
Biden has signed his AI executive order. As we await its release, here's what the fact sheet says about "the most sweeping actions ever taken to protect Americans from the potential risks of AI systems"... 🧵 whitehouse.gov/briefing-room/…

Developers of any LLMs with the potential to pose serious risks will have to red-team them for safety and security issues—based on standards developed by NIST—and share the results with the government. Biden is using the Defense Production Act for this.
Sep 22, 2023 (63 tweets)
This week’s #Ahsoka episode was one of the finest episodes of Disney Star Wars TV so far. Sabine emerges as the real main character, Thrawn and Ezra’s long-awaited introductions absolutely deliver, and it’s no coincidence that Ahsoka’s best ep yet barely features Rosario Dawson.

Let's start with Sabine, because she continues to be far and away the best character. Natasha Liu Bordizzo must be exhausted from carrying this show on her shoulders.
Aug 9, 2023 (8 tweets)
.@lilyhnewman is moderating a Black Hat keynote with @CISAJen and @VZhora.

Zhora says Ukraine has observed “a shift" in Russian cyberattacks "from disruptive and chaotic attacks to more focused activity [like] cyber espionage and data collection."
Jul 25, 2023 (21 tweets)
Exclusive: While some water utilities have made important progress on cybersecurity, many others struggle to implement complex or time-consuming defenses, according to EPA data I obtained through FOIA.

Meanwhile, the EPA has stopped collecting this data.

themessenger.com/tech/exclusive…

The document I obtained is an EPA dashboard summarizing inspections conducted from spring 2020 to spring 2023 — initial assessments of 249 utilities, plus 6- and 12-month follow-ups with about half of them.

You can browse the full dashboard here: https://t.co/nO4fddefLm (onedrive.live.com/view.aspx?resi…)