Eric Geller
Freelance cybersecurity reporter covering all things digital security. I also co-host @hothtakes. | Send me tips: https://t.co/j2VflOTeFS
Nov 4 8 tweets 2 min read
"As we head into tomorrow," @CISAJen says on a press call happening now, "I can say with great confidence that our election infrastructure has never been more secure and that the election community has never been better prepared to deliver safe, secure, free, and fair elections."

Easterly: "From the national level, during the early-voting period, we have observed small-scale incidents resulting in no significant impacts to election infrastructure."
Oct 22 14 tweets 4 min read
Six years after @CyberSolarium urged Congress to make software vendors legally liable for product failures, very little has been done.

My new story for @TheRecord_Media explores the legal, technical, and political challenges facing software liability: therecord.media/cybersecurity-…

Problem #1: Software vendors have been protected from virtually any form of legal accountability for decades, dating back to when policymakers were afraid of stifling the nascent industry.

Licenses disclaim liability.

It's "a golden-child industry," one legal expert told me.
Jun 28 18 tweets 3 min read
I guess I'll watch the thing. I like the detail that the candidates' positions on the left or right were determined by a coin toss. Is there a better side that both of them really wanted? #Debates2024
Jun 20 6 tweets 4 min read
NEW: Citing natsec concerns, U.S. bans Russian cyber firm @kaspersky from selling its products in the U.S. New sales end 7/20, software updates to existing customers end 9/29.

First use of Trump-era authorities. Move could jolt many businesses.

My story: wired.com/story/us-bans-…
@CommerceGov knows roughly how many organizations use Kaspersky and will work with DHS and DOJ to brief them on alleged national security risks and help them transition to other vendors.

@CISAgov will lead outreach to critical infrastructure orgs, some of which do use Kaspersky.
Jun 13 163 tweets 22 min read
The House Homeland Security Committee is beginning its hearing with Microsoft President @BradSmi about the company's "cascade of security failures":

Background reading for those catching up: homeland.house.gov/hearing/a-casc…
dhs.gov/news/2024/04/0…

Chair Mark Green calls the CSRB report's findings "extremely concerning."

"It falls to this committee to do the due diligence and determine just where Microsoft sits and how it's taken this report to heart."
May 15 75 tweets 11 min read
The Senate Intelligence Committee is holding a hearing on threats to the 2024 election, with DNI Avril Haines, @CISAJen, and FBI National Security Branch chief Larissa Knapp testifying. intelligence.senate.gov/hearings/open-…

SSCI Chair Mark Warner delivers an opening statement summarizing the many different kinds of foreign election interference we've seen, from Russia in 2016 to Iran in 2020 to China now. He also describes Russian interference in other countries' elections.
May 7 14 tweets 7 min read
.@ONCD has released two updates on Biden admin's efforts to implement the National Cybersecurity Strategy: a report on the U.S.'s cyber posture (including actions taken in 2023 and early 2024) and a second NCS implementation plan.

whitehouse.gov/wp-content/upl…
whitehouse.gov/wp-content/upl…

The cyber posture report, required by the FY21 NDAA that created ONCD, describes actions taken by agencies to further the Biden administration's cybersecurity agenda, future agenda items, the threat landscape over the past year-ish, and future challenges.

whitehouse.gov/wp-content/upl…
May 1 19 tweets 3 min read
The House Homeland Security cyber subcommittee is holding a hearing on CISA's implementation of its cyber incident reporting rule:

There are witnesses from the financial services, energy, and telecom industries, along with @AmitElazari.

homeland.house.gov/hearing/survey…

The U.S.'s current "confusing and reactive, rather than proactive, reporting regime increases the risk of the security of our homeland," Chair @RepGarbarino says.
May 1 14 tweets 4 min read
Scoop: @CISAgov is asking software companies to sign a pledge committing them to implementing seven key "secure-by-design" goals.

CISA plans to announce the pledge with ~50 signatories at RSA next week.

Major test of efficacy of CISA's SBD campaign.

wired.com/story/cisa-cyb…
The previously unreported secure-by-design pledge includes goals such as increasing the use of multi-factor authentication, eliminating default passwords, creating vulnerability disclosure programs, and providing free access to network visibility features like log data.
May 1 92 tweets 12 min read
The Senate Finance Committee is holding a hearing on the Change Healthcare hack, with parent company UnitedHealth Group CEO Andrew Witty testifying. finance.senate.gov/hearings/hacki…

"This corporation is a health-care leviathan," Chair @RonWyden says. "I believe the bigger the company, the bigger the responsibility to protect its systems from hackers."
Apr 15 7 tweets 2 min read
Resharing my story about Microsoft.

One thing I wish I could have expanded upon in my story is how the Biden admin's secure-by-design strategy has left the USG unprepared to wield any sort of influence over Microsoft, even as the company doesn't meet SBD expectations. (cont'd)

As one cyber expert told me, "There are good regulators and good enforcement mechanisms around [federal] IT procurement on security ... and the fact that CISA and the SBD team have chosen not to connect that work to those other entities has left it in a very limited position."
Apr 15 24 tweets 7 min read
The U.S. government has a Microsoft problem.

Market dominance, inertia, and savvy PR have almost completely insulated the hack-plagued company from meaningful oversight, even as Biden officials preach corporate accountability.

My new @WIRED story: wired.com/story/the-us-g…
I asked cyber experts, lawmakers, fmr govt officials, & employees of Microsoft's competitors why the company has struggled w/ security and why those woes haven't threatened its business.

Their comments and criticisms mirrored the recent findings of the Cyber Safety Review Board.
Feb 29 18 tweets 3 min read
The House Homeland maritime security subcommittee is holding a hearing on U.S. port cybersecurity:

The hearing, w/ witnesses from DHS, USCG, & Transportation Command, comes a week after a big Biden admin push on port cybersecurity: homeland.house.gov/hearing/subcom…
Subcommittee chair Carlos Gimenez says U.S. ports' use of Chinese-made equipment "introduces significant supply chain vulnerabilities into our maritime transportation system."
Oct 30, 2023 6 tweets 2 min read
Biden has signed his AI executive order. As we await its release, here's what the fact sheet says about "the most sweeping actions ever taken to protect Americans from the potential risks of AI systems"... 🧵 whitehouse.gov/briefing-room/…

Developers of any LLMs with the potential to pose serious risks will have to red-team them for safety and security issues—based on standards developed by NIST—and share the results with the government. Biden is using the Defense Production Act for this.
Sep 22, 2023 63 tweets 10 min read
This week's #Ahsoka episode was one of the finest episodes of Disney Star Wars TV so far. Sabine emerges as the real main character, Thrawn and Ezra's long-awaited introductions absolutely deliver, and it's no coincidence that Ahsoka's best ep yet barely features Rosario Dawson.

Let's start with Sabine, because she continues to be far and away the best character. Natasha Liu Bordizzo must be exhausted from carrying this show on her shoulders.
Aug 9, 2023 8 tweets 2 min read
.@lilyhnewman is moderating a Black Hat keynote with @CISAJen and @VZhora.

Zhora says Ukraine has observed "a shift" in Russian cyberattacks "from disruptive and chaotic attacks to more focused activity [like] cyber espionage and data collection."
Jul 25, 2023 21 tweets 7 min read
Exclusive: While some water utilities have made important progress on cybersecurity, many others struggle to implement complex or time-consuming defenses, according to EPA data I obtained through FOIA.

Meanwhile, the EPA has stopped collecting this data.

themessenger.com/tech/exclusive…

The document I obtained is an EPA dashboard summarizing inspections conducted from spring 2020 to spring 2023 — initial assessments of 249 utilities, plus 6- and 12-month follow-ups with about half of them.

You can browse the full dashboard here: https://t.co/nO4fddefLm (onedrive.live.com/view.aspx?resi…)
May 30, 2023 6 tweets 4 min read
Old but interesting document that I recently got via FOIA: The September 2016 Intelligence Community Assessment of cyber threats to U.S. election systems, ordered by then-President Barack Obama amid Russian hacking fears.

documentcloud.org/documents/2382…

This ICA, an unclassified version of a classified analysis that ODNI wouldn't give me, is one of the first U.S. government assessments of the country's election security posture. Its conclusions match what subsequent reports have said about likely and unlikely attacks and risks.
May 10, 2023 6 tweets 2 min read
At #HackTheCapitol, EPA cyber branch chief Nushat Thomas says the EPA understands complaints from states and utilities that they lack the resources to comply with a new water cyber assessment rule.

She lists a bunch of resources and services that EPA offers.

Thomas: "We have training in place for those states who actually want to conduct the...assessment themselves." EPA developed a water-specific cyber checklist based on CISA's cross-sector cyber performance goals, "and we're training the states on how to utilize that checklist..."
Mar 28, 2023 52 tweets 8 min read
The House Appropriations homeland security subcommittee is holding a hearing on CISA's FY2024 budget request, with @CISAJen testifying: appropriations.house.gov/legislation/he…

"We've received sustained, generous, bipartisan investment from Congress and invaluable new authorities," Easterly says.

She describes how CISA is using its funding to improve its visibility into threats, implement cyber incident reporting rules, and more.
Mar 25, 2023 6 tweets 2 min read
So this week's episode of #TheMandalorian was fine. Not great. The Grogu Order 66 flashback was the best part. Thrilled to see Ahmed Best take the spotlight like that. He deserves the world. (Also nice to see Naboo security forces doing their part ... perhaps Jar Jar sent them?)

As for the stuff at the Mando covert, it was fairly boring. Especially the rescue sequence. I felt like I was supposed to care about that kid and I just ... didn't. Felt like a waste of time. Could have established Bo-Katan's team spirit more economically.