Hello! I’m your new Cybersecurity 202 author, Tim Starks. It’s my honor to take over this newsletter and its mighty tradition. Allow me to introduce myself.

I join The Post from CyberScoop, where I served as senior editor. Before that, I helmed Politico’s cybersecurity newsletter for five years. I started covering this topic back in 2003, and while I’ve done some other things in between, cybersecurity has been my home base for about 15 years. Over that time, I’ve only gotten more enthused about reporting on it. It’s a crucial topic and still feels like it hasn’t hit the ceiling of how much it can grow in importance.

It’s my hope you’ll join us each day for all the latest in the cybersecurity world (along with asides from yours truly about octopuses, music, the NBA, robots, TV/movies and various other subjects that fascinate me). Don’t be shy about dropping me an email with feedback and news tips.

For today, we’ll be talking about how U.S. lawmakers are beginning to tackle the foreign spyware phenomenon, updated cybersecurity rules for pipelines and whether a Chinese telecommunications company can eavesdrop on U.S. nuclear facilities.

Congress is starting to take a hard look at foreign spyware

Congress has taken relatively little action so far to counter advanced foreign spyware that has eavesdropped on U.S. officials, activists and journalists.

But that appears to be changing, with a rare open House Intelligence Committee hearing this week on the secretive industry.

Companies such as Israel-based NSO Group sell software that can remotely snoop on mobile phones, and it doesn’t even require tricking a user into clicking on something for access. While NSO Group says it only authorizes sales of its Pegasus product to governments for fighting terrorism and crime, reporters and watchdog groups have nonetheless discovered abuses.

Evidence is mounting that foreign spyware is proliferating beyond obvious victims, too, including friends and relatives of those targets. For instance, the University of Toronto’s Citizen Lab said in 2017 that Pegasus spyware targeted the teenage son of a Mexico-based CNN journalist.

  • “I’m frightened that the existence of this technology and the ability of … dictatorships to access this technology makes all of us very vulnerable, and it makes no Americans safe, really, if they can do this so easily,” Carine Kanimba, a reported Pegasus victim who’s set to testify before the House panel Wednesday, told me. Her father is the imprisoned Paul Rusesabagina, the famed activist whose story became the film “Hotel Rwanda.”

The No. 2 Democrat on the House Intelligence Committee, Rep. Jim Himes (Conn.), told me Congress has been slow to act for a few reasons. Foreign spyware is not a “kitchen-table” conversation for most Americans. Few lawmakers are able to gain insight into the clandestine topic. And Congress has historically taken time to catch on to how cutting-edge technology is changing the world.

Now, though, the threat is growing clearer, he said. “I’m not sure that five years ago we ever imagined that a small country in Africa could turn NSA-like capabilities on the U.S. ambassador,” he told The Cybersecurity 202.

A couple of developments in recent months have amplified the congressional focus.

  • A U.S. company, L3Harris, almost purchased NSO Group before the White House raised concerns. The New York Times reported that L3Harris executives said they had the backing of U.S. spy officials to make the acquisition. L3Harris did not answer a request for comment from The Cybersecurity 202.
  • The FBI acknowledged that it tested Pegasus spyware, although FBI Director Chris Wray said the bureau never used it.

“The moment we know that it’s out there and we don’t like it, the very next moment we need to buy it,” Himes said of the intelligence community’s mind-set. “The FBI has not been as forthcoming as we would have liked on the nature of their purchase.” Lawmakers have repeatedly pressed Wray for more answers.

One of Congress’ first actions on foreign spyware came last year, when lawmakers passed legislation requiring the State Department to compile a list of spyware purveyors whose reputations merit the department not doing business with them.

Besides this week’s hearing, the House has in the past two weeks included provisions in two bills — the annual defense and intelligence policy measures — that would make it harder for U.S. firms to purchase companies on a Department of Commerce trade restriction list. NSO Group is on that list, as is fellow Israeli company Candiru, which cybersecurity firm Avast said last week had exploited a once-unknown vulnerability in the Google Chrome browser to spy on Middle Eastern journalists.

As Congress has ramped up its attention to foreign spyware, so has the Biden administration, beyond merely placing NSO Group and Candiru on its “entity list.” National Security Council spokesperson Adrienne Watson touted an “unprecedented, government-wide effort to counter the proliferation of foreign commercial hacking tools among actors who misuse them.” That includes working to implement a ban on U.S. government purchase or use of commercial foreign spyware that has been abused or that poses a counterintelligence threat.

That doesn’t mean more can’t be done. Himes said the United States needs to invest in detection capabilities for hard-to-discover spyware and share threat information with its allies. Kanimba said the United States should scrutinize foreign aid to nations that deploy spyware, like Rwanda. 

Citizen Lab Senior Researcher John Scott-Railton, who also will testify Wednesday, said the United States should establish lifetime bans preventing former government officials from working for spyware companies, and said no U.S. taxpayer dollars should go to those firms; some state pension funds have made investments in related businesses. 

Still, Wednesday’s hearing “sends a clear signal to everybody watching that this issue is on the radar of the intelligence community and on the radar of the people in Congress who pay attention to intelligence,” Scott-Railton said.

“This is an opportunity for the U.S. to really set some standards and some norms,” he said. “We’ve seen that the European Parliament has an ongoing committee also investigating Pegasus. … And I’ve been heartened to see the kinds of signals that are coming out of the administration and Congress on this issue.”

TSA revamps cyber guidelines for pipelines, opting for less prescriptive measures

The new rules require pipeline owners and operators to get approval from the Transportation Security Administration for the cybersecurity measures they plan to apply to their networks. The rules, which the TSA described as being part of an “innovative, performance-based approach,” come after criticism of the previous version of the rules, which were issued in the wake of a ransomware attack on Colonial Pipeline and widespread public attention on the importance and vulnerability of pipeline systems.

The TSA said they were “urgently needed,” but some experts told The Post that they were overly prescriptive, for example, by requiring pipeline operators to patch software vulnerabilities or run anti-virus systems — steps that don’t necessarily make sense on the types of networks that run the pipes.

The TSA published the new rules online. The previous guidelines were first published by The Post, which obtained them through a Freedom of Information Act request.

Authorities investigate whether Huawei technology could allow China to monitor, disrupt U.S. nuclear facilities

The FBI found that Huawei telecommunications equipment on cell towers near U.S. military bases could eavesdrop on — and disrupt — sensitive military communications, CNN’s Katie Bo Lillis reports. It’s not clear if the equipment has actually been used to listen in on those communications, and such an assertion would be difficult to prove. The Commerce Department is investigating the matter, Reuters first reported.

Among the concerns: Telecom provider Viaero has installed Huawei equipment across its cell towers. “By examining the Huawei equipment themselves, FBI investigators determined it could recognize and disrupt DoD-spectrum communications — even though it had been certified by the FCC,” Lillis writes.

  • Huawei denied to CNN that its technology can operate in the Defense Department’s communications spectrum.

Viaero also shares live video feeds from its towers with news organizations, which could give China an intimate look at movements to and from sensitive military installations. “The intelligence community determined the publicly posted live-streams were being viewed and likely captured from China,” Lillis writes, citing three people familiar with the matter. “Two sources briefed on the investigation at the time said officials believed that it was possible for Beijing’s intelligence service to ‘task’ the cameras — hack into the network and control where they pointed. At least some of the cameras in question were running on Huawei networks.”

Viaero chief executive Frank DiRico told CNN that he was “never told to remove the equipment or to make any changes.” He said he learned about U.S. government warnings about Huawei from the news and hasn’t been briefed on the issue. He told CNN the company monitors its network “pretty good” and would have “a pretty good idea if there’s anything going on that’s inappropriate.”

The unsolved mystery attack on internet cables in Paris (WIRED)

Ukrainian radio broadcaster hacked to spread fake news about Zelensky’s health (The Record)

Cyberattacks on Port of Los Angeles have doubled since pandemic (BBC News)

Online insurer Policybazaar says customer data was exposed by ‘unauthorized access’ (TechCrunch)

Twitter investigating authenticity of 5.4 million accounts for sale on hacking forum (The Record)

Uber admits covering up 2016 hacking, avoids prosecution in U.S. settlement (Reuters)

T-Mobile settles to pay $350M to customers in data breach (Associated Press)

US bolsters cyber alliance to counter rising Iran threat (The Hill)

Report: Relocation of Cyber Command to Fort Gordon will have huge impact on region (The Post and Courier)

  • Arizona Secretary of State Katie Hobbs (D) speaks at a Brookings Institution event on election integrity Tuesday at 10 a.m.
  • The Atlantic Council hosts an event on ransomware on Tuesday at 12:30 p.m.
  • The House Intelligence Committee holds a hearing on the national security risks of spyware Wednesday at 10 a.m.
  • The Committee on House Administration holds a hearing on disinformation Wednesday at 10 a.m.
  • A House Homeland Security Committee panel holds a hearing on U.S. Customs and Border Protection’s use of facial recognition technology on Wednesday at 2 p.m.
  • Deputy national security adviser Anne Neuberger speaks at an event hosted by the Center for a New American Security on Thursday at 11:30 a.m.
  • A House Science Committee panel holds a hearing on cybersecurity of space systems Thursday at 10 a.m.
  • The House Judiciary Committee holds a hearing on the Justice Department’s National Security Division on Thursday at 10 a.m.

Thanks for reading. See you tomorrow.