What to expect from NASS and NASED conferences – Politico

With help from Martin Matishak

Editors Note: Weekly Cybersecurity is a weekly version of POLITICO Pros daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the days biggest stories. Act on the news with POLITICO Pro.

State and local officials are meeting this week to discuss how to approach cybersecurity and election security issues in a chaotic time.

Two House panels announced the lawmakers who will lead key cyber subcommittees during this Congress.

Democratic lawmakers want answers from the NSA about an old scandal that they say has taken on new urgency in light of SolarWinds.

HAPPY MONDAY and welcome to Morning Cybersecurity! Cant believe we banished Pluto from the planet club when it was already dealing with this. Send your thoughts, feedback and especially tips to [emailprotected] and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

STATES TAKE STOCK The 2020 election may (finally) be over, but election security remains a top issue for state officials, and its one of several cyber topics that they plan to discuss at a pair of conferences this week. The National Association of State Election Directors is meeting all week, while the National Association of Secretaries of State meets Tuesday through Friday. To say that officials have their plates full would be an understatement, but scattered in between panels about online notarization, corporate transparency and pandemic emergency orders are sessions that will help shape states cybersecurity priorities for the next year and beyond.

Secretaries of state will hear from the lawmakers whose committees oversee elections, including the Democrats pushing a sweeping election security and reform bill and the Republicans vehemently opposing it. House Administration Committee Chairwoman Zoe Lofgren (D-Calif.) and incoming Senate Rules Committee Chairwoman Amy Klobuchar (D-Minn.) are likely to receive a frosty reception as they discuss the For the People Act (H.R. 1 and S. 1), a Democratic bill that includes major election security provisions. State election officials have consistently opposed new federal rules covering voting technology and election administration.

NASS will also hear from Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, which coordinates cybersecurity assistance to states on issues including ransomware and election security. And secretaries will meet behind closed doors to discuss the cybersecurity lessons from the 2020 election cycle.

Over at NASED, two top CISA officials overseeing election security work will discuss lessons from 2020 and priorities for 2021. Other NASED sessions will cover information sharing, incident response, misinformation and pandemic disruptions. Speaking of misinformation, NASS will hold a session about strategies for correcting false election claims.

NASS cybersecurity committee will hear about the value of collaborating with independent security researchers. State IT officials will discuss their collaborations with security companies, including two that run vulnerability disclosure programs. Researchers have spent years urging state officials to launch VDPs so good-faith experts can report flaws in state government systems, and officials are increasingly overcoming their doubts about trusting outside researchers.

Election officials across the country are committed to protecting the sanctity and integrity of the vote, and Im looking forward to this opportunity to share best practices with my colleagues, Iowa Secretary of State Paul Pate, a co-chair of the cyber committee, told MC.

A second panel discussion during the cyber committee meeting will look at the state and local cybersecurity landscape. From ransomware to pandemic-related digital services, state and local officials face a growing array of cyber challenges, and multiple organizations have repeatedly urged Congress to provide grant funding.

MEET THE GAVEL-WIELDERS We now know who will be leading two key cyber-related subcommittees in the 117th Congress, giving outside experts, federal officials and fellow lawmakers a sense of who theyll need to persuade to advance priorities from international norms to bolstering CISA.

Yvette Clarke (D-N.Y.) will chair the House Homeland Security Committees Cybersecurity, Infrastructure Protection, and Innovation Subcommittee, panel chair Bennie Thompson (D-Miss.) announced on Friday. Clarke, who previously led the subcommittee during the 111th Congress, is no stranger to cyber issues, having sponsored or cosponsored bills to improve critical infrastructure security and expand the cyber workforce. She has also urged a focus on cyber hygiene and a nuanced approach to regulation informed by industry input.

Andrew Garbarino (R-N.Y.), a freshman lawmaker, will be the cyber subcommittees top Republican, according to a statement from panel ranking member John Katko (R-N.Y.). Republicans promised to prioritize cybersecurity as the pre-eminent national security threat of our time that demands an evolved approach. Fun fact: Three of the four leaders of the full committee and cyber subcommittee now hail from the same state for what appears to be the first time.

The homeland panels cyber subcommittee will have its hands full in this Congress as it deals with the SolarWinds cyber espionage campaign, CISAs response to SolarWinds and the agencys overall readiness, the supply chain threats posed by foreign-linked telecom companies and many other issues.

William Keating (D-Mass.) will lead the House Foreign Affairs Committees Europe, Energy, the Environment, and Cyber Subcommittee, according to the panels chair, Gregory Meeks (D-N.Y.). Democrats just added cyber to this subcommittees name for the first time, although it already handled the issue as part of its previous emerging threats mandate. Keating hasnt said much about cybersecurity, but in 2017, he criticized then-President Donald Trumps refusal to acknowledge Russias responsibility for its 2016 election cyberattacks.

Among the issues on Keatings plate will be scrutinizing the State Departments creation of its new cyber diplomacy bureau. The outgoing Trump administration green-lit a plan to create the bureau in its final days, but Democratic lawmakers, the Government Accountability Office and some former officials have raised concerns about the plan, saying it fails to coordinate the full spectrum of cyber issues. Republicans have not yet announced their ranking member for the foreign affairs panels cyber subcommittee.

ONCE IS A FLUKE, TWICE IS A COINCIDENCE A group of House and Senate Democrats is pressing the NSA for answers about the spy agencys involvement in the creation of a digital vulnerability that made its way into the firewalls of technology vendor Juniper Networks. Their missive signals a growing awareness on the Hill of the dangers of supply chain attacks, in which hackers compromise software used by their real targets. In a Jan. 28 letter to NSA Director Gen. Paul Nakasone, the lawmakers led by incoming Senate Finance Committee Chair Ron Wyden (D-Ore.) and including new House cyber subcommittee chair Clarke asked for details about the NSAs probe of the Juniper breach.

The American people have a right to know why NSA did not act after the Juniper hack to protect the government from the serious threat posed by supply chain hacks, the lawmakers wrote. A similar supply chain hack was used in the recent SolarWinds breach, in which several government agencies were compromised with malware snuck into the companys software updates.

The group asked Nakasone to answer a series of questions and made requests for additional information, including a Juniper lessons learned report that an NSA official mentioned to Wyden, a senior member of the Senate Intelligence Committee, during a 2018 briefing. The spy agency has yet to make the report available.

MAKING GOOD PROGRESS A U.N. group charged with developing international norms of responsible behavior in cyberspace wrapped up its latest session last week, and the State Departments cyber team praised the groups chief for presiding over a valuable meeting. We appreciate Brazilian Ambassador Guilherme Patriota for effectively chairing the latest session of the @UN Group of Government [sic] Experts on #cyber this week, the cyber office said on Twitter, adding that the GGEs work will help all UN member states understand the importance of cyber norms and the value of helping developing nations build the capacity to defend themselves.

The GGE, a small group championed by the U.S. and other Western nations, faces competition from a separate U.N. body created in 2018 at the urging of Russia. The newer Open-Ended Working Group, or OEWG, has drawn criticism from Western diplomats and independent cyber experts, who accuse Russia of using it to launder dangerous policies that would restrict internet freedom.

HERES TO YOU Colorados chief election official has bestowed an award on former CISA Director Chris Krebs for his leadership of the governments cyber agency during the 2020 election cycle. Krebs fought back against election domestic and foreign misinformation, and fortified election cybersecurity, Colorado Secretary of State Jena Griswold (D) said in a statement. At times Krebs pushed back on misinformation spread by the former President, which ultimately cost him his job. His courage, commitment, and leadership are one of the reasons the 2020 Election was the most secure in our nations history.

PEOPLE ON THE MOVE:

Ian Wallace has joined the State Department as a senior adviser in its cyber office. Wallace previously served as a senior fellow in the digital innovation and democracy program at the German Marshall Fund.

TWEET OF THE DAY Patch your bodies as soon as possible!

Nearly a third of victims in the SolarWinds campaign didnt use SolarWinds software and were instead hacked through a different vector. (Wall Street Journal)

By breaching the federal court system, the SolarWinds hackers may have accessed highly sensitive sealed documents. (Associated Press)

A far-right activist with a security clearance helped Russian hackers spread hacked documents stolen during Frances 2017 election. (Southern Poverty Law center)

A social media campaign used fake, AI-generated profiles to attack Belgiums plan to ban Huawei from its 5G network. (CyberScoop)

If hackers stole your identity and used it to get unemployment benefits, you might soon get a shocking tax bill. (Krebs on Security)

Thats all for today.

Stay in touch with the whole team: Eric Geller ([emailprotected], @ericgeller); Bob King ([emailprotected], @bkingdc); Martin Matishak ([emailprotected], @martinmatishak); and Heidi Vogt ([emailprotected], @heidivogt).