Alarmed by Chinese hacks, Republicans mute attacks on cybersecurity agency
President Donald Trump named the first director of the new Cybersecurity and Infrastructure Security Agency in 2018 and fired him two years later, after he declared that Trump’s loss in the 2020 election wasn’t down to fraud. Ever since, Republicans have targeted the top U.S. cyberdefense agency for downgrades or deep cuts. In November, Republican Sen. Rand Paul of Kentucky, who now leads the Senate committee overseeing CISA, even mused about killing it altogether.
But with Trump back in office, the direst fates appear off the table. Homeland Security Secretary Kristi L. Noem, who oversees the agency, and other Republicans now say they see an essential mission in CISA protecting critical infrastructure from mounting ransomware and nation-state hacking attacks, especially those from the Chinese military and spies.
While Trump has rescinded many of his predecessor’s late-term executive orders, he has so far allowed President Joe Biden’s last one on cybersecurity to stand. It requires software vendors selling to U.S. agencies to prove that they meet security standards intended to better withstand China’s unprecedented rash of successful cyberattacks, including the massive Salt Typhoon hack into America’s telecom systems.
Republicans are finding CISA easier to defend since it steered away from calling out disinformation in the last election cycle, only joining in a handful of FBI advisories about foreign tactics.
Meanwhile, the man most often reported to be among the new administration’s lead candidates for CISA director, Sean Plankey, is widely seen not as a creature of politics but as a steady hand, having had cybersecurity roles in the Department of Energy and the White House after holding top security posts in industry and the military. “Sean is a trusted leader in the cyber domain who knows exactly what must be done to secure our critical infrastructure and address vulnerabilities,” said Erik Conatser, who worked under Plankey at U.S. Cyber Command.
In another sign of continuity — rare in this presidential transition — the Republican chair of the House Homeland Security Committee pledged to work with Democrats to improve the country’s electronic defenses and dedicated his first hearing of the new Congress to cyberthreats.
“Cyberspace has increasingly become the battlefield on which America’s adversaries undermine our sovereignty and threaten the services that underpin the everyday lives of Americans,” Mark Green (R-Tennessee) said in an opening statement focused on the Chinese government-backed hackers who have burrowed deep inside U.S. telecommunications companies for spying and, more ominously, inside utilities and ports, where they could wreak chaos if war breaks out over Taiwan.
“The CCP is strategically pre-positioning itself in the event of escalation in the Indo-Pacific — and we must do more to prepare,” Green said at the hearing, using the initials for the Chinese Communist Party. Perhaps more surprisingly, Green said he agreed with departing CISA Director Jen Easterly’s long-term campaign to broaden the burden of responsibility for hacks beyond the targeted companies to include the makers of vulnerable programs.
“We do not expect companies to protect themselves from sophisticated nation-state actors,” Green told The Washington Post. “We do expect them to uphold the strongest cybersecurity practices.”
Though it does not get the same headline treatment as ransomware attacks on schools and hospitals or China’s Salt Typhoon spying effort, unsafe software is one of the most fundamental problems in securing U.S. facilities, veteran defenders say.
“We have to stop focusing on the proximate cause of someone failing to patch the infrastructure and start asking, ‘Why did that infrastructure need so many patches?’” Easterly told The Post. “It’s just getting worse and worse and worse. And why? Because it’s not that hard for [attackers]. We’ve normalized vulnerabilities in our software.”
Changing that will take years, but Easterly got started by speaking to Green as well as his subcommittee head for cybersecurity and others about that issue. She also rounded up software-makers to sign a voluntary “Secure by Design” pledge, agreeing that they have a greater role to play in fending off cyberattacks, and helped launch a program to recognize trustworthy tech products, starting with smart home devices.
The giant step — establishing legal liability for bad software, along with protections for vendors that follow best practices — would take Congress.
“A software liability regime that’s rooted in an articulable standard of care, that has safe-harbor provisions for those who responsibly innovate — we have to get there,” Easterly said.
Despite the dominance in Washington of pro-business, anti-lawsuit Republicans, that big idea has a chance. More corporations buy software than make it. And the buyers have been on the receiving end of disastrous ransomware and extortion attacks, along with terrible brand damage, that are made possible by security flaws in software.
“The biggest progress we’re going to make is by having bipartisan support for baseline security measures,” said Amit Elazari, former cybersecurity policy chief at Intel and co-founder of Disclose.io, a nonprofit aiming to standardize vulnerability disclosure practices. Early signs suggest that a spur for such cooperation could lie in the continuing threat from Chinese espionage, as well as from hackers extracting $1 billion a year in ransom and extortion payments.
