At a glance.
- Unfinished business at the Russo-US summit.
- Canada's CSE is also imposing costs on the opposition.
- US will use False Claims Act to prosecute cyber fraud.
- NDAA enacts some cyber measures, but not mandatory reporting.
Little progress made in yesterday’s Russo-US summit.
Tensions between Russia and the West are the worst they’ve been since the Cold War, and reports show that very little compromise was reached during yesterday’s virtual talk between US President Joe Biden and Russian President Vladimir Putin. Biden warned that if Russian forces invade Ukraine, the US would impose economic sanctions on Russia and provide additional defensive support to Ukraine, and he also threatened to disrupt the Nord Stream 2 gas pipeline to Europe. The White House has previously stated its opposition to the pipeline, as it could strip Ukraine of revenue and give the Kremlin undue influence over the continent’s energy supply. The Washington Post explains that, according to Undersecretary of State for Political Affairs Victoria Nuland, the German government has already threatened to discontinue the pipeline if Russia invades Ukraine.
Before the talks, Kremlin spokesman Dmitry Peskov told the Guardian, “Russia isn’t going to attack anyone, but we have our own concerns and our own red lines. [Putin] has made them clear.” Yesterday, Putin expressed his frustrations about Western presence in the Near Abroad and pressed for a legally binding pledge that NATO forces would not continue pushing east. Jake Sullivan, Biden's national security adviser, told Reuters that the US president "made no such commitments or concessions. He stands by the proposition that countries should be able to freely choose who they associate with." The US embassy in Kyiv also denied reports that personnel were being evacuated.
The New York Times adds that directly after the call, Biden spoke with France, Germany, Italy and the UK to gain reassurance of their support in deterring Russian forces and to reaffirm the trans-Atlantic alliance. “We have experts from the Treasury Department, the State Department and the National Security Council in daily contact with the key capitals and with Brussels” to discuss what punitive steps could be taken jointly against Russia, Sullivan said.
Canadian signals intelligence agency goes on the counteroffensive against cyber threats.
Canada’s Communications Security Establishment (CSE) for the first time publicly acknowledged it could engage in both offensive and defensive cyber operations against foreign threat actors. A CSE spokesperson told Global News, “Although we cannot comment on our use of foreign cyber operations (active and defensive cyber operations) or provide operational statistics, we can confirm we have the tools we need to impose a cost on the people behind these kinds of incidents.” As the agency’s operations remained shrouded in secrecy until Edward Snowden’s 2013 disclosures forced them into the public eye, this new admission is considered a major milestone. CSE’s admission of imposing costs on cybercriminals is significant in that it implies the agency is not only focused on combating attacks, but also on deterring them. “It’s a big day in Canadian cybersecurity history,” Carleton University professor and security researcher Stephanie Carvin stated.
US DOJ launches initiative to combat cyber fraud.
JD Supra reports that the US Department of Justice has announced the institution of the Civil Cyber-Fraud Initiative, which will leverage the False Claims Act to pursue “cybersecurity-related fraud by government contractors and grant recipients.” The goal is to target federal contractors and healthcare providers who participate in federal healthcare programs related to data privacy and consciously provide deficient cybersecurity products or services, intentionally misrepresent their cybersecurity practices or protocols, or knowingly neglect to monitor and report cybersecurity incidents. The False Claims Act broadly prohibits anyone from, among other things, knowingly presenting, or “causing to be presented,” a false claim for payment if the claim will be paid directly or indirectly by the federal government. It is the government’s go-to weapon for combating healthcare fraud, and the law recovered $2.2 billion in false claims last year.
NDAA omits cyber reporting provisions, but includes measures for public-private cooperation.
The version of the National Defense Authorization Act (NDAA) that emerged from House and Senate conference does not include, in its final form, a House provision that would have established a Cyber Incident Review Office at the Cybersecurity and Infrastructure Security Agency (CISA) and given CISA broad authorization to establish incident reporting deadlines, The Hill reports. CISA has been following a sector-by-sector approach to incident reporting, and this now seems likely to continue.
According to Federal News Network, the NDAA does include some noteworthy cybersecurity provisions. It authorizes CISA to organize a National Cyber Exercise Program that would be able to simulate “the partial or complete shut down of a government or critical infrastructure network by a cyber incident.” It also authorizes CISA's CyberSentry, a program that would offer continuous monitoring and detection to the owners and operators of critical infrastructure. CyberSentry would be made available on an optional, not a mandatory, basis. And it authorizes the Department of Homeland Security to study ways in which voluntary public-private partnerships might be used “to discover and disrupt the use of the [participating companies'] platforms, systems, services and infrastructure by malicious cyber actors.”
The NDAA also addresses the National Guard's role in cybersecurity. The principal effect of the relevant provision is to resolve ambiguity about how the states might use their Guard: state governments will be explicitly authorized to call upon their Guard for assistance with cybersecurity. Senator Maggie Hassan (Democrat of New Hampshire) wrote to express her gratification that the measure had made it into the NDAA. The measure was introduced last January with the bipartisan sponsorship of Senator Hassan and Senator John Cornyn (Republican of Texas). “State and local governments, as well as private entities, are struggling to defend their online systems against pervasive cyberattacks,” Senator Hassan said. “By making it easier to leverage the talent and expertise of the National Guard across the board, our bipartisan amendment will help prevent cyberattacks before they happen, and quickly respond to attacks that do occur. I am glad that NDAA includes our important measure, and I will keep working across the aisle to strengthen cybersecurity at all levels of government.”
(A side note: there may be no authorization of mandatory cyber reporting requirements, but Military.com points out that the NDAA does include provision for a rapid response team that would go into action to investigate UFO reports, so the bill's got that going for it.)