fbpx

Biden administration goes back to the drawing board on water cybersecurity – The Washington Post

Welcome to The Cybersecurity 202! My cat Julius “Jules” Jonas Jonah Jameson has been extra-angelic of late. He’s always superb, but he’s just on another level of awesomeness recently.

Was this forwarded to you? Sign up here.

Below: The Supreme Court temporarily blocks a social media order, and a sanctioned crypto exchange becomes a hotbed for various illicit financing. First:

With EPA water cyber rule revoked, the administration still has plans to bolster water cybersecurity

After withdrawing a water cybersecurity rule that was facing a legal challenge, the Biden administration plans to seek authority from Congress to bolster digital safeguards for water and wastewater systems, a top national security official told me.

The Environmental Protection Agency last week revoked its March memo on the rule, which would have required states to evaluate the cybersecurity of water systems when conducting sanitation surveys. A court placed a temporary hold on the initiative in July after three GOP state attorneys general filed a petition to review it.

The Biden administration’s national cybersecurity strategy called on agencies to use any existing authorities they have to put in place minimum cybersecurity standards and seek assistance from Congress when they lack authorities. The EPA memo relied on an interpretation of the Safe Drinking Water Act.

“From our perspective, Americans want to know that their water systems are safe, their water systems are secure, that people couldn’t use cyber vulnerabilities to disrupt water systems or cause harm. That’s what’s underpinned the EPA’s rule,” Anne Neuberger, deputy national security adviser for cybersecurity and emerging technology, told me. “Nevertheless, we took stock of the lawsuit and said, ‘let’s take a step back and let’s ensure that we have in place the authorities that EPA needs to ensure that minimum cybersecurity practices are in place for vulnerable water systems across the country.’”  

The Biden administration plans to be pursue its “option B” with the Hill “in the coming weeks,” Neuberger said.

The decision, and what’s next

The attorneys general from Arkansas, Iowa and Missouri contended that, among other things, the EPA rule trampled on states’ rights and would equal increased costs to consumers.

In an Oct. 11 notice about the withdrawal of the rule, the EPA discussed its commitment to water security.

“EPA continues to believe that adopting cybersecurity best practices at public water systems is essential to providing safe and reliable drinking water,” the EPA explanation reads. “EPA encourages all states to voluntarily engage in reviewing public water system cybersecurity programs within the sanitary survey or an alternate process to ensure that deficiencies are corrected, and potential public health impacts are minimized.”

The agency said it would continue to provide technical assistance to states and water systems via “risk assessments, subject matter consultations, training, and funding.”

Neuberger also said the administration wouldn’t give up on water cybersecurity in the absence of the rule. “There are resources states can tap into voluntarily to improve the cybersecurity of vulnerable water systems,” she said. “We have highlighted for states the president’s bipartisan infrastructure law money and encouraged them to tap into that to improve the security of their water systems. The EPA has a team set up with cybersecurity experts. They’ve been working to add security experts to their sanitation surveys.”

Advertisement

The administration could, however, encounter some resistance to providing the EPA with new authorities from Republicans who have criticized Biden’s cyber strategy by saying it is over-regulatory.

  • “The Biden Administration must prioritize streamlining existing regulations while working with the private sector to identify new opportunities for partnership, rather than punishment, particularly through their implementation of this Strategy,” House Homeland Security Committee Chairman Mark Green (R-Tenn.) and cybersecurity and infrastructure protection subcommittee chairman Andrew R. Garbarino (R-N.Y.) said in a statement in March when the administration published its strategy.

Neuberger outlined how the administration would appeal to Congress.

“Traditionally, from a national security perspective, we have two oceans on either side of this country, which keeps the homeland safe,” she said. “Cyber doesn’t need a passport and knows no borders. So the importance of protecting homeland critical infrastructure comes to the fore.

“From our discussions with Republican leaders on the Hill who have put a focus on cybersecurity, they’ve always approached it from a bipartisan perspective,” she said.

On the other side

One of the attorneys general who brought the suit, Missouri’s Andrew Bailey, celebrated the EPA’s decision to drop the rule. (The decision was first reported by the Messenger’s Eric Geller.)

“This was yet another attempt by federal bureaucrats to push a rule through a memo instead of going through Congress,” he said on X, formerly known as Twitter. “Missouri will continue to combat government overreach at every turn.”

So, too, did a pair of groups representing the water sector who joined in on the suit, the American Water Works Association (AWWA) and National Rural Water Association.

“AWWA is pleased that EPA has decided to withdraw its cybersecurity rule,” said the group’s CEO, David LaFrance. “We also recognize that cyberthreats in the water sector are real and growing, and we cannot let our guard down for even a moment. Strong oversight of cybersecurity in the water sector remains critical. We urge U.S. Congress and EPA to support a co-regulatory model that would engage utilities in developing cybersecurity requirements with oversight from EPA.”

The two associations are advocating for legislation called the Cybersecurity for Rural Water Systems Act that authorizes $10 million annually from fiscal years 2024 to 2028 to pay for Agriculture Department cybersecurity experts who give technical assistance to rural water and wastewater systems.

The keys
Supreme Court temporarily blocks curbs on White House social media contacts

The Supreme Court on Friday maintained a block on an order imposed by a lower court that acutely restricts certain federal agencies from communicating with social media companies about removing or suppressing posts, ’s Andrew Chung reports.

“Conservative Justice Samuel Alito temporarily put on hold a preliminary injunction constraining how the White House and certain other federal officials communicate with social media platforms pending the administration’s appeal to the Supreme Court,” Chung writes.

  • The U.S. Court of Appeals for the 5th Circuit ruled last month that certain federal agencies, top government health officials and the FBI likely violated the First Amendment by improperly influencing tech firms’ decisions on removing or suppressing posts about covid-19 and elections. 
  • In that ruling, the scope of an injunction connected to the original July 4 order was narrowed to a smaller group of agencies and put communication restrictions on hold for 10 days to give the Biden administration time to appeal to the Supreme Court. But the 5th Circuit on Oct. 3 reversed course and relisted the Cybersecurity and Infrastructure Security Agency as an alleged First Amendment violator.
  • Experts have suggested the case would be a strong candidate for the high court’s review.

The Friday action puts the case on hold until Oct. 20, giving the justices a week to consider the Biden administration’s request to block the injunction from the lower court.

Sandvine ditches encrypted message surveillance tool, lays off project staff

Canadian networking equipment company Sandvine scrapped a plan to market and sell a controversial surveillance tool that would allow law enforcement agencies to track encrypted messaging exchanges, laying off most of the employees involved in the project, ’s Ryan Gallagher reports, citing four people with knowledge of the matter.

  • Gallagher writes: “Sandvine had pitched the new product, called ‘Digital Witness,’ to governments and law enforcement agencies in Europe, the Middle East, Asia and North America. It was marketed as a tool to covertly monitor people’s internet use and encrypted messages sent using popular applications such as Meta Platform Inc.s’ WhatsApp and Signal, according to the people, who asked not to be identified to discuss confidential matters.” The company declined to comment to Bloomberg News when asked about the project’s shuttering.
  • A combination of economic woes and concerns about Sandvine’s previous activities led to the initiative being scrapped, the report adds. The company’s executive solutions officer Samir Marwaha also said in an emailed statement to Bloomberg News that the company laid off about 50 employees in a move made “to better align to serving our customer base.” The layoffs were “directly attributable to the state of the global economy,” he added. Marwaha declined to comment to Bloomberg News about its products or customers.
  • Rather than breaching devices like a typical spyware tool, Bloomberg News reports that Digital Witness was said to be able to gather and analyze troves of encrypted network traffic and metadata from the communications, allowing the tool to predictively model and classify peoples’ messages, voice calls and transactions.

The FBI and Drug Enforcement Administration had expressed interest in trialing the product, as well as authorities in other nations including India, Europe and the United Arab Emirates, the people familiar told Bloomberg. The FBI and DEA declined to comment to the outlet.

Sandvine was at the center of a Washington Post report last month in which prominent Egyptian opposition politician Ahmed Eltantawy — who plans to challenge President Abdel Fatah El-Sisi in elections next year —  was targeted with a zero-day attack designed to install Predator spyware on iPhones.

  • The Biden administration in July blacklisted Cytrox, which makes Predator, as well as Intellexa, the business alliance to which Cytrox belongs. 
  • Researchers said that attempts to infiltrate Eltantawy’s phone involved using Sandvine’s PacketLogic product, which is designed to help internet companies manage and direct network traffic.
Sanctioned Moscow crypto exchange becomes bedrock for various illicit financing

A U.S.-sanctioned cryptocurrency exchange based in Moscow has become a hotbed for various forms of illicit payment schemes, with Russians using the platform to move funds to back cybercriminal activity and Hamas-linked operatives using it to finance their assault in Israel this past week, ’s Angus Berwick reports.

Customer transactions across the platform, known as Garantex, totaled some $665 million in July, an amount over three times greater than what it processed when it was sanctioned, according to the outlet, which cited crypto data provider Coinpaprika.

  • “Garantex’s growing role as a global conduit for illicit funds was underscored this month by evidence that Palestinian militants in part financed their operations through crypto in the lead-up to the Oct. 7 attacks in Israel,” Berwick writes. “Digital wallets controlled by Palestinian Islamic Jihad, which joined Hamas in the attacks, received a portion of $93 million via Garantex, according to analysis by researcher Elliptic, which said Hamas also used a similar financing strategy,” he adds.
  • In Russia, customers deposit rubles at Garantex locations and receive their funds back in crypto in the form of stablecoins that are often pegged to the U.S. dollar. “These can then be withdrawn as traditional currency abroad from a network of local partners, with little trackable record of the transactions,” the report says.

The Treasury Department has previously sanctioned other Russia crypto exchanges in an effort to stave off cybercrime payment networks. But the digital wallet infrastructure allows exchange operators to easily prop themselves up again, the Journal notes. 

The post-sanction Garantex expansion raises questions about how effective the United States’s efforts to foil potential criminal and terror operation funding are. 

  • “A senior Treasury official told the Wall Street Journal the department was closely monitoring Garantex and was working with partners and allies to close it off as a payment channel,” Berwick writes. “Treasury assessed that wealthy Russian individuals were often using Garantex to move money out of the country. The department is considering future action against actors that are using Garantex for cross-border transactions, the official said.”
  • The Atlantic Council convenes a discussion on the information environment of the Israel-Gaza war at noon.
Secure log off

If you brush a cat with a wet toothbrush, it supposedly reminds them of being groomed by their mother pic.twitter.com/yXFfPw6TP1

— Why you should have a cat (@ShouldHaveCat)

Thanks for reading. See you tomorrow.

This content was originally published here.

Scroll to Top