Cyber is now open season for investors

Dec 18, 2023

Driving the day

— Corporate cyber breaches are now under the limelight thanks to the SEC’s lightning-quick disclosure rules for companies that go into effect today.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! I may technically be back from vacation, but in my mind I’m still sipping green wine in Porto — and X is still deleted off all my devices.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below. Let’s dive in.

POLITICO AT CES® 2024: We are going ALL IN On at CES 2024 with a special edition of the POLITICO Digital Future Daily newsletter. The CES-focused newsletter will take you inside the most powerful tech event in the world, featuring revolutionary products that cut across verticals, and insights from industry leaders that are shaping the future of innovation. The newsletter runs from Jan. 9-12 and will focus on the public policy-related aspects of the gathering. Sign up today to receive exclusive coverage of the show.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Today's Agenda

Oracle’s director of solution engineering Jim Donlon, associate vice president for research and economic development at SUNY Albany Theresa Pardo and others are joining the Government Executive Media Group for a virtual discussion on AI and public education. 11 a.m.

At the Agencies

CORPORATE BREACHES EXPOSED — While Congress is out for the holidays, the Securities and Exchange Commission is delivering a lump of coal to corporate America in the form of new cybersecurity disclosure rules that kick in today.

The move comes as the SEC tries to crack down on a deluge of C-suite cyberattacks, but it faces backlash from companies and lawmakers who argue the turnaround is just too tight. Here’s what the new rules mean.

— Incident hotline: As of today, any major cyber breach deemed “material” (think data breaches or ransomware raids) has to be splashed onto their forms within four business days. When the cyber disclosure rules dropped Friday, that was only for companies whose fiscal years ended on that day.

— Annual cyber audit: Every year, companies will dish on their cyber risk management strategies, board oversight and the juicy details of past breaches (if any). Think of it as a public cybersecurity report card, filed alongside the usual earnings babble.

— And everyone’s invited: Foreign private issuers get their own disclosure rules, with comparable requirements for incidents and annual reports.

— There’s no industry love: Companies for months have been lobbying for breathing room — including through national security and public safety exemptions — to get more disclosure time.

“In the midst of an incident,” Nick Sanna, founder of the FAIR Institute and president of Safe Security, tells MC, “it is unlikely that [companies] can make a good assessment and disclosure on time if they haven’t adopted a quantitative model and tested it before.”

Boardrooms have been arguing that four days is barely enough time to disentangle from ongoing hacks, patch major software flaws and avoid inadvertently giving attackers more intel.

But top officials with the Department of Justice, CISA and the FBI poured cold water on those exemption pleas. Instead of a sweeping security shield, the DOJ said exemptions starting today “will be met not at all that often.”

If a rare exemption is granted, victims would be offered a maximum of 120 additional days before disclosing the incident publicly.

— Lawmakers aren’t too pleased either: At a House Homeland Security cyber subcommittee hearing last week, Chair Andrew Garbarino (R-N.Y.) unloaded on the flaws in the rules. His frustration? Palpable. His word? “Terrible.”

And ranking member Rep. Eric Swalwell (D-Calif.) cut in with a “same.”

You may even remember that Garbarino recently introduced a rare congressional procedure designed to overturn the SEC policy — with Sen. Thom Tillis (R-N.C.) introducing a companion measure.

— What does this mean for the C-Suite?: Business as usual. Companies will now have to navigate short deadlines, limited exemptions and potentially tricky SEC inquiries.

“Testing cyber disclosure processes during live incidents is a recipe for failure,” Sanna said.

Cyber Diplomacy

CYBER DEEP DIVE — Nearing the top of the Indo-Pacific itinerary following the Quad’s recent cyber meet-up is “a big push” on undersea cables, a senior administration official tells MC.

The Quad — a coalition of cyber officials from Australia, India, Japan and the United States — convened in Tokyo this month in a bid to fortify cyberspace across the Indo-Pacific.

— Seabeds not firewalls: The Quad recognizes the cables as strategic chokepoints, and the countries are working on bolstering their resilience against sabotage and natural disasters.

“We are making it a big part of our 5G push,” the official said.

— All part of the plan: The West is increasingly fixating on undersea infrastructure, aiming to rival China’s Belt and Road behemoth with Build Back Better World — Washington’s answer to Beijing’s infrastructure empire by investing in telecom networks, the cloud and undersea cables in developing countries.

The International Scene

SOCIAL MEDIA AS A WEAPON — Former Ukrainian Defense Minister Oleksii Reznikov has a new enemy, and it’s lurking on TikTok.

A recent joint investigation by the DFRLab and BBC Verify discovered a massive covert Russian influence operation targeting the ousted Ukrainian official with a barrage of corruption accusations.

— The tactics: The operation relied on a network of fake pro-Kremlin accounts, each uploading just one video before disappearing. These videos, despite lacking concrete evidence, leveraged real-world events like a procurement scandal within the Ukrainian Defense Ministry to gain traction.

But it was the simplicity of the campaign that struck a chord with DFRLab associate researcher Roman Osadchuk, telling MC it was chillingly basic.

“A few images stolen from the web, stitched together with voiceover AI, subtitles, spurious claims and dramatic music,” Osadchuck explained. “Such a video has the potential to make rounds and reach millions.

“In the future, those things might be automated and spread on an even bigger scale,” he added.

— Fans of war: But it didn’t just stop at TikTok: Russian state-backed bloggers picked up the narrative and blasted it across social media platforms, including X.

The BBC identified nearly 800 fake accounts since July. TikTok identified and removed more than 12,000 accounts linked to the operation, which had amassed 847,000 subscribers and likely generated hundreds of millions of views.

— The outcome: While Reznikov hasn't been directly linked to the scandal, President Volodymyr Zelenskyy requested his resignation in September, giving the false narratives a veneer of legitimacy.

— Dissecting the deluge: Osadchuk tells MC verifying information in real time is crucial, but that platforms need tools to facilitate such rapid debunking. He also suggests sharing the battle plan between platforms and researchers, who need to work together on threat insights and identifying recurring patterns across campaigns to predict and disrupt future operations.

Industry Intel

STUCK WITH US — In the wizarding world of tech, a hidden cost lurks beneath the glossy appearance of software subscriptions: the “cyber tax.” That’s a burgeoning problem for the Coalition for Fair Software Licensing and cyber firm Prescient, according to a new report shared exclusively with Morning Cyber.

Legacy cybersecurity vendors, they argue, are leveraging their market muscle to lock customers into proprietary ecosystems — stifling competition and innovation. And it comes at a steep price, measured in vulnerabilities, skyrocketing incident response costs and a cooling effect on overall cyber resilience.

— What it looks like: Tiered pricing models include essential security features bundled into other more expensive packages — leaving businesses to pay up for comprehensive protection or roll the dice with bare-bones defenses.

— Microsoft under the microscope: Researchers say this levy, extracted by giants like Microsoft through restrictive licensing practices, shackles businesses to insecure environments and exposes them to a rising tide of cyberattacks. Citing CISA statistics, the report says Microsoft itself accounts for nearly 30 percent of known vulnerabilities reported since 2021.

— Under the radar complexities: Practices include the “forced upgrade” trap, the report adds, where a breach strikes and legacy vendors swoop in to offer solutions and security tools that are even more expensive. It’s a Catch-22 that further entangles businesses and makes it harder to embrace alternative solutions.

Tweet of the Day

Still looking for a Christmas gift for your cyber pals?

Source: https://twitter.com/nostarch/status/1736098887398478288

Quick Bytes

LOCATION DATA UH-OH — Google will soon let users store their location data on their devices, eliminating the practice of "geofence warrants" where police obtain vast amounts of location data from Google to identify suspects, Zack Whittaker reports for TechCrunch.

ANOTHER SPYING INCIDENT — Chinese spies manipulated a far-right Belgian politician for three years to sway European views on Hong Kong, Xinjiang and more, in an influence campaign aiming to sow discord and weaken U.S.-EU ties. Get the details from FT’s Demetri Sevastapulo, Henry Foy, John Paul Rathbone and Joe Leahy.

“7 Months Inside an Online Scam Labor Camp” (The New York Times)

Chat soon.

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).

GLOBAL PLAYBOOK IS TAKING YOU TO DAVOS! Unlock the insider's guide to one of the world's most influential gatherings as POLITICO's Global Playbook takes you behind the scenes of the 2024 World Economic Forum. Author Suzanne Lynch will be on the ground in the Swiss Alps, bringing you the exclusive conversations, shifting power dynamics and groundbreaking ideas shaping the agenda in Davos. Stay in the know with POLITICO's Global Playbook, your VIP pass to the world’s most influential gatherings. SUBSCRIBE NOW.