A potential CFATS-trophe

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.
Jan 16, 2024

By Joseph Gedeon

— With help from Matt Berg

Driving the day

— With CFATS undone for almost half a year while war widens in the Middle East, a renewed reauthorization push comes back to Congress in the new year to prevent chemical materials from falling into the wrong hands.

HAPPY TUESDAY, and welcome to MORNING CYBERSECURITY! One of the gadgets I’m judging you on that came out of CES 2024? Samsung’s upgraded AI friend bot Ballie. WALL-E vibes aside, we all still remember how the movie “I, Robot” started, right? Right?

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.


Today's Agenda

POLITICO is hosting an AI discussion in Davos on “The Great AI Debate,” featuring IBM senior vice president for software Rob Thomas and others. 12 p.m.

White House special adviser on AI Ben Buchanan, former National Security Agency deputy director George Barnes and others are joining the Aspen Institute for a virtual conversation on the impact of AI on cybersecurity. 10 a.m.

Defense News is holding a virtual discussion on data-driven defense and how AI propels the military, featuring U.S. Air Force operations commander Col. Tucker Hamilton and Virtualitics federal chief technology officer Kyle Rice. 2 p.m.

On the Hill

CHEMICAL IMBALANCE — It’s been about six months since the nation's chemical security shield vanished, and now industry and agency officials are banding together today to push Congress to restore the regulation as part of this year's must-pass spending bills.

And in the shadow of a war that threatens to expand across the Middle East, anxieties are mounting about the nation’s potentially weaponizable chemicals sitting overexposed, all of which could be within reach of America’s foreign adversaries.

— Fumbling the ball: After Congress failed to save the Chemical Facility Anti-Terrorism Standards program last July, thousands of facilities are no longer required to report their chemicals of interest to CISA. The cyber agency wants you to know that’s a big deal, since most chemical facilities rely on computer systems to control and monitor operations.

And if one of those systems is compromised, hackers could gain access to the facility's control systems.

“Absent the CFATS authority, we cannot ensure that chemical facilities are mitigating the terrorist exploitation of chemical holdings,” Director Jen Easterly wrote in an August op-ed in the Washington Post.

— Sound (sorta) familiar?: Who could forget that Iranian state-linked hackers breached at least 18 water facilities across the United States late last year to lock up systems and display crude messages? The water sector is not at all like high-risk chemical facilities, but successful critical infrastructure attacks may very well telegraph other more sinister ones by more sophisticated cyber actors down the line.

— Protect yourself or else: The House overwhelmingly voted to revive the program, but in the other chamber Sen. Rand Paul (R-Ky.) stood alone in opposition. His reasoning? CFATS is a barrier to newer and smaller companies, while bigger companies will protect themselves and handle cyber safety just fine.

But the American Chemistry Council’s advocacy communications director, Scott Jensen, said reality doesn’t quite jibe with that explanation, telling Morning Cyber “our membership is actually comprised of about 50 percent small to medium sized enterprises and they all support CFATS.”

— Flip the script: While the program is important, it needs some updates “to justify its monumental historical price tag,” Brian Harrell, CISA’s former assistant director for infrastructure security under the Trump administration, told POLITICO’s Matt Berg. CFATS was last approved with a $74 million budget.

Harrell adds that the threat of terrorism is overhyped since there haven’t been any major disasters at such facilities or other high-risk places that don’t use the program.

“The idea that the lack of a terrorist screening database is putting the country at risk is a stretch given that other critical sectors screen without this tool just fine.”

— On the contrary: But try telling that to CISA executive director for infrastructure security David Mussington, who warned in an interview with POLITICO that “adversaries will have better opportunities to take previously well-secured chemicals … and misuse them.”

According to Mussington and CISA data, the agency was watching around 3,200 facilities — with some 300 names run through agency databases every day to check for suspicious people.

— What comes next: Rep. Laurel Lee (R-Fla.), CISA associate director of Chemical Security Kelly Murray and industry groups are holding a virtual meeting this afternoon to talk through the path forward on the chemical program.

Artificial Intelligence

THE FUTURE IS NOW — Last year, AI burst onto the scene and everyone’s legislative agenda, with lawmakers and officials aplenty trying to take a stab at harnessing its potential in the realm of cyber defense. This year, those government forces face a critical question: Who benefits more — attackers or defenders? 

According to a new report from the Aspen Institute’s Global Cybersecurity Group, it all comes down to a balanced approach. Overly restrictive policies could stifle progress, while lax regulations could leave systems vulnerable.

The report suggests that government focus on:

  1. Mandating data openness and transparency in commercial Gen AI models. That could mean exposing hidden biases in training data, which would allow researchers to identify and address potential discrimination or manipulation.
  2. Promoting industry self-regulation through codes of ethics and governance frameworks. Self-regulation could be faster and more adaptable than government mandates, allowing industry to react quickly to emerging threats. Of course, there is a challenge in ensuring companies police themselves effectively.
  3. Developing targeted legal guardrails to address specific Gen AI applications and potential harms. This could involve red lines for specific Gen AI applications, such as an outright ban, labeling requirements or legal penalties for deepfakes that are created or distributed, while incorporating existing data privacy regulations.

— Meanwhile, at Aspen: White House AI adviser Ben Buchanan is taking part in a discussion today with the Aspen Institute’s senior director for cybersecurity programs Jeff Greene.

Greene tells MC he plans to press for specifics on how the White House’s executive order on AI will create accountability in AI development, and how the administration thinks the products will actually improve security.

China corner

DOING IT ANYWAY — Washington's efforts to choke China's military-backed AI ambitions through export restrictions are facing an inconvenient reality: Nvidia chips are still quietly finding their way into Chinese hands.

According to an investigation by Reuters, since September 2022 small batches of Nvidia's A100, H100, A800, and H800 chips — all on the U.S. export blacklist — have been procured through obscure Chinese suppliers. 

— That’s a problem in Washington: The trickle of these advanced semiconductors — crucial for AI development — is reaching research institutes and universities with alleged military ties, highlighting the Biden administration’s challenges in fully cutting off China's access to advanced semiconductors that could advance its military AI.

Nvidia is already on the radar of congressional China hawks, with the select China committee shooting off a letter summoning CEO Jensen Huang — along with the heads of major chipmakers Intel and Micron — to a hearing over concerns about the semiconductor industry’s ties to Beijing.

— Not too many options: While purchasing Nvidia chips is legal within China, the persistent demand is something to watch: It exposes a possible lack of viable domestic alternatives.

Vulnerabilities

DO BETTER NEXT SEMESTER — The world got its very first report card on cyber resilience, and I don’t know how mom is going to feel about this one.

SecurityScorecard unveiled its analysis for the start of Davos 2024 on Monday, splitting 189 countries into 17 regions. Its threat intel analysts monitored network security, endpoint security, patching cadence and other variables, then combined those measurements with the IMF’s 2022 data on GDP per capita.

Through those parameters, regions around the world earned scores ranging from a low “B” to a low “C.”

— Who did the best?: According to the data, the highest score went to Northern Europe, at 82.97, while North America placed fifth at 80.37, followed closely by the Middle East at 80.07.

A majority of regions earned the “C” grade, with the lowest cyber hygiene mark going to Central Asia and the Caucasus at 71.73. 

People on the Move

Brian McMillan has joined the Computer and Communications Industry Association as vice president of federal affairs. He most recently served as chief counsel and legislative director for Rep. Eric Swalwell (D-Calif.).

Tweet of the Day

Two tweets in two days from Deputy Defense Secretary Kathleen Hicks on protecting space? Hmmmmmmmm…

Source: https://twitter.com/matthew_pines/status/1746622596521562517

Quick Bytes

NINE BLACKOUTS IN 100 DAYS — Gaza has been in a near-total telecom blackout since Friday, and has been largely offline for more than 72 hours. Anushka Patil with the New York Times has the story.

PHISHING FOR PROFITS — Scammers impersonating Norton tricked people into installing malware through fake renewal emails, stealing $34,000 from one victim's bank account, according to the U.S. Secret Service. The ongoing scam, which authorities believe has recently intensified, involves remote access software and fake phone numbers, writes Bill Toulas for BleepingComputer.

“Russia’s strategic culture drives its foreign hacking” (BindingHook)

“U.S. companies and Chinese experts engaged in secret diplomacy on AI safety” (Financial Times)

Chat soon. 

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).
