In Q&A, Sen. Mark Warner pushes for more cybersecurity in health care, describes his broader TikTok concerns
Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) is one of the leading cybersecurity lawmakers on the Hill, and he’s long been on our list of people to interview.
A co-founder of the Senate Cybersecurity Caucus, he was one of the early proponents, in late 2020 in the wake of the massive SolarWinds hack, of requiring businesses to disclose information to the federal government when they faced a major hack. Some of his ideas were included in the Cyber Incident Reporting Bill that became law last year.
I interviewed him Tuesday morning to discuss that legislation, but looked mostly at his immediate agenda.
This interview has been edited for length and clarity.
Cyber Security 202: What are your cyber priorities for 2023?
Warner: My top agenda item for 2023 is this white paper that I released last year, Cybersecurity in Health Care, where we’ve looked at ransomware over the years [that] nothing is more valuable to cyber criminals than health care information, even more so than personal financial information.
Cyber security in health care has always been dependent on existing systems. We have to find a way, even if it will be a patchwork system at first, that we build cyber security into the front end of health care. I don’t know if you saw the white paper or not, but there’s a great chart in there at the beginning. It referred to 16 different entities, four different cabinet secretaries, who are grappling with it, and none in charge.
We’ve released the white paper, and we’ve received about 60 different submissions from industry and experts. We are investigating them, and there are other MLAs, [Sens.] Bill Cassidy [R-La.] and Jacky Rosen [D-Nev.]; they have some legislation. I have some thoughts and will probably come up with a slightly more comprehensive approach.
My second priority is to continue to look at how we deal with national security cyber risks. I’m still surprised in many ways that we haven’t seen more drastic action from Russia in light of the Ukraine war. I fully expected, and I think most of the intelligence community expected, we would see more vicious NotPetya-type attacks against Ukraine or possible attacks against the US or European allies. There have been some attacks, but it’s not like we’ve seen a full A-team of Russian services.
So I want us to keep thinking about how we respond when this is a nation-state. The question I’ve been asked is “Would it be a violation of Article 5 if Russia attacked Ukrainian power systems, and shut off power to an adjacent area in Poland, and resulted in people dying in the hospital or something?”
C202: You mentioned that there is no one in charge. How would you address this?
Warner: I’ll try to be politically correct and say that we’ve gone from one extreme to the other, from the Trump administration to the Biden administration. Trump, the criticism of many on both sides was that he left a cyber adviser out of the White House, and now we have a plethora of cyber advisers, all very talented people. And we’re actually adding more, for example, at the State Department level.
I still have some concern that we don’t know who is in charge. Whether you assign it to one of the existing positions inside the White House, or whether you create another one, I’m still open to that. But I’m afraid the one person in HHS [Health and Human Services] is just in charge. I’m not even sure the HHS person would be able to get the FDA [the Food and Drug Administration], for example, to obey completely. Or how do you deal with, if someone was in HHS, what is their interaction with CISA [Cybersecurity and Infrastructure Security Agency]?
CISA’s got a challenge making sure we get the right talent, but I really think they’ve earned a good reputation. But I’m not sure that CISA, as a collaborative partner with industry, would be the right place to bring oversight because health care cyber is so complex. It’s easier said than done to say you need someone in charge, but with the complexity of how and where to put that person we’ve already met.
C202: Have you talked about banning TikTok? What do you think about TikTok’s plan to address concerns about Chinese ownership? And can you talk about where you want to see other technology, not just TikTok?
Warner: I think TikTok is trying to solve it. We haven’t seen what conclusion, if any, CFIUS [the Committee on Foreign Investment in the United States] has reached. I think we’ve seen, intentionally or not, what TikTok represents, [that] there would be no ability for Chinese engineers to look at American data. They have just been proven false time and time again.
I started with privacy concerns, but I’ve converted more to the concerns of TikTok as a communication medium. I am not accusing TikTok of creating content on its own. But boy, we definitely know that the algorithms that decide what you want to watch or what you watch are powered by TikTok. And the best example of this is the TikTok which Chinese kids can watch, which emphasizes things like STEM [science, technology, engineering and mathematics], versus the TikTok that our kids and the rest of the world watch, [which is] dramatically different. There’s a lot of creativity on TikTok, but I don’t know how – as long as that code is being written in Beijing – how do you do proper security. I doubt whether you can create these constraints.
When I think of Kaspersky, Huawei, TikTok, I’m trying to think, is there any way we can comprehensively look at foreign-based technology applications that raise serious national security concerns? And there is a stage where it can be evaluated, rather than the way we are seeing it now. I would also argue that for some of this, CFIUS may not even be the right place.
C202: How satisfied were you with the last cyber incident notification law, and the extent to which you have followed it, how satisfied are you with the implementation process?
Warner: I was not satisfied with this much. I felt, to keep the Chamber [of Commerce] support or opposition, we had to reduce it. I am concerned about the implementation process in terms of making rules. This may take five years. I wouldn’t be too surprised about another major cyber incident – like a Colonial Pipeline or SolarWinds – being something where we have a “holy heck” moment and then the implementation ramps up. My hope is, we can go back to some of our friends in the industry and say, “Oh my gosh, guys, you know, five years is a long time.”
One of the active debates in health care is, should our standards be voluntary, or should they be mandatory? And it’s been interesting in the comments that, as you’d expect, trade associations and lobbying groups in the city have said “voluntary.” We have different hospital systems saying, “If you don’t make it mandatory, we’re not going to get it done.” So I think a little bit of it’s the yin and yang of what we’re seeing on event notification.
Riot Games hackers demand $10 million
The hackers say that if the gaming giant accepts their “small request,” the hackers will remove the stolen computer code from its servers and “provide information on how the breach occurred, and how it will be implemented in the future, recommend measures to prevent violations,” Motherboard’s Joseph Cox and Matthew Gault report. This week, Riot Games said the source code for its “League of Legends” and “Teamfight Tactics” games had been stolen in a “social engineering attack,” along with “legacy” anti-cheat software. Here’s more from the company:
Today, we received the ransom email. Needless to say, we won’t pay.
While this attack disrupted our build environment and may cause problems in the future, most importantly we are confident that no player data or player personal information was compromised.
– Riot Games (@riotgames) January 24, 2023
Hackers have taunted Riot Games in their note. “We also want to remind you that it would be a shame to publicly expose your company, especially when you take so much pride in your security measures,” they wrote. “It’s worrying to know that you can be hacked in a matter of hours by an amateur-level hack.” Riot Games declined to comment to Motherboard beyond the company’s tweet.
Riot Games is the latest major video game company to be hacked. Last year, hackers breached Rockstar Games and released source code and videos from its highly anticipated “Grand Theft Auto VI” video game.
CISA gives cyber security tips to schools
The Cybersecurity and Infrastructure Security Agency report is a “mixture of achievable, individual to-do items and broader community calls for cultural change in school districts,” Axios’s Sam Sabin writes. CISA was required to submit the report after Congress passed a law in 2021.
Chairman of the Senate Homeland Security Committee Gary Peters (D-Mich.), who helped draft the law, applauded the CISA report, saying in a statement that it is “an important step to help K-12 schools across the country protect themselves from [cyberattacks] which put the personal information of students and staff at risk.” Peters added that “K-12 schools are increasingly being targeted by criminal hackers, and this new resource from CISA provides easy-to-understand guidance on the cyber security risks available to the schools that need it most.”
Administrator of RSOCKS proxy botnet pleads guilty (Krebs on Security)
Pakistani authorities probing whether cyber attack caused nationwide blackout (The Record)
FBI says hacker group linked to N Korea behind US crypto firm heist (Reuters)
French privacy chief warns against using facial recognition for 2024 Olympics (Politico Europe)
After Analyst1’s John DiMaggio wrote a report on the ransomware gang LockBit, it appears the group has taken notice. Here’s more from DiMaggio:
- Senate Foreign Relations Committee to hold hearing on countering Russia at 10:30 a.m. Thursday
- Cristiano Lima, who hosts The Technology 202 newsletter, moderates the R Street Institute’s program on privacy and security law on Thursdays at 4 p.m. ET.
Thank you for reading. See you tomorrow.