Welcome to The Cybersecurity 202! This is your reminder to send me tips: tim.starks@washpost.com
What to make of the acting national cyber director not getting the full-time job
Reaction to the administration’s decision on leadership of the national cyber director’s office
The acting national cyber director, Kemba Walden, won’t get the job because she was told her personal debt made her difficult to confirm in the Senate — despite bipartisan support on the Hill.
That’s what Ellen Nakashima and I reported over the weekend. Walden on Friday told us in a statement that she had withdrawn from consideration for the position. She declined to comment further.
To say the reactions to this development were negative would be an understatement. Here is what a friend of Walden’s who doesn’t work at the White House said about Walden and her husband, a lawyer at the Commerce Department: “She’s a public servant. He’s a public servant,” said the Waldens’ friend, who spoke on the condition of anonymity because of the matter’s sensitivity. “They don’t have generational wealth. They’ve taken on debt to put their kids to private school. And most importantly, they pay their bills. If the requirement to take a job like this is that you have to be independently wealthy, then it will be a poorer place because you’ll be cutting out a lot of great talent.”
The response from the cybersecurity community to the reason Walden was told she wouldn’t get the national cyber director nomination was pretty unanimously disapproving.
Here’s Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency and now partner in the Krebs Stamos Group consultancy:
This is a new one. A shame as Kemba is eminently qualified, I know b/c she was one of my top lawyers at @CISAgov. Her performance as Acting NCD supports as well, evidenced by her recently pushing thru the nat’l cyber strategy implementation plan. https://t.co/5DAX6rm4Zu
— Chris Krebs (@C_C_Krebs) July 15, 2023
Katie Moussouris, CEO of Luta Security:
I’m horrified if personal debt were actually behind this setback.
Are we honestly a nation that thinks it can survive in cyber reality by exclusively relying on wealthy people to get our most important cyber strategy done?
Experience & her long standing service should be enough https://t.co/g2t0D4dfxb
— Katie🌻Moussouris (she/her) @k8em0.bsky.social (@k8em0) July 15, 2023
Eli Sugarman, fellow at the Schmidt Futures philanthropic initiative:
Katie Nickels, director of intelligence at Red Canary, a cybersecurity firm:
Absolutely ridiculous. This reeks of a couple *isms to me, but I hope I'm wrong on that. Kemba is so qualified and would be outstanding in this role (...as she has been as the acting...)
— Katie Nickels (@likethecoins) July 15, 2023
Cristin Flynn Goodwin, founder of the Advanced Cyber Strategies consultancy and a former Microsoft attorney:
I completely agree. Kemba was a talented lawyer on my team, too. I think very highly of her expertise in our field. https://t.co/CQSpVYXegL
— Cristin Flynn Goodwin (@CristinGoodwin) July 16, 2023
And Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation advocacy group:
Of course if she was being nominated to the Supreme Court and her debts were suddenly paid off by some unknown party, that would be fine: https://t.co/ixCEKpwWJ8
— Eva (@evacide) July 15, 2023
Comparisons and presidential personnel experts
In her tweet, Galperin is referencing Supreme Court Justice Brett M. Kavanaugh. As Amy Brittain wrote for The Post, Kavanaugh reported having between $60,000 and $200,000 in debt in 2016.
“The credit card debts and loan were either paid off or fell below the reporting requirements in 2017, according to the filings, which do not require details on the nature or source of such payments,” according to the 2018 story.
(We weren’t able to get ahold of Walden’s Form 278 by press time; that form would’ve described the size of her debt.)
Both Max Stier, president and CEO of the Partnership for Public Service, and a lawyer who practices in the area of presidential personnel issues said they couldn’t recall personal debt being a reason a nominee couldn’t advance. “I am not aware of any specific example,” Stier said.
The closest comparison the attorney could recall — they asked to speak on the condition of anonymity due to the sensitive nature of the matter — was debt coming up during the nomination process after some U.S. political figures allegedly got mortgage financing at noncompetitive rates from Countrywide. But it didn’t sink any nominations, the lawyer said.
Of course, precedent doesn’t exist until it’s set, they said. There were no nanny scandals before Zoe Baird’s nomination.
Here’s Stier’s overall take:
- “It is plausible” that there are scenarios where debt could hamper a nominee, he said. “I think you can imagine a world in which [that could happen,] but you would expect that it would have to be quite egregious. If someone was to appear to be in financial dire straits, it might be problematic.”
- There’s a feasible scenario “if it’s in a security clearance context where that would be a real issue,” Stier said. “You don’t want to have somebody who might be vulnerable to blackmail or anything like that.” But in Walden’s position, she already had a security clearance. “She couldn’t function without a security clearance because almost everything that she would need to access of consequence would be classified.”
Another plausible scenario would involve lawmakers from the opposite side of the aisle using personal debt as an excuse for opposition.
“It’s often difficult to oppose the nomination by saying she’s taken policy positions we oppose,” the lawyer said. “But if you can find something in their ethics forms … somebody can oppose a nominee based on some technical issues under their government — they can sort of weaponize an issue under their government ethics compliance forms.”
But then again, Walden had significant bipartisan support — at least publicly.
The overall message is not a good one, though, the attorney said.
“If this is actually an issue for nominations going forward, it’s going to really put stress on what you disclose and how you deal with personal liabilities,” they said. “So if this becomes well-known, it’s going to have a ripple effect through the Senate confirmation process.”
The White House has a preferred choice for the position: Harry Coker.
The well-regarded Coker’s résumé, in brief:
- He was executive director of the NSA from 2017 to 2019 and held senior executive positions at the CIA before that.
- He was a Navy officer for 20 years.
- After departing the NSA in 2019, Coker became a senior fellow at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security.
- He also worked on the national security and foreign policy team for the transition to the Biden-Harris administration.
Coker would be a good candidate for the position in the Biden administration, said Frank Cilluffo, director of the McCrary Institute.
“Should he tap Harry Coker, I think he’s bringing in a veteran with a wealth of experience in the defense and intelligence community,” said Cilluffo, who said he had no knowledge of the Biden administration’s plans for leadership of the national cyber director’s office and is also an admirer of Walden. “He’s a team player who would take us to the next level inside the cyber community. He does really have a unique background and has always worked well with the private sector.”
But switching leaders at the office would have significant drawbacks, said Mark Montgomery, who was the executive director of the Cyberspace Solarium Commission.
“I am really disappointed in the White House decision to date. I hope they can sense from responses on the Hill that Kemba Walden is the best candidate and review their decision-making,” said Montgomery, who now leads the successor to the commission, CSC 2.0, and is senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “Any other candidate will introduce unnecessary friction and delay into the evolution of the office of the NCD. In the meantime, we are fortunate to have Walden in an acting capacity.”
EPA ‘disappointed’ by hold on agency efforts to spur water systems cybersecurity
The Environmental Protection Agency said it’s “disappointed” by a court decision last week that puts a hold on an agency rule aimed at shoring up protections for water systems against hackers.
The U.S. Court of Appeals for the 8th Circuit last week granted a temporary stay of an EPA memorandum that would direct states to evaluate cyberdefenses of water systems when conducting sanitation surveys.
- “EPA is disappointed by the Eighth Circuit Court of Appeals order that undercuts EPA’s efforts to protect the safety of the nation’s drinking water from malicious cyberattacks,” agency spokesperson Robert Daguillard told The Cybersecurity 202.
- “EPA is committed to ensuring that all people have access to clean, safe water. Cybersecurity threats to the water sector are real, and EPA is committed to using its authorities to advance cybersecurity and reduce the possibility of cyber threats impacting the delivery of clean, safe water,” the statement added.
The agency justified the measure under the Safe Drinking Water Act. The sector relies heavily on functioning industrial control systems to clean and disperse water, though experts have previously said it remains one of the most vulnerable to cyberattacks.
The one-sentence court ruling did not provide reasoning for the decision but serves as the strongest sign yet of pushback against Biden-era cybersecurity moves that include mandates.
- Chief among those efforts is a new national cyber strategy, a sweeping federal plan that aims to bolster U.S. cybersecurity preparedness through a more aggressive regulatory approach.
- The EPA’s Daguillard said the strategy, whose implementation framework was rolled out last week, “will continue to guide the agency forward.”
Russian authorities to ban government use of iPhones amid spying fears
Russian officials have banned thousands of government employees and officials from using Apple iPhones amid growing foreign espionage concerns, Anastasia Stognei reports for the Financial Times.
Russia’s Trade Ministry banned the devices for use in “work purposes,” according to the report. “The digital development ministry as well as Rostec, the state-owned company that is under sanction by the west for supplying Russia’s war machine in Ukraine, have said they will follow suit or have already introduced bans,” the report said.
- “Security officials in ministries — these are FSB employees who hold civilian positions such as deputy ministers — announced that iPhones were no longer considered safe and that alternatives should be sought,” a person close to a government agency that has banned Apple products told the FT.
- Russian President Vladimir Putin signed a decree shortly after he launched an invasion of Ukraine declaring that organizations involved in key sectors must switch to domestically developed software by 2025.
The move suggests further efforts from Moscow to move away from the use of foreign technologies.
Apple last month announced it fixed two flaws in its operating system that recently allowed hackers to infiltrate thousands of devices in Russia. Russia’s Federal Security Service accused the United States of colluding with Apple to carry out the hacks but did not provide evidence as to how it made that determination. Apple vehemently denied the claims.
Appeals court pauses order restricting Biden administration contact with tech companies
The U.S. Court of Appeals for the 5th Circuit on Friday granted a temporary stay of a July 4 order that levied strict limitations on the Biden administration’s ability to communicate with social media companies, our colleague Cat Zakrzewski reports.
- The order prohibited key federal agencies and officials from meeting and communicating with social media companies about “protected free speech.”
- The Justice Department last week warned that the injunction was overly broad and could prevent the government from warning people about online misinformation in times of national security emergencies or natural disasters.
“The stay was granted by a panel of 5th Circuit judges, which includes Clinton-appointee Carl E. Stewart, Obama-appointee James E. Graves and Trump-appointee Andrew S. Oldham,” Cat writes. “Oldham last year wrote an opinion upholding a Texas social media law, which bars social media companies from removing posts based on a person’s political ideology.”
- “The stay is the latest twist in a partisan legal battle over the future of content moderation — litigation that could have profound effects on the First Amendment,” the report adds.
Your Cybersecurity 202 host spoke to secretaries of state last week for their reactions on the initial ruling — read more here.
Experts warn of financial challenges and gaps in cyber implementation plan (Nextgov/FCW)
House GOP cyber leaders stress regulatory streamlining as essential aspect of national strategy (Inside Cybersecurity)
Pennsylvania, New Mexico secretaries of state interviewed as part of special counsel's 2020 election interference probe (CNN)
If cybersecurity isn't recession-proof, what is? (TechCrunch)
Genesis Market infrastructure and inventory sold on hacker forum (Bleeping Computer)
BreachForums administrator facing 30-year sentence after pleading guilty to three charges (The Record)
Microsoft email hack shows greater sophistication, skill of China’s cyberspies (Wall Street Journal)
Typo leaks millions of US military emails to Mali web operator (Financial Times)
Multinationals in China accelerate push to decouple data (Financial Times)
Russian hacking group Armageddon increasingly targets Ukrainian state services (The Record)
EV charging networks prepare for cyberattacks (Wall Street Journal)
A teenager accused of hacking Rockstar Games has been deemed unfit to stand trial. (The Verge)
Thousands of images on Docker Hub leak auth secrets, private keys (Bleeping Computer)
- The Atlantic Council convenes a discussion on resilient cloud computing at 11:30 a.m.
- The Center for Strategic and International Studies convenes a discussion on the future of quantum computing tomorrow at 11:30 a.m.
- The House Energy and Commerce Committee holds a hearing on threats to electric energy infrastructure tomorrow at 2 p.m.
- The Institute for Security and Technology holds a webinar on the open-source software ecosystem tomorrow at 3 p.m.
- The Aspen Institute’s 2023 Security Forum kicks off in Colorado tomorrow at 7 p.m.
Thanks for reading. See you tomorrow.