By Joseph Gedeon

With help from Maggie Miller

— After avoiding a shutdown, Congress can get back to business as usual. But for the hottest topic on the Hill, one top cyber lawmaker says his colleagues should hit the books first.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! Do you all feel that hot October sun? That’s a good starting sign for everybody’s favorite time of year — cybersecurity awareness month. And because cyber professionals are now going back inside after seeing their shadow, that means we get two extra weeks of awareness.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Email me at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below. Let’s dive in.

Enter the “room where it happens”, where global power players shape policy and politics, with Power Play. POLITICO’s brand-new podcast will host conversations with the leaders and power players shaping the biggest ideas and driving the global conversations, moderated by award-winning journalist Anne McElvoy. Sign up today to be notified of new episodes – click here.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Want to know more about how U.S. allies see semiconductor export controls and the future of militarized AI? Be sure to tune in to a virtual panel hosted by the Center for Strategic and International Studies. 10 a.m.

LIFE LESSONS — OK, shutdown averted (for now), which means Congress can now get back to legislating on everybody’s favorite cyber-related two-letter term. But before you can effectively make laws on artificial intelligence, you should probably learn how it works, right?

That’s at least Rep. Eric Swalwell’s (D-Calif.) strategy, telling MC he’s been taking AI training with computer scientists and other tech experts to fully understand its challenges and benefits. And he suggests all his co-workers do the same.

“I would recommend all my colleagues do [training] before you legislate on AI,” said Swalwell, the ranking member of House Homeland Security’s cyber subcommittee “You should really understand it, not just theoretically but also in practical application.”

— So hot right now: AI is the talk of the town in Washington and beyond, with state legislators introducing 191 AI-related bills so far this year — including 14 that became law, according to the BSA. On the Hill this year, AI has crept into dozens of bills and Congressional hearings touching on ransomware, election security, espionage, and even the National Defense Authorization Act.

Even the White House is acting on securing AI risks in cybersecurity and insider threats through a mid-September executive order, which was shortly followed by the Senate’s first-ever AI summit with some of the tech industry’s biggest names.

— A force for good (and evil): A piqued curiosity isn’t enough though, with experts constantly tying its risks to its rewards — especially when it comes to cyber. AI has made it easier for cyber gangs to develop and deploy malicious code, disinformation campaigns and phishing tactics, but at the same time, the tech can be used to improve cyber defenses by helping to identify and respond to attacks more quickly.

“It's allowed us as a collective country trying to defend against cyberattacks to better see the attacks sooner, and isolate and eliminate them,” Swalwell pointed out.

— Start them young: Those lessons shouldn’t just be for your average hardened lawmaker, either. When it comes to the education front, he emphasized the importance of ensuring that all students have access to AI education, warning that those left out will be at a disadvantage in the future.

“I'm a parent of three little kids and I think about how we have to get AI right in the classroom,” Swalwell said. “We can’t be a two-tiered education system in America where classrooms with resources teach kids how to use AI for their future careers, and then have classrooms without those resources.”

“We already know AI will profoundly change the workforce — but we can’t allow it to change the workforce because we don’t have enough students trained in it,” he added.

— Egos at the door: In terms of how he’s personally learning about the new tech, he says he’s been asking computer scientists to share their screens while working with him on his go-to system: OpenAI. Swalwell recommends that policymakers start by learning about AI through accessible web-based systems.

"And don't bring in some ivory tower think tank-er,” Swalwell tells MC. “Start at your keyboard.”

A CYBER LEGACY — Sen. Dianne Feinstein (D-Calif.), who died late last week, leaves a long history of legislation she helped pass during her three decades in the Senate — including work on a major piece of cyber legislation, as Maggie writes in.

Feinstein was the main Democratic sponsor of the 2015 Cybersecurity Information Sharing Act, which made it easier for organizations to voluntarily share cyber threats with the federal government, while also limiting the government’s access to personal information swept up in the cyber threat data. This was one of the first major pieces of cyber legislation signed into law.

“We took every step we could to satisfy privacy concerns,” Feinstein said in a statement at the time of the Senate’s passage of the measure. “I believe this is a very good bill that reflects consensus on a very complicated issue.”

— Secure tech: Beyond the 2015 law, Feinstein also worked with Sen. John Cornyn (R-Texas) to push through the Foreign Investment Modernization Review Act in 2018. The law expanded the authorities of the Committee on Foreign Investment of the United States to cover a greater number of transactions with foreign companies, with the aim of stopping foreign governments from acquiring U.S. technologies.

— Vroom, vroom: The senator also took a stand to protect U.S. consumers from emerging technologies. Feinstein was among a group of Democratic senators in 2018 that blocked passage of the AV START Act, a key piece of legislation that would have created a federal regulatory framework for the testing and rollout of self-driving cars.

In a 2018 letter sent to the leaders of the Senate Commerce Committee, Feinstein and four other Democratic senators expressed a variety of concerns about the proposed bill, including that it did not go far enough to address potential cyber risks of internet-connected vehicles.

“We believe the bill must also lead to the development of cybersecurity safeguards, and include measures to protect consumer privacy, which are clearly foreseeable challenges,” the senators wrote.

— Future impact: Feinstein was a key Democratic vote on the Senate Judiciary Committee. Her death leaves a Democratic opening on the panel, which has jurisdiction over issues including surveillance concerns.

UNDERSTAFFED AND UNDERSKILLED — A majority of cybersecurity teams globally are understaffed, and half of all security leaders have job openings on their teams for non-entry level roles, according to a new state of cybersecurity survey from the Information Systems Audit and Control Association.

The annual report is a wakeup call from ISACA, which also found that 62 percent of respondents believe organizations underreport cybercrime, suggesting the cyber threat landscape is much more severe than realized.

— Skills pay bills: But it’s not just a hiring gap — there’s also a growing skills gap noted by security leaders. The biggest area of concern is in soft skills, like being an effective communicator, flexibility and leadership traits, at 55 percent. It’s followed by cloud computing at 47 percent and security controls, such as in endpoint and network at 35 percent.

To fix the skills gap, respondents said they are training non security staff who are interested in moving into security roles, increasing usage of contract employees and expanding use of reskilling programs.

— Tit for tat: On the flip side, it’s not like cyber professionals are without their own complaints. On the contrary, an Enterprise Strategy Group report from September shows that 63 percent of cyber staffers say their work has become more difficult over the past two years, with nearly one-third occasionally or regularly considering leaving the profession.

— Looking ahead: ISACA found that 78 percent of survey respondents say demand for technical cybersecurity individual contributors will increase in the next year, with 48 percent expecting an increased demand for cyber managers. More than half also believe that cybersecurity budgets will increase in the next year as well.

— Enter the White House: The drama is something the White House is also hoping to address in its first-ever workforce strategy unveiled this summer, with some estimates putting the cyber vacancy number at more than 660,000 jobs.

The administration is looking at reducing the shortage by exploring ways for organizations struggling to find and retain qualified cyber professionals to create a culture where cyber is a top priority.

Friday’s newsletter misidentified a lawmaker’s party affiliation. Rep. Eric Swalwell is a Democrat.

For cybersecurity awareness month, can we find a way to make multi-factor authentication cool? One free campaign idea: have graduate art students create contemporary performances on multi-factor authentication. Call it MFAs for MFAs.

A DISASTROUS HDMI — A knockoff iPhone-to-HDMI adapter that mimics Apple's branding and prompts users to download an app that asks for intrusive permissions and sends data to China was found on Amazon. Cybersecurity firm Check Point previously warned that EZCast dongles, which are made by the same company, are easy to brute force and were never designed with security in mind, reports Jason Koebler for 404Media.

YOUR OLD FRIEND — LostTrust ransomware is most likely a rebrand of MetaEncryptor, a ransomware operation that has been inactive since July. LostTrust began attacking organizations in March and has so far leaked data from 53 victims worldwide, writes Lawrence Abrams for BleepingComputer.

ICYMI — The United Kingdom’s cyber ambassador for the department of international trade sat with DarkReading to discuss how the nation is helping countries around the world form their own cybersecurity agencies. Check out the full interview with Juliette Wilcox.

Tuesday

The U.S. Navy’s director of enterprise networks and cybersecurity Scott St. Pierre is heading to the Institute of World Politics for a lecture on how the Navy is leading the way on cyber and zero-trust framework. 5 p.m.

Wednesday

The Council on Foreign Relations’ Scott Snyder, CSIS’ Victor Cha and the Stimson Center’s Jenny Town will join the Senate Foreign Relations subcommittee on East Asia, the Pacific and International Cybersecurity Policy to discuss security in the Korean peninsula. 2:30 p.m.

Thursday

The Federal Reserve’s vice chair for supervision Michael Barr is livestreaming his talk in Cleveland, Ohio, about cyber risk in the banking center. 12:15 p.m.

The Labor Department’s Amer Helmy, the State Department’s Donald Bauer and others are joining the government executive media group for a conversation on identity governance and zero trust. 1:30 p.m.

Chat soon. 

Stay in touch with the whole team: Joseph Gedeon ([email protected]); John Sakellariadis ([email protected]); Maggie Miller ([email protected]); and Heidi Vogt ([email protected]).

GO INSIDE THE CAPITOL DOME: From the outset, POLITICO has been your eyes and ears on Capitol Hill, providing the most thorough Congress coverage — from political characters and emerging leaders to leadership squabbles and policy nuggets during committee markups and hearings. We're stepping up our game to ensure you’re fully informed on every key detail inside the Capitol Dome, all day, every day. Start your day with Playbook AM, refuel at midday with our Playbook PM halftime report and enrich your evening discussions with Huddle. Plus, stay updated with real-time buzz all day through our brand new Inside Congress Live feature. Learn more and subscribe here.

Follow us on Twitter

Follow us

To change your alert settings, please log in at https://www.politico.com/_login?base=https%3A%2F%2Fwww.politico.com/settings

This email was sent to [email protected] by: POLITICO, LLC 1000 Wilson Blvd. Arlington, VA, 22209, USA

Please click here and follow the steps to unsubscribe.