Overnight Cybersecurity: Guccifer 2.0 releases more DNC docs; China hacked banking regulator

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

 

THE BIG STORIES:

–EXCLUSIVE: GUCCIFER 2.0 RESURFACES: Guccifer 2.0, the hacker who breached the Democratic National Committee, has released a cache of purported DNC documents to The Hill in an effort to refocus attention on the hack. The documents include more than 11,000 names matched with some identifying information, files related to two controversial donors and a research file on Sarah Palin. “The press [is] gradually forget[ing] about me, [W]ikileaks is playing for time and [I] have some more docs,” he said in an electronic chat explaining his rationale. The documents provide some insight into how the DNC handled high-profile donation scandals. But the choice of documents revealed to The Hill also provides a glimpse of the enigmatic Guccifer 2.0. The hacker has claimed to be Romanian with no strong political leanings. But Guccifer 2.0 sent The Hill documents concerning disgraced donors Paul Magliocchetti and Norman Hsu, whose cases are now six and seven years old and mostly remembered by true D.C. wonks. It shows a detailed knowledge of American politics seemingly at odds with the backstory provided by the hacker. To read our full piece, click here.

–ANOTHER DAY, ANOTHER HACK: The Chinese government likely hacked several high-level officials at the Federal Deposit Insurance Corporation (FDIC) as recently as 2013, according to a congressional report released Wednesday. Advanced persistent threat actors believed to have been the Chinese government compromised 12 agency work stations in 2010, 2011 and 2013, according to an internal FDIC report cited by the House Committee on Science, Space and Technology. The former chairman, chief of staff and general counsel of the agency were all infiltrated. The agency’s internal watchdog dinged the FDIC for failing to alert the appropriate authorities, according to the committee’s report, and notified Congress itself. The banking regulator has recently been in the crosshairs of Congress over its data security practices. The Science Committee, which is holding a hearing on Wednesday to evaluate the agency’s response to recent breaches, slammed the FDIC for its cybersecurity posture and for deliberately evading congressional oversight. To read our full piece, click here.

 

A POLICY UPDATE:

–ANOTHER DAY, ANOTHER CAUCUS. Reps. Zoe Lofgren (D-Calif.) and Ted Poe (R-Texas) on Wednesday announced the creation of a bipartisan caucus intended to address Fourth Amendment concerns in the digital age.

Its 25 members will work to “protect against warrantless searches and seizures, close privacy violating surveillance loopholes, and champion reform efforts to protect and restore Fourth Amendment rights.”

Both Lofgren and Poe have been outspoken on privacy and security issues, most recently pushing back on a change to what’s known as Rule 41, a procedural edit that would allow prosecutors to seek a single warrant for online searches in multiple jurisdictions.

Read the release, here.

 

–I’LL BE WATCHING YOU… The Senate on Wednesday cleared a short-term Federal Aviation Administration (FAA) extension — absent a provision from Sen. Ed Markey (D-Mass.) that would have required government and commercial drone operators to disclose if they collect personally identifiable information and how that data will be used.

Markey has already pushed back, arguing that the bill was “a missed opportunity to enact 21st century rules of the sky to protect privacy.”

“Now is the time to prevent these eyes in the skies from becoming spies in the skies,” Markey said in a statement.

 

A LIGHTER CLICK:

–OLD WORLD CRAFTSMANSHIP IS HORRIFYING. Meet the Milanese barber who cuts hair with fire.

 

A HEARING IN FOCUS:

–CYBER RULES OF ENGAGEMENT: The House Oversight Subcommittees on National Security and Information Technology hosted hearings on standards for when cyberattacks warrant counterattacks on Wednesday. The general answer? It depends.

The Obama administration’s policy has been that these events should be handled on a case-by-case basis from the top of the executive branch. There wasn’t much pushback on that point at the hearing.

“Incidents described as cyber attacks or computer network attacks are not necessarily considered armed attacks for the purpose of triggering a nation’s right of self-defense,” said Aaron Hughes, deputy assistant director for cyber policy at the Department of Defense.

Hughes went on to describe factors that could contribute to a digital or physical response, including physical, personal or economic damage.

The problem with more formalized rules is the unending list of variables that go into an attack. Most experts agree it is extremely difficult to attribute an attack to a specific source with any certainty – almost all indicators of who is behind an attack can be fabricated. It is equally hard to determine an appropriate response in a landscape where non-governmental actors are common and the international community has yet to agree on a standard system of norms.

That is slowly changing, according to Chris Painter, coordinator for cyber issues at the State Department. “Every time the president has a meeting with a foreign head – literally every time… you’ll see a big statement on cyber including… norms,” he said.

The U.S. currently pushes for four norms: No attacking civilian infrastructure, cooperation amongst international law enforcement, no attacking computer emergency response teams and no hacking to steal intellectual property.

 

A LOOK AHEAD:

THURSDAY

–The Homeland Security Committee will receive testimony on worldwide threats from FBI Director James Comey and Homeland Security Secretary Jeh Johnson, at 10 a.m.

–The House Science Committee will hold a hearing evaluating the FDIC’s response to data breaches, at 10 a.m.

–The Senate Intelligence Committee receives a closed-door briefing at 2 p.m.

 

WHO’S IN THE SPOTLIGHT:

–CLINTON. (AGAIN.) (SORRY.) Two GOP chairmen have escalated an investigation into the security of the former Secretary of State’s email server, despite pushback from Republican leadership earlier this year.

Sen. Ron Johnson (R-Wis.), the Senate Homeland Security and Governmental Affairs chairman, and Rep. Lamar Smith (R-Texas), the House Science Committee chairman, combined efforts to send letters Tuesday to three tech vendors that provided software and services to Clinton.

The request doubled down on separate January requests for information on Clinton’s private email setup.

The companies — a network security firm, an email services provider and a data backup provider — refused to turn over some information, arguing they did not have Clinton’s consent.

But in February, House Majority Leader Kevin McCarthy (R-Calif.) suggested that the Science Committee probe had overstepped. He told reporters he believed those inquiries should have been under the purview of the House Select Committee on Benghazi.

Smith and Johnson appeared to obliquely address that in their Tuesday letters, arguing that both committees had jurisdiction over the issue — Science because it has jurisdiction over government cybersecurity standards, and Homeland Security because it has authority over “the effectiveness of present national security methods” across government.

“Because former Secretary Clinton chose to forego using State’s official government system, which is governed by strict federal cybersecurity guidelines, the Committees have questions about whether the level of security of Secretary Clinton’s private server and email account is comparable to the standards prescribed by the [National Institute of Standards and Technology] framework,” the lawmakers wrote, referring to a set of federal guidelines for digital security.

To read our full piece, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Tor named a new board of directors. (The Hill)

Fiat Chrysler is opening a new “bug bounty” program to pay good-guy hackers to find security holes. (WSJ)

A meeting between the New York Fed and the central bank of Bangladesh has been put on hold. (Reuters)

For the first time, a federal judge threw out evidence obtained by a “stingray” without a warrant. Stingrays mimic cell-phone towers. (Reuters)

 

If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A

Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
