Overnight Cybersecurity: OPM data hasn’t been used against the US … yet

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry get their arms around cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORIES:

–NOTHING BAD … YET: Data stolen during the recent massive government data breach has not yet been deployed against U.S. interests, Director of National Intelligence James Clapper said Thursday. “There’s been no evidence to this point of the use of this data in a nefarious way,” Clapper told the House Intelligence Committee during a rare open hearing. It was revealed in July that cyber thieves had made off with more than 22 million people’s data — including over 20 million security clearance background investigation forms — in two hacks at the Office of Personnel Management. The incident spurred fears that the pilfered data, thought be in the hands of Chinese officials who orchestrated the digital assault, could be used to blackmail government officials or out covert American agents. To date this hasn’t happened, Clapper said. The assumption didn’t sit well with every lawmaker. If these types of nefarious activity were occurring, Rep. Chris Stewart (R-Utah) said, “we wouldn’t know that yet. … We don’t really know what has been the effect of this being taken.” To read our full piece, click here.

–ARE YOU LISTENING?: Silicon Valley and the FBI are speaking past each other. On Thursday, FBI Director James Comey insisted the two sides have no reason to be at odds over encryption, despite months of public sparring. “There shouldn’t be venom,” the bureau head said during the House Intelligence hearing. “We should all care about the same thing.” But when it comes to encryption, they don’t. The tech community and Washington are locked in a battle over encryption standards. The Obama administration wants some type of guarantee that law enforcement can access locked data with a warrant. But technologists believe any such guarantee weakens online privacy and the American tech sector’s global competitiveness. Comey thinks Silicon Valley hasn’t tried hard enough to come up with a solution, a message that has not gone over well on the West Coast. Rep. Adam Schiff (D-Calif.), the Intelligence panel’s top Democrat, said that leaders from top tech firms including Facebook, Google and Twitter told him last week they want to see proposals from the government first. The government is not equipped to present the best proposal, Comey countered during the hearing. “You should not look to the government for innovation,” he said. “Technological innovation is not our thing.” To read more about Comey’s comments, click here. To read about Schiff’s meeting with Silicon Valley leaders, click here.

–WHO’S IN CHARGE HERE?: Who should be in charge of creating international rules of engagement, similar to the Geneva Conventions, for cyber warfare? At the House Intelligence hearing on Thursday, Rep. Jim Himes (D-Conn.) suggested that the intelligence community has so far neglected to help create clear set of standards, while Director of National Intelligence James Clapper and National Security Agency Director Michael Rogers characterized such rulemaking as high-level policy decisions. Himes peppered panelists with unanswered questions: “Is stealing classified info from us an act of war or an act of espionage? What if that espionage leads to the death of a source or Americans? At what point do we respond in the cyber realm versus outside of the cyber realm?” To read our full piece, click here.

 

POLICY UPDATE:

–DON’T NEED YOU. The Software & Information Industry Association (SIIA) is pushing back on a piece of Senate legislation intended to restrict education companies from selling or using student data for targeted ads. The so-called Safe Kids Act, sponsored by Sens. Steve Daines (R-Mont.) and Richard Blumenthal (D-Conn.), would empower the Federal Trade Commission to punish companies that violate the bill’s conditions. In a Wednesday letter to Daines and Blumenthal, SIIA said that the protections of the bill are redundant given a regulatory framework already in place. The bill, the industry group said, would “unnecessarily add requirements and restrictions that create conflicting definitions and obligations on school service providers” and “create a regulatory environment impossible for school service providers to navigate.” Read the full letter here.

 

LIGHTER CLICK:

–I HAVE MANY LEATHER-BOUND BOOKS. Here are a few of the expressions that presidential candidate and cybersecurity legend John McAfee uses in his bizarre campaign announcement video, released Thursday: “Besieged human hearts,” “the whole host of afflictions that humans must bear,” “the right kind of eyes” and “power inevitably corrupts.”

Speaking with a yogi-like cadence, the only candidate of the so-called Cyber Party delivered a four-minute message, arms crossed, to the tune of soothing classical music on a green-screen backdrop of antique library shelves. Watch it here.

 

WHO’S IN THE SPOTLIGHT:

–ASHLEY MADISON USERS. Until now, it seemed likely that the huge trove of encrypted Ashley Madison passwords would never be cracked. But a group calling itself CynoSure Prime discovered a programming error that has allowed it to chew through more than 11 million Ashley Madison user passwords in 10 days. Now that the vulnerability has been exposed, users that have reused their passwords for other accounts may find themselves the victims of a new wave of account compromises. ArsTechnica has the full story here.

 

A REPORT IN FOCUS:

–IN HILLARY WE TRUST. Despite the ongoing controversy swirling around Hillary Clinton’s personal email setup, voters still believe the Democratic presidential frontrunner is the best candidate to protect the country from cyberattacks.

Forty-two percent of 1,000 voters surveyed by PKWARE think she is the “most qualified” to defend the U.S. from hackers. That’s compared to just 24 percent who think Donald Trump can handle the job.

The same poll also gave Democrats the edge over Republicans — 38 percent to 36 percent — when it comes to providing “the best policy solution for protecting your personal information.”

Read our piece here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Rep. Zoe Lofgren (D-Calif.) praised Apple and Microsoft for their fight to restrict the government’s access to customer data. (The Hill)

FBI Director James Comey said criminals using the dark Web to hide their activities are “kidding themselves.” (The Intercept)

Chinese cyber espionage continues to target a “broad spectrum of U.S. interests,” U.S. Director of National Intelligence James Clapper said on Thursday. (Reuters)

A European bitcoin exchange is effectively spamming the bitcoin network without having to lift a finger. (Motherboard)

The feds are working on new guidelines for better securing agencies’ networks and responding to cyber incidents, federal CIO Tony Scott said. (Nextgov)

GM took five years to fix a full takeover hack that researchers privately revealed to it in 2010. (Wired)

Bruce Schneier writes that there is a persistent rumor that Apple is fighting a government order to make its platform more surveillance-friendly — and losing the fight.

The U.S.-Israeli automotive cybersecurity startup Argus Cyber Security has raised $26 million in its second round of funding. (Reuters)

Experts say agency IT administrators should not immediately kick out cyber intruders when they find them. (Nextgov)

Costs outpaced revenue in the fourth quarter for network security firm Palo Alto Networks. (The Wall Street Journal)

North Korean hackers have exploited a zero-day vulnerability in a popular South Korean word processor, FireEye researchers say. (The Register)

Defense Secretary Ash Carter vows to protect funding for cyber, space and electronic warfare weapons. (Reuters)

Defense contractor Raytheon has spent $3.5 billion on cybersecurity over the last 10 years and expects that number to grow rapidly in the years ahead. (Boston Business Journal)

 

If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A