Overnight Cybersecurity: FTC chair touts progress toward new data pact

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry wrap their arms around cyberthreats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORIES:

–CLOSER, CLOSER: The chairwoman of the Federal Trade Commission said Wednesday that negotiators were “well on our way” to reaching a new agreement governing how American companies can store data belonging to Europeans. “In my mind, I’m optimistic that we’re going to be able to find a solution to this, I’m hoping by the end of this month,” she said while appearing at CES, the annual technology industry trade show. “But we’re well on our way I think to doing that.” Last year, a European court struck down a ‘safe harbor’ agreement that had allowed American companies to store European data stateside without incurring the wrath of privacy regulators on the continent. That has added urgency to the task before the U.S. and European Union officials who are negotiating a new pact. Ramirez’s optimism is matched by her European colleagues, one of whom said she is “confident” a deal will be reached by an end-of-January deadline. That would come as a relief to American tech companies who do business in Europe and fear their activities might suddenly be subject to a crackdown from privacy regulators. Ramirez echoed those concerns while speaking at the trade show, which is hosted by the Consumer Technology Association. “Frankly, in my view, the current situation of uncertainty is absolutely untenable,” said Ramirez. “It’s not good for businesses, who are uncertain about the legal terrain and their footing in this arena. And secondly, it’s not good for privacy.” To read our full piece, click here.

{mosads}–HEADING HOME: A Latvian man credited with co-writing one of the most destructive computer viruses in history on Tuesday was spared further jail time by a Manhattan district judge. Deniss Calovskis, 30, was sentenced to the 21 months in prison he has already served, after admitting to writing part of the so-called Gozi virus. The code was responsible for infecting at least 40,000 U.S. computers, including 160 that belonged to NASA. The Department of Justice called the virus “one of the most financially destructive computer viruses in history.” Gozi stole tens of millions of dollars from bank accounts around the world by smuggling itself onto hard drives in a benign PDF, then collecting bank account usernames, passwords and other security information. Hackers would then use the information to fraudulently transfer money out of victims’ bank accounts. Calovskis is responsible for the portion of code that tricked victims into handing over personal information, prosecutors said. But defense attorney David Bertan insisted that Calovskis, who was working as a freelance programmer at the time, was only compensated $1,000 for his participation and was not involved in the overall scheme. His motivation was only to make a little cash, Bertan said. “He did not create or write the Gozi virus, he did not participate in collecting data from infected computers, and he did not personally use that data to access financial institutions,” Bertan said in court papers. U.S. District Judge Kimba Wood said she was impressed by Calovskis’ rehabilitation and wanted to be sure that the 10 months he spent in a Latvian prison before being extradited to the United States was taken into account. To read our full piece, click here.

 

AN UPDATE ON CYBER POLICY:

–NEXT UP? Rep. Randy Neugebauer (R-Texas) on Wednesday said he will look to push forward a combination of data breach bills later this spring.

“It’s definitely on the radar scope,” Neugebauer told The Hill. “We have to sit down and determine whether we’re going to try to make them two bills or one bill.”

The issue is seen as the next likely target for congressional action on cybersecurity, after President Obama signed significant information-sharing legislation as part of the 2015 year-end spending bill.

The House Financial Services Committee in December advanced a bill put forward by Neugebauer that would set nationwide data security standards and require businesses to notify customers following a breach.

A competing bill from the Energy and Commerce Committee has been bogged down by a partisan scuffle over whether the law would preempt existing state data security regulations.

Neugebauer said Wednesday the staffs of both committees have been in discussions over the future of the two bills, with an eye toward combining them into a single bill supported by both committees.

There have been no member-to-member meetings since the holidays, according to Neugebauer, but he intends to push forward with the discussions this spring.

“I’d like to do something on it this spring and see if we can get a feel for what direction we’re going to go,” he said.

To read our full piece, click here.

 

LIGHTER CLICK:

–A LITTLE PERSPECTIVE. We’re 20-somethings, so we’re not very good at putting our problems in perspective. Sometimes it’s important to remember that there are those who face true tragedy.

Watch, here.

 

A FEATURE IN FOCUS:

–BE CAREFUL WHAT YOU WISH FOR. So-called “lawful hacking,” in which law enforcement agents hack their way around encryption has been proposed as a solution to the “going dark” debate. Some security and privacy experts have suggested that such a scenario is preferable to building any form of guaranteed access into devices for law enforcement to execute search warrants.

Benjamin Wittes, Senior Fellow in Governance Studies at the Brookings Institution, argues in Lawfare that such an approach may have unintended consequences.

“I suspect that by advocating that the government bypass encryption systems, rather than requiring decryption, this approach will actually deprive companies of one of the strongest legal protections now granted them in this area and will instead place them in an arena in which the government can, legally speaking, effectively dragoon them into helping investigators hack consumer devices,” Wittes writes.

Read on, here.

 

WHO’S IN THE SPOTLIGHT:

–THE SMALL BUSINESS ADMINISTRATION. Republicans on the House Small Business Committee expressed concern Wednesday that the Small Business Administration (SBA) is not adequately safeguarding sensitive data.

During a hearing on mismanagement of the agency, Chairman Steve Chabot (R-Ohio) referenced a September Government Accountability Office (GAO) report that found the SBA has not implemented more than 30 inspector general recommendations related to IT security.

Citing recent data breaches at the Office of Personnel Management and the Internal Revenue Service, Chabot said that among the list of agency deficiencies provided in the GAO report, “the one that worries me the most is in the area of IT security.”

“There are issues identified by the IG that require attention. It’s a very serious issue,” said William Shear, Director of Financial Markets and Community Investment at the GAO.

Chabot’s concerns were echoed by Blaine Luetkemeyer (R-Mo.).

“One of [the SBA’s challenges] is extremely important … the security of the data the agency holds,” Luetkemeyer said.

To read our full piece, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

A company that sells software to dental practices will pay $250,000 to settle federal charges it misled customers about the level of encryption used to secure patient data. (The Hill)

FTC chair Edith Ramirez said she refuses to use a FitBit because she doesn’t want her ‘sensitive health information’ being shared. (The Guardian)

A report released this morning shows that no phone is 100 percent secure. (CSO)

The State Department has dramatically revised its estimate — from about 38,000 to one — of the number of pages of messages in Hillary Clinton aides’ private email about cybersecurity training. (Politico)

How Canada’s cybercrime problems differ from the U.S. (Motherboard)

 

If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A