Overnight Cybersecurity: Encryption bill expected this week

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you…

THE BIG STORIES:

–SO CLOSE YOU CAN TASTE IT: A draft of the Senate Intelligence Committee’s encryption bill is expected to circulate sometime this week, Chairman Richard Burr (R-N.C.) told reporters on Monday. The measure — a response to concerns that criminals are increasingly using encrypted devices to hide from authorities — would require firms to comply with court orders seeking access to locked data. “My hope is that you will have it in your hands this week,” Burr said. Privacy and civil liberties advocates have preemptively campaigned against the bill, arguing it would undermine global security and endanger online privacy. But law enforcement officials and some lawmakers say such a measure is necessary to help police properly conduct criminal and terrorism investigations. The draft is merely a starting point, Burr cautioned. “This is truly a draft piece of legislation,” he said. “It’s for recommendations.” To read our full piece, click here.

{mosads}–A HELPING HAND: The FBI has informed state and local law enforcement agencies that it will help unlock seized iPhones when possible. The assurance came in a memo sent recently to local authorities around the country. “As has been our longstanding policy, the FBI will of course consider any tool that might be helpful to our partners,” said the letter, which was obtained by multiple news outlets. “Please know that we will continue to do everything we can to help you consistent with our legal and policy constraints.” The bureau issued the letter five days after the Department of Justice revealed it was able to successfully hack into an iPhone used by Syed Rizwan Farook, one of the two shooters in last year’s San Bernardino, Calif., terror attack that killed 14 people. Local police have long expressed a desire to hack into hundreds of locked Apple devices in police custody. They say encryption has allowed criminals to “go dark,” hiding their communications from authorities. Arkansas officials last week directly sought the FBI’s help with a secure iPhone and iPod at the center of a homicide case. Security specialists have pressed the government to tell Apple about the flaw it exploited instead of using it to access other locked phones. These researchers fear the flaw will leak to nefarious hackers, endangering millions of iPhone users. But the DOJ has not commented on whether it will inform Apple about the method it used. To read our full piece, click here.

–SO MANY QUESTIONS: Exactly how the leaker behind the so-called Panama Papers exfiltrated 2.6 terabytes of information remains under speculation, but some details about how the unknown whistleblower coordinated with journalists to expose the data are becoming public. A German reporter named Bastian Obermayer says that the source contacted him via encrypted chat to share the data, refusing to communicate through any other channel because his or her “life is in danger.” Obermayer alluded to encrypted messaging apps like Signal and Threema, but would not say specifically which methods they used, according to WIRED. How the source gained access to, removed and transmitted the information to the International Consortium of Investigative Journalists isn’t known. 2.6 terabytes is far too much data to email, although ICIJ director Gerard Ryle says they got the 11.5 million documents piecemeal. “I learned a lot about making the safe transfer of big files,” Obermayer said. Read on, at WIRED, here.

–SPEAKING OF LEAKS: The sheer volume of mobile phones, laptops and tablets used by federal officials is making it difficult to stop leaks of classified information, officials worry. The controversy over Hillary Clinton’s private email has drawn fresh scrutiny to the handling of classified information. While Clinton’s is a high profile and somewhat unusual case, officials say federal employees across the board are struggling to keep security practices apace with rapidly evolving technology. The prevalence of email and the dramatic growth of the national security state simply makes leaks all but inevitable, they say. “In this world, with the amount of communication, with the Internet, there’s so much that’s out there,” said Rep. Dutch Ruppersberger (Md.), formerly the top Democrat on the House Intelligence Committee. The leaking of classified information — whether within the government or to the public — is infrequent but not unusual, officials say. “Does it happen? Yes. Does it happen more than rarely? Yes. Does it happen regularly? No, it doesn’t,” said John Cohen, who worked in intelligence posts under both Presidents George W. Bush and Obama. To read our full piece, click here.

UPDATE ON CYBER POLICY:

–PIECE OF CAKE. The Senate on Monday easily passed a long-awaited measure that would strengthen federal law and provide damages for U.S. companies affected by the theft of corporate intellectual property.

Sens. Orrin Hatch (R-Utah) and Chris Coons (D-Del.), who have worked together on the measure for the past two years, said their bill would harmonize federal law and give businesses more consistent legal protections when their trade secrets are stolen and they are facing billions in losses.

Coons said that trade secrets, a critical form of intellectual property and the “lifeblood” of many companies, “has somehow slipped through the cracks of federal protection.”

“This bill is a commonsense solution to a very serious problem,” he said.

Trade secrets include everything from customer lists, formulas, software codes, unique designs, industrial techniques and manufacturing processes.

“The bill would establish a federal civil private cause of action for trade secret theft that would provide businesses with a more uniform, reliable, and predictable way to protect their valuable trade secrets anywhere in the country,” the Office of Management and Budget said in a statement in support.

To read our full piece, click here.

LIGHTER CLICK:

–IF YOU’RE NOT ALREADY LISTENING… This true crime serial (some millennial meta-ness to that word now) follows Paul Le Roux on a journey from gifted computer programmer to criminal kingpin to prized DEA informer.

Episode 4 just went live. If you’re in D.C. it’s raining, so you have plenty of time to catch up.

Listen, here.

A REPORT IN FOCUS:

–A SCOURGE. Hospitals are facing a surge of ransomware, malicious software that encrypts computer networks and demands payment to unlock them, a nonprofit healthcare group is warning.

Out of around 30 mid-sized hospitals reviewed by the Health Information Trust Alliance, half were infected with some kind of malware, CEO Daniel Nutkis told Reuters.

By far the most common form of malware the group found was ransomware, which was present in about 35 percent of the surveyed hospitals.

The number of ransomware campaigns has grown exponentially in recent years, with cyber criminals extorting hundreds of millions from victims. Hospitals are increasingly in the crosshairs for this kind of attack.

Last month, Hollywood Presbyterian Medical Center announced that it had paid hackers a ransom in bitcoin — an anonymous digital currency — to regain access to their locked systems.

Then last week, a cyberattack shut down much of the network of the largest healthcare provider in Washington, D.C. Although MedStar Health has declined to confirm that the shutdown was caused by ransomware, The Baltimore Sun reported a ransom of $18,500 has been sought.

To read our full piece, click here.

THE WEEK AHEAD:

TUESDAY

–The Senate Armed Services Committee will hold a hearing on the budget for the U.S. Cyber Command at 9:30.

–The International Association of Privacy Professionals will host a Privacy Shield panel with Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin and Federal Trade Commission Chairwoman Edith Ramirez, at 1 p.m., part of the two day Global Privacy Summit.

–Ramirez will also discuss consumer data protection in a Q&A at 11 a.m.

–FBI General Counsel James Baker will participate in a “candid interview” at 2 p.m.

WHO’S IN THE SPOTLIGHT:

–GOOD OLD FASHIONED DETECTIVE WORK. Undercover police in the U.K. used a clever ruse to get around the problem of encryption on a suspect’s device: They posed as company managers and asked to check the suspect Junead Khan’s driver’s license and work records. After disputing Khan’s account, the officers asked to see his device as proof. Khan handed it over and they quickly arrested him and changed the password settings on the phone to prevent it from locking.

Some security experts have suggested that the solution to the so-called “going dark” phenomenon isn’t technological, but instead lies in improving traditional police work.

Read on, at Ars Technica, here.

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Hackers may have breached Donald Trump’s hotels for the second time in under a year, according to a new report. (The Hill)

Speaking of Trump, the hacking group Anonymous forced several of his websites offline on Friday, as part of the first offensive in a digital war against the GOP front-runner. (The Hill)

The data of nearly 50 million Turkish citizens has been posted online by hackers. (The Hill)

More than a year after the devastating computer hack on Sony Pictures, cybersecurity is a rapidly-growing concern among entertainment and media CEOs, a new survey says. (Hollywood Reporter)

Jeffrey Coburn, unit chief at the FBI’s cyber division, offers a few tips to evade ransomware.

Thanks to Google and easy-to-guess passwords, some U.S. critical infrastructure can be accessed by almost anyone, authorities say.

If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A