Overnight Cybersecurity: Silicon Valley digs in against encryption bill

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORIES:

–3, 2, 1, FIGHT!: Each side is digging in its heels on the recently released encryption bill. Major tech firms are banding together to oppose the measure — which would require them to help government investigators decrypt customer data — days after law enforcement officials made a public display of support for the bill.

A coalition that includes Apple, Facebook, Google, Microsoft and Twitter blasted the legislation as “unworkable” in a letter sent on Tuesday to the bill’s backers, Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.). The bill “would weaken the very defenses we need to protect us from people who want to cause economic and physical harm,” said the letter, which was signed by the coalition, known as Reform Government Surveillance, as well as several industry trade groups.

The efforts of Burr and Feinstein, who head the Intelligence Committee, have divided the tech community and law enforcement officials. The pair developed the legislation in response to law enforcement concerns that criminals are increasingly using encrypted technology to hide from authorities. The measure directs companies to provide “technical assistance” to investigators who cannot access this secure data on their own.

Prominent police commissioners, district attorneys and the advocacy groups that represent them came out this week in favor of the draft language. But the tech community, backed by privacy and civil liberties advocates, has vociferously opposed the legislation, arguing this type of assistance would undermine security and endanger online privacy. “Any mandatory decryption requirement will lead to unintended consequences,” the groups wrote in their letter. To read our full piece, click here.

–NO TAKE-BACKS: The United States is reluctant to reopen negotiations on a pending data transfer deal with the European Union after European privacy regulators expressed reservations with the current draft, according to Reuters. The regulators’ opinion — published last week — is an “important milestone,” said U.S. Undersecretary of Commerce for International Trade Stefan Selig. But, he added, “We are also very cautious about not upsetting what was a delicate balance that was achieved when we negotiated the original text.”

The so-called Privacy Shield is intended to replace a 2000 agreement that allowed more than 4,000 firms to legally handle European citizens’ data. It was struck down in October over privacy concerns, leaving negotiators racing to craft the new arrangement. After months of talks, the Commerce Department and the EU Commission managed to strike a deal in February — but the working group of Europe’s 28 data protection authorities (DPAs) was not satisfied with the scope of U.S. surveillance allowed.

“The possibility that is left in the [Privacy] Shield for bulk collection, which, if massive and indiscriminate, is not acceptable,” Isabelle Falque-Pierrotin, chairwoman of the working group, said last week. The watchdogs’ approval is not necessary to finalize the deal, but because they will be in charge of enforcing it, many see it as essential to ensuring the Privacy Shield survives the kind of court challenge that took down its predecessor. To read our full piece, click here.

 

UPDATE ON CYBER POLICY:

–KEEP THE LIGHTS ON: The Senate on Wednesday approved a wide-ranging energy bill that would give the government more power to protect the electric grid from cyberattacks.

The energy bill — which passed by an 85-12 vote — had long-standing, broad support but was delayed for more than two months amid partisan bickering over the inclusion of emergency funds to help Flint, Mich., battle the lead contamination in its water supply.

The thick bill includes an extensive section dedicated to better securing the nation’s electric grid, which officials and experts say remains dangerously exposed to foreign cyber spies and hackers.

The cyber passages would give the Department of Energy (DOE) greater power to intervene during a cyber crisis, authorize funds through 2025 to establish cyber-testing programs and conduct cyber research and better delineate the department’s overall role in defending the grid from digital intrusions.

The section would be a significant addition over the last energy bill that passed Congress in 2007. That legislation contained only passing references to cybersecurity.

Check out our full recap, here.

 

LIGHTER CLICK:

–THIS MANY PEOPLE WANT TO SEE LIMP BIZKIT? Somehow, a few practical jokesters convinced local news outlets — and thousands of people — that 90s rap-metal innovators Limp Bizkit was prepped to play a show tonight at a gas station in Dayton, Ohio.

Things got so out of control that the police eventually had to step in.

Check out how the craziness came to be here, over at The Daily Beast.

 

A REPORT IN FOCUS:

–A DUBIOUS DISTINCTION. The healthcare industry vaulted to the top of the leaderboards for volume of breaches in 2015, according to IBM’s 2016 Cyber Security Intelligence Index.

And the rise was dramatic: Five of the eight largest health-care breaches since 2010 took place during the first six months of 2015. Over 100 million records were compromised during the year as a whole.

To read the report, click here.

 

WHO’S IN THE SPOTLIGHT:

–TED LIEU. The California Democrat made his presence known at a Wednesday House Subcommittee on Information Technology hearing.

Lieu, who has a bachelor’s degree in computer science, pressed administration officials about a number of newsy cybersecurity topics, including whether the FBI will tell Apple how it hacked into the San Bernardino iPhone (“potentially”), and whether the officials present had been aware of the mobile network flaw that allowed hackers to eavesdrop on Lieu’s phone during Sunday’s “60 Minutes” (“no,” although the FCC is reportedly reviewing the flaw, according to a report).

Lieu also lashed out at Juniper Networks, the company behind vulnerable software that many believe left government secrets exposed to foreign spies. Lieu was incensed that Juniper, which makes a variety of IT products widely used in government, was not testifying.

“I find it disrespectful that they did not come here to testify,” Lieu said. “It insinuates they have something to hide.”

Juniper’s software vulnerability was spotted in December, when the company acknowledged it had found unauthorized code in its ScreenOS product. Security experts said the code had been intentionally altered, and Juniper said the change could have let hackers infiltrate networks and decrypt traffic.

As ScreenOS had been widely deployed across federal agencies for years, many feared foreign governments had long been exploiting the defect to snoop on U.S. officials.

To read our longer piece about Juniper, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Lawmakers want to know who is behind an unauthorized government backdoor found in software used by agencies including the Defense Department. (The Hill)

The Senate Finance Committee on Wednesday approved a bipartisan bill aimed at preventing identity theft and tax refund fraud. (The Hill)

The FCC is studying mobile carriers’ use of decades-old communications technology with known security bugs after “60 Minutes” reported it could be remotely exploited to spy on callers. (Reuters)

A group of California workers said Tuesday that three insurance companies hacked into their lawyers’ databases and stole 32,000 workers’ compensation case files. (Law360)

The repetitive arguments over encryption could be giving way to a debate on “lawful hacking.” (The Intercept)

A Chinese drone maker says it may share data with Beijing. (The New York Times)

Messaging app Viber is defending its decision to roll out end-to-end encryption. (TechCrunch)

 

If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A
