Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …
THE BIG STORIES:
–COME TOGETHER?: The Senate this week is taking up its version of an annual defense bill, setting the stage for debate over a change in authority for U.S. Cyber Command. A House-passed version of the annual defense bill directs the president to elevate the Pentagon’s top cyber unit to a standalone warfighting entity. But the current version of the Senate bill lacks that provision. A bipartisan group of senators wants to bring the Senate version of the National Defense Authorization Act (NDAA) in line with its House counterpart. The amendment — one of more than 300 filed — would pull Cyber Command out from under the authority of Strategic Command, from which it currently must obtain permission before conducting cyber operations. The move appears to have wide support from lawmakers, as well as Adm. Michael Rogers, the unit’s head. He said last month that elevating the unit to a full combatant command would make it more nimble and “generate better mission outcomes.” Armed Services Committee Chairman John McCain (R-Ariz.) and ranking member Jack Reed (D-R.I.) both signaled their support for the idea during an April hearing on the unit. But the White House opposes a statutory requirement to elevate the unit, setting up a fight in the Senate.
–THE TIME HAS COME, THE WALRUS SAID: Several federal agencies face deadlines this week related to the major cybersecurity information sharing law passed as part of last year’s omnibus. The Office of the Director of National Intelligence (DNI) and the Office of Management and Budget (OMB) by Thursday are expected to deliver a report to Congress on the ways in which an adversary might be able to gain access to classified information by exploiting an unclassified information system. The report is due to the Intelligence Committees of both chambers. The Department of Justice (DOJ) and the Department of Homeland Security (DHS), meanwhile, are required under the law to report public guidelines governing how federal agencies will protect privacy and civil liberties when sharing cyber threat indicators. DOJ and DHS are also expected to deliver finalized policies on how companies can best share cyber threat data with the government. The DHS issued its interim guidance in February.
–WHAT CHANGED YOUR MIND?: The New York Federal Reserve originally blocked, then later approved, four fraudulent requests that led to the theft of $81 million from the Bangladesh central bank’s account. The New York Fed originally received 35 requests for money transfers on the day of the February theft, all of which it rejected because the requests were not properly formatted, according to a bank official. But later in the day, the cyber thieves re-submitted the requests with the correct formatting. The requests were authenticated by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), an international network used by banks to exchange information about financial transfers. On that try, the New York Fed approved five requests for $101 million. One request for a $20 million transfer was later rejected because of a spelling mistake. The Fed blocked the 30 rejected requests because they were flagged for economic sanctions review and were only later deemed fraudulent. A Bangladesh Bank official told Reuters the Fed should have rejected all of the requests on both tries. “Of course, we asked the Fed why the repetition of the names did not create red flags,” a separate source close to the Bangladesh Bank told Reuters. “They are saying they rejected 35 badly submitted ones,” the source said. But when the fraudulent requests were re-submitted, the New York Fed “paid five of them and stopped 30. Why? They can give no answer.”
UPDATE ON CYBER POLICY:
–RETRO MOVE. Four senators introduced a bill Monday that aims to reduce the electrical grid’s cybersecurity vulnerabilities by replacing modern systems with older technology.
The legislation would create a two-year study regarding technology that makes the grid vulnerable, with an emphasis on automated systems that can be hacked remotely.
The Energy Department would then have to report on the study and the feasibility of certain technological changes.
“The United States is one of the most technologically-advanced countries in the world, which also means we’re one of the most technologically-vulnerable countries in the world,” said Sen. Angus King (I-Maine), who introduced the bill with Sens. Martin Heinrich (D-N.M.), Jim Risch (R-Idaho) and Susan Collins (R-Maine).
A LIGHTER CLICK:
–THE SAGA CONTINUES. Do not read over dinner.
A LOOK AHEAD:
WEDNESDAY
–The House Homeland Security Committee is scheduled to mark up the Improving Small Business Cybersecurity Act of 2016 and the Cybersecurity and Infrastructure Protection Agency Act of 2016, at 2 p.m.
THURSDAY
–The Senate Judiciary Committee is scheduled to mark up the Electronic Communications Privacy Act Amendments Act of 2015 at 10 a.m.
FRIDAY
–The House Oversight Committee will hold a hearing on the 18F team and oversight of the U.S. digital service at 9:30 a.m.
A MALWARE IN FOCUS:
–PROTECTED, UNPROTECTED? The hacking tool that the FBI used in an operation that led to the indictment of thousands of users of the child pornography site Playpen sent data back to the agency unencrypted, Motherboard reports.
“The network data stream that has been made available for defense review would be of no evidentiary value had it been transmitted in an encrypted format,” wrote FBI Special Agent Daniel Alfin in his testimony in one of the cases arising from the operation.
It’s part of an ongoing debate over whether the agency should have to disclose the exact “network investigative technique,” or NIT, used to hack users of the site. The FBI is now arguing that because the evidence sent back by the NIT was unencrypted, the defense can confirm that it is accurate and untampered.
“Because the data is not encrypted, [the defendant] can analyze the data stream and confirm that the data collected by the government is within the scope of the search warrant that authorized the use of the NIT,” Alfin wrote.
The problem, Motherboard writes, is that “because the data sent by the NIT was not authenticated, there’s actually no way to cryptographically prove that the data the FBI received wasn’t modified in transit using only the unencrypted network stream.”
WHO’S IN THE SPOTLIGHT:
–JACOB APPELBAUM. The privacy and transparency activist said Monday that the “accusations of criminal sexual misconduct against me are entirely false.”
Appelbaum left his position with the Tor Project last week — and the organization didn’t say why. Over the weekend, an anonymous website posted allegations against him from alleged victims and the project released a statement on the allegations.
“In the past few days, a calculated and targeted attack has been launched to spread vicious and spurious allegations against me,” said Appelbaum, a developer at the project, which is behind popular software that allows users to browse the web anonymously, in a statement.
“Given the way these accusations have been handled, I had little choice but to resign from my position as an advocate at the Tor Project and devote my full attention to completing my doctoral work on cryptography at the Technical University of Eindhoven.”
The Tor Project said it was working to investigate some of the specific allegations when possible.
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
Facebook founder and CEO Mark Zuckerberg’s Twitter and Pinterest accounts have been resecured, after hackers compromised both accounts on Sunday. (The Hill)
The Fed had 51 cyber breaches, but does that mean anything? (Slate)
A recently released document highlights how little the Pentagon’s concerns and responses to threats in cyberspace have changed in the past decade. (Motherboard)
Faculty directors of the Berkeley Center for Law and Technology debate whether your data is really safer in Europe. (Christian Science Monitor)
So who are the hackers who cracked into Zuckerberg’s accounts? (NextGov)