Overnight Cybersecurity: House panel to take up cyber reorganization bill
Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you…
THE BIG STORIES:
–CHANGE IS ON THE HORIZON?: The House Homeland Security Committee on Wednesday will mark up legislation by Chairman Michael McCaul (R-Texas) to reorganize how the Department of Homeland Security (DHS) protects critical infrastructure from digital threats. The bill, set to be introduced Tuesday, would replace the National Protection and Programs Directorate (NPPD) with a new agency tasked with protecting the computer networks that run the nation’s power grid, water utilities and more. The proposed agency — the so-called Cybersecurity and Infrastructure Protection Agency — would remain under the authority of the DHS, but would have operational capabilities. The administration has pushed for a reorganization of the NPPD — which currently houses a cyber-focused office — but the particulars have been the subject of quibbling between the DHS and lawmakers. The agency has proposed three operational units within the renamed NPPD — an office of infrastructure protection, an “elevated and enhanced” cybersecurity office and the existing Federal Protective Service, which protects federal buildings. McCaul’s legislation differs from the administration’s proposal in a number of key ways. While the DHS wants to integrate responsibility for cyber and physical security across the agency, McCaul’s bill would keep the cyber division separate from the agency’s mission to guard against physical threats. The bill does call for risk assessments and joint working groups to mitigate the cascading fall-out between the cyber and kinetic world. “I’d say we’re 90 percent in agreement on what we’re trying to achieve — allowing them to be operational,” the aide told The Hill.
–WHEREFORE ART THOU, CYBER COMMAND: The Senate on Tuesday did not take up an amendment to the annual defense authorization bill that would elevate U.S. Cyber Command to a standalone warfighting entity. The House-passed version of the National Defense Authorization Act directs the president to elevate the Pentagon’s top cyber unit, but the current version of the Senate bill lacks that provision. The bipartisan amendment to the Senate version — one of more than 300 filed — would pull Cyber Command out from under the authority of Strategic Command, from which it currently must obtain permission before conducting cyber operations. The move appears to have wide support from lawmakers, as well as Adm. Michael Rogers, the unit’s head. He said last month that elevating the unit to a full combatant command would make it more nimble and “generate better mission outcomes.” Armed Services Committee Chairman John McCain (R-Ariz.) and ranking member Jack Reed (D-R.I.) both signaled their support for the idea during an April hearing on the unit. But the White House opposes a statutory requirement to elevate the unit, setting up a fight in the Senate.
–BEHAVE YOURSELF!: A German privacy regulator has fined three companies for using an invalidated agreement between the U.S. and the European Union (EU) to transfer European citizens’ data across the Atlantic. The Hamburg Data Commissioner announced on Monday that it has fined Adobe Systems, Punica, a juice maker that is a subsidiary of PepsiCo, and Unilever, an Anglo-Dutch consumer goods group. The fines totaled 28,000 euros, or about $32,000, with the largest fine, 11,000 euros, or $12,500, going to Unilever. The action is the first high-profile example to date of a European privacy regulator cracking down on companies still using the defunct agreement. But onlookers have long suspected that any enforcement action would come from the privacy watchdog in Hamburg. Germany is seen to have one of the strictest privacy stances in Europe. According to the Data Commissioner, the three firms continued to transfer personal data under the so-called Safe Harbor agreement after it was struck down by the EU high court last fall. The three companies have since put into place alternative legal mechanisms. “The fact that the companies have eventually implemented a legal basis for the transfer had to be taken into account in a favourable way for the calculation of the fines,” said Johannes Caspar, the Hamburg Commissioner for Data Protection. “For future infringements, stricter measures have to be applied.”
UPDATE ON (UK) CYBER POLICY:
–TODAY, IN ENCRYPTION NEWS. The United Kingdom’s House of Commons approved far-reaching authority for spy agencies to access cyber data Tuesday, but pulled back some restrictions on encryption that were opposed by Apple and Facebook.
The so-called “snooper’s charter,” officially the Investigatory Power Act, codifies intelligence agencies’ use of metadata analysis and malware to hack computers. It requires communications companies to maintain records of customers’ web browsing for a full year to assist investigations.
But the final version eased up on restrictions on encryption. Early drafts of the law mandated that encryption include backdoor access for law enforcement — an issue that recently sparked a battle between Apple and the FBI in the U.S. The version passed Tuesday requires only that companies help break encryption if it is reasonable in terms of cost and technology.
The changes to encryption were one of a few amendments meant to assuage concerns about the law’s effect on privacy. Civil liberties groups are still unhappy with the complete product, though interior minister Theresa May called the safeguards “world leading.”
The final vote on the act was 444-69. It now heads to the House of Lords for their approval.
A LIGHTER CLICK:
–TODAY, IN THINGS THAT GO TOGETHER LIKE PEAS AND CARROTS. We’re delighted about this.
A LOOK AHEAD:
WEDNESDAY
–The House Homeland Security Committee is scheduled to mark up the Improving Small Business Cybersecurity Act of 2016 and the Cybersecurity and Infrastructure Protection Agency Act of 2016, at 2 p.m.
THURSDAY
–The Senate Judiciary Committee is scheduled to mark up the Electronic Communications Privacy Act Amendments Act of 2015 at 10 a.m.
FRIDAY
–The House Oversight Committee will hold a hearing on the 18F team and oversight of the U.S. digital service at 9:30 a.m.
A HACK IN FOCUS:
–FURTHER, IN CELEBRITY GOSSIP. The National Football League’s Twitter account was apparently hacked on Tuesday afternoon when it posted false news that Commissioner Roger Goodell had died.
The tweet and subsequent others have since been deleted. A spokesman said the account was hacked and the commissioner is fine.
Hackers gaining unauthorized access to high-profile social media accounts has become a common phenomenon in the past few years. Individuals such as Facebook CEO Mark Zuckerberg have fallen victim, as well as the government’s U.S. Central Command account.
–NO ONE IS IMMUNE. The chief technologist of the Federal Trade Commission (FTC) is sounding a warning after having her cell phone account hijacked: It could happen to anyone.
Lorrie Cranor blogged about her experiences on Tuesday.
“A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers,” she wrote.
“My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft.”
According to Cranor, not only is account hijacking a growing problem, it is growing faster than other forms of identity theft.
In January of 2013, it comprised 3.2 percent of the identity theft complaints logged by the FTC. In January of this year, it represented 6.2 percent.
WHO’S IN THE SPOTLIGHT:
–GET TRANSCRIPT. The Internal Revenue Service (IRS) on Tuesday formally relaunched the online service, Get Transcript, following last year’s data breach that compromised the sensitive information of hundreds of thousands of taxpayers.
The web service, which allows taxpayers to access documents that summarize their tax returns, had been disabled last May, after the IRS discovered the breach.
The new Get Transcript web feature uses a multi-factor authentication process. The enhanced authentication process is scheduled to be applied to other IRS web tools later in the year, and meets security standards set by the National Institute of Standards and Technology and the Office of Management and Budget, the IRS said.
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
The FBI last month warned banks to be vigilant in the wake of the $81 million cyber heist at the Bangladesh central bank. (The Hill)
President Obama and Indian Prime Minister Narendra Modi agreed during Modi’s Tuesday visit to Washington to “deepen” their work together on cybersecurity issues and said they were committed to an open internet. (The Hill)
A former IT aide responsible for Hillary Clinton’s private email server appears to be trying to keep the details of his immunity agreement with the FBI secret. (The Hill)
Iran is developing an alternative to the U.S. Air Force-run GPS system, over concerns that the Middle-Eastern nation has no control over its continued accuracy, according to a navigation nonprofit. (Resilient Navigation and Timing Foundation)
The Department of Homeland Security has reaffirmed a $1 billion contract won by Raytheon Co. to protect the networks of dozens of federal agencies from cyber threats over protests by competitors. (Industry Week)
