Overnight Cybersecurity: Assange mocks CIA over hacked files | Comey briefs lawmakers | Senate panel approves Trump intel chief
Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …
THE BIG STORY:
–WIKILEAKS MIGHT BE OVERSTATING SURVEILLANCE PROGRAMS IN DOCS: WikiLeaks published a trove of purported CIA files this week, renewing debate over government hacking and surveillance techniques. But many experts say the anti-secrecy group’s analysis of the data may have been intentionally misleading. While intelligence officials and lawmakers believe the documents are valid, experts say WikiLeaks may be overplaying its hand. “As usual, the documents dumped appear to be real. But this analysis was just bonkers,” said Nicholas Weaver, a researcher at the International Computer Science Institute at the University of California at Berkeley. Security professionals point to a number of conclusions drawn by WikiLeaks in its summary of the release that go well beyond the facts. A number of misleading statements that exaggerate the documents’ descriptions of CIA capabilities, Weaver said, led him to assume WikiLeaks is intentionally skewing the documents’ contents. Among WikiLeaks’ conclusions from the documents were that the CIA has a method to defeat encryption from popular apps, could easily spy on anyone with a Samsung smart TV, and could hack into cars’ control systems. But those claims overstate the contents of the documents, say experts. And some information — for example, that intelligence agencies can hack cell phones or that internet-connected devices are vulnerable to hackers — was already widely known.
–…ASSANGE ADDRESSES PRESS: WikiLeaks head Julian Assange on Thursday assailed the CIA for allowing its files to get hacked, accusing the agency of a “historic act of devastating incompetence” in his first press conference since the release of the documents. Assange used the press conference to respond to a Wednesday CIA press release that argued the agency was under strict oversight to abide by rules, including rules restricting its operations to targets outside the United States. “I think it’s an illusion,” he said of oversight efforts. Though Assange acknowledged that the CIA was, at least at present, using its surveillance capabilities in a targeted way — surveilling specific individuals rather than the kind of bulk surveillance done by the National Security Agency — he expressed concern that the policy might change. The leaked documents show some work to automate the hacking process that could either ultimately make the work of hacking easier or, in Assange’s view, be converted to bulk surveillance.
–…DEM ASKS FOR CLASSIFIED BRIEFING ON WIKILEAKS: Rep. Sheila Jackson Lee (D-Texas) on Thursday requested a classified hearing on the WikiLeaks disclosure of purported CIA hacking tools during a meeting of a House subcommittee with oversight of the federal government’s cybersecurity practices. Jackson Lee said that members of the House Homeland Security Committee should receive a briefing about how the WikiLeaks release “impacts negatively on the intelligence community.” The congresswoman made the request at a hearing held by the subcommittee on cybersecurity infrastructure and said that the briefing could involve members of the subcommittee or the full committee with oversight of the Department of Homeland Security. “I believe that we should receive a classified briefing as to what actually was released that impacts negatively on the intelligence community regarding the representation that WikiLeaks has released through information they received, some very viable and important data,” Jackson Lee said Thursday morning. “I think that this is a key responsibility that we have.”
–…REPUBLICAN SAYS ASSANGE BELONGS IN “ORANGE JUMPSUIT”: Sen. Ben Sasse (R-Neb.) said WikiLeaks founder Julian Assange should be in “an orange jumpsuit” for life following a data dump that revealed CIA intelligence hacking strategies. Sasse, a member of the Senate Armed Services Committee, issued a statement Thursday slamming Assange as a criminal and Kremlin ally. “Julian Assange should spend the rest of his life wearing an orange jumpsuit. He’s an enemy of the American people and an ally to Vladimir Putin,” Sasse said. “Mr. Assange has dedicated his life’s work to endangering innocent lives, abetting despots, and stoking a crisis of confidence in the West.”
–…AND LATER WRITES SESSIONS ABOUT ASSANGE: Sen. Ben Sasse (R-Neb.) on Thursday asked Attorney General Jeff Sessions to weigh in on whether the Department of Justice thought WikiLeaks founder Julian Assange had broken any laws and if his department was investigating him. Sasse, the chair of the Senate Judiciary subcommittee on oversight, sent a letter to Sessions after White House press secretary Sean Spicer earlier in the day deferred questions about the WikiLeaks head to the attorney general. “Does the Department of Justice believe Julian Assange has broken the law and is the Department aggressively pursuing his detention and prosecution?” Sasse asked Sessions. “Frankly, it is amazing that I even have to ask this question of the Administration in light of the Intelligence Community’s formal assessment that Mr. Assange’s website is a known outlet for foreign propaganda and in light of Mr. Assange’s history of recklessly endangering the lives of Americans through his illegal disclosures. Nevertheless, because Mr. Spicer referred this matter to DOJ, I am now asking you.”
–…CHINA TO CIA: KNOCK IT OFF: China asked the U.S. government on Thursday to stop spying on and hacking other countries, after WikiLeaks revealed data showing that the CIA can hack a range of devices, including some manufactured in China. Software companies quickly tried to detect security weak points following the WikiLeaks news, with some calling for more details about what the U.S. intelligence community was doing, according to a Reuters report. Cisco routers, which are widely used to provide wireless internet, were listed as a target in the WikiLeaks data. Cisco, a California-based company, markets its routers as providing “strong security and services to enterprise, service providers, and industrial networks.” Chinese Foreign Ministry spokesman Geng Shuang made the request for the U.S. to stop. “We urge the U.S. side to stop listening in, monitoring, stealing secrets and internet hacking against China and other countries,” Geng said at a news briefing, according to Reuters.
A CABINET UPDATE:
The Senate Intelligence Committee on Thursday afternoon voted 13-2 to advance the nomination of former Sen. Dan Coats (R-Ind.) to be President Trump’s director of national intelligence (DNI).
Coats, a former member of the panel, is well-liked by his colleagues and is expected to sail through to a final confirmation vote.
In a genial confirmation hearing late last month, the only major concern committee members repeatedly raised was that Coats might be too nice for the job.
But the vote came at a moment of intense scrutiny of the Trump administration’s handling of national security, while the intelligence community and multiple lawmakers express concern that Coats will be hamstrung by a limited role in Trump’s national security apparatus.
In an executive memorandum last month, Trump reshuffled the Principals Committee of the National Security Council, elevating his controversial political adviser, Stephen Bannon, and apparently de-emphasizing the role of the DNI. Under that order, Coats will only attend meetings when issues pertinent to his responsibilities are discussed.
“I have been reassured time and time and time again by the president and his advisers that I am welcome and needed and expected to be part of the Principals Committee,” Coats said during his hearing.
He told lawmakers the administration told him that demoting the DNI was never the “intent” of the order, the language of which they had merely copied from a similar George W. Bush-era memorandum.
SOME WIRETAPPING INTRIGUE:
COMEY MEETS HILL LEADERS: FBI Director James Comey huddled with Senate leadership during a classified, closed-door briefing on Thursday afternoon and with House leaders in the evening.
The FBI director met with Majority Leader Mitch McConnell (R-Ky.), Minority Leader Charles Schumer (D-N.Y.) and Sens. Mark Warner (D-Va.) and Richard Burr (R-N.C.) — collectively known as the Senate’s “Big Four” on intelligence issues.
Comey met with their House counterparts later Thursday.
The closed-door powwow comes as the Senate Intelligence Committee is spearheading an investigation into Russia’s meddling in the presidential race, including any potential contact between the Trump campaign and Moscow.
Warner — hounded by a herd of reporters after the meeting — declined to comment on the substance of the meeting or who was in attendance.
But he said he still has seen no proof to support President Trump’s claim that the Obama administration wiretapped him during the campaign.
“I stand by my statement,” he said. “I’ve seen no evidence.”
A POLICY BRIEFING:
DEM REPS MAY FORCE VOTE ON RUSSIA TIES: Democrats introduced a measure on Thursday that could force the House to vote on demanding documents from President Trump and Attorney General Jeff Sessions outlining Trump campaign contacts with Russian officials.
Reps. Hakeem Jeffries (D-N.Y.) and Ted Lieu (D-Calif.) unveiled a resolution of inquiry, a rarely used procedure which Democrats have revived this year under the Trump administration.
Under House rules, their resolution must either be considered by a committee within 14 legislative days or automatically brought to the floor for a vote.
It will first go to the House Judiciary Committee, which can approve it for floor consideration or review it unfavorably and prevent it from moving forward.
“The American people deserve to know why the nation’s Attorney General and all of the president’s men were in frequent contact with Russian operatives during the election,” Jeffries said in a statement. “Something stinks at 1600 Pennsylvania Avenue. We are determined to find out if the rot goes all the way to the top.”
A LIGHTER CLICK:
ALEXA WON’T LIE TO YOU. Alexa won’t answer if Alexa is working with the CIA.
A REPORT IN FOCUS:
GOVERNMENT-STOCKPILED HACKING METHODS HAVE A LONG SHELF LIFE: New research shows that security vulnerabilities governments and malicious hackers use to attack systems last, on average, nearly seven years without the public finding out about them.
The United States government, like many other governments, uses hacking for intelligence and law enforcement purposes. That has led to debate over whether it is more beneficial to U.S. citizens to allow the government to stockpile vulnerabilities or alert manufacturers that their products are vulnerable, knowing that by keeping vulnerabilities under wraps, it is possible that adversarial governments and criminals discover and exploit them against the U.S. public.
Though governments conduct their own research to discover new, so-called “zero-day” vulnerabilities, private brokers also sell vulnerabilities on a quasi-legal market. The U.S. has historically been an active consumer.
The report, compiled by researchers at the RAND institute, traced vulnerabilities in the possession of one of these brokers.
The RAND study found that vulnerabilities are “likely” to survive between 5.39 and 8.84 years without being publicly discovered, with an average of 6.9 years and a quarter only lasting 18 months or less.
RAND found no significant characteristics that determined which vulnerabilities were discovered sooner or later, but the report notes it did not check either open source versus closed source products or Linux versus other operating systems.
RAND calculates that year over year, only around 1 in 20 vulnerabilities in a stockpile will be discovered by another researcher. Over the course of the study — 2002 to 2016 — only around 40 percent of the stockpile was.
WHO’S IN THE SPOTLIGHT:
SOME PEOPLE NOT TRYING TO BE IN THE SPOTLIGHT: WikiLeaks made the decision to redact names and internet addresses from the thousands of pages of CIA documents, presumably to not endanger many of the people involved in the CIA’s work.
But some names and code appear to have slipped through the cracks.
A few of the redacted pieces of source code left enough information to identify people, and some files contained unredacted names, including that of researcher Stefan Esser, who acknowledged his inclusion in the documents on Twitter.
Esser, who uses the nickname i0n1c, had his research cited in the notes for the hacking tool “Ironic,” apparently named after him.
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
A GOP congressman says the U.S. is “too easy” on leakers. (The Hill)
The government is not communicating well with the private sector on cybersecurity, Congress hears. (The Hill)
The ACLU is challenging a warrant to search the Facebook page of a group protesting the Dakota Access Pipeline. (The Hill)
One-time Trump advisor Carter Page wrote Senate Intelligence leadership to say his phone might have been tapped but offered no evidence. (The Guardian)
A security bug that’s easy for hackers to spot is savaging web servers. (Ars Technica)
IBM can now store one bit of data on a single atom. (Quartz)
Not impressed by that IBM story? That’s like 9,750,000 terabytes in a grain of sand. (based on this back-of-napkin calculation)
The head of the U.S. Digital Service will return for more service. (Nextgov)
Uber will stop using the “greyball” process to filter out public officials. (Ars Technica)
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
