Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …
THE BIG STORIES:
–FACEBOOK FUNDS NONPROFIT FIGHTING ELECTION HACKING: Facebook said on Wednesday that it will give funding to a nonprofit at Harvard that is trying to curb cyberattacks aimed at political groups and election systems. The social media giant’s money will go to Defending Digital Democracy, a group led by former campaign chairs for Hillary Clinton and Mitt Romney and based at Harvard’s Kennedy School of Government. Though Facebook is providing the initial funding for the center, it said that it hopes other participants will help the organization transition into a group with several members who share information and analysis in “critical areas of the democratic process.” At Black Hat, an IT security conference, Facebook Chief Security Officer Alex Stamos said the project was born out of the company realizing that no one was taking responsibility for issues of election hacking. “A huge amount of harm falls outside what we considered to be our problem,” Stamos said. “The real problem is that those issues are generally not anybody else’s problem either.”
–DHS CYBER REORGANIZATION GAINS STEAM: A key House panel has advanced legislation that would satisfy a years-long push to reorganize the Department of Homeland Security’s main cybersecurity wing. The bill, introduced by Homeland Security Committee Chairman Michael McCaul (R-Texas) with bipartisan support, passed the committee at a markup Wednesday morning. The legislation would replace the National Protection and Programs Directorate (NPPD), which currently handles cyber and physical infrastructure protection at DHS, with a new, operational agency called the Cybersecurity and Infrastructure Security Agency. The agency would have three divisions focused on cybersecurity, infrastructure security and emergency communications. McCaul said the legislation would allow DHS to better carry out its cyber mission and protect federal and civilian networks. “This realignment of NPPD’s structure will allow it to become more streamlined and effective in carrying out existing authorities while achieving the department’s goal of creating a stand-alone operational organization focusing on and elevating the vital cybersecurity and infrastructure security missions,” McCaul said. The committee passed similar legislation last Congress, but it never received a vote by the full House. McCaul has been engaging with DHS under the new Trump administration on the legislation since earlier this year.
–BILL SEEKS ANSWERS ON DISCLOSING CYBER VULNERABILITIES: The House Homeland Security Committee also advanced legislation on Wednesday requiring DHS to give lawmakers more information on how it discloses cyber vulnerabilities to the private sector. The legislation was sponsored by Rep. Sheila Jackson Lee (D-Texas) and received broad support from members of the House Homeland Security Committee, including Chairman Michael McCaul (R-Texas). The bill would require Homeland Security Secretary John Kelly to send a report to the relevant congressional committees describing the policies and procedures DHS uses to coordinate the disclosure of what are called “zero days”: vulnerabilities that are unknown to a product’s manufacturer and for which no patch exists. The federal government decides whether to disclose zero days to the private sector through the vulnerabilities equities process (VEP), which was first acknowledged by the Obama administration in 2014 but is still shrouded in secrecy. While the government is said to err on the side of disclosure, the VEP has proven controversial because so little is known about how it weighs disclosure against retaining a vulnerability for intelligence or law enforcement use. The process has attracted increased scrutiny in the wake of the outbreak of the WannaCry ransomware, which is believed to be based on a hacking tool developed by the National Security Agency.
A FEW LEGISLATIVE UPDATES:
–SENATORS TO UNVEIL BIPARTISAN LEGISLATION ON EMAIL PRIVACY: Sens. Patrick Leahy (D-Vt.) and Mike Lee (R-Utah) are expected to unveil legislation Thursday that will force the government to obtain warrants to look at American citizens’ emails, according to three sources with knowledge of the bill.
Leahy and Lee’s bill, titled the ECPA Modernization Act of 2017, aims to update the Electronic Communications Privacy Act (ECPA) of 1986. The bill will initially be released without any cosponsors, the sources said.
Currently, law enforcement can obtain Americans’ email correspondence that a provider has stored for more than 180 days with a subpoena, a written demand stating that the emails are relevant to an investigation, a process that does not require a judge to find probable cause. The new bill would change this and require law enforcement agencies to get a warrant from a court to gain access to citizens’ emails regardless of how long they have been stored.
One source noted that the reforms would cover areas beyond email privacy, such as protections for metadata and improvements to the current gag rules, which allow the government to keep email service providers from notifying users that their emails have been obtained.
A House version of the reform has been extremely popular in that chamber, passing with an overwhelming, bipartisan majority the last two times it was introduced.
–CYBER DIPLOMACY HEARING GETS BUMPED: The House Foreign Affairs Committee was supposed to hear from outgoing State Department cyber coordinator Chris Painter at a morning hearing on U.S. cyber diplomacy, but it was postponed as a result of a scheduling conflict, an aide told The Hill.
It is unclear when the hearing will take place, but it’s unlikely that it will occur before Painter leaves his post at the end of July.
News of his exit was followed by reports that Secretary of State Rex Tillerson intends to close the department’s cyber office and fold it into a bureau focused on economic and business issues, which critics say would hamper efforts to engage with other countries on cybersecurity. Painter will move to a position at the Justice Department following a personal leave, according to State.
A LIGHTER CLICK:
Darth Vader actor might make an appearance in a forthcoming Han Solo spinoff.
BLACK HAT IN BRIEF:
The Hill’s Joe Uchill is on the ground covering the Black Hat cybersecurity conference underway in Las Vegas, Nevada, this week. Here’s some of the news coming out of the premier hacker conference today:
— Facebook announced a $1 million investment in cybersecurity research.
–“Wind farms are extremely susceptible to attack,” said Jason Staggs, an independent information security researcher, during his presentation at the cybersecurity conference. Staggs based his presentation on two years of security assessments at wind farms.
He discovered a myriad of issues, including weak physical security and control machines that sent commands over unencrypted channels, shipped with easy-to-guess default passwords, did not authenticate software updates and ran on vulnerable, out-of-date operating systems.
Wind turbines, he noted, can disintegrate or even catch fire when improperly maintained or mistreated, and the sensors involved in maintenance could easily be configured to report faulty data.
The vulnerabilities in wind farms might allow attackers to use what Staggs referred to as the “hard stop of death” attack, repeatedly triggering the emergency stop command, causing dangerous amounts of wear and tear on the turbines. Or, said Staggs, ransomware could easily disable entire turbine farms.
WHAT’S IN THE SPOTLIGHT:
SMALL BIZ CYBERSECURITY: Lawmakers on the House Small Business Committee on Wednesday turned their attention to small business cybersecurity and particularly the benefits and drawbacks of cybersecurity insurance.
The lawmakers heard from a panel of security and cyber insurance experts who warned of the growing cyber threats to small businesses that could deal devastating financial blows.
“Attacks against small businesses are not an anomaly. They are the norm. This is the key demographic that is being targeted by hackers,” said Daimon Geopfert, a principal on security and privacy consulting at Risk Advisory Services.
Representatives from the insurance industry advocated for the use of cyber insurance as a way for small businesses to minimize the damage should they be successfully cyberattacked. The panelists also signaled the need for more cyber education for the small business community, as well as greater guidance from the federal government.
“Insurance is just one piece of the cyber risk management puzzle, but the role of insurance is increasing, as customers seek risk insight and feedback from the insurance advisers,” said Erica Davis, senior vice president and head of specialty products errors and omissions at Zurich Insurance North America.
“Finding solutions to the most complicated of cyber risks will require collaboration between the insurance industry, governments, academia and other think tanks to establish standards, encourage information sharing, build resilience and create adequate global governance,” Davis said.
Lawmakers probed for answers on how businesses can better guard themselves against cyber threats and the value of cyber insurance, and expressed concerns about the growing cyber threat to small businesses.
“I think the average small business is really at a disadvantage in this day and age, not really conscious of the intrusion of those who would want to either extort them or use them as a tool for penetrating even larger enterprises,” Rep. Yvette Clarke (D-N.Y.) observed.
For their part, Chairman Steve Chabot (R-Ohio) and Rep. Dwight Evans (D-Pa.), also a committee member, have introduced legislation that would require cyber training for small business development center counselors, a proposal that received some praise from Geopfert on Wednesday.
Chabot closed the hearing by saying that the committee members are committed “to doing everything that we can to assist the small business community to better protect themselves, whether it’s best practices, whether it’s potentially cybersecurity insurance.”
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
House Intelligence Republican: Claims Gowdy acted as second lawyer for Kushner ‘horses—t.’ (The Hill)
Trump, electronics manufacturer announce new Wisconsin plant. (The Hill)
TSA to require electronics larger than cellphones be X-rayed. (The Hill)
The Trump administration’s reluctance to call out nation-state hackers is emboldening them, security experts say. (Reuters)
Roomba plans to sell mapping data of customers’ homes. (USA Today)
An Obama-era computer science program is still pressing forward. (Edscoop)
Jared Kushner’s statement to Senate investigators shows how he helped the Russians get ‘inside access’ to Trump’s campaign. (The New Yorker)
Sen. Cory Booker (D-N.J.) talks tech, the FCC, and the Russia investigation. (Recode)
Former Obama administration official Samantha Power will meet with Senate investigators Friday as part of the intelligence panel’s Russia probe. (CNN)
UAE bans Arabian Business magazine website over ‘false news’ allegations. (Bloomberg)
DHS releases a security alert about the ‘Crash Override’ malware tied to last year’s cyberattack on Ukraine’s power grid. (US-CERT)