Overnight Cybersecurity

Overnight Cybersecurity: Cyber in focus at hearing for Trump DHS pick | House panel advances surveillance reform bill | Ex-Yahoo, Equifax CEOs grilled over breaches | States race to secure elections

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …


THE BIG STORIES:

–CYBER ISSUES IN FOCUS AT HEARING FOR HOMELAND SECURITY NOMINEE: Cybersecurity got attention during Kirstjen Nielsen’s confirmation hearing to become President Trump’s secretary of Homeland Security on Wednesday. Among the more interesting tidbits, Nielsen told lawmakers on the Senate Homeland Security and Governmental Affairs Committee that she pressed her polling place on voting machine security when she voted in Virginia this week. Nielsen, chief of staff to John Kelly, made the comments in response to questions about the department’s role in protecting election infrastructure from cyberattacks, a role that has gained attention as a result of Russian interference in the 2016 presidential election. “When I went to vote this week in the Virginia election, I was quite concerned with the scanning machine and started asking a variety of questions on what the security was on the scanning machine for the ballot. I think we all have to be very aware and work with the state and locals,” Nielsen said. Nielsen fielded a flurry of questions about Homeland Security’s cybersecurity efforts, particularly those concerning election infrastructure. In her opening statement, Nielsen, who has been praised for her cybersecurity background, singled out cybersecurity as “one of the most significant” parts of DHS’s mission. Chairman Ron Johnson (R-Wis.) signaled at the end of the hearing that the committee would vote on Nielsen’s nomination Thursday morning.


–FUSION GPS FOUNDER STRIKES DEAL TO SPEAK ON RUSSIA DOSSIER: Glenn Simpson, the co-founder of the firm that assembled the controversial “Steele dossier” on President Trump, has struck a deal to appear before the House Intelligence Committee for a voluntary closed-door interview next week, committee leaders announced Wednesday. An attorney for Simpson said he will not assert his Fifth Amendment rights during the interview, as two other executives from the firm did when they appeared before the committee last month. Simpson had been under subpoena by the committee, which is seeking more information on the dossier as part of its investigation into Russian interference in the 2016 election. That order will be lifted at the time of the interview on Tuesday, Reps. Mike Conaway (R-Texas) and Adam Schiff (D-Calif.) said in a joint statement. Simpson and his lawyer, Joshua Levy, on Wednesday morning spent more than three hours hammering out the deal in the committee’s secure spaces. “He will be able to maintain Fusion GPS’s privileges and honor its legal obligations,” Levy told reporters, referring to Simpson’s firm. “That’s important to the company, which to this point has maintained its confidential relationships with its clients.”


–FORMER YAHOO, EQUIFAX EXECS HAMMERED OVER BREACHES: Lawmakers railed against former CEOs of Yahoo and Equifax over massive cybersecurity breaches that occurred on their watch and floated potential policy solutions. Frustrated members of the Senate Commerce Committee pressed former Yahoo CEO Marissa Mayer, former Equifax CEO Richard Smith and its current CEO Paulino do Rego Barros Jr. on how their companies allowed such enormous breaches and pushed for answers on how they would handle the fallout. Committee Chairman Sen. John Thune (R-S.D.) opened the hearing by asking Mayer to explain how, despite the increased investments she touted during her opening, 3 billion of Yahoo’s accounts were hacked in 2013. “Despite these investments, Yahoo failed to detect the 2013 breach,” Thune said, noting it also took years for Yahoo to understand the full scale of the problem. “With such a strong security team in place, how did Yahoo fail to recognize all 3 billion of its user accounts had been compromised?” he asked. Mayer replied that such breaches are complex and required time to understand. Indeed, she said, the company is still trying to determine who was responsible. “We still have not been able to identify the intrusion that led to that breach,” the former Yahoo CEO explained.


–STATE ELECTION OFFICIALS RACE TO COMBAT CYBERATTACKS: A year before the midterm elections, state election administrators are racing to plug vulnerabilities and update software ahead of an expected wave of cyberattacks from foreign actors. In interviews, state officials and elections experts said they are working to bolster internal security at both the state and local levels. At the same time, many said they hope Congress will act to update federal election law, in part to provide them with the resources they need to secure the democratic process. “No matter what steps we take today, cybersecurity and the cyber risk evolves and changes daily, and we just have to be vigilant and diligent going forward,” said Vermont Secretary of State Jim Condos (D). “Anybody that thinks, ‘today I’ve got it covered,’ and washes their hands of it is fooling themselves.” Condos is the president-elect of the National Association of Secretaries of State, which has established a cybersecurity task force to share best practices among different state agencies. Condos said states are being encouraged to use cybersecurity experts in their National Guards to help secure systems, and to provide free software upgrades to local election administrators. Those local election administrators may represent a prime vulnerability for foreign actors. Localities in most states actually run elections, and many are woefully understaffed, underfunded and behind the technological times.



A LEGISLATIVE UPDATE:

–HOUSE PANEL ADVANCES SURVEILLANCE REFORM BILL: The House Judiciary Committee on Wednesday voted to advance a compromise proposal to reform the NSA’s warrantless surveillance program, the first of many hurdles that the delicately crafted legislation will face before the program expires at the end of the year.

The so-called USA Liberty Act passed on a 27-8 vote — but a fierce dispute over privacy protections in the bill has made its future on the House floor far from certain.

An amendment from Reps. Ted Poe (R-Texas) and Zoe Lofgren (D-Calif.) that would have stiffened privacy requirements failed 12-21 on Wednesday, after chairman Bob Goodlatte (R-Va.) warned it would sink the underlying bill.

But the House Freedom Caucus has already positioned itself to oppose the bill on the floor for not going far enough to curtail what members say is an unacceptable breach of Fourth Amendment protections.

“I think there’s going to have to be a lot more work that’s done to make sure that we don’t have the illegal search and seizure of Americans that happens on a regular basis,” Freedom Caucus chair Mark Meadows (R-N.C.) told The Hill on Tuesday.

“If it does get out of committee, I don’t think there’s enough support on the House floor for it to pass.”

Complicating the path further, the Intelligence Committee, which shares jurisdiction over the issue, is also not entirely on board with Goodlatte’s proposal, worrying that it goes too far in reforming a program some members don’t think needs to be fixed. Staff from the two committees have been in talks for months, and rumors have swirled that the chair of that panel, Rep. Devin Nunes (R-Calif.), is preparing to introduce a separate bill.

At issue is a law that allows the government to collect the emails and phone calls of foreign spies, terrorists and other foreign targets overseas, even when those foreigners communicate with Americans, whose communications are said to have been collected “incidentally.”

The current law allows federal investigators to search that collected data for Americans’ communications, an authority critics say circumvents Fourth Amendment protections against unlawful search and seizure.


–DEM BILL WOULD REQUIRE PAPER BACKUPS FOR VOTING MACHINES: A new bill would require states to use voting machines with paper backups and conduct audits in close elections.

Rep. Debbie Dingell (D-Mich.) introduced the Safeguarding Election Infrastructure Act on Wednesday, which aims to increase election security by requiring voting machines funded by the federal Help America Vote Act to print a paper record of each vote.

“Our democracy depends on free and fair elections, and we must do everything we can to protect the security and integrity of that process,” said Dingell in a written statement.

“The reality is, many of our voting machines have not been updated in nearly two decades and are susceptible to cyberattacks. We know that foreign adversaries pay very close attention to our elections, and until we address these vulnerabilities, our democratic process is at risk,” she said.

A growing group of critics believes that possible election hacking can be curbed, in part, by providing an auditable paper trail of votes that can be checked against the electronic tally if the digital records are altered.

Dingell’s proposed measure would trigger automatic, federally funded recounts in any election where under 59 percent of the vote went to the winner.



A LIGHTER CLICK:

Apple has its next big project (and it’s a morning TV drama!). (USA Today)


A REPORT IN FOCUS:  

NEW ACTION FROM ‘FANCY BEAR’: The Russian government-affiliated hacking group Fancy Bear took advantage of the New York terror attacks on Halloween to lure new victims, according to a report from McAfee.

The lure is a Word document about the attacks, titled “IsisAttackInNewYork.docx,” that carries an embedded command to download malware when the document is opened.

In late October, Fancy Bear used a similar tactic to target people interested in military cybersecurity, using a document that appeared to contain information about CyCon, the cybersecurity conference sponsored by West Point that is currently under way in Washington, D.C. That attack was first identified by Cisco’s Talos labs.

“Based on the telemetry we captured, we have observed targets in Europe, specifically France and Germany,” said Ryan Sherstobitoff, senior analyst for major campaigns for McAfee Advanced Threat Research via email.

“Based on the document theme from the previous related campaign, it has a name SabreGuardian, which is in reference to the U.S. Army in Europe.”

Fancy Bear is best known as one of the Russian hacker groups believed to have hacked the Democratic National Committee during the 2016 election.
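As an added example, not code from McAfee, Talos or The Hill: a small Python scanner for the kind of lure described above. The page does not say how the download command is embedded in the document; this example assumes it is an Office field instruction (a DDE/DDEAUTO field), which is one macro-free way to make Word launch a program when a .docx is opened. The sample documents are constructed inline, and the "payload" in the constructed lure is a harmless echo.

```python
"""Scan a .docx for field instructions that hand text to an external program.

Added example, not the code of McAfee, Talos or The Hill. The mechanism
assumed here (a DDE/DDEAUTO field instruction inside word/*.xml) is an
assumption; the page only says the lure carries "a command to download
malware". The sample documents below are constructed for demonstration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Field keywords that make Word talk to another process (assumed detection rule).
SUSPICIOUS = re.compile(r"\b(DDEAUTO|DDE)\b", re.IGNORECASE)


def field_instructions(docx_bytes: bytes) -> list[str]:
    """Return every field instruction string found in the document's XML parts.

    Word stores fields either as <w:fldSimple w:instr="..."> or as a run of
    <w:instrText> fragments between fldChar begin/end markers; both are read.
    A .docx is a zip file, so no Office library is needed.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        parts = [n for n in zf.namelist() if n.startswith("word/") and n.endswith(".xml")]
        for name in parts:
            root = ET.fromstring(zf.read(name))
            for fld in root.iter(f"{{{W_NS}}}fldSimple"):
                found.append(fld.get(f"{{{W_NS}}}instr", "").strip())
            # Complex fields: join the instrText fragments of each paragraph.
            for para in root.iter(f"{{{W_NS}}}p"):
                frags = [t.text or "" for t in para.iter(f"{{{W_NS}}}instrText")]
                if frags:
                    found.append("".join(frags).strip())
    return found


def suspicious_fields(docx_bytes: bytes) -> list[str]:
    """Return only the field instructions that match the DDE rule."""
    return [f for f in field_instructions(docx_bytes) if SUSPICIOUS.search(f)]


def build_docx(body_xml: str) -> bytes:
    """Construct a minimal .docx in memory (sample input, not a real lure)."""
    doc = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed sample: an ordinary page-number field, nothing to flag.
BENIGN_DOCX = build_docx(
    r'<w:p><w:r><w:t>Page </w:t></w:r>'
    r'<w:fldSimple w:instr=" PAGE \* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
)

# Constructed sample: a DDEAUTO field split across two instrText runs, the way
# Word writes complex fields. The command is a harmless echo, not a downloader.
LURE_DOCX = build_docx(
    r'<w:p><w:r><w:t>IsisAttackInNewYork</w:t></w:r></w:p>'
    r'<w:p>'
    r'<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    r'<w:r><w:instrText xml:space="preserve">DDEAUTO "C:\Windows\System32\cmd.exe" </w:instrText></w:r>'
    r'<w:r><w:instrText xml:space="preserve">"/c echo constructed-sample"</w:instrText></w:r>'
    r'<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    r'<w:r><w:t>placeholder text shown to the reader</w:t></w:r>'
    r'<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    r'</w:p>'
)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_DOCX), ("lure", LURE_DOCX)):
        hits = suspicious_fields(blob)
        print(f"{label}: {len(hits)} suspicious field(s)")
        for h in hits:
            print("  ", h)
```

The scanner reads the raw XML rather than rendering the document, so it also catches fields hidden in headers, footers or other parts under word/. It is a triage rule, not a verdict: a field that invokes cmd.exe deserves a look, but the list of keywords should be tuned to what your environment expects to see in legitimate documents.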



WHAT’S IN THE SPOTLIGHT: 

DEFENSE POLICY BILL: The final version of an annual defense policy bill would require President Trump to develop a national policy for cyberspace and acts of cyberwarfare.

Such a strategy would need to address the use of offensive cyber capabilities to respond to attacks in cyberspace, according to the Senate Armed Services Committee’s summary of the compromise fiscal 2018 National Defense Authorization Act (NDAA).

However, the bill does not appear to set forth a distinct doctrine for cyber warfare, as the original Senate-passed version did. The Trump administration had objected to the provision, alleging that it infringed on the president’s authorities.

House and Senate lawmakers met to hash out the final bill over a number of weeks, releasing their own summaries on Wednesday. They plan to release the finalized text of the bill soon.

Past iterations of the defense policy bill have directed the executive branch to take actions to create policies for cyberspace. The 2017 bill passed late last year directed the administration to report to Congress on the military and nonmilitary options for deterring and responding to incidents in cyberspace.

As of mid-October, the report had not yet been completed.

Senate Armed Services Chairman John McCain (R-Ariz.) and others expressed frustration with the administration over the lack of a comprehensive cyber strategy at a hearing last month. McCain aired similar grievances during the Obama administration.

Currently, cyber responsibilities are scattered across multiple federal departments, including the Pentagon, Department of Homeland Security and Justice Department.

“The committees have long expressed their concern with the lack of an effective strategy and policy for the information domain, include cyber, space, and electronic warfare,” reads the summary of the NDAA conference report released by McCain and Armed Services ranking member Jack Reed (D-R.I.) on Wednesday.

“The conferees believe that it is long past time that the federal government develops a comprehensive cyber deterrence strategy, and it is the role of the Congress to guide and impel the creation of that strategy,” it reads.

The compromise bill includes a number of cyber-related provisions, including one that would require Defense Secretary James Mattis to conduct a review of the Pentagon’s cyber posture “with the purpose of clarifying U.S. cyber deterrence policy and strategy.”



IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Lewandowski: ‘Memory has been refreshed’ on Carter Page email after denying getting it. (The Hill)

Facebook anti-revenge porn program asks users for their nude photos. (The Hill)

Uber announces partnership with NASA on flying car service. (The Hill)

Senate panel approves online sex trafficking bill. (The Hill)

Opinion: Let’s not waste the Equifax crisis. (The Hill)

Opinion: We’re not putting up a fight against Russia’s cyber warfare. (The Hill)

Majority of Americans have not heard of multi-factor authentication. (CyberScoop)

Experts sound alarm over threats to satellites. (SpaceNews)

Justice, AT&T trade accusations over CNN sale. (The Hill)
