Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …
THE BIG STORIES:
–PENCE SAYS INTEL COMMUNITY CONCLUDED RUSSIA DID NOT IMPACT ELECTION: Vice President Pence on Wednesday said the U.S. intelligence community universally concluded that Russia did not have an effect on the outcome of the 2016 presidential election, despite the fact that officials have made no such judgment. “Irrespective of efforts that were made in 2016 by foreign powers, it is the universal conclusion of our intelligence communities that none of those efforts had any impact on the outcome of the 2016 election,” Pence said at an event hosted by Axios, a claim he later repeated. Pence went on to acknowledge that Russia did attempt to meddle in the election and said that the administration is taking steps to counter the threat. “It doesn’t mean there weren’t efforts, and we do know there were,” Pence said. “There were efforts by Russia, and likely by other countries, to involve or influence American elections and we take that very seriously.” The U.S. intelligence community has not reached a conclusion on whether Russian meddling actually had any bearing on the election’s outcome. “We did not make an assessment of the impact that Russia activities had on the outcome of the 2016 election,” an unclassified assessment released last January states. “The US Intelligence Community is charged with monitoring and assessing the intentions, capabilities, and actions of foreign actors; it does not analyze US political processes or US public opinion.” Top U.S. intelligence officials, including Director of National Intelligence Dan Coats and CIA Director Mike Pompeo, told lawmakers Tuesday that they expect Russia to attempt to meddle in the 2018 midterm elections. On Wednesday, Pence did not directly answer whether he agreed with that judgment but insisted the administration was taking steps to ensure that state election systems and U.S. infrastructure are guarded against future foreign interference efforts.
–QUESTIONS SWIRL OVER HOUSE INTEL’S BANNON SUBPOENA: As the House Intelligence Committee prepares to interview former White House chief strategist Stephen Bannon on Thursday, many are questioning what the committee will do if he refuses to testify even when subpoenaed. Bannon was subpoenaed by the committee in January after he declined to answer investigators’ questions in their probe into Russian interference in the presidential election. He is expected to appear before the committee Thursday, according to two Democratic lawmakers on the committee. Two senior Republicans leading the Russia investigation — Reps. Mike Conaway (Texas) and Tom Rooney (Fla.) — said separately they expect the former White House chief strategist to appear for a second interview this week. “We expect him to come under the subpoena, yes,” Conaway, the top Republican leading the investigation, said Tuesday.
But a handful of Democrats on the committee seemed less sure Bannon would comply with the subpoena. When asked Wednesday if he believes Bannon will appear, Rep. Eric Swalwell (D-Calif.) said he “hopes so.” “If subpoenas mean anything they will do something about it,” Swalwell added, referring to the majority.
–FTC NOMINEES PLEDGE FOCUS ON DATA BREACHES: President Trump’s nominees for the Federal Trade Commission (FTC) plan on making data breaches a top priority for the agency if they are confirmed. “They’re becoming much more significant, much more frequent, and I think that’s a real serious concern for us and I think we need to pay much more attention to it,” said Joseph Simons — a Republican antitrust lawyer nominated to chair the FTC — at a confirmation hearing before the Senate Commerce Committee Wednesday. The issue has been getting renewed attention following a year in which companies like Equifax and Uber revealed massive data breaches exposing millions of consumers. The Equifax breach gave hackers the sensitive personal information of more than 145 million people. And last year, Yahoo revealed that all of its 3 billion accounts were affected in a 2013 hack. The FTC, which is tasked with enforcing consumer protection and antitrust laws, has been operating with just two of its five commission seats filled since Trump took office over a year ago. Wednesday’s hearing was a small step towards returning the agency to its full strength. Trump nominated Simons and three others — two Republicans and one Democrat — to the FTC last month. He will still need to nominate one more Democrat for the FTC to be filled.
–SPEAKING OF DATA BREACHES: Lawmakers on the House Financial Services Committee held a hearing Wednesday examining current data security and breach notification standards. The lawmakers heard from a number of stakeholders in the private sector about steps the federal government could take to better protect consumers who have their information exposed to hackers. Many of the witnesses expressed the need for a national breach notification standard. “We currently have a thicket of 48 different state data breach notification standards. The variations between the state laws are not trivial and it’s unhelpful in the wake of a breach of personal information to have a company working with a team of lawyers to understand what requirements must be met in each jurisdiction,” Aaron Cooper, vice president of global policy at BSA | The Software Alliance, told the panel. Marc Rotenberg, president of the Electronic Privacy Information Center, said that it “simply takes too long today to tell people that their personal data has been compromised,” at one point citing the recent Equifax data breach that exposed personal data on over 145 million U.S. consumers. Rep. Blaine Luetkemeyer (R-Mo.), who chairs the subcommittee that called the hearing, noted at the outset that he is exploring legislation that would address the issue. “We have almost daily breaches now and the American public is clamoring for some sort of solution to some of these problems,” Luetkemeyer said. “We’re trying to put together a bill that hopefully will address some of the concerns and take into account some of the suggestions that you have given us this morning.”
A LEGISLATIVE UPDATE:
DEMS PROPOSE OVER $1 BILLION IN GRANTS FOR ELECTION SECURITY: A Democratic congressional task force convened to study U.S. election security on Wednesday unveiled new legislation to help protect voting infrastructure from foreign interference.
The legislation would authorize more than $1 billion in federal grants to help states replace outdated voting technology, train employees in cybersecurity and conduct audits of elections to ensure the accuracy of results.
It represents the latest push in Congress to address Russian interference in the 2016 presidential election through legislation and follows bipartisan efforts in the House and Senate to address election vulnerabilities and deter future foreign meddling.
The task force members are sponsoring the bill, which is informed by their meetings with former officials, state election officials and election security experts over the past six months. The task force also released a final report on Wednesday summing up their findings and recommendations.
The Democrats on Wednesday accused the Trump administration and Republicans in Congress of not doing enough to address the threat.
“The first primary of the election of 2018 is March 6, only 20 days away. The general election will take place in less than nine months,” Rep. Robert Brady (D-Pa.), one of the task force leaders, told reporters at a news conference. “We do not have a minute to waste.”
The new legislation, called the Election Security Act, would authorize $1.7 billion over the next decade to provide funds for state election officials to replace outdated paperless voting systems with new machines that provide a voter-verified paper backup, allowing for an audit in case a result is called into question.
The measure provides for a $1 billion cash infusion in the first year and $175 million nine years thereafter for states to maintain election security.
It would establish a $20 million grant program to provide states with funds to conduct “risk-limiting audits,” which check election outcomes by comparing a random sample of paper ballots to the corresponding digital results. Last year, Colorado became the first state to require such audits on a regular basis.
States would only be able to use funds allocated under the bill to purchase goods and services that are produced by election vendors designated as “qualified” by the Department of Homeland Security and the Election Assistance Commission.
In addition to authorizing grants, the legislation also would trigger a number of actions at the federal level.
Homeland Security would be required to “expand” aid to state election officials by expediting security clearances for these officials and starting risk and vulnerability assessments in states that ask for them within 90 days of the request.
The legislation would also require the director of national intelligence to conduct a “full-scope” assessment of threats to election systems at least six months before an upcoming general federal election.
Finally, the bill would direct President Trump to issue a strategy on how to protect American democratic institutions from cyberattacks, disinformation campaigns and other such operations.
A REPORT IN FOCUS:
The National Institute of Standards and Technology (NIST) is out with its draft report on the cybersecurity of the Internet of Things (IoT) and is asking for comments from stakeholders between now and mid-April.
The report, produced by NIST’s interagency cybersecurity working group, looks to provide a comprehensive definition of what constitutes IoT, as well as analyze a number of IoT applications — including connected vehicles, consumer IoT devices like connected thermostats and doorbells, and connected medical devices.
The report also aims to describe the objectives, risks and threats with respect to the cybersecurity of IoT devices.
“Given how the pace of IT innovation is magnitudes faster than the pace of development of supporting standards, it is critical to be forward looking about cybersecurity needs in the future operational environment,” the report states.
When it comes to risks, the report notes that “the proliferation and increased ubiquity of IoT components are likely to heighten the risks they present; particularly as cyber criminals work to develop new generations of malware dedicated to exploiting them.” It references the October 2016 distributed denial-of-service (DDoS) attack on web services provider Dyn that leveraged thousands of infected internet-connected devices.
“As the market for IoT components expands, it is critical that manufacturers design components with security in mind and system designers pay attention to new attack surfaces revealed with unforeseen emergent properties of these systems,” the report states.
These are only a few snippets from the full NIST draft report.
A LIGHTER CLICK:
A Democratic senator is worried about Tinder’s data security.
WHAT’S IN THE SPOTLIGHT:
CYBER THREATS TO ENERGY ASSETS: The Energy Department (DOE) is creating a new office to “bolster” its cybersecurity and energy security efforts.
The Office of Cybersecurity, Energy Security and Emergency Response, announced Wednesday, would support the department’s “expanded” national security responsibilities.
“DOE plays a vital role in protecting our nation’s energy infrastructure from cyber threats, physical attack and natural disaster, and as Secretary, I have no higher priority,” Energy Secretary Rick Perry said in a statement. “This new office best positions the Department to address the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today.”
The department said the new office would allow better coordination and focus on protecting energy infrastructure, like the electric grid, from cyber and foreign attacks as well as natural threats such as hurricanes and snowstorms.
Overall, President Trump is proposing a slight increase in the DOE’s budget for fiscal 2019 to $30.6 billion from the $30.1 billion in current funding. The White House budget released Monday proposes $96 million for funding.
However, the budget is merely a proposal. Congress has the final say on funding levels and would decide on the funding of the new office.
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
Gowdy demands answers on Porter’s security clearance. (The Hill)
OP-ED: Our critical infrastructure isn’t ready for cyber warfare. (The Hill)
OP-ED: Blockchain is not bitcoin — it’s far more. (The Hill)
A new search engine helps users sift through exposed Amazon Web Services (AWS) servers. (Motherboard)
Hackers compromised Winter Olympics’ IT provider months before Opening Ceremony cyberattack. (CyberScoop)
The Center for Strategic and International Studies released a report on countering threats to democratic institutions. (CSIS)
Iranian official accuses U.S. of spying with lizards. (CNBC)
Officials in Alabama are taking new steps to fight cyber crime. (Montgomery Advertiser)
Some think the National Guard could help protect elections from cyber threats. (FCW)
Emergency mobile phone alerts are bothering Olympic athletes and spectators. (The New York Times)