Overnight Cybersecurity: Cyber chief hasn’t received orders to disrupt Russian cyberattacks | Justices wrestle with digital privacy case | Hope Hicks testifies before House Intel | White House releases guidance on modernizing IT

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

 

THE BIG STORIES:

–CYBER COMMAND LEADER SAYS HE HAS NOT RECEIVED ORDERS FROM TRUMP TO DISRUPT RUSSIAN CYBERATTACKS: A top military cyber official told lawmakers on Tuesday that he has not received specific direction from the Trump administration to disrupt Russian cyberattacks targeting U.S. elections. “I haven’t been granted any additional authorities,” outgoing Cyber Command chief Adm. Mike Rogers, who also serves as head of the National Security Agency, told lawmakers on the Senate Armed Services Committee. While Rogers said he has not asked for additional authorities to stop Russian cyberattacks at the source, he noted that it would ultimately be up to President Trump to give him that permission. “I need a policy decision that indicates there is specific direction to do that,” Rogers said. “The president ultimately would make this decision in accordance with a recommendation from the secretary of Defense.” Rogers did say he has directed the cyber mission force, part of Cyber Command, to “begin some specific work” on the issue, but would not go into further detail on the steps in the unclassified setting. Democrats on the committee seized on Rogers’s comments as evidence that the administration has not done enough to counter future election interference. “Essentially, we have not taken on the Russians yet,” said Rep. Jack Reed (D-R.I.), the ranking member, who accused the administration of “essentially sitting back and waiting.” While Rogers pushed back on the notion that the administration has done nothing to counter Russian interference, he acknowledged that the response so far–which has included sanctions passed by Congress–has been insufficient in deterring such behavior. “They haven’t paid a price, at least, that has significantly changed their behavior,” Rogers said. At the same time, Rogers said confronting Russian hackers in the cyber realm would not necessarily be the “optimal” response to Moscow’s efforts to interfere in U.S. elections.
Rogers was grilled by lawmakers from both parties about the steps the government has taken to deter and respond to Russian efforts to disrupt American elections throughout the hearing, which was scheduled to examine the fiscal 2019 budget request for U.S. Cyber Command. He is due to retire later this spring. 

–HIGH COURT HEARS ARGUMENTS IN DIGITAL PRIVACY CASE: The Supreme Court wrestled Tuesday with whether the government can search and seize the contents of emails that technology companies store overseas in a potential landmark battle over information stored in the cloud. The case stems from Microsoft Corp.’s refusal to comply with a federal warrant for the emails of a customer that the government accuses of drug trafficking. Although the warrant was served on Microsoft’s headquarters in Redmond, Wash., the company said the warrant was invalid because the emails are stored in Dublin, Ireland, not the U.S. Justice Sonia Sotomayor asked why the justices shouldn’t just wait for Congress to resolve the issue, given the bipartisan bill that Sen. Orrin Hatch (R-Utah) has offered to make it easier for U.S. officials to create bilateral data sharing agreements and gain access to data stored overseas. She said the court is encroaching on the very thing its jurisprudence seeks to avoid, which is to create an international problem. The case could hinge on the court’s interpretation of the Stored Communications Act (SCA), which Congress passed in 1986 to protect the privacy of digital communications. Lawmakers carved out an exception to allow law enforcement to obtain a warrant for the content of stored communications. Microsoft argues that lawmakers deliberately used the term warrant in the law, which has territorial limits. Congress never intended to give law enforcement the power to search and seize communications stored overseas, the company says. The government rejects that argument, saying the law is focused on who is disclosing the information, not where it is being stored. “And we think the court should leave things as they are with the instrument that Congress authorized, operating on a person, and requiring that person to produce information regardless of whether it’s stored overseas,” Deputy Solicitor General Michael Dreeben said.
“Microsoft here made a unilateral decision to move information overseas,” he said. “Nothing in the law requires it. Nothing in the law prohibits it.”

–WHITE HOUSE AIDE MEETS WITH HOUSE INTEL IN RUSSIA PROBE: White House communications director Hope Hicks appeared before the House Intelligence Committee on Tuesday morning as part of the panel’s ongoing investigation into Russian election interference. The longtime member of President Trump’s inner circle has largely shied away from the cameras and rarely gives interviews on the record, and one lawmaker told reporters she wasn’t immediately answering all of the panel’s questions on Tuesday. Hicks’s initial House Intelligence interview in January was abruptly delayed amid uncertainty over whether she would cooperate with questioning after former White House chief strategist Stephen Bannon stonewalled the committee. It remained unclear to both Republican and Democratic lawmakers whether Hicks will seek to curtail her testimony as she arrived for the interview. When asked whether the White House has tried to limit the scope of the interview, the top Democrat on the committee said he wasn’t sure. “I don’t know if an agreement has been reached with the majority, so I don’t know what the status of that might be,” said Rep. Adam Schiff (Calif.) on Tuesday. “I guess we will find out when we get down there today,” Rep. Pete King (R-N.Y.) said. Two hours into the interview, Rep. Chris Stewart (R-Utah) told reporters that Hicks was leaving “some questions” unanswered, specifically those related to her time in the administration. Asked if she was also seeking not to answer questions related to the presidential transition, Stewart said that the committee had not reached that portion of questioning yet. “I’m going to go home and get some No Doze,” Stewart said, suggesting that the interview, which began at 10 a.m., would be lengthy. The day before, Schiff expressed optimism Hicks would “fully cooperate” but indicated concerns that she may try to circumvent questioning much as Bannon did.

 

A LEGISLATIVE UPDATE: 

WHITE HOUSE ISSUES FORMAL GUIDANCE ON IT: The White House on Tuesday issued formal guidance to federal agencies on implementing a law passed last year to help modernize information technology across the federal government.

The guidance released by the Office of Management and Budget (OMB) walks agency and department heads through the implementation of the Modernizing Government Technology (MGT) Act, which authorizes two different funding streams to help agencies replace legacy IT systems with newer, more efficient and secure technology.

“The MGT Act will allow agencies to invest in modern technology solutions to improve service delivery to the public, secure sensitive systems and data, and save taxpayer dollars,” OMB Director Mick Mulvaney wrote in a memo to leaders of executive branch agencies and departments on Tuesday.

The bipartisan measure was included as part of the 2018 annual defense policy bill, which President Trump signed into law late last year. It establishes a $500 million general technology modernization fund that agencies can borrow from in order to transition to new technology, in addition to allowing agencies to set up their own working capital funds for IT projects.

According to the guidance issued Tuesday, agencies will need to submit proposals to an interagency board in order to receive money from the general fund. The so-called Technology Modernization Board will be responsible for approving certain projects and making funding recommendations to the General Services Administration, which administers the funds.

The interagency board will be officially established on March 12, according to the guidance, and will be comprised of seven members, including Trump’s federal chief information officer Suzette Kent, who will serve as its chair. Trump appointed Kent, a financial services executive, to the top IT role in January, more than a year into his administration.

The board will also include a senior GSA official, a member of the Department of Homeland Security’s cybersecurity wing, the National Protection and Programs Directorate, and four federal government employees appointed by Mulvaney.

“The Board will evaluate and recommend for funding the proposals that show the strongest case for delivering on agency mission objectives and a strong likelihood of success,” the guidance states.

Agencies can begin submitting initial proposals on Tuesday. The law authorizes as much as $250 million in appropriations for the fund in each of the fiscal years 2018 and 2019.

 

A REPORT IN FOCUS: 

THE GROWING INSIDER THREAT: A growing number of cybersecurity professionals are worried about the threat of insider attacks, according to a report released by Haystax Technology and Crowd Research Partners.

The findings are drawn from survey responses from roughly 1,500 individuals in cybersecurity-related positions across a variety of companies.

In 2017, 90 percent of security professionals reported feeling vulnerable to insider attacks, up from 74 percent in 2016 and 64 percent in 2015, according to the survey.

“The main enabling risk factors include too many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the increasing complexity of information technology (35%),” the report states.

The research also found that increasing worries about insider threats have driven companies to rely on proactive monitoring of user behavior, over more conventional security methods like end-point protection.

“We expect this trend to continue in 2018 as artificial intelligence enhances [user behavior analytics] technologies,” the report states.

 

A LIGHTER CLICK:

President Trump is tapping his ‘digital guru’ as his 2020 campaign manager.

 

WHAT’S IN THE SPOTLIGHT: 

PAYPAL: PayPal reached a settlement with the Federal Trade Commission Tuesday over charges that its subsidiary Venmo had deceived customers about access to funds, privacy settings and data security.

The FTC had alleged that Venmo was misleading consumers by telling them that their balances on the service were available for transfer to external bank accounts but neglecting to inform them that the transfers could be delayed or negated after being reviewed by the company.

“Consumers suffered real harm when Venmo did not live up to the promises it made to users about the availability of their money,” Maureen Ohlhausen, the acting chairman of the FTC, said in a statement. “The payment service also misled consumers about how to keep their transaction information private. This case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one.”

The regulator said that users who changed a setting to limit the audience of their transactions in the app were not informed that they had to take an additional step to tighten their privacy controls.

PayPal spokesman Justin Higgs said that the company has taken steps to address the concerns since it purchased Venmo’s parent company in 2013.

As part of the settlement, Venmo is forbidden from making any more deceptive claims to its users and must obtain third-party compliance assessments every other year for the next decade.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Dems introduce legislation to stop FCC net neutrality repeal. (The Hill)

Poll: Americans increasingly believe Russia will try to interfere in midterms. (The Hill)

OP-ED: SEC, Congress take steps toward cyber accountability and transparency. (The Hill)

OP-ED: Breaking down the numbers in Trump’s proposed cyber budget. (The Hill)

Trump senior adviser Jared Kushner and other top aides lose access to top-secret intelligence. (Politico)

Bias within search engine results appears to be getting worse. (Technology Review)

Why a recent cyber exercise with European allies stands out. (Cyberscoop)

State agencies in Connecticut were targeted by ransomware. (NBC Connecticut)

Data analytics giant Splunk acquires startup Phantom Cyber. (Fortune)