Overnight Cybersecurity

Overnight Cybersecurity: Zuckerberg breaks silence on Cambridge Analytica | Senators grill DHS chief on election security | Omnibus to include election cyber funds | Bill would create ‘bug bounty’ for State

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

 

THE BIG STORY:

— SENATE INTEL HEARING ON ELECTION SECURITY: Lawmakers on the Senate Intelligence Committee on Wednesday questioned Homeland Security Secretary Kirstjen Nielsen and other current and former officials on cyber threats to U.S. elections. The hearing, part of the committee’s investigation into Russian interference in the 2016 presidential election, yielded fresh details on the federal government’s efforts to mitigate threats to digital voting infrastructure and exposed mounting concerns about future interference efforts. Lawmakers from both parties sounded the alarm over cybersecurity threats to this fall’s midterms. “This issue is urgent,” warned Chairman Richard Burr (R-N.C.). “If we start to fix these problems tomorrow, we still might not be in time to fix the system for 2018 and 2020.” Some lawmakers suggested that federal officials have not addressed the issue quickly enough. Sen. Susan Collins (R-Maine) at one point accused Nielsen of showing “no sense of urgency” on the issue. “We can’t wait. We can’t just be focused on November,” Collins said later during the hearing. Homeland Security officials were pressed on their efforts to award security clearances to election officials to view sensitive intelligence on cyber activity, a process that some state officials have criticized as too slow. Only 21 of 150 state election officials have received permanent security clearances, officials revealed, though they said they would provide time-sensitive threat information to states regardless of clearances. Nielsen defended the department’s efforts, saying it has prioritized election security and deployed officials to provide rigorous risk assessments to 19 states and localities.

 

{mosads}

–THE HEARING also featured testimony from former Homeland Security Secretary Jeh Johnson, who served under President Obama. He acknowledged that sanctions imposed in late 2016 haven’t done enough to penalize Moscow for its actions. “The sanctions we issued in late December have not worked as an effective deterrent and it is now up to the current administration to add to those,” he said in one of Wednesday’s more notable moments. The Trump administration, which has faced pressure to take tougher actions against Russia, rolled out new sanctions last week. Johnson also later revealed that he was worried about threats to outlets that report out election results in 2016. It led him to call the CEO of the Associated Press, which calls results, on election night 2016 “to ensure that he had enough redundancies in their system if there was a failure on election night.” “I was satisfied that they did, but it’s something to also focus on,” Johnson reflected. Jeanette Manfra, the top cyber official at Homeland Security’s National Protection and Programs Directorate (NPPD), later echoed his concerns.

 

–MANFRA told Sen. Kamala Harris (D-Calif.) that Homeland Security considers possible targeting associated with key swing states as part of its “risk-based approach” to election cybersecurity. The issue of vulnerability of vote-tallying machines also came up, with officials and lawmakers endorsing the idea of machines that also produce paper ballots to allow for audits to increase confidence in digital results. Currently, five states still rely on outdated paperless voting machines that do not provide voter-verified paper backups. There is debate within the security community over the actual hacking risk to voting machines, which are typically stored in secure locations and not connected to the Internet, hardening them to remote hacking threats. Still, Sen. Ron Wyden (D-Ore.) went so far as to suggest that all states move to paper ballots cast through mail, positioning the issue as a national security threat. Wednesday’s hearing took place one day after the committee released a summary of its report on election security. Lawmakers hope to release a declassified version of the report to the public later this week.

 

A CAMBRIDGE ANALYTICA UPDATE: 

ZUCKERBERG BREAKS HIS SILENCE: Facebook chief executive Mark Zuckerberg on Wednesday broke his silence on the controversy over his company’s dealings with Cambridge Analytica.

Zuckerberg in a Facebook post acknowledged that Facebook had “made mistakes.”

“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again,” Zuckerberg wrote.

Zuckerberg said Facebook is “working with regulators” that are examining the issue, likely a reference to the Federal Trade Commission (FTC) and officials in the United Kingdom.

Before Wednesday, Zuckerberg had not commented publicly on reports that Cambridge Analytica — a data firm tied to Stephen Bannon that worked for President Trump’s campaign — obtained Facebook information on more than 50 million users in the United States.

The data was provided by a researcher who created an app called thisisyourdigitallife, where an estimated 270,000 people willingly handed over personal information. The researcher then tapped into the friend networks of those users, creating the large data set given to Cambridge Analytica.

Facebook said the researcher, Aleksandr Kogan, and Cambridge Analytica had certified to the company that the data had been deleted in 2015, but had not done so.

In response, Facebook suspended Cambridge Analytica from its platform and opened an internal investigation.

“I started Facebook, and at the end of the day I’m responsible for what happens on our platform,” Zuckerberg wrote.

“While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn’t change what happened in the past. We will learn from this experience to secure our platform further and make our community safer for everyone going forward.”

Cambridge Analytica has denied any wrongdoing.

To read more from our piece, click here.

 

SOME LEGISLATIVE UPDATES: 

–A BUG BOUNTY PROGRAM FOR STATE: A pair of House lawmakers on Wednesday introduced legislation seeking to boost cybersecurity at the State Department.

Reps. Ted Lieu (D-Calif) and Ted Yoho (R-Fla.) are co-sponsoring the Hack Your State Department Act, which seeks to establish a Vulnerability Disclosure Program (VDP) as well as a so-called bug bounty program within one calendar year.

The bill, if passed, would require State to establish a VDP within six months and then a bug bounty program after one year, so that the department can better “identify and report vulnerabilities of internet-facing information technology.”

A bug bounty program invites outside hackers to participate in a cyber scavenger hunt of sorts to find digital vulnerabilities.

The symbiotic practice allows a company or organization the chance patch up security holes — from untraced malware to other unnoticed security system gaps — before a malicious agent can exploit them, while the hackers who first unearth such vulnerabilities receive a financial reward for their efforts.

The Lieu-Yoho legislation gives the secretary of State the room to determine which information technology should be included in the program, what type of vulnerabilities the program should specifically target, and the chance to identify which individuals and offices in the agency will be responsible for responding to and addressing security vulnerability disclosure reports.

State would be required to report the “number and severity” of security vulnerabilities annually to both the House Committee on Foreign Affairs and the Senate Committee on Foreign Relations.

The State Department faced scrutiny in 2014 after Russian hackers reportedly breached its unclassified email system, forcing the department to partially shut it down as it made security upgrades.

Lonnie Price, head of the department’s Cyber and Technology Security (CTS) directorate, told The Hill in December that the agency is seeing a worrisome increase in cyber threats against its systems.

“What we’re seeing … is there are heavy hitters going after our employees’ accounts,” said Price, who has served in various security and tech roles in his 30 years at State. “They’re looking for information, they’re looking for contacts.”

To read more of our piece, click here.

 

–A BILL ON THREATS FROM ARTIFICIAL INTELLIGENCE:  A key lawmaker wants to prepare the country for threats posed by artificial intelligence.

Rep. Elise Stefanik (R-N.Y.), chairwoman of the House Armed Services Subcommittee on Emerging Threats and Capabilities, introduced a bill Wednesday that would create an independent commission to study the country’s AI national security needs.

“Artificial intelligence is a constantly developing technology that will likely touch every aspect of our lives,” Stefanik said in a statement. “This legislation I have introduced today will develop a commission to review advances in AI, identify our nation’s AI needs and make actionable recommendations of what direction we need to take.”

She added that she hopes to fold the bill into the annual defense policy bill, which the committee is expected to work on in April and May.

Stefanik’s bill comes as China has made deep investment in AI, saying it wants to be the world leader in the technology by 2030.

Last month, Defense Secretary James Mattis questioned whether AI will change the fundamental nature of war.

“The fundamental nature of war is almost like H2O, OK, and you know what it is. It’s equipment, technology, courage competence, integration of capabilities, fear, cowardice — all these things mixed together into a very fundamentally unpredictable fundamental nature of war,” Mattis told reporters. “But I’m certainly questioning my original premise that the fundamental nature of war will not change. You’ve got to question that now. I just don’t have the answers yet.”

Stefanik’s bill would create an independent National Security Commission on Artificial Intelligence to review advances in AI, machine learning and related technology and identifying national security needs related to AI.

The commission would look at the competitiveness of the United States; ways to maintain a technological advantage; developments and trends in international cooperation and competition; ways to encourage more investment in private, public, academic and combined research; incentives to attract, recruit and retain leading talent; risks associated with the law of armed conflict; and ways to establish data standards.

The commission would provide near-term actionable recommendations to the president and the Congress, such as ways to better organize the federal government for AI, and then give actionable recommendations annually through 2020.

To read more of our coverage, click here.

 

 

A LIGHTER CLICK: 

Alert Nemo and Dory: MIT releases a robotic fish to help study ocean life. (Wired.)

 

WHAT’S IN THE SPOTLIGHT: 

OMNIBUS: Congressional leaders are hammering out a massive spending bill that will include money to help secure U.S. voting systems from cyberattacks.

Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said the omnibus bill would provide grants for election security during a hearing Wednesday, though he did not go into detail about the funding.

Sources told The Hill that the omnibus package is expected to include $380 million in election technology grants for states to secure digital systems involved in elections. It is also expected to include $307 million for FBI counter-intelligence efforts against Russian cyberattacks.

The money underscores efforts in Congress to address Russian interference in the 2016 presidential election, which included attempts to target voting-related digital systems in 21 states. Lawmakers have grown increasingly concerned that Russia will look to meddle in the 2018 midterm elections and beyond.

The Senate Intelligence Committee on Wednesday held a hearing on election security, one day after senators released a summary of recommendations on securing vote systems from cyberattacks. The report, the first product of the committee’s yearlong investigation into Russian interference, calls for the federal government to establish a voluntary grant program for states to boost cybersecurity.

“It is my understanding that the appropriators have taken care of, in the omnibus bill, an amount of money to be grants and other items — I don’t want to speak for what their language is going to be — that mirrors the research that this committee did,” Burr said Wednesday during the hearing.

Lawmakers are hoping to release the omnibus Wednesday night. President Trump has backed the bill.

To read more of our piece, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Lawmakers zero in on Zuckerberg. (The Hill)

YouTube introduces stricter policies on gun videos. (The Hill)

EU proposes major new tax on big tech companies. (The Hill)  

Co-founder of WhatsApp: ‘It is time. #deletefacebook‘. (The Hill)

GOP senator blocking Trump’s Intel nominee. (The Hill)

OP-ED: Blockchain will be key to security for ‘smart cities’ of the future. (The Hill)

OP-ED: Rivals and consumers will rein in Facebook, not regulation. (The Hill)

FBI announces timeline for its next-generation IT services contract. (NextGov)

Dem say Homeland Security chair ‘backtracked’ on election security hearing. (Rep. Bennie Thompson)

New NIST guide addresses legacy IT security. (CyberScoop)