This piece originally appeared on POLITICO on September 4, 2018.
By TIM STARKS
A BREACH OVER DATA BREACH — Amid a years-long standoff between rival industries and committees over federal data breach notification legislation, one House panel is plotting a move to go it alone — at least in the short run. Sometime this month, the House Financial Services panel might consider data breach notification and security legislation that applies only to the banking sector, a GOP committee aide told MC. The panel has been locked in an impasse with the House Energy and Commerce Committee, which has jurisdiction over the retail industry. That panel has typically written legislation more favorable to that sector; retailers have resisted proposals to make them adhere to the same security requirements as the financial services industry. Now, the Financial Services Committee wants to make some headway even if it has to do it by itself, using a modified existing draft bill written by Rep. Blaine Luetkemeyer as a vehicle, the aide said.
The idea, the aide said, is to advance data security and notification requirements for only financial institutions. Although the bill language isn’t finalized, it would first codify security requirements put in place after the Gramm-Leach-Bliley financial services and consumer privacy law was enacted in 1999. Beyond that, the aide said, the idea is to provide preemption from state law for those institutions that meet the requirements. That doesn’t mean, however, that all hope is lost for a complete measure. “We’re not backing away,” the aide said. The panel’s also aware there’s not much time left in the year to get something enacted. But, absent a deal, committee leadership and individual members want to “advance some sort of marker.”
“Congressman Luetkemeyer knows that updating our data security laws is critical for all consumers,” said spokeswoman Catherine Costakos. “He will continue his work with various stakeholders to ensure consumers across the nation are protected.”
WHY CAN’T WE BE FRIENDS — Perhaps you’ve read about the National Association of Secretaries of State bashing DEF CON, and DEF CON firing back, over its vote-hacking village last month. The bad blood is authentic, but it conceals a surprising development, Tim writes for Pros: The relationship between state and local election officials and ethical hackers is improving. “We’ve seen a 10-fold increase in participation from both state and local election officials since last year,” Jake Braun, who organized DEF CON’s Voting Village, told POLITICO following the conference. “We see a dramatic uptick on buy-in.” Those who participated this year say they’ve seen the sentiment spread, that hackers can be helpful to exposing flaws in equipment despite all the unpleasant headlines they generate. “I would rather have vulnerabilities that might exist in election process today or next year identified by enthusiastic attendees at DEF CON than identified on election day after we’ve had an issue,” said Amber McReynolds, who attended DEF CON as director of elections for the city and county of Denver. Read more here.
SITTIN’ DOWN WITH THE I.C.’S NO. 2 — While you vacationed in August, Martin sat down with Sue Gordon, principal deputy director of national intelligence, to find out how the clandestine community she has been a part of for 38 years — and which has come under intense criticism over the past two years — is getting along with the White House and Congress these days. “I have never seen it like it is, where issues are being played out in the media — publicly,” she said on the sidelines of a recent Defense Intelligence Agency summit in Omaha, Neb. “What you’re seeing is a really interesting struggle right now between source protection in a data abundant, relatively open world, and a Congress that really wants to provide oversight.”
And the White House? “Here’s the best indication I have about our relationship with the president: he meets with us regularly,” Gordon said. “We are in the meetings, we are in the conversations. Probably this president has more consistently met with the intelligence community than the previous one in person. Just like every president that I’ve seen, there are days that we please him, but most often than not we’re the people who depress him when we come in the room to tell him the things that are going on in the world.” Read the full Q & A here.
HOUSE SET TO MOVE CYBER LEGISLATION — The House today will vote on two cybersecurity bills, one on global supply chain risks and another on DHS’s Continuous Diagnostics and Mitigation program. The CDM bill (H.R. 6443), sponsored by Rep. John Ratcliffe, would require DHS to develop a strategy for the long-term, multibillion-dollar program that helps protect federal agencies. The supply chain bill (H.R. 6430), sponsored by Republican Rep. Peter King, would give DHS more power to impose requirements on foreign-connected suppliers who pose potential security risks, but not as much as the Trump administration is seeking. This week is also expected to bring consideration of legislation (H.R. 5576) sponsored by Republican Rep. Ted Yoho that would set up a process for the executive branch to detect, respond to and deter state-sponsored cyber threats.
IF YOU’VE GOT IT, FLEX IT — Unclear lines of authority and rarely exercised oversight powers could slow down a response to a devastating cyberattack on critical infrastructure, according to a new report from the Intelligence and National Security Alliance. “The regulatory authorities and policy guidelines pertinent to cyber emergencies are complex and relatively new,” the report notes in its introduction. “Consequently, they should be exercised regularly by the Department of Homeland Security (DHS), state and local officials, and their private sector partners.” That was one of several high-level takeaways from a November 2017 cyberattack simulation that brought together officials from several utilities in the Baltimore region. One of the other recommendations: Better clarity around the “safe harbor” provisions that give companies legal immunity for good-faith actions taken during an emergency. The report also urged governors to designate a “Unified Incident Commander” who can take charge of state-level response activities and coordinate with federal agencies.
WHILE WE WERE ON BREAK — Here’s what we wrote about for Pros while the newsletter was taking a hiatus: ES&S criticized DEF CON anew, and some Senate members weren’t pleased. … The FBI disputed a right-wing outlet’s account that Chinese hackers penetrated Hillary Clinton’s email server. … The FBI launched a website offering campaigns security advice. … Sens. Kamala Harris and Bernie Sanders got on board with an election security measure. … House Energy and Commerce leader made recommendations for improving a DHS vulnerability database. … “Industrial consumers of natural gas want Congress to ensure natural gas pipelines are protected against cyberattacks.” … The Senate confirmed Karen Evans to lead the Energy Department’s new cyber shop. … Barracuda Networks found that business email compromise scammers rarely used dicey links to lure victims.
The U.S. and its closest intel allies warned companies against deploying end-to-end encryption if they wanted to avoid a legislative fight. … NATO named a new director of its cyber research center. … An international group called on Congress to pass any election security legislation at all. … Estonia created a “cyber ambassador” role. … Germany is establishing a DARPA-style research agency for cyber. … Recorded Future determined that spam emails dropped off after implementation of Europe’s data privacy regulation.
FRIEND SUGGESTIONS — DHS and the FBI should work more closely with social media companies to clear their platforms of potential election meddlers, according to a bipartisan pair of senators. “Intelligence officials have made it clear that social media platforms will continue to be targets used to spread misinformation and sow discord,” Sens. Amy Klobuchar and Dan Sullivan wrote Friday in a letter to Homeland Security Secretary Kirstjen Nielsen and FBI Director Chris Wray. “Accordingly, we believe these threats require DHS and the FBI to work to ensure that there are open lines of communication between digital platforms and federal agencies in order to combat attacks against our political system.” The missive comes ahead of the Senate Intelligence Committee open hearing with testimony expected from top executives of Twitter, Facebook and Alphabet, Google’s parent company.
NO TIME TO WASTE — IoT security represents a major gap in the federal government’s regulation of consumer and business technology, according to a paper by two cyber experts, one of them a former NSA IoT researcher. “The federal government lacks clear and consistent policies on educating civil servants, contractors, and other employees who interact with IoT devices on a day-to-day basis,” wrote Deb Crawford of North Carolina State University and Justin Sherman of Duke University in a paper published Aug. 30 in the Journal of Cyber Policy.
The problem is especially acute, they wrote, in the federal procurement space: “The federal government has not specified the level of IoT security standard required to engage with private-sector contractors, nor have they specified the vetting process for purchasing foreign-made IoT devices. Federal agencies and contractors are thus left without clear IoT security guidance.” The duo recommended that the Federal CIO Council “establish common criteria for services and products, and create security and privacy policies for government-wide IoT components,” paired with security-focused changes to federal procurement rules.
PLANS FOR THE NEW DHS CENTER — DHS has set up some 90-day “sprints” to determine how it can make its National Risk Management Center useful to industry, a top department official told WJLA’s “Government Matters” over the weekend. “We set a number of 90-day sprints that will kind of manifest on November 1. Some of those actions were internal, like ‘What does our charter look like for the risk management center? What is our governance process for working with industry? How can industry put their requirements into the center?’” said Chris Krebs, undersecretary of DHS’s main cyber wing. “When I think about my authorities at DHS, they’re almost exclusively voluntary. So, what I need to be able to do is understand what industry needs, what the demand signal is, and I can take that demand signal and craft a series of programs that satisfy an industry need.”
TWEET OF THE DAY — An undercovered oversight.
— Trend Micro spotted some suspicious websites mimicking a portal used by U.S. senators and their staffers. Associated Press
— An ES&S company official elaborated on its unhappiness with the DEF CON Voting Village. CyberScoop
— The United States’ counterintelligence chief said China is using LinkedIn to recruit spies. Reuters
— Experts are worried about Google’s China-made security keys. Motherboard
— A State Department inspector general report found security flaws in its visa analysis system. Nextgov
— Georgia blocked foreign internet traffic to its online voter registration site, a move some criticized as a useless security gesture that could impede absentee voters. BuzzFeed
— Michigan’s secretary of state candidates are prioritizing election security. Michigan Live
— California’s governor signed an election security measure into law. ABC 7
— Nevada’s election security steps. Las Vegas Review Journal
— Denmark’s military intelligence agency warned banks about foreign hackers. Bloomberg Law
— The United Arab Emirates has been using Israeli spyware. The New York Times
— Foreign Policy wrote about “The Rise of the Cyber-Mercenaries.”
— A Google employee hacked its doors. Forbes
— “Hackers Are Exposing An Apple Mac Weakness In Middle East Espionage.” Forbes
— Hackers again say they have gotten into John McAfee-backed “unhackable” Bitfi wallet. TechCrunch