POLITICO's Morning Cybersecurity: Q&A with FTC’s Thomas Pahl — Major Russian hacker due for sentencing this week — Time for ‘heavy artillery’ in cyber fight, DHS head says

By Tim Starks | 04/19/2017 10:00 AM EDT

With help from Eric Geller, Martin Matishak and Darius Dixon

BETTER, CLEARER, SMARTER - Thomas Pahl may be the federal government's top cybersecurity regulator. As acting director of the FTC's Bureau of Consumer Protection, Pahl's job is to hold companies accountable for misleading customers about their data security protections. But amid a steady stream of data breaches like the two massive Yahoo hacks disclosed last year, the private sector has complained that the FTC's guidelines are too vague to follow. To address businesses' concerns, the agency announced this week that it was reviewing its closed data security investigations for lessons that could improve its guidance.

"What we're trying to do is go back and look at some of those decisions that were made by the FTC - its closed matters - and see if there are ways that we can explain the fact pattern," Pahl told Eric in a Q&A for Pros. That way, he said, "industry can figure out, by comparing a case that we've brought to a case that we didn't bring, where they should go in terms of making [decisions] on various practices and procedures that they adopt with regard to data security." Many companies "genuinely want to comply with the law," Pahl added, and the goal here is "to find ways of helping bring into compliance those who are interested in doing so."

As cyber criminals grow more sophisticated, massive data breaches have multiplied. Hackers have struck LinkedIn, Home Depot, Anthem, Target, Sony, Yahoo and other major companies across the spectrum. Consumer advocacy groups want the FTC to get tougher on businesses that don't take cybersecurity seriously, but Pahl rejected the idea that the agency hasn't been a rigorous watchdog. "Looking at what we're doing in terms of law enforcement should belie the idea that somehow we are not taking problems seriously or taking actions to deal with it," he told Eric. Pros can read the full Q&A here.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! The "unicorn of mollusks" will ruin unicorns for you. Send your thoughts, feedback and especially tips to tstarks@politico.com, and be sure to follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.

THIS WEEK: MAJOR CYBER CRIME SENTENCING - A Russian hacker will be sentenced Friday in Seattle for what prosecutors say is approximately $170 million in known financial losses. "This prosecution is unprecedented," reads the sentencing memo for Roman Seleznev, who was convicted in August on 38 counts. "Never before has a criminal engaged in computer fraud of this magnitude been identified, captured, and convicted by an American jury." The U.S. Attorney for the Western District of Washington is seeking a minimum sentence of 30 years. "His victims include over 3,700 different financial institutions, over 500 businesses around the world, and millions of individual credit card holders," the memo states. "Simply put, Roman Seleznev has harmed more victims and caused more financial loss than, perhaps, any other defendant that has appeared before the Court." Seleznev's father serves in the Russian parliament.

HAJIME VS. MIRAI: THE GODZILLA VS. RODAN OF BOTNETS? - Two worms are competing to infiltrate internet-connected devices, researchers say: Mirai, which most prominently converted those devices into a botnet army that took down major websites in the fall; and Hajime, which bills itself as a good-guy attempt to block other threats. Symantec determined that Hajime is indeed blocking ports that Mirai is targeting. But the security firm said in a blog post Tuesday that "there is a question" about whether the author of Hajime "is a true white hat and is only trying to secure these systems." The firm warned that the "design of Hajime also means if the author's intentions change, they could potentially turn the infected devices into a massive botnet." Other researchers have weighed in on the fight as well. "What most disturbs me here is the fact that this trend is likely to stay with us for at least a couple of years," said Itsik Mantin, director of security research at Imperva, via email. "Existing botnets remain active until the devices are patched or retired, which in [internet of things] devices can take years."

YOUR GUESS IS AS GOOD AS HIS - "We're all waiting with bated breath" for President Donald Trump's oft-delayed cybersecurity executive order, Homeland Security Secretary John Kelly said Tuesday in his first prominent public speech since taking the job. Appearing at George Washington University, Kelly laid out an alarming picture of the cyber threat against the United States. In portions from his prepared remarks that were skipped over during delivery of the speech, Kelly also warned that the "plodding pace of bureaucracy" could slow down the cyber fight. "We're leading the charge in upgrading outdated systems. Part of that is partnering with industry," his prepared remarks state. "By integrating their cutting-edge, commercially available technology with our interagency partner's unique capabilities, we can aggressively defend our federal networks against the endless stream of cyberattacks." He added: "No more muskets; our federal cybersecurity needs heavy artillery."

PASSWORD IS VISA123 - A coalition of nearly 30 civil liberty and privacy advocacy groups has launched a campaign aimed at preventing law enforcement from searching a visa applicant's phone or laptop when they travel. The FlyDontSpy.com coalition, led by Access Now, asks supporters to sign an online petition to Kelly opposing any attempts at so-called password for entry. "Even if you support 'extreme vetting,' password for entry is an extremely bad idea that sacrifices privacy and digital security for political posturing and 'security theater,'" said Nathan White, Access Now's senior legislative director. "We're launching this campaign today to make it clear to Secretary John Kelly that we will not tolerate discrimination or a reckless disregard for privacy and cybersecurity." Evan Greer, campaign director at Fight for the Future, said asking people to "hand over the passwords to their accounts will make all of us less safe, not more safe. Not only does it undermine our basic right to privacy and have a chilling effect on free speech, but it will inevitably make our information more vulnerable to hackers, identity thieves and stalkers."

REPORT CALLS FOR BETTER FED-STATE CYBER PLANS - Via our friends at Morning Energy: State and federal agencies still need to better lay out their roles and responsibilities in the event of a cyberattack that knocks out energy infrastructure for an extended period of time, according to a new Energy Department report. The 25-page exercise summary, which stems from a multi-state exercise in December that looked at how different agencies might respond to a massive power outage that also knocked oil refineries offline, included several findings concerned with gaps in communication between agencies, as well as with the public. "DOE should identify opportunities to best align and communicate coordination procedures with states and industry for cyber incidents in the energy sector," the report recommends. It also urges DOE to help state regulators develop new ways of determining what kind of cybersecurity expenses utilities can pass on to their customers. The report was prepared by the National Association of State Energy Officials and DOE's Office of Electricity Delivery and Energy Reliability.

NEW EYES ON UPGRADING THE FRIENDLY SKIES - Transportation Secretary Elaine Chao plans to appoint her chief of staff, Michael Britt, to a new position focused on upgrading the FAA's electronic infrastructure and computer systems, our Pro Transportation colleagues confirmed Tuesday. Britt, who joined the Transportation Department in January after a four-year stint as an executive at Ultimate Fighting Championship, will now be a senior adviser for FAA modernization. In that role, he will be DOT's liaison to the White House and the FAA, according to The Hill, which first reported the move.

The FAA has been plagued by cybersecurity problems for years. Two 2015 GAO reports noted that the agency's cyber defenses needed serious work, and in February of that year, a virus spread through the FAA's administrative network. After the release of the second GAO report, Sen. Chuck Schumer warned of digital attacks on the air traffic control system. "If the Sony hacking was bad," said Schumer, who is now the Senate minority leader, "imagine how much worse the hacking of the FAA computer system could be with thousands of planes in the air."

Trump has also criticized the U.S. air traffic control system, calling it "obsolete." "I hear we're spending billions and billions of dollars" on system upgrades, Trump said in February. "It's a system that's totally out of whack."

TWEET OF THE DAY - A rather novel form of DDoS.

RECENTLY ON PRO CYBERSECURITY - The Council of the European Union is looking at ways to sanction countries that engage in cyber warfare. ... Senate Homeland Security Committee leaders urged Trump to fill inspector general vacancies at the Defense Department, NSA, CIA, intelligence community and others. ... The Pentagon's Defense Innovation Unit Experimental program that reaches out to high-tech companies awarded 13 agreements through the first half of this fiscal year.

REPORT WATCH

- Around 63 percent of information technology professionals aren't confident that their organizations can track or manage all the various internet-connected devices on their networks, according to a new survey from Lieberman Software Corporation. Meanwhile, 80 percent of IT pros are worried about cyberattacks coming from those devices, according to the study, which was conducted among nearly 160 attendees at the major RSA Conference.

PEOPLE ON THE MOVE

- Anthony Ferrante, a former top National Security Council cyber official in both the Trump and Obama administrations, is joining FTI Consulting as a senior managing director in the forensic and litigation consulting segment of the firm's global risk and investigations practice. Ferrante is the former director for cyber incident response and cybersecurity policy at the NSC, where he led the development of a presidential policy directive that codified the government's chain of command when responding to cyber incidents. Ferrante also once served as the FBI's cyber division chief of staff. Ferrante is currently an adjunct professor of computer science at Fordham University's Graduate School of Arts and Sciences, where he also is the co-director of its cybersecurity research program.

QUICK BYTES

- The FBI used a former British spy's dossier on Trump to support its request to surveil Trump campaign associate Carter Page. CNN.

- It's hard to tell whether U.S. cyber operations are messing with North Korea's missile program. The New York Times.

- The Justice Department is lacking in some key job posts, including its national security division. The Washington Post.

- "D.C. appeals court poised to rule on whether police need warrants for cellphone tracking." The Washington Post.

- Motherboard goes inside the "stalkerware" market.

- A former NSA manager will serve as Rhode Island's first cybersecurity officer. Providence Journal.

- The New Yorker considers the fallout from Trump's wiretapping claim.

- Former DHS Secretary Michael Chertoff said the United States should look at hacking North Korea's weapons systems. Nextgov.

- "Three indicted in Florida for using stolen IDs to file tax returns claiming more than $6.8 million in fraudulent refunds." Justice Department.

- Trump vs. his administration vs. Russia. The Washington Post.

That's all for today. Blech.

Stay in touch with the whole team: Cory Bennett (cbennett@politico.com, @Cory_Bennett); Bryan Bender (bbender@politico.com, @BryanDBender); Eric Geller (egeller@politico.com, @ericgeller); Martin Matishak (mmatishak@politico.com, @martinmatishak) and Tim Starks (tstarks@politico.com, @timstarks).

To view online:
http://www.politico.com/tipsheets/morning-cybersecurity/2017/04/q-a-with-ftcs-thomas-pahl-219853
