By Tim Starks | 05/18/2017 10:24 AM EDT
With help from Cory Bennett, Eric Geller and Martin Matishak
A WELCOME CHANGE, FOR A CHANGE - A coalition of House and Senate Democrats and Republicans dropped legislation Wednesday that serves as the first answer to the recent global ransomware outbreak, an outbreak widely believed to be triggered by the leak of an NSA hacking tool. The new bill would make permanent, but alter, the current Vulnerabilities Equities Process that decides when the federal government discloses software vulnerabilities. And the bill - known as the PATCH Act - got a joyous reception from the tech industry, cybersecurity experts and civil liberties groups who consider the current process biased toward hoarding vulnerabilities.
"The PATCH Act is a critical step forward to reform this broken process," said Information Technology and Innovation Foundation Vice President Daniel Castro. "The legislation will bring needed transparency to the vulnerabilities equities process and balance national security interests with economic interests. Moreover, disclosing vulnerabilities to companies in a timely manner will allow them to develop patches sooner and help keep the nation secure."
Andi Wilson, policy analyst at New America's Open Technology Institute, said the legislation makes necessary changes. "One of the most critical components of a strong vulnerabilities review process is that it apply to absolutely all vulnerabilities in the government's possession, not just the ones that the intelligence community chooses to put into the process," Wilson said. The Coalition for Cybersecurity Policy and Law also issued a supportive statement: "The events of the past week clearly demonstrate the real-world consequences of exploited vulnerabilities. Governments have a critical role in getting vulnerability information to organizations capable of acting to protect security in a timely manner upon discovery."
HAPPY THURSDAY and welcome to Morning Cybersecurity! Your MC host is just catching up on Patriothole, which was pretty great. Send your thoughts, feedback and especially tips to email@example.com, and be sure to follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.
THE 6 P.M. NEWS DUMP, WEDNESDAY EDITION - The Justice Department late Wednesday appointed a special prosecutor to investigate Russia's alleged meddling in the 2016 election, including whether the Trump campaign coordinated with Moscow on those interference efforts. Deputy Attorney General Rod Rosenstein tapped Robert Mueller - who led the FBI from 2001 to 2013 - to take the reins of the probe, bringing a widely respected, mostly apolitical figure to an investigation that has generated considerable partisan bickering. The DOJ's move was made under intense pressure from Capitol Hill Democrats - and some Republicans - who are still peeved over Trump's sudden dismissal of FBI Director James Comey.
Democrats and Republicans applauded the move, as did a number of cyber-focused lawmakers on the House and Senate Intelligence committees, which are conducting their own probes into Russia's apparent hacking campaign during the election. Sen. Dianne Feinstein, an Intel panel member and the top Democrat on the Judiciary Committee, called it "a good first step to get to the bottom of the many questions we have about Russian interference in our election." Sen. Ron Wyden, another Intel panel member and one of the upper chamber's most frequent cybersecurity voices, vowed, "I am going to bird-dog this every step of the way to be sure that former Director Mueller is given the broad scope and resources he needs to conduct a thorough investigation." Over in the House, Intelligence Committee ranking member Adam Schiff said Mueller's appointment "will help re-establish public confidence" in the FBI's probe.
- MUELLER? MUELLER? - Here's a backgrounder to get you up to speed on Mueller. Interestingly enough, his most recent gig has been working with Booz Allen Hamilton to review the government contractor's security protocols after two Booz Allen employees - Edward Snowden and Harold Martin - pilfered reams of sensitive information from the NSA, rattling the intelligence community and exposing government secrets.
SENATE CYBER PIONEER LIEBERMAN INTERVIEWS FOR FBI - Former Sen. Joe Lieberman, who led a fight to pass the first major cybersecurity legislation alongside Sen. Susan Collins, interviewed Wednesday for the job of FBI director. The 2012 Collins-Lieberman legislation was chock full of cyber provisions but never advanced in the Senate because of industry and Republican opposition. It did, however, contain information sharing language that formed the root of the landmark 2015 cyber law, and its language on voluntary industry standards inspired a White House effort that led to creation of technical standards agency NIST's cybersecurity framework.
Lieberman and Collins were also instrumental in creating the Department of Homeland Security, which is sometimes at odds with the FBI over cyber incident response. Lieberman was an advocate for expanding the DHS's cybersecurity role despite failings of Einstein, DHS's government-wide intrusion detection program. "I'm a big admirer of the DHS," he told Cory in a 2015 interview about the Office of Personnel Management breaches. "Although there had been screw-ups with the Einstein programs, I still felt that DHS was doing a pretty good job." But Lieberman conceded that the OPM hack had slightly diminished his view of the job DHS was doing. He also advocated, in the same interview, for digital retaliation against the OPM hackers.
WHAT'S NEXT FOR MGT ACT? - The House passed a bill (H.R. 2227) Wednesday by voice vote that's designed to upgrade federal government computer systems, but that was always the easy part. Similar legislation passed the House late last year, but it didn't make it through the Senate. This year's edition of the Modernizing Government Technology Act comes with a reduced price tag - it authorizes $500 million over two years, instead of a one-time $3 billion investment. Bill sponsor Rep. Will Hurd told MC he's "absolutely" confident the Senate will act on it this year because of negotiations that have occurred since last year's bill fell short. "That's what we've been doing since" last year, Hurd said. "We've been working with my Senate friends on that side, with staff there, making sure we understand their concerns with this. And so we have had a number of conversations before we dropped the original bill."
Senate appropriators Jerry Moran and Tom Udall are sponsors of the companion legislation (S. 990), and Hurd said that could help with getting the money allocated. Their legislation is in the hands of the Senate Homeland Security Committee. A panel spokeswoman said, "Committee staff is reviewing the bill."
- AND NEXT ON HURD'S AGENDA: Once the MGT Act "goes to bed," Hurd said at a VMware summit Wednesday, he plans to turn to his idea for a cyber national guard. Hurd, who chairs the Oversight Subcommittee on Information Technology, wants to offer scholarships to cyber experts who would serve in government for a while, then move to industry, and finally devote some period of time - like one weekend a month - working back for government. After that, he wants to figure out how to improve the quality of cybersecurity information the government shares with industry.
CISOs ON THE HILL WRAPS - Today is the last day for the National Technology Security Coalition's inaugural DC fly-in. The three-day event has seen chief information security officers from around the country visit with lawmakers and government officials to discuss the group's cybersecurity priorities. "Our 2017 legislative agenda includes many important issues such as national data breach notification legislation, the way we share threat intelligence information through private/public sector exchanges, and strong, protected encryption," NTSC President Larry Williams said in a statement. Patrick Gaul, the group's executive director, added that the CISOs' "presence on the Hill not only helps us deliver our policy messages but also reinforces NTSC as the primary resource for federal policymakers on technology security issues important to businesses."
GETTING SERIOUS ABOUT ELECTION SECURITY - Politicians at all levels of government must turn cybersecurity into a mainstream issue in order to reduce digital vulnerabilities to the election system, according to a new Council on Foreign Relations brief. "A comprehensive strategy should heighten the political attention cybersecurity receives in efforts to ensure the integrity of elections," wrote David Fidler, a CFR adjunct senior fellow for cybersecurity, in a paper released Wednesday. Fidler praised the Department of Homeland Security's decision to label elections critical infrastructure - putting them on par with hospitals and banks - and said other countries should follow suit. He also encouraged governors to offer all necessary support to the National Association of Secretaries of State's election cybersecurity task force and urged state attorneys general to "raise the political profile of election cybersecurity" in their own meetings.
"Democracies should emphasize election cybersecurity's importance in protecting the human right to vote in free and fair elections," Fidler wrote. "European democracies should pursue this goal in the European Union and Council of Europe and seek action in the U.N. human rights system, such as updating the authoritative guidance on voting rights issued in 1996 to address, among other things, election cybersecurity."
YOU'VE GOT A FRIEND IN ME - The American and Dutch governments on Wednesday announced a joint initiative to improve collaborative cybersecurity research. The two sides will offer $2.6 million in funding to joint U.S.-Dutch research teams. The program will fund up to five research proposals focusing on industrial control systems; distributed denial-of-service, or DDoS, attacks, which involve flooding targets with traffic to disable them; and threats to the Domain Name System, which routes internet traffic. "Cybersecurity concerns do not stop at national borders," said Robert Griffin, the acting head of DHS's science and technology arm, in a statement. The program, he added, will fund research to "develop capabilities that will benefit both countries." The two nations will jointly review all proposed research projects before an international committee with members from both countries selects the winners. DHS also said it was "working on similar bilateral agreements with its other international partners."
PASSWORD IS WINTERWHITEHOUSE45 - Reporters tested the cybersecurity at Trump's Mar-a-Lago resort - which he has occasionally dubbed the "winter White House" - and found that "any half-decent hacker could break in." The folks at ProPublica and Gizmodo teamed up to test three other Trump properties he has visited as president and found "weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information."
"Those networks all have to be crawling with foreign intruders, not just ProPublica," Dave Aitel, chief executive officer of cyber firm Immunity, told the publication. The discovery adds to the security concerns about Trump's properties that POLITICO reported on earlier this year. A Trump Organization spokeswoman said the business follows "cybersecurity best practices," adding, "we are confident in the steps we have taken to protect our business and safeguard our information."
TWEET OF THE DAY - If you don't show up, they assume you're too secure to participate.
RECENTLY ON PRO CYBERSECURITY - The Senate Intelligence Committee wants memos from fired FBI Director James Comey detailing his conversations with the White House about the Russia investigation. ... Sen. Tim Kaine said that if the memo contents are true, Trump is on the precipice of having committed obstruction of justice. ... Sen. Ben Sasse said all of Comey's Trump notes should be turned over to Congress. ... More Hill Republicans want Comey to testify before Congress. ... House Speaker Paul Ryan says some people are trying to hurt Trump and Congress should be "sober" when considering allegations that Trump asked Comey to call off an investigation into former national security adviser Michael Flynn.
A top House appropriator suspects a yearlong fiscal 2018 stopgap spending bill looms. ... "House Chief Administrative Officer Philip Kiko urged lawmakers today to rubber-stamp a $13 million boost for the next fiscal year to help the chamber fight hackers."
- Chinese state media points the finger at the NSA over the ransomware outbreak. Reuters.
- Chertoff Group leaders in Forbes write about health care cybersecurity.
- Cyber wake-up calls date back to the 1980s. NPR.
- Security companies have a "boy who cried wolf" syndrome vis-a-vis big crises. Los Angeles Times.
- Romania's foreign ministry says it was the target of a cyberattack, probably by a nation state. ABC News.
- Lawfare's analysis of the VEP bill.
That's all for today. Ah, coal, the vegetable that comes from mountains.
Stay in touch with the whole team: Cory Bennett (firstname.lastname@example.org, @Cory_Bennett); Bryan Bender (email@example.com, @BryanDBender); Eric Geller (firstname.lastname@example.org, @ericgeller); Martin Matishak (email@example.com, @martinmatishak) and Tim Starks (firstname.lastname@example.org, @timstarks).