By Tim Starks | 04/20/2017 10:00 AM EDT
With help from Eric Geller and Martin Matishak
FIRST IN MC: WYDEN SEEKS SENATE SECURITY UPGRADE - Sen. Ron Wyden will ask the Rules Committee today to direct the Senate Sergeant at Arms to improve network security measures for staffers and lawmakers. Specifically, Wyden wants a mandate that all Senate information technology systems require multiple ways of verifying user identities when logging on. "Today, the Senate neither requires nor offers two-factor authentication as an additional protection for desktop computers and email accounts," Wyden writes in a letter to Committee Chairman Richard Shelby and top Democrat Amy Klobuchar. The Sergeant at Arms does require two-factor authentication for logging into its systems from home, but Wyden would like to see it expand to all occasions. "It is critical that the legislative branch is able to secure our systems from hackers and foreign governments," Wyden's letter reads.
SPIES TIE FISA RENEWAL TO CYBERSECURITY - The intelligence community on Wednesday argued that powerful foreign surveillance programs set to expire at the end of the year are vital to the country's cybersecurity efforts. The Office of the Director of National Intelligence made its case in a new Q&A published on Section 702 of the Foreign Intelligence Surveillance Act, which lawmakers must renew before 2018. The fact sheet argues that the 702 programs - which enable the government to snoop on foreigners' digital communications - help collect "information about the intentions and capabilities of weapons proliferators and other foreign adversaries who threaten the U.S." These findings "inform cybersecurity efforts," the missive says, adding that, "losing these authorities would greatly impair the ability of the United States to respond to threats and to exploit important intelligence collection opportunities."
The explainer comes as lawmakers get ready to return to Washington and roll up their sleeves on legislation to reauthorize - and possibly revise - the snooping programs. The White House, and the chairs of the House and Senate Intelligence committees, have said they want a "clean" reauthorization, with no changes. But surveillance critics - a coalition of libertarian-leaning Republicans and privacy-minded Democrats - want to use the deadline as leverage to push for alterations, such as boosting transparency over the number of Americans whose communications are incidentally sucked up via 702's eavesdropping programs.
HAPPY THURSDAY and welcome to Morning Cybersecurity! This kinda stuff is just such a tease. Send your thoughts, feedback and especially tips to email@example.com, and be sure to follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.
TODAY: TRUMP DUE TO MISS CYBER PLAN DEADLINE - Our Eric joins Edward Isaac-Dovere and Matthew Nussbaum on the story out this morning. "President-elect Donald Trump was very clear: 'I will appoint a team to give me a plan within 90 days of taking office,' he said in January, after getting a U.S. intelligence assessment of Russian interference in last year's elections and promising to address cybersecurity. [Today] Trump hits his 90-day mark. There is no team, there is no plan, and there is no clear answer from the White House on who would even be working on what."
Trump appointed former New York City Mayor Rudy Giuliani to head up an effort to collaborate with industry on cybersecurity, among other ambiguities. "The National Security Council would normally be involved in creating such a report," the trio write. "But on Wednesday, an NSC spokesperson told POLITICO that he was unaware if the NSC was in charge of compiling it, or if that responsibility fell to Giuliani - or if the report exists." Further, a "White House spokesperson wouldn't directly address why the deadline was missed. 'The president has appointed a diverse set of executives with both government and private sector expertise who are currently working to deliver an initial cybersecurity plan through a joint effort between the National Security Council and the Office of American Innovation,' said Trump deputy press secretary Lindsay Walters, referring to the office run by Trump's son-in-law and top aide Jared Kushner."
WHAT A COINCIDENCE - A Russian think tank connected to President Vladimir Putin drafted a plan to tilt the 2016 presidential election to Donald Trump, Reuters reported. The Moscow-based Russian Institute for Strategic Studies - operated by retired senior Russian foreign intelligence officials appointed by Putin - drew up two documents that informed the Kremlin's alleged election tampering that eventually aimed to help install Trump in the Oval Office, according to current and former U.S. officials.
The first paper, written last June, suggested a propaganda campaign on social media and Russia-backed news outlets in the U.S. could help persuade voters to support a more Moscow-friendly candidate, the officials said. The second strategy document, drafted in October, warned that Hillary Clinton was going to win in November and recommended putting all efforts into undermining her reputation and the U.S. electoral system. In a statement, a spokesperson for Sputnik called allegations that it partook in an influence campaign an "absolute pack of lies."
LIFE WITHOUT CHAFFETZ - With House Oversight Committee Chairman Jason Chaffetz's decision not to seek reelection in 2018, Congress is set to lose one of its most aggressive cyber watchdogs. Chaffetz has been a key player in many cyber policy debates, particularly in his capacity as head of the powerful Oversight panel. He has aggressively prodded agencies to improve their cyber defenses, railing against the Office of Personnel Management after its massive data breach and calling for its chief information officer to resign.
The five-term Utah Republican has been working on cyber issues since at least 2011, when he served on the House Cybersecurity Task Force. In late 2016, when his panel released a report on the OPM hack, Chaffetz voiced concerns about cyber vulnerabilities at the Education Department, insisting that a hack there could be "the largest data breach that we've ever seen in the history of our nation." He also touted a key takeaway from the Oversight panel's report: the need to adopt a "zero-trust model" where all network activity is monitored.
Chaffetz's impending departure may also complicate the passage of IT modernization legislation. Despite initial skepticism, Chaffetz eventually endorsed a bill - co-sponsored by House Minority Whip Steny Hoyer and Rep. Will Hurd - that would create a $3 billion IT modernization fund. "It's time to stop wasting tax dollars and move government into the 21st century," he said in September when the Oversight Committee approved the bill.
IRAN CYBER THREAT FIGURES INTO TRUMP REVIEW - Secretary of State Rex Tillerson said the cyber threat from Iran will be part of a comprehensive review of U.S. policy on Iran across the government. "A comprehensive Iran policy requires that we address all of the threats posed by Iran, and it is clear there are many," he said, itemizing those threats. "Iran has conducted cyberattacks against the United States and our Gulf partners." Just last year, the Justice Department announced indictments against seven alleged government-backed Iranians for cyberattacks on 46 U.S. companies, primarily financial institutions. Iran is also thought to be behind the Shamoon virus attacks on Saudi Aramco in 2012 and other targets in the Gulf.
NEW RESOURCES FOR PRESSING ISSUES - Two companies on Wednesday announced books aiming to demystify major cyber topics. The law firm Venable LLP published a book that explores the FTC's data security investigations, drawing lessons for businesses seeking to comply with cyber guidelines. And the security firm Trend Micro published a book that lays out the essentials of smart, well-coordinated cyber crime investigations.
Trend Micro's book draws on insight from lawyers, former government investigators and security researchers. It "focuses on five key objectives," the company said in a press release, "including the need for consistent cyber criminal investigations and what content is needed for investigations." The book also "addresses the needs, background information and requirements for cybersecurity researchers assisting law enforcement, and can be used as an educational tool for students and industry practitioners."
Venable's guide helps explain the FTC's "reasonableness" standard for corporate data security measures. Some companies have complained that the commission's standard is unclear, making it difficult to comply with it. "Through this book, we aim to provide businesses with a tool for understanding its elements," Stu Ingis, co-head of Venable's cyber practice, said in a statement.
TWEET OF THE DAY - 2 deep 4 us.
RECENTLY ON PRO CYBERSECURITY - A top FBI official warned U.S. travelers that wireless networks abroad are insecure and expose them to hacking threats. ... Cyber tycoon Eugene Kaspersky says he can secure France's election, but some fear his involvement because he is Russian.
- Most data security incidents come via malware, phishing and hacking, followed by employee mistakes, lost or stolen devices, other criminal acts and lastly internal theft, according to a new report on 450 incidents by BakerHostetler. Phishing, malware and hacking accounted for a plurality of incidents at 43 percent, the firm determined, a rise of 12 percent since last year.
- The CIA and FBI are conducting a joint manhunt into who gave WikiLeaks the alleged CIA hacking tool trove. CBS.
- Tanium used a California hospital's networks in product demos without permission, the hospital says. The Wall Street Journal.
- A class-action lawsuit claims Bose was spying on its users. The Washington Post.
- Twitter is considering whether it should store some user data in Russia. TechCrunch.
- Maybe the EastNets banking system was hacked after all. Motherboard.
- "The doxing of Equation Group hackers raises questions about the legal role of nation-state hackers." emptywheel.
- Washington, D.C.'s distance from major tech hubs could be inhibiting government cybersecurity efforts. The Hill.
- The Army wants to call in cyber strikes like it would artillery strikes. The Drive.
- "Pirate Bay founder launches anonymous domain registration service." TorrentFreak.
- Advice for Trump: Pay up for cyber talent. Nextgov.
- Another installment in the Motherboard series on stalkerware.
That's all for today. Would like to meet some aliens one day before I die, is all.
Stay in touch with the whole team: Cory Bennett (firstname.lastname@example.org, @Cory_Bennett); Bryan Bender (email@example.com, @BryanDBender); Eric Geller (firstname.lastname@example.org, @ericgeller); Martin Matishak (email@example.com, @martinmatishak) and Tim Starks (firstname.lastname@example.org, @timstarks).