Source: https://www.politico.com/newsletters/morning-cybersecurity/2018/06/28/another-committee-jumps-into-cyber-deterrence-debate-266706
DETERRENCE BACK ON THE MENU — Congress has had a pretty productive week-plus of advancing meaningful cyber legislation, and today it considers yet another meaty bill. The House Foreign Affairs Committee will mark up a bipartisan measure (H.R. 5576) that directs the executive branch to “name and shame” the most dire nation-state cyber threats to the U.S., then take action to sanction all involved parties, although the president would have the authority to waive those sanction requirements under certain conditions. The legislation, chiefly sponsored by Rep. Ted Yoho, has support from panel chairman Ed Royce and top committee Democrat Eliot Engel.
Also today, the House Intelligence Committee is set to approve a spy agency authorization bill likely to include cybersecurity provisions, two days after the Senate panel did the same. Last week, the full Senate passed a fiscal 2019 defense policy bill (S. 2987) that contains cyber deterrence provisions the Trump administration found objectionable. Earlier this week, the Senate Foreign Relations Committee approved legislation (H.R. 3776) that would establish a high-level cyber office at the State Department. And then there was Wednesday…
NIST, YOU LISTENING? — The technical standards agency NIST would get $103.2 million for cybersecurity and privacy research under a reauthorization bill that the House Science Committee approved Wednesday. The bill would also direct NIST to increase its advice to federal agencies about deploying its cybersecurity framework, including by training cybersecurity employees and department auditors. In addition, the reauthorization bill would require NIST to “expand [its] fundamental and applied research” in areas like identity management and network security, as well as assessing cyber workforce gaps. There is also a section in the bill to require NIST to study the cybersecurity issues posed by the internet of things. It suggests that NIST consider “the development and publication of new cybersecurity tools, encryption methods, and best practices for internet of things security.”
“These investments in research and development will address the growing cybersecurity threats that harm our federal agencies and infrastructure and help reduce the cyber risks that are growing more frequent by the day,” Rep. Barbara Comstock, chairwoman of the House Science research and technology subcommittee, said in a statement. Elsewhere Wednesday, the Science panel held a hearing on cell site simulators, where Democrats lobbed criticisms at President Donald Trump over his cellphone security practices.
HAPPY THURSDAY and welcome to Morning Cybersecurity! Very little is better than a good “LEEROY JENKINS” moment. Send your thoughts, feedback and especially tips to email@example.com, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
THIS TIME MAYBE HE WON’T BELIEVE HIM — National security adviser John Bolton said Wednesday that President Donald Trump and Russian President Vladimir Putin would likely discuss the Kremlin’s alleged election meddling. Bolton “expects it will be a subject of conversation between the two presidents,” he said at a press conference at Russia’s Interfax news agency. It’s unclear how the discussions would differ from past talks between the pair. “He said he didn’t meddle. He said he didn’t meddle. I asked him again. You can only ask so many times,” Trump told reporters in November. “Every time he sees me, he says, ‘I didn’t do that,'” Trump said. “And I believe, I really believe, that when he tells me that, he means it.”
PLEASE HELP — The Russian antivirus firm Kaspersky Lab on Wednesday said it wants a federal court to temporarily pause changes to procurement rules intended to block its software from government systems. The defense policy bill for the 2018 fiscal year banned Kaspersky from government computers, and recently the trio of agencies that set procurement standards — the GSA, Pentagon and NASA — laid out the process for implementing that provision. Kaspersky, which is appealing a district court’s decision to toss out its challenge to that law, asked the federal appeals court in Washington for an emergency stay of those changes.
The company said “a significant number” of its customers have already canceled their contracts because of the impending ban. According to Kaspersky’s filing, these costly cancellations — along with damage to the company’s “reputation and … ability to reach new customers and increase brand awareness” — are unfair, because the appeals court might overturn the lower court’s ruling and invalidate the ban. Also Wednesday, Kaspersky filed its brief in advance of oral arguments in the case on Sept. 14.
BIGGER THAN EQUIFAX, SORTA — A security researcher discovered that a Florida marketing and data aggregation firm left exposed a database of 340 million records of consumers and business contacts, Wired reported Wednesday. The data from Exactis is extensive, down to whether a person smokes. And while 340 million is more than double the figure of last year’s Equifax breach, as some headlines and tweets hailed Wednesday, it’s not known whether it’s a true “breach” at this time. Even the researcher who discovered the leaky Exactis data has no evidence malicious hackers have obtained it, although it’s certainly plausible they might have.
HOW TO ATTACK TAX FRAUD — A committee that advises the IRS on electronic tax matters has asked Congress to change the tax code to let the agency share tax returns and other data when doing so would help combat tax return fraud that results from hackers stealing personal information. The provision that currently prevents this, Internal Revenue Code Section 6103, “may be creating unintended barriers in the effort to improve cybersecurity and prevent” this fraud, the Electronic Tax Administration Advisory Committee said in its annual report to Congress. Under current law, the IRS can only share taxpayer data with state tax officials and the companies whose software was used to file the fraudulent returns; the agency cannot share the information more widely, which could help other tax professionals spot similar fraud. The committee argued that “an appropriate balance can be struck that both protects taxpayers from improper use and disclosure of their tax information, while enabling the IRS to prevent” tax fraud.
The committee is also worried that the IRS will lose sight of its cybersecurity mission “in light of the resources that will be required for the IRS to implement” the tax law that Trump signed in December. “The funding requirements for the continued fight against [Identity Theft Tax Refund Fraud] and for enhanced cybersecurity could be overshadowed by the implementation of tax reform measures,” the ETAAC wrote.
Congress should also expand the FTC’s authority to require that companies use reasonable cybersecurity protections so that it covers tax preparers and filing services, the committee recommended, and then it should let the IRS enforce that expanded FTC rule. “The IRS should have the authority and responsibility to implement and enforce security standards for our tax system — it is much closer to the issues and operations of that system than the FTC,” the committee said in its report.
LET ME EXPLAIN — Huawei’s chief security officer in the U.S. came out with a spirited defense of the Chinese telecom firm, arguing that recent Capitol Hill actions to ban the company and others won’t improve national security. The House version of the annual defense policy bill, H.R. 5515, bars federal agencies from using technology provided by Huawei and ZTE. The measure also prohibits the military from buying or renewing contracts with any vendors that work with the firms. “Members of Congress may sincerely believe that barring one or two Chinese companies from the U.S. market will significantly protect the country’s networks. But today’s telecommunications industry is transnational and borderless,” wrote Donald “Andy” Purdy, the former top cyber official at DHS. “All of its leading players already use equipment developed or manufactured in China. In fact, such equipment accounts for a significant portion of the telecommunications and Internet equipment currently installed in American networks.” Instead, lawmakers should follow DHS’ digital strategy, according to Purdy.
HACKER SCHOOL — Tech-savvy Washingtonians will soon have a new opportunity to sharpen their cybersecurity skills. The training firm SecureSet is announcing today that it has acquired HackEd, another cyber education provider, to expand its programs to the Washington market. SecureSet’s Northern Virginia campus promises to give students hands-on instruction as well as the theoretical background that could potentially lead to jobs in cybersecurity.
Of course, cybersecurity workers are in high demand within the government and private sector. According to Cyberseek, an initiative supported by NIST to map cybersecurity worker shortages nationally, the D.C. metro area has some 43,200 cybersecurity job openings. SecureSet’s expansion comes after the Trump administration last week called for more efforts to train federal cybersecurity workers, including potentially setting up a cyber reservist program.
TWEET OF THE DAY — Group hug!
PEOPLE ON THE MOVE
— Illumio is announcing today that Jonathan Reiber, a former senior Pentagon cyber officer during the Obama administration, is joining the company as its head of cybersecurity strategy. The firm, which uses “micro-segmentation” to prevent or cauterize data breaches, “resonates with my worldview. It’s not a question of if but when you’re going to get attacked and intruded against. And you have to be ready,” Reiber told MC.
Reiber, who served as chief strategy officer for cyber policy in the Office of the Secretary of Defense, said he’s “wanted to work on cybersecurity in the tech sector for years.” “We’re at a key moment in our digital story. We thought attacks on our critical infrastructure were the dominant challenge but then we had this Russian cyber-enabled intrusion into democracy,” he said. “As internet access expands, we’re not going to be able to anticipate every kind of threat. I think we’re either at the end of act one or the beginning of act two in our cybersecurity story.”
— Americans want their local election officials to do a better job on data security and protecting critical infrastructure, according to a poll out today commissioned by SecurityFirst. The data security firm found that 71 percent want local government to spend more in advance of cyberattacks and 74 percent believe politicians need to take cybersecurity more seriously. Specifically, 59 percent said they’d support someone who emphasized data security, and only 30 percent said they’d heard candidates talk about it on the campaign trail.
— “Authorities arrest 35 alleged Darknet drug dealers in nationwide operation.” POLITICO
— “More than two years after Congress passed a landmark bill incentivizing companies to share with the government how and when malicious hackers are trying to penetrate their computer networks, only six companies and other non-federal entities are sharing that data, according to figures provided to Nextgov.”
— The CEO of an energy utility made some interesting remarks about how if hackers try “to take us down, they will have a bad day.” E&E News
— American companies need a “military-grade level of investment” to deal with nation-state hackers, a top DHS official said. CyberScoop
— The United Nations’ cybercrime chief said everyone’s facing the same threats. TechRepublic
— Ticketmaster U.K. said it suffered a breach. Inquirer
— An online betting site left information open to hackers. Motherboard
That’s all for today. Such as.