May 9, 2018
By Tim Starks
HILL GETS BUSY — Three separate House committees are taking action on cybersecurity-related legislation today. Perhaps the most significant among the bunch is a House Foreign Affairs markup of legislation that would establish a bug bounty program at the State Department, following the widely regarded success of similar initiatives across the Pentagon and at the IRS. The legislation (H.R. 5433) also mirrors efforts in Congress to expand such programs, like the push to create one at DHS (S. 1281) that passed the Senate last month.
The House Energy and Commerce Committee, meanwhile, is scheduled to consider a handful of cybersecurity bills. One (H.R. 5175) would direct the Energy Department to initiate a program to protect the physical security and cybersecurity of pipelines and liquefied natural gas facilities. A second (H.R. 5239) would create a voluntary DOE program to test the cybersecurity of products intended for use in the bulk-power system. A third (H.R. 5240) would seek to strengthen public-private partnerships on cyber. And the fourth (H.R. 5174) would make explicit that Energy Department leaders are responsible for cyber and other emergency response functions.
Later in the day, a House Appropriations subcommittee will mark up draft legislation that would provide fiscal 2019 funding for agencies including Commerce and Justice. The Commerce Department, home of the technical standards agency NIST, has a big cybersecurity role, while the Justice Department houses operations devoted to prosecuting cybercrime.
HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Sure, because what the world needs is a new generation of super-spiders, jumping all over the place at the command of evil dictators wielding them as a spooky army. Send your thoughts, feedback and especially tips to email@example.com, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
TODAY: SOFTWARE, POWER INDUSTRY OFFICIALS VISIT CONGRESS — BSA | The Software Alliance is flying representatives of member companies such as Microsoft, IBM and Trend Micro into Washington to discuss cybersecurity and other items on its agenda. The cybersecurity component includes advocating for bolstering the workforce and explaining how artificial intelligence can defend computer networks. BSA has set up meetings with a range of cyber-savvy lawmaker offices, like Reps. Will Hurd and Adam Schiff and Sen. Cory Gardner, as well as House Minority Leader Nancy Pelosi.
Members of the Large Public Power Council, a utility group, will also visit lawmakers today. Representatives will meet to discuss cybersecurity with members and staffers of the House and Senate Homeland Security panels as well as the House Intelligence and Energy and Commerce committees. In addition to the group’s president, John Di Stasio, and regional power authority representatives, the council is bringing in technical cyber experts.
WAITING FOR THE NEXT SHOE TO DROP — Iran must stop hacking the U.S. and its allies, the administration said Tuesday after President Donald Trump announced a withdrawal from the Iran nuclear deal. A White House statement said Trump was “making clear that, in addition to never developing a nuclear weapon, the Iranian regime must … end its cyberattacks against the United States and our allies, including Israel.” In recent years, Tehran has deployed its hackers to disrupt the oil giant Saudi Aramco as well as to steal trade secrets and research from universities in the U.S., Israel and many other countries. Senate Majority Leader Mitch McConnell voiced support Tuesday for Trump’s holistic approach to the Iranian threat, saying in a statement that Tehran’s “malign behavior across the broader Middle East,” including its “use of cyberattacks,” should be “addressed in a wider regional effort.”
Cyber experts will be watching to see if Iranian hackers step up their attacks on U.S. targets. As Eric reported recently, threat intelligence researchers are concerned this will happen. Priscilla Moriuchi, director of strategic threat development at Recorded Future and former head of the NSA’s East Asia and Pacific cyber threats office, said her company expects U.S. financial and energy sector firms to face aggressive attacks from Iran “within months, if not sooner.”
FRESH STATS — Cybercrime cost Americans approximately $1.42 billion in 2017, according to a report from the FBI’s Internet Crime Complaint Center published Tuesday. The center receives nearly 300,000 complaints each year, according to the report. Payment scams, data breaches and phishing attacks topped the list of reported crimes, with identity theft and business email compromise also making the top 10. Business email compromise schemes caused the most losses, at $676 million, followed by romance scams and other trickery in second place and payment scams in third. Data breaches came in fifth, accounting for $77 million in losses. The states with the most reported victims and the highest losses are also among the largest: California, Texas, Florida, New York and Pennsylvania.
PAYING THE PRICE — DHS Secretary Kirstjen Nielsen told senators Tuesday that her department was pretty far along in ensuring that federal agency contractors are removing Moscow-based Kaspersky Lab software from their systems. DHS issued the directive, which Kaspersky is fighting in court, amid security fears last year.
“For many of the third party providers, they weren't even aware they had Kaspersky on their systems and within their products,” Nielsen told the Senate Appropriations Homeland Security Subcommittee. She said DHS was looking at ways to establish consequences for anyone who doesn’t pull the products. For its part, DHS is also looking at ways it can, under existing powers, “pause and turn off contracts” when there’s a concern like Kaspersky software or a data breach.
At the same hearing, Nielsen said DHS plans to host an election security briefing to talk about what it’s doing to safeguard state and local election administrators via voluntary assistance. When Sen. Jon Tester asked what happens when states resist DHS’ voluntary aid, Nielsen said that one of the goals of the briefing was getting lawmakers to “help us message to the state and local officials what they need to do to secure the elections.”
FROM INDEPENDENCE AVENUE TO MAIN STREET — The House approved legislation Tuesday meant to improve cybersecurity assistance offered through small-business development centers, which are Small Business Administration-backed centers that provide technical support. Under the bill (H.R. 3170), the Small Business Administration would be required to develop a cyber counseling certification program to help center employees provide advice to small business owners. The measure passed by voice vote.
RECENTLY ON PRO CYBERSECURITY — The Senate Intelligence Committee finalized its election security report with new findings and recommendations. … Georgia’s governor vetoed a hacking bill that cybersecurity experts warned would cause more digital threats. … Russian hackers waged a campaign of digital threats under the guise of the Islamic State. … Facebook unveiled another effort to combat Russian methods of election interference. … House Republicans believe Trump will override the Justice Department's refusal to turn over documents.
TWEET OF THE DAY — I think the pasta is hacking back, probably?
— Nearly 75 percent of organizations were probably or definitely hacked or experienced a data breach within the last year due to a compromised application, according to a new report from Arxan. The company surveyed around 1,400 IT firms across the U.S., EU and Asia.
PEOPLE ON THE MOVE
— New Jersey’s former chief technology officer and first cybersecurity adviser, Dave Weinstein, has joined cybersecurity firm Claroty as its vice president of threat research, the company announced Tuesday.
— The New York Times looks at how West Virginia is trying to protect its elections from hackers.
— House Intelligence Chairman Devin Nunes is feuding with the Justice Department over information involving a source who aided special counsel Robert Mueller’s Russia probe. The Washington Post
— “No, Apple is not making it harder for cops to hack iPhones.” CyberScoop
— The Trump administration’s rescission package would pull back funding for two technology loan programs. Nextgov
— A popular Android app left user information exposed. Motherboard
— A look at the new NSA/Cyber Command cyber warfare center from CyberScoop.
— “Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K”
— The former WikiLeaks fan who made public some unflattering internal messages explained why. Daily Beast
— Joy Reid's cybersecurity expert once wasted the FBI's time with an investigation that went nowhere, a source told BuzzFeed.
— Iran's cyber police warned about terrorist groups plotting in cyberspace. Fars News Agency
— Alaska officials say hackers broke into the state’s election system a little in 2016, but didn’t do any damage. Anchorage Daily News
— Twitter might be testing encrypted direct messages. Gizmodo
— Federal agency IT specialists are getting older. Nextgov
That’s all for today. Although maybe jumping spiders aren’t that scary if they can get shooed away just by holding your arms out.