By TIM STARKS
With help from Eric Geller and Martin Matishak
KASPERSKY BAN MAY MAKE FINAL DEFENSE POLICY BILL — While it could be months before House and Senate lawmakers agree on a final defense policy bill, they are expressing confidence that the finished measure will contain some form of an amendment to bar the Pentagon from using software developed by Moscow-based cyber giant Kaspersky Lab. Now that the Senate draft of the measure — the fiscal year 2018 National Defense Authorization Act — has been queued for floor time, both chambers will soon be looking to hammer out differences between their separate versions, including the Senate bill provision that would block the use of Kaspersky software on DoD networks and require the Pentagon to “immediately” sever any DoD-connected systems that are “using” Kaspersky technology. The House-passed NDAA doesn’t include such language, but lawmakers in both chambers told POLITICO that they expect some version of the Senate clause to make it into the blended legislation, despite some reservations. “I think it’s a matter of which one of us has the best idea,” said Sen. Mike Rounds, who chairs the Senate Armed Services Cybersecurity Subcommittee.
A Kaspersky ban would serve as another piece of legislation meant to thwart Russian hacking — a cause both parties have taken up as many lawmakers chastise the White House for not doing enough in the wake of last year’s alleged Russian election interference campaign. The Moscow-based company is one of the world’s largest cyber firms, claiming over 400 million global users, and the fear is that its wide reach gives Russia a backdoor into key American networks. Kaspersky strenuously denies any ties to the Russian government and has offered up its source code for inspection.
Several potential roadblocks stand in the way of lawmakers reaching consensus on a Kaspersky ban. Russian officials have suggested they may strike back at the U.S. if it enacts a ban. Meanwhile, the Senate provision’s language is “problematic,” said a House Armed Services Committee aide, because it could prove too difficult to implement. Still, while the language may not appear verbatim in the final authorization bill, some form of it seems destined to make the final cut. “There are public reports that are showing Kaspersky has a relationship with the Russian government that has given a lot of people pause,” according to Sen. Jack Reed, the top Democrat on SASC. “It’s a serious issue.” Pros can read the full story here.
HAPPY WEDNESDAY and welcome to Morning Cybersecurity! All of the rocks. Send your thoughts, feedback and especially tips to firstname.lastname@example.org, and be sure to follow @timstarks, @POLITICOPro, and @MorningCybersec. Full team info below.
FIRST IN MC: MASSIVE PETITION ADDS FUEL TO 702 DEBATE — Civil liberties groups from across the political spectrum will deliver to Congress today a petition bearing more than 100,000 signatures demanding reforms to a key government surveillance law, hoping to kick-start the debate over the program before Congress finds itself staring down the deadline to reauthorize it. The spying powers, part of Section 702 of the Foreign Intelligence Surveillance Act, target the communications of foreign targets, but also incidentally collect data on an unknown number of Americans. Government agents can currently obtain Americans’ warrantlessly collected personal information by searching the Section 702 surveillance database. Critics call the move a “backdoor search,” although proponents note there are procedures in place to hide Americans’ identities in such situations. The new petition calls on Congress to change the law before extending it past its Dec. 31 sunset date.
“The electronic surveillance programs under Section 702 remain gross overreaches of the federal government into the privacy of American citizens,” said Sean Vitka, policy counsel at Demand Progress, in a statement. The spy powers, he said, are “in desperate need of reform.” Other organizers of the petition include the American Civil Liberties Union, the Electronic Frontier Foundation and the libertarian group FreedomWorks. Jason Pye, vice president of legislative affairs at FreedomWorks, said the issue of 702 reform “transcends ideological boundaries.” The groups are delivering the petition to House leadership, the leaders of the House Judiciary Committee and several prominent surveillance critics, including Rep. Justin Amash and Fourth Amendment Caucus co-chairs Reps. Ted Poe and Zoe Lofgren.
BLACK HATS, DEF CONS — Black Hat kicks off the meat of its information security industry conference in Las Vegas today, with fellow hacker conference DEF CON set to do the same later this week. Some of the major vulnerabilities getting the spotlight at Black Hat this year are in the energy industry, from traditional electricity generating plants to wind farm stations to nuclear power plant radiation monitors. Digital defects in Apple products will also get attention, as will those in electronic consumer locks. DEF CON will feature a much-anticipated voting machine hacking village, a demonstration on how to unlock a smart gun and more. Of note: DEF CON founder Jeff Moss said a fundraiser for Hillary Clinton at last year’s event landed him in hot water with the Trump administration.
TODAY: A HOST OF HEARINGS — The House Small Business panel today will hold a hearing confronting the problems with encouraging small businesses to adopt cybersecurity insurance. “The widespread adoption of cybersecurity insurance policies is not without its challenges — both for small businesses and for the insurance providers,” Chairman Steve Chabot will say, according to his opening statement. “Small businesses face significant hurdles in identifying what kind of policies and coverage options make sense for them and must be equipped well enough to carry out basic cybersecurity best practices.” Chabot and the top Democrat on the panel, Nydia Velazquez, plan to raise some of the same challenges. “A lack of adequate data underscores the complex nature of creating cyber liability policies for small firms,” Velazquez will say, according to her prepared remarks. “Also, the type of business, the risk management procedures, and the continually evolving threats make it difficult for the insurers and the small business.”
Elsewhere, citing a scheduling conflict, the House Foreign Affairs Committee postponed an intriguing hearing about cyber diplomacy, where outgoing State Department cyber coordinator Chris Painter was set to testify. Painter’s testimony was to come just before his departure from the job and amid reports that his office will be closed and its operations moved elsewhere.
Finally, the House Homeland Security Committee is scheduled to mark up a bill renaming and elevating the Homeland Security Department’s main cyber wing, changing it from the National Protection and Programs Directorate to the Cybersecurity and Infrastructure Security Agency. The legislation (H.R. 3359 (115)) appears to have bipartisan support. And the Senate Judiciary Committee holds a hearing entitled “Oversight of the Foreign Agents Registration Act and Attempts to Influence U.S. Elections: Lessons Learned from Current and Prior Administrations,” with testimony from top Justice Department and FBI officials.
HOUSE PASSES RUSSIA SANCTIONS, WHITE HOUSE FATE UNCLEAR — The House on Tuesday passed new Russia sanctions legislation by a 419-3 vote, but what happens next is a mystery. The House made changes to the Senate version of the bill that passed 98-2, and Rep. Eliot Engel, the top Democrat on the Foreign Affairs panel, suggested the two chambers might have to settle differences before it can move to the president’s desk. Additionally, “the White House has yet to say definitively whether Trump would sign the bill, which his administration had criticized for failing to give him necessary ‘flexibility’ to work on warmer relations with Russia,” our POLITICO colleague Elana Schor reports. Still, even if Trump vetoed the bill, the massive vote margins suggest Congress has the votes to overturn any veto.
Although Trump has cast doubt on whether Russia digitally interfered in the 2016 election, House Intelligence Committee member Mike Quigley said the vote means “that both parties acknowledged Russia’s meddling in our election.”
SPEND IT WISELY — The Senate Appropriations Committee on Tuesday approved a spending bill for several Cabinet departments with key cyber responsibilities, and its report on the bill touts cybersecurity as a priority at several agencies. The fiscal year 2018 Commerce, Justice and Science appropriations bill would give the FBI $9 billion — $213 million more than Trump requested in his budget — and increase funding for “cybersecurity activities to neutralize, mitigate, and disrupt illegal computer-supported operations,” according to a committee statement. The bill would dole out $2.1 billion to the Justice Department unit that oversees the U.S. Attorney’s offices. At least $60 million of that must be spent on “combating cybercrime, including the investigation and prosecution of cyberattacks and cyber intrusions” — a figure $5 million higher than the cyber-specific funding that Trump requested.
The Commerce Department technical standards agency NIST — known for projects like the widely used cybersecurity framework — would get $944 million, an $8 million decrease from last year’s budget, but the committee said it still wanted NIST “to strengthen the U.S. cybersecurity posture through cutting-edge research and development.”
JUST A LITTLE ENCOURAGEMENT — Three Democratic lawmakers introduced a bill on Tuesday that would give tax credits to companies that train their employees in cybersecurity skills. The New Collar Jobs Act, from Reps. Ted Lieu, Matt Cartwright and Ann McLane Kuster, would amend the IRS code to create a tax credit for businesses that enroll their workers in undergraduate or graduate programs that teach cyber skills. It would also double the funding for the CyberCorps: Scholarship for Service Program — a National Science Foundation initiative to help cyber-focused students pay for education costs — and give companies vying for government contracts a boost in their applications if they use the cyber training tax credit. “Our legislation will re-tool our workers for careers of the future,” Lieu said in a statement. “Our vision is to improve our economy and national security by re-educating industrial workers with high-demand skills in cyber to fill these ‘New Collar’ jobs — positions that have competitive salaries, career growth potential, and cannot be outsourced.”
THE MORE YOU KNOW — The Homeland Security Department on Tuesday issued an alert about the malware that researchers have blamed for causing a brief power outage in Ukraine last year. Dubbed “CrashOverride” by the cybersecurity firm Dragos, the malware can seize control of switches and circuit breakers and wipe servers to delete all traces of itself, according to DHS. It’s suspected the virus can also disable equipment designed to prevent grid overloads, potentially letting hackers cause widespread physical damage — a feature that researchers said helps separate CrashOverride from its predecessors. The department’s Industrial Control Systems Cyber Emergency Response Team is analyzing the malware’s code and has developed a method to help detect malicious files.
RATCLIFFE LIKES KREBS PICK — The chairman of the House Homeland Security’s Cybersecurity and Infrastructure Protection Subcommittee, Rep. John Ratcliffe, told MC he likes the latest addition to the Homeland Security Department’s cyber team. “I applaud President Trump for nominating Chris Krebs as the assistant secretary for infrastructure protection at DHS,” Ratcliffe said in a statement, following Krebs’ announced appointment this week. “Chris possesses an impressive wealth of public and private sector cybersecurity experience, which will allow him to play an invaluable role in advancing DHS’ important cybersecurity mission. I look forward to working with Chris, [assistant secretary for cybersecurity and communications] Jeanette Manfra, Secretary [John] Kelly, [deputy Secretary] Elaine Duke and others as we work to protect our nation against cyber threats moving forward.”
RECENTLY ON PRO CYBERSECURITY — Rep. Mike Conaway, who’s leading the House Intelligence Committee’s Russia probe, said Trump senior adviser and son-in-law Jared Kushner “satisfied” all of his questions. … The Senate Judiciary Committee subpoenaed former Trump campaign manager Paul Manafort as part of its Russia probe, then backed away after reaching an agreement with him. … Additionally, the Judiciary panel backed away from a subpoena of the co-founder of the company that produced the infamous Trump dossier, who will instead testify in private. … Trump said “time will tell” on whether Attorney General Jeff Sessions stays in his job, after another critical tweet and renewed speculation about the president’s intentions.
Meanwhile, a Justice Department inspector general probe might shed light on other elements of the 2016 election. … “President Donald Trump’s nominee to oversee federal criminal prosecutions today defended his work for a Russian bank with a mysterious digital connection to the Trump Organization.” … Some Democratic groups are asking the Senate to hold off on voting for FBI director nominee Christopher Wray until the Trump administration promises to keep the special counsel. … Senate Democrats plan to drop a nominee blockade if a repeal of Obamacare fails.