In a series of filings designed to convince a judge not to halt its order banning Russia-based Kaspersky Lab products from use in federal agencies, the Homeland Security Department provided a window into how the directive was developed and how it’s being implemented.
The filing, for instance, revealed for the first time that as of December, 14 agencies had identified Kaspersky software on their systems. DHS’s overall argument to the court was that it did give Kaspersky due process to dispute the decision and that the company’s claim of “irreparable harm” was unproven. The documents spell out in the starkest terms yet the DHS view that Kaspersky Lab’s status as a Russian company presents unique possibilities for the Kremlin to exploit its technology and infiltrate U.S. government agencies.
The filings also offered new details about how DHS arrived at its decision that Kaspersky software posed a risk to federal agency networks, and the department’s interactions with the company. A Kaspersky lawyer asked to review the classified annex of the directive, but DHS declined the request, according to one filing. Another filing asserted that unclassified, publicly available information illustrates the threat Kaspersky software presents. Other revelations: DHS consulted experts, such as an expert on Russian law, and also reviewed an independently commissioned report from Kaspersky on the safety of its products — only for the department to conclude that the report bolstered DHS’s stance.
HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Tampering rules are good in principle, but this fine from the NBA is, indeed, ridiculous. Send your thoughts, feedback and especially tips to firstname.lastname@example.org and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
DEMS UNITE IN CRITICISM — Senate Democrats lined up on the Senate floor Tuesday to castigate President Donald Trump for, among other things, not doing enough to bolster the cyber defenses of U.S. election infrastructure. “All of our national security witnesses have warned that they’re coming after us in 2018 with more election interference,” said Sen. Sheldon Whitehouse. “And yet what have we done?” Sen. Bill Nelson said Russian President Vladimir Putin doesn’t have the military to beat the United States on land, at sea, in the air or in space, “but he can beat us in cyber.” He added: “I must say this senator has sat through hearings with people who ought to know, and I have been appalled at how little we will have, or have, the capability of responding.”
A number of the senators condemned the Trump administration’s recent decision not to impose sanctions on Russia under a law Congress enacted last year, with Nelson saying, “We’ve got to make Mr. Putin feel enough pain to deter future attacks or else he’s going to keep doing it.” They also criticized Trump’s attacks on the FBI, Justice Department and special counsel Robert Mueller’s Russia probe.
MIXED REVIEWS FOR NEW CYBER DIPLOMACY BUREAU — Cybersecurity experts and lawmakers on Tuesday offered limited praise for the State Department’s new cyber bureau, saying the new unit didn’t address all their concerns. When Secretary of State Rex Tillerson closed his department’s main cyber office last year, he received criticism from many close observers of America’s cyber diplomacy efforts. On Tuesday, Tillerson said he was creating a new Bureau for Cyberspace and Digital Economy to raise the profile of State’s cyber efforts. The bureau would contain a cyber team and a digital economy team.
But the bureau’s leader will report to the undersecretary for economic issues, not the undersecretary for political affairs, a fact that frustrated Christopher Painter, who was the department’s cyber coordinator from 2011 to 2017. “That’s not the ideal arrangement,” Painter said at a House Foreign Affairs Committee hearing on cyber issues, where Chairman Ed Royce announced Tillerson’s plan. Because the top cyber diplomat will be dealing with a broad range of issues, not just economic ones, Painter said it didn’t make sense to have that person report to State’s top economic official.
Royce was similarly adamant that the new bureau wasn’t enough. The House recently passed a bill (H.R. 3776) he sponsored to recreate a high-level, independent cyber office at the State Department — a direct rebuke of Tillerson’s decision last year. “I think this is a positive step,” Royce said at Tuesday’s hearing, “but we’re going to continue to work” to enact the House bill.
ALSO FROM FOGGY BOTTOM: ‘THIS IS FINE’ — Tillerson said in an interview that aired Tuesday that the battle against Russian election interference might be virtually hopeless. “I don’t know that I would say we are better prepared, because the Russians will adapt as well,” he said on Fox News. “The point is, if it’s their intention to interfere, they are going to find ways to do that. We can take steps we can take but this is something that, once they decide they are going to do it, it’s very difficult to preempt it.” Tillerson also became the second top administration official warning of certain 2018 election meddling by Moscow, following CIA Director Mike Pompeo.
HOW TO ANSWER UBER — Members of a Senate Commerce subcommittee and hearing witnesses on Tuesday floated a number of policy changes in response to Uber’s long-hidden 2016 data breach and $100,000 hush money payout to hackers from a bug bounty program. Congress should alter the Computer Fraud and Abuse Act to protect the independent, “white hat” hackers who participate in legitimate bug bounty programs, as well as pass data breach notification legislation, said Marten Mickos, CEO of bug bounty company HackerOne. (HackerOne runs Uber’s bug bounty program, but Mickos largely declined to comment on the company, citing pending court fights.)
Nelson, though, said that passing weak data breach notification legislation is worse than passing none at all. And Sen. Richard Blumenthal touted his data breach legislation (S. 1900) as the answer, while Justin Brookman, director for consumer privacy and technology policy at the Consumers Union, counseled against data breach notification and standards legislation that removes states’ flexibility.
Brookman also suggested that Congress should enshrine into law the FTC standard requiring companies to adopt “reasonable” security measures, to prevent it from being overturned in court. Blumenthal, too, advocated for new FTC enforcement tools. But some of the current focus on bug bounty programs is excessive, said Katie Moussouris, CEO of Luta Security and a key figure in bug bounty programs in the past at Microsoft and HackerOne. Some people are finding it more profitable to work in bug bounty programs than as developers who can work on preventive security, she said, and there’s a bit of “bug fatigue” in industry right now as it is.
THE THREAT IS NOTHING. AND EVERYTHING — Rep. Jim Langevin took issue Tuesday with testimony from a top military official who argued that atomic weapons are the only “existential threat” to the U.S. “I would add cyber weapons as also posing an existential and asymmetric threat to our nation as well,” Langevin, the Democratic co-chairman of the Congressional Cybersecurity Caucus, said during a House Armed Services hearing about the Trump administration’s recently unveiled National Defense Strategy and Nuclear Posture Review.
The official testifying, Vice Chairman of the Joint Chiefs of Staff Gen. Paul Selva, replied that his point was that nuclear weapons “would be used uniquely for military purposes to threaten us and cause us to capitulate or surrender in … the face of military threat.” And Selva agreed that “there’s no question that cyber is an asymmetric capability and this nation has vulnerabilities both in critical infrastructure as well as civilian infrastructure.”
NO, YOU’RE THE TREASON — Rep. Hakeem Jeffries took to the House floor Tuesday to denounce Trump for suggesting it was treasonous for Democrats not to applaud during his State of the Union, questioning whether the commander in chief and his team have engaged in such acts themselves. “Is it treason for a presidential campaign to meet with a hostile foreign power to sell out our democracy and rig the election?” the New York Democrat asked, noting the charge is “not a laughing matter.” Trump made the remarks on Monday in Ohio during a speech that was supposed to highlight the GOP’s tax legislation. The president, however, veered off script to put attention back on his State of the Union address last week. “How dare you lecture us about treason. This is not a dictatorship. It’s a democracy,” Jeffries said.
ERROR 404, JOBS NOT FOUND — The Department of Homeland Security needs to do more work to identify the vacant cybersecurity jobs in its bureaucracy, according to the Government Accountability Office. DHS “did not completely and reliably identify and assign employment codes because its processes were manual, undocumented and resource-intensive,” GAO said in a report published Tuesday. The department also did not designate a point person within each of its components — from agencies like Customs and Border Patrol to divisions like the National Protection and Programs Directorate — who was responsible for finding and coding all of their component’s cyber jobs. DHS acknowledged the issues and said it would issue new guidance to address all the shortcomings by the end of June.
BALTIC TIMES — One of the FBI’s most-wanted cyber criminals at the time he was arrested pleaded guilty Tuesday to destructive attacks that targeted visitors of a newspaper website. Latvian man Peteris Sahurovs, who was in the FBI’s top-five list prior to his arrest, used advertisements on the Minneapolis Star-Tribune’s site to deliver malware. An offer to victims to purchase supposed antivirus software to free up their computers netted him between $150,000 and $250,000, Sahurovs admitted. Extradited to the United States last year, Sahurovs pleaded guilty in a Minneapolis court Tuesday to one count of conspiracy to commit wire fraud.
IT CAN’T BE DONE — Senior Trump administration officials are wrong to suggest that encrypted platforms can be engineered to provide access for government investigators without seriously compromising their security, according to a new paper by a Stanford University cryptography expert. The paper analyzed public remarks by Deputy Attorney General Rod Rosenstein and FBI Director Christopher Wray, both of whom have argued that it is possible to design warrant-compatible encryption without giving hackers a big new target. Rosenstein has been the Trump administration’s leading advocate for the idea that Silicon Valley must design its encryption to accommodate investigators.
In the paper, Stanford Center for Internet and Society cryptography fellow Riana Pfefferkorn analyzed several possible approaches seemingly favored by Rosenstein and Wray, including “key escrow,” in which tech companies hold onto a decryption key and offer it up when investigators bring them a warrant and a locked phone or piece of data. “Rosenstein suggests that manufacturers could manage the exceptional-access decryption key the same way they manage the key used to sign software updates,” she wrote. But “the software update key is used relatively infrequently, by a small number of trusted individuals. Law enforcement’s unlocking demands would be far more frequent.” This would impose a tremendous burden on tech companies to maintain enough staff dedicated to responding to these requests, she argued. That wide circle of authorized employees would also increase the risks of both mistakes and abuse, she added.
ON CLOUD NINE — From our friends at Morning Tech: Microsoft, Apple and Google are cheering the CLOUD Act, a bill that would set up bilateral data-sharing agreements with other countries, allowing U.S. authorities to obtain data held by American companies overseas with a warrant. The companies call the measure an “important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer.” (U.S. access to such data is also the focus of a Supreme Court case involving Microsoft and the Justice Department, which goes to oral arguments later this month.)
But, not everyone’s a fan: The Center for Democracy and Technology argues the bill could chip away at privacy protections for data that’s stored in the cloud. “The Electronic Communications Privacy Act balances the interests of consumers, providers, and the government,” Chris Calabrese, CDT’s vice president of policy, said in a statement. “The CLOUD Act throws that balance off-kilter by accommodating providers and the government but leaving consumers behind.”
RECENTLY ON PRO CYBERSECURITY — Business Wire is suffering from a sustained distributed denial-of-service attack that’s slowing down its website, but hasn’t compromised the company’s systems or any client data. … Trump met with Deputy Attorney General Rod Rosenstein to discuss a House Intelligence Democratic rebuttal memo to the Rep. Devin Nunes memo alleging FBI surveillance abuses. … “After the success of the viral #ReleaseTheMemo campaign, Russian-influenced Twitter accounts are test-running other hashtags designed to stoke anger, particularly among supporters of President Donald Trump, against ‘deep state’ forces, according to analysts at Hamilton 68, a website that tracks Russian influenced Twitter accounts.”
“The chairmen of the CFTC and SEC said they may seek additional power from Congress to regulate virtual currency markets, saying there are gaps in their oversight now.” … A big budget deal could be on the way. … Financial Services Roundtable CEO Tim Pawlenty is leaving the job, possibly for another run for governor of Minnesota.
TWEET OF THE DAY — If wishes were cyber-horses…
— The Electronic Privacy Information Center asked the Senate Banking Committee to investigate Consumer Financial Protection Bureau acting Director Mick Mulvaney over what he isn’t doing to advance the Equifax breach probe.
— A Ukrainian power distributor plans to erect a $20 million cyber defense system. Reuters.
— What about a cyber “no-fly” list? Harvard Business Review.
— China’s Huawei is building British ties given that security concerns in the United States have shrunk the market here. Reuters.
— “Amazon explained ‘Key’ crack before it shipped fix, says hacker who found the hole.” The Register.
That’s all for today. The first one seemed legit, though.
Stay in touch with the whole team: Cory Bennett (email@example.com, @Cory_Bennett); Bryan Bender (firstname.lastname@example.org, @BryanDBender); Eric Geller (email@example.com, @ericgeller); Martin Matishak (firstname.lastname@example.org, @martinmatishak) and Tim Starks (email@example.com, @timstarks).