It’s budget day, and our team will be scouring the White House’s fiscal 2019 proposal for cybersecurity highlights. MC is expecting a boost over last year’s budget for the Homeland Security Department’s main cyber wing, the National Protection and Programs Directorate.
Ross Nodurft, the former cyber lead for the Office of Management and Budget, is predicting that DHS might emphasize teams that explore vulnerabilities and incident response for federal agencies, state and local governments and industries. He also said via email that he believes the DHS’s “Continuous Diagnostics and Mitigation” program, which helps federal agencies buy cybersecurity tools and services, could be a priority.
Last year, in a budget proposal filled with cuts, the administration requested major investments in cybersecurity tools for the military, FBI and DHS, signaling President Donald Trump’s priorities, even if Congress didn’t hew closely to it. This year’s budget proposal will come after Trump signed into law a bill that is meant to replace aging, vulnerable federal information technology. The White House, under Jared Kushner’s Office of American Innovation, has made modernizing federal IT a priority. It will be interesting to see what kind of resources the budget proposal applies to that cause.
THE PLOT JUST KEEPS THICKENING — The U.S. intelligence community apparently paid a shadowy Russian operative $100,000 last year in an attempt to figure out how widely the CIA and the NSA had been compromised by foreign hackers. The plan, according to blockbuster reports late last week in the New York Times and the Intercept, was to assess the extent of the damaging Shadow Brokers and Vault 7 leaks from the NSA and CIA. Both leaks led to the government’s secret spying tools being posted online. The Shadow Brokers incident also spilled powerful cyber tools that powered global ransomware attacks throughout last year.
At first, the Trump administration dealt with a hacker who claimed to have the full NSA cache stolen by the Shadow Brokers hackers, according to the Times and the Intercept. The intelligence community offered to pay for the material, which prompted a Russian operative to step in as an intermediary. In April 2017, the Russian handed over a flash drive, but it only contained stolen files that the Shadow Brokers had already posted, prompting the CIA to withdraw its payment offer. In December 2017, according to the Intercept, the two sides met again, but this time the Russian provided what were apparently “FBI investigative reports, financial records, and other materials related to Trump officials and the 2016 campaign.”
The intelligence community immediately grew suspicious that the Kremlin was trying to drive a wedge between Trump and his spy agencies by giving the president reason to believe that intelligence officials were seeking dirt on him. The Russian operative had earlier shown the American intermediary what he claimed was a tape of Trump with two women implied to be escorts. And he even admitted that Moscow had directed him to offer material on Trump and withhold the hacking tools that sparked the negotiation. Russia’s gambit appears to have worked — Trump raged about the story on Twitter over the weekend. The NSA and CIA have flatly denied the validity of the reports.
STATE OF THE STATES — Thirty-three states have “post-election audit procedures that are unsatisfactory from an election security standpoint,” the liberal Center for American Progress think tank concluded in a review out today of state-by-state election defenses. Among the states, 32 also permit regular absentee voters and others to cast ballots electronically, “a practice deemed insecure by election and cybersecurity experts.” Additionally, 14 states use direct-recording electronic, or DRE, voting machines that do not have paper records in at least some jurisdictions. And at least 10 states provide no cybersecurity training to election officials, the center determined.
Overall, no state received an “A” grade from the organization, compared to 11 that received a “B,” 22 that got a “C,” 14 that received a “D” and five — Florida, Indiana, Arkansas, Kansas and Tennessee — that received an “F.” The report does note that state election officials are not entirely to blame for their grades, since governors and legislators set budgets and many policies. And the report’s release coincides with a center event featuring former DHS Secretary Jeh Johnson, Sen. Amy Klobuchar and state election officials.
A preview of Klobuchar’s remarks: “This is a pivotal moment for our country. We will not give up on our free elections and the freedoms those elections preserve. How does the saying go? Hack me once, shame on you. Hack me twice, shame on us. We know what they did, we know they’ll do it again, we have the solutions, and still Congress refuses to act? That makes us culpable.”
TAINTED LOVE — IBM X-Force is releasing research today showing a massive uptick in dating-related spam from the Necurs botnet, just in time for Valentine’s Day. The botnet, deploying an army of an estimated six million unwitting computers and devices, has sent more than 230 million spam messages since mid-January, according to the company. That’s more than 90 percent of all spam during that span. The campaign focuses on Russian women supposedly living in the United States, and while the spam campaign doesn’t appear to be attached to any malware, it could serve as a precursor to extortion scams or eventual infection, IBM warns.
LET’S TRY THIS AGAIN — Sen. Elizabeth Warren is demanding answers from the head of Equifax after a report that last year’s colossal data breach was more extensive than the company claimed. On Friday, Warren, a potential 2020 presidential contender, sent a letter to Equifax CEO Paulino do Rego Barros Jr. after the Wall Street Journal reported that the company submitted documents to the Senate Banking Committee revealing it may have lost tax identification numbers, email addresses and the state for drivers’ licenses as part of the breach that affected more than 145 million Americans.
“As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” asked Warren, who serves on the Banking panel. She gave the Equifax chief one week to provide a list of “all data elements” the company knows, or believes, were accessed during the hack and a timeline of the company’s efforts to uncover the full extent of the intrusion. Last week Warren’s office issued a report on the Equifax hack that concluded the company could be covering up that it also lost passport numbers — a finding the credit reporting giant disputes.
DHS IN THE VALLEY — Per our friends at Morning Tech: DHS Secretary Kirstjen Nielsen is set to make a trip through Silicon Valley this week, which will include a meeting with U.K. Home Secretary Amber Rudd. The two leaders are slated to discuss strategies for tackling terrorist content online. Rudd is also scheduled to huddle with tech companies during her two-day trip, which follows a fiery hearing on election interference that U.K. lawmakers held with Facebook, Google and Twitter in D.C. last week.
LE CYBER EST SI ÉNORME — The Trump administration renewed its commitment to a cybersecurity partnership with one of America’s oldest allies late last week. During meetings last Wednesday and Thursday, the U.S. and France discussed “approaches to address domestic cybersecurity challenges, ways to strengthen international security and stability in cyberspace, and updates on cyber-related diplomatic and capacity building efforts,” according to a State Department readout. The two countries also talked about “efforts to counter malicious state and non-state cyber activities, the use of the Internet for terrorist purposes, and cybercrime.” The engagement reflects the State Department’s continuing efforts to build coalitions around “norms of responsible behavior” in cyberspace, as well as Trump officials’ stated goal of focusing on bilateral deals before multilateral ones. The U.S. and France held their inaugural cyber dialogue in September 2016.
APPLAUDING THE KEYSTONE STATE — A major election integrity advocacy group endorsed a decision by Pennsylvania to stop buying voting machines that don’t produce paper records, a move aimed at preventing future digital tampering. “Since 2006, 83 percent of Pennsylvanians have voted on unverifiable direct recording electronic (DRE) systems. This directive begins to change that,” Marian Schneider, president of Verified Voting, said in a statement. “It also serves as an example for other states to do the same.” She also called on the state to decertify its remaining DRE devices and replace them with paper-producing machines. Virginia was the first state to ban DRE machines last year.
RECENTLY ON PRO CYBERSECURITY — Lt. Gen. Paul Nakasone was nominated to be a four-star general, a precursor to his expected selection as the next head of the NSA. … Thai police arrested the alleged head of a cybercrime marketplace responsible for more than $530 million in thefts. … Trump said a House Democratic memo rebutting Rep. Devin Nunes’ own memo detailing alleged FBI surveillance abuses was “very political” and that lawmakers must “re-do” it. … The House cleared a two-year budget deal.
TWEET OF THE DAY — If we’re going to categorize major cyberattacks like hurricanes, can we also name them?
PEOPLE ON THE MOVE
— The National Retail Federation has hired Christian Beckner to head its cybersecurity program. Beckner most recently served as deputy director of George Washington University’s Center for Cyber and Homeland Security, and before that served as an associate staff director at the Senate Homeland Security and Governmental Affairs Committee.
— The Winter Olympics’ opening ceremony suffered a cyberattack, organizers say. Reuters.
— The White House is perturbed by the delay in processing Kushner’s security clearance. The Washington Post.
— Radiflow said it had uncovered the “first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator.”
— “Interfax News Agency yesterday reported that several scientists at Russia’s top nuclear research facility had been arrested for mining cryptocurrency with ‘office computing resources.’” Hacker News.
— “White House mandated risk management reports show mapping of threat to capability to investment.” Federal News Radio.
— Ronald Rivest, Adi Shamir and Leonard Adleman will be inducted into the National Inventors Hall of Fame for inventing RSA cryptography.