Equifax breach grows larger, as does outrage (somewhat)

Credit score giant Equifax is back in Capitol Hill’s crosshairs after announcing it had identified an additional 2.4 million U.S. consumers whose personal information was affected by last year’s data breach, bringing the total number of victims to 147.9 million.

But lawmakers seem to have traded the white-hot rhetoric they regularly employed in the wake of the breach for milder rebukes. Senate Commerce Committee Chairman John Thune said he would reach out to Equifax for more information, and admonished the firm for “trying to clean up its mess in a piecemeal fashion.” Separately, the House duo of Commerce Committee Chairman Greg Walden and Rep. Bob Latta, who chairs the panel’s consumer protection subcommittee, said they would request a briefing about the new details from Mandiant, the cyber team hired to investigate the digital theft. “This committee has repeatedly requested documents and information from Equifax,” they said, “only to be given partial responses and delay in full disclosure.”

Meanwhile, Rep. Ted Lieu introduced two new bills aimed at safeguarding consumers whose data is compromised in such breaches. “Credit reporting agencies must be held accountable when they fail to keep sensitive data safe,” said the California Democrat.

The relatively toned down response may be tied to the fact that such changing assessments aren’t shocking following cyber thefts. “Breach investigations can be very lengthy and it is not uncommon to disclose additional findings over a period of time,” said Mounir Hahad, head of threat research at Juniper Networks. “For example, some companies may soon be required to issue a public notification of data breaches within three days of a cyber incident, but in some complicated cases the actual findings may continue to be identified for months.”

HAPPY FRIDAY and welcome to Morning Cybersecurity! Send your thoughts, feedback and especially tips to tstarks@politico.com and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

MUELLER’S NEXT STEP? — Special counsel Robert Mueller’s team is contemplating charges against Russian hackers for infiltrating the Democratic National Committee and Hillary Clinton’s campaign during the 2016 election, NBC News reported Thursday night.

The possible indictments would not come as a surprise — many experts consider it the logical next step after Mueller indicted Russian trolls last month for impersonating Americans online to spread divisive information during the presidential race. And The Wall Street Journal reported in November that Justice Department officials were weighing charges against at least six members of the Russian government they believe were behind the digital break-in at the DNC.

While the Obama administration has already blamed the Kremlin for orchestrating the DNC and Clinton campaign hacks, formally filing charges would give the public an unprecedented look behind the scenes of the two incidents. The DNC hack, in particular, has long generated numerous conspiracy theories, including President Donald Trump speculating during the campaign that the Democrats hacked themselves. And some on the far right remain doubtful to this day of the Russians’ involvement.

The NBC News story said U.S. intelligence agencies have already turned over all the relevant information to FBI investigators, including technical details about the Russian hackers’ tactics. A few outstanding questions are whether Mueller will decide to charge Russian intelligence officials — as DOJ did following a mammoth hack at tech giant Yahoo — and whether any American co-conspirators will show up in any indictment.

BUSY CYBER TIME IN STATES — A handful of states this week took action to shore up their cyber defenses. Kentucky’s State Board of Elections voted to mandate a voter-verified paper trail for all future election equipment purchases, a move most experts view as a safeguard against digital meddling. The Georgia State Senate similarly voted to replace electronic touch-screen voting with a paper-based system, which could go into effect in 2020 or 2024, depending on House action and subsequent funding. Finally, Arizona Gov. Doug Ducey issued an executive order creating a cybersecurity team made up of government and outside experts to enhance digital defense collaboration, develop the state’s cyber workforce and publicly promote online security.

IMPOSSIBLE GERMANY The hack of German government computer systems, allegedly by Russia, was “ongoing” as of Thursday after first being reported Wednesday, the chairman of Germany’s intelligence oversight committee said. “The spilling of secrets caused considerable damage,” said the chairman, Armin Schuster. Panel members complained after a Thursday briefing that they should’ve received notice much earlier, since the attack was uncovered last year. Some said withholding the information might have violated the law. Another said the malware at the root of the attack was significantly nastier than the kind seen in 2015’s breach of Germany’s parliament. Germany’s Interior Ministry said the new attack of its main data network was limited and has been brought under control.

NEW MOBILE SECURITY LAYER — The four major national U.S. carriers on Thursday jointly announced a new initiative designed to safeguard mobile applications users. AT&T, Sprint, T-Mobile and Verizon said their goal is to create a safer version of two-factor authentication, a process that helps reduce identity theft but can still be hijacked by digital meddlers.

The new measures could “greatly reduce fraud risk,” said Travis Jarae, CEO of One World Identity, an identity strategy and research firm. Jarae noted, however, that the big four telecom companies have tried and failed before to launch joint projects, including an attempt to offer their own digital wallet service to compete with Apple Pay and Android Pay. “The initiative failed spectacularly because of infighting among the carriers, so it will be interesting to see if this push has a similar fate,” Jarae said.

ELECTION SECURITY BILLS, ON OTHER BILLS — Congress should add money for election security measures to the government spending bill it will take up later this month, a leading liberal activist group said Thursday. “Almost all states want to strengthen their election infrastructure — including voter registration systems and voting machines — but they need federal funding to make the necessary upgrades,” the Center for American Progress said in a note to reporters. “Congress is way behind in providing resources to the states given that the upcoming 2018 midterm elections are less than nine months away, and some state primary elections already have begun.”

Lawmakers must approve an appropriations bill by March 23 to avert another government shutdown. As Martin reported Thursday, some sponsors of election security legislation, frustrated that their bills haven’t gone anywhere, are hoping to attach their offerings to the government funding bill. CAP pointed to its earlier recommendation that Congress appropriate $1.25 billion over 10 years for upgraded voting machines, voter registration databases and other election infrastructure. “It is imperative that Republican congressional leadership in both the Senate and the House includes election security funding in the omnibus appropriations bill,” the group said.

** Cybersecurity stakeholders turn to our newsletter each morning to gain critical intelligence. To introduce your brand to this community, contact partnerships@politico.com for advertising opportunities. **

OORAH — The Marine Corps formally established new career pathways on Thursday for Marines who want to focus on cyber warfare. The newly announced occupational specialties, ranging from “offensive cyberspace weapons officer” to “cyberspace defensive operator,” are accompanied by standardized training and other measures that the corps hopes will allow it to retain cyber warriors. “The Cyberspace Occupational Field provides the Marine Corps with a professionalized, highly skilled workforce,” the Marine announcement said.

GUARD THE GRID — The top Democrat on the Senate Energy and Natural Resources Committee on Thursday urged the Trump administration to conduct a wide-ranging assessment of digital security vulnerabilities in the nation’s electric grid. “We have been pushing for over a year now asking for a [cyber] threat assessment to our electricity grid,” Sen. Maria Cantwell said at a hearing on cyber threats to energy infrastructure. “We are just dead serious that this is a problem. And we are dead serious that we have to come up with a threat assessment.” Cantwell joined other Democrats last year in sending two letters to Trump on the subject.

“We need to get the threat assessment done,” Cantwell added. “We need to get an understanding of what our workforce need is from that threat assessment, and what other additional focuses besides just hardening of our infrastructure.” The Energy Department witness testifying at the hearing couldn’t promise that DOE would launch an assessment, but he did tout the agency’s progress in standing up a new cyber office that would coordinate such activities.

RECENTLY ON PRO CYBERSECURITY — GitHub endured the largest distributed denial-of-service attack ever recorded. … The Trump administration’s nominee to lead U.S. Cyber Command said countries that digitally target the United States “don’t fear us.” … The same nominee told lawmakers that he would weigh in on splitting from NSA from Cyber Command within 90 days of confirmation. … Homeland Security Secretary Kirstjen Nielsen called on industry executives to work with her agency on its review of flaws in the government’s digital supply chain. … The Senate may consider legislation next week that would rename and reorganize the main cyber division at DHS. … The leaders of the Senate Intelligence Committee met last month with House Speaker Paul Ryan to express concerns about the House Intelligence Committee. … White House press secretary Sarah Huckabee Sanders said President Donald Trump wants to reform the FISA process. … Russian trolls meddled in U.S. energy and pipeline debates, according to a new congressional report.

TWEET OF THE DAY — In general, “extreme hackers” is a hoax giveaway.


Federal Chief Information Officer Suzette Kent will chair a board to help decide which agencies receive money from a new IT modernization fund, the Office of Management and Budget announced Thursday. The other members are Alan Thomas, head of the General Services Administration’s acquisition arm; Mark Kneidinger, head of DHS’s Federal Network Resilience unit; Matt Cutts, acting administrator of the U.S. Digital Service, which helps agencies streamline their technology platforms; Social Security Administration CIO Rajive Mathur; Small Business Administration CIO Maria Roat; and Veterans Affairs CIO Charles Worthington.

Klara Jordan is taking the job of director of the Cyber Statecraft Initiative in the Atlantic Council’s Scowcroft Center for Strategy and Security. She comes over after having worked at Orlie Yaniv Strategies and FireEye. It’s her second stint at the Cyber Statecraft Initiative.


How 2018 candidates are wrestling with cybersecurity. Associated Press.

“The Justice Department inspector general is preparing a damaging report on former FBI deputy director Andrew McCabe, alleging he was responsible for approving an improper media disclosure, two people familiar with the matter said. One of the people said McCabe will also be accused of misleading investigators about his actions.” The Washington Post.

The Financial Services Information Sharing and Analysis Center, or FS-ISAC, fell victim to a successful phishing attack. Krebs on Security.

The tech and banking industries are feuding over a major internet security protocol. CyberScoop.

U.S. spy agencies want help from the U.K. on cybersecurity? Financial Times.

Israeli phone-cracking company Cellebrite says it keeps Apple vulnerabilities secret for the good of the public. (It only happens to make money off selling its phone-cracking services.) Forbes.

United Arab Emirates cybersecurity startup DarkMatter has doubled its revenue to $400 million over the past year. Bloomberg.

“23,000 HTTPS certificates axed after CEO emails private keys.” Ars Technica.

NATO’s former cyber chief worries cybersecurity is getting short shrift in broader geopolitical discussions. Fifth Domain.

That’s all for today.

Stay in touch with the whole team: Cory Bennett (cbennett@politico.com, @Cory_Bennett); Bryan Bender (bbender@politico.com, @BryanDBender); Eric Geller (egeller@politico.com, @ericgeller); Martin Matishak (mmatishak@politico.com, @martinmatishak) and Tim Starks (tstarks@politico.com, @timstarks).