The Senate Homeland Security Committee on Wednesday approved a DHS authorization bill (H.R. 2825) chock full of cybersecurity provisions, but one major anticipated fight fell by the wayside — for now.
Sen. James Lankford withdrew a planned amendment on election security that would’ve established a presumption that the Homeland Security Department and state and local election officials swiftly share any election threat data with one another. Lankford said 10 secretaries of state objected to the proposal, citing federal overreach and a pending Senate Intelligence report on 2016 election meddling. Lankford indicated his amendment might come back if the measure reaches the full Senate floor.
Committee turf fights between the Homeland Security and Rules panels also sidelined the amendment, which could also inhibit the overall bill’s chances of advancing. The Senate has had trouble moving a first-ever DHS authorization measure because no single committee has jurisdiction over the agency, and the Senate hasn’t yet forged an agreement between panels like the House did last year, allowing it to pass a DHS authorization measure. Top Senate Homeland Security Committee Democrat Sen. Claire McCaskill called the jurisdictional issue “so dumb.” And Chairman Ron Johnson said another hurdle is the potential that senators might offer amendments on the floor meant to score political points.
If the bill gets to the Senate floor and then the president’s desk, it would enact the top congressional cybersecurity priority for DHS by renaming and reorganizing the department’s main cyber wing into the Cybersecurity and Infrastructure Security Agency. An amendment included from Sen. Maggie Hassan would also authorize a DHS bug bounty program. Separately, an amendment from Johnson and Sen. Kamala Harris would establish a cybersecurity talent exchange pilot program between DHS and the private sector. Sen. Steve Daines won inclusion of an amendment detailing a cybersecurity research and development agenda for the department’s science and technology wing. One of Sen. Rob Portman’s amendments would require a DHS report on cybersecurity applications for blockchain technology, and the risk of foreign governments using it to conduct cyberattacks. Another of his amendments would direct a DHS report on whether the agency can use its relationship with China on cybersecurity to combat the opiate trade.
HAPPY THURSDAY and welcome to Morning Cybersecurity! Now the robots are creepily laughing at us for no good reason.
SPEAKING OF HOUSE HOMELAND — The House Homeland Security Committee on Wednesday took its own action on cybersecurity legislation, approving a bill (H.R. 5074) that would authorize the DHS teams that deploy during a cyber crisis. The bill’s sponsor, Chairman Mike McCaul, said the legislation would “codify and enhance the cyber incident response teams at DHS.” He also touted a provision specifying that the teams can include private sector experts, “providing DHS flexibility to call on outside expertise.”
FIRST ON PRO: KEEP US IN THE LOOP — Rep. Ted Lieu asked the Trump administration’s cyber czar to be more forthcoming with Congress about the government’s process for disclosing vulnerabilities to tech companies. In a letter sent Monday to Rob Joyce, cybersecurity coordinator on the National Security Council, Lieu applauded the administration for updating and revealing unprecedented details about the Vulnerability Equities Process — the framework the White House uses to decide when to tell tech companies about unknown bugs and when to hoard them for spy agencies to exploit — but said he was “concerned with the level of discretion when it comes to sharing information with Congress.”
The California Democrat found much to like in the updated VEP, like “clarity over which agencies have a seat at the table” and the fact that it considers U.S. “relationships and commitments.” However, “the new policy lacks the critical piece of accountability to give the American people full confidence in the government’s decision-making on vulnerability disclosure,” Lieu wrote. “The ultimate success of the VEP hinges on whether the results of the government’s opaque decision-making … can be audited by Congress to ensure the desired policy is achieved.” To that end, Lieu asked Joyce if his office would commit to providing an annual report on the VEP to Congress, and if the inaugural submission would include data from 2017.
WATCHING THE WATCHDOG — DHS fell below the target in several measurements of its information security program in fiscal 2017, according to a recent inspector general report. It wasn’t up to snuff on protecting systems, detecting potential incidents and its ability to recover in the event of a disruption, the report concludes. The department did, however, meet the target on identifying risks and responding to incidents, the IG found. The watchdog made five recommendations for improvements, all of which DHS agreed with, but only one of which it has acted upon fully.
W.H. ON BOARD WITH HELPING STATES — White House press secretary Sarah Huckabee Sanders insisted on Wednesday that the Trump administration would assist states worried about foreign interference in their elections. “We’ll continue working with states to secure their systems. We’ll continue working on the intelligence side to make sure we’re aware of any type of threat and we can combat that. A lot of the things, frankly, being done I can’t talk in detail about,” she told Fox News. “This administration across the board, agency-wide is taking this very seriously and taking very big steps to make sure we don’t repeat the mistakes of the previous administration and ignore this problem and not take bold action to prevent it from happening again.”
The vow came the day after President Donald Trump, regularly accused of not caring enough about election security, backed the idea of paper-based voting safeguards. Huckabee Sanders said DHS is “certainly taking a huge lead on this process.” But, she warned, “it’s not a one-day process.”
LOOK BEFORE YOU LEAP — Cryptocurrency owners may be trading on websites that are not registered with the SEC, thus exposing themselves to significant losses if the sites go under, the SEC said in a statement Wednesday. Commission staff are concerned that “many online trading platforms appear to investors as SEC-registered and regulated marketplaces when they are not,” the agency said. The SEC added that while some sites claim to have high standards for determining tradable assets, the agency does not review those decisions, leaving users at the sites’ mercy. The agency suggested that investors examine trading sites closely before using them, scrutinizing who can trade, how prices are set, what the fees are and how the site holds its users’ assets. Another question the agency recommended asking: “What are the platform’s protections against cybersecurity threats, such as hacking or intrusions?”
TIP OF THE ICEBERG — The FBI has a relationship with Best Buy’s Geek Squad technicians dating back to at least 2008, according to a bureau memo obtained by the Electronic Frontier Foundation. In September of that year, agents in Louisville, Ky., met with Geek Squad employees at a local repair shop. Since then, the Louisville Field Office has “maintained close liaison” with Geek Squad managers, according to the memo, which the EFF received in a Freedom of Information Act lawsuit. Other newly obtained documents “detail a series of FBI investigations in which a Geek Squad employee would call the FBI’s Louisville field office after finding what they believed was child pornography,” according to an EFF blog post. The public first learned about this relationship last year, when California authorities charged a man with possessing child pornography after Geek Squad technicians discovered it on his computer.
New details have emerged about Best Buy employees’ behavior in that case. The company told PCMag that four technicians “may have” received money from the FBI for helping obtain evidence that the man possessed child pornography. “Any decision to accept payment was in very poor judgement and inconsistent with our training and policies,” Best Buy told the publication.
RECENTLY ON PRO CYBERSECURITY — Democratic Sens. Amy Klobuchar and Jeanne Shaheen asked top election equipment vendors whether they shared source code with the Russian government.