CUTTING THROUGH THE DIGITAL STATIC — The Trump administration’s promises about deterring Russian meddling in U.S. elections are being undercut by confusion over what the military can and can’t do to adversaries in cyberspace, Martin reports. A parade of senior officials — including Director of National Intelligence Dan Coats, retiring NSA and U.S. Cyber Command chief Adm. Mike Rogers and the top U.S. general in Europe — have sent contradictory message in recent days, leaving lawmakers from both parties confused about who’s making the decisions on cyber defenses and whether the U.S. government is allowed, or prepared, to strike back at the Kremlin hackers.
Story Continued Below
“What’s the strategy? What’s the strategy?” asked Sen. Dan Sullivan, who recently remarked that the U.S. seemed to be the “cyber punching bag of the world.” “The Obama guys didn’t give us one, and now the Trump guys haven’t given us one,” he added. “It’s time. It’s been time for a while.” The uncertainty about cyber warfare has long frustrated Capitol Hill, which has debated how to divide the cybersecurity roles of agencies such as the Homeland Security Department — which has taken on the job of safeguarding elections — as well as the FBI, NSA and the Defense Department. But the lack of a defined cyberwar doctrine is hindering the United States’ ability to fight back online against its digital adversaries, including nations such as Russia and terrorist groups like the Islamic State, lawmakers, experts and policy specialists say.
A group of frustrated lawmakers think they can tackle the topic via the upcoming annual National Defense Authorization Act, which the Armed Services committees in both chambers have begun to formulate. “I think we’ve got to try because no one seems to want to take responsibility,” said Sen. Martin Heinrich, who serves on the Armed Services and Intelligence panels. Sen. Mike Rounds, who chairs the Armed Services Cybersecurity Subcommittee, said the country “can do better” both at defending civilian targets against cyberattacks and “in preparing appropriate policy for more timely offensive responses as well.”
But other lawmakers say the agencies should be the ones clearing up any ambiguities. “They need to do some reorganizing so that they have a clearer line of responsibility and that’s what they don’t have now,” according to Sen. Jim Inhofe. Pros can read the full story here.
HAPPY TUESDAY and welcome to Morning Cybersecurity! Somebody has to hold public officials to account, right? Send your thoughts, feedback and especially tips to firstname.lastname@example.org and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
POLITICO Space is our new, free weekly briefing on the policies and personalities shaping the second space age in Washington and beyond. Sign up today to start receiving the newsletter right at launch on April 6.
HOUSE INTEL CALLS IT A DAY — House Intelligence Republicans on Monday announced they were finalizing a report that concludes Kremlin election meddlers didn’t favor Donald Trump in the 2016 race, and that there was no collusion between Trump’s campaign and Moscow. Democrats said more work was needed and swiftly condemned the preliminary conclusions that go against the intelligence community’s 2017 assessment of election interference and ignore signs of cooperation between the Trump campaign and Russian intermediaries. “By ending its oversight role in the only authorized investigation in the House, the Majority has placed the interests of protecting the president over protecting the country, and history will judge its actions harshly,” said Rep. Adam Schiff, the top Democrat on the panel. The Office of the Director of National Intelligence said it stood by the 2017 assessment.
Republicans said a draft report delves into the Russian cyberattacks during the 2016 election, how Russia is interfering in Europe and the United States’ inadequate response. They also said it would make recommendations for improving the U.S. response to cyberattacks and strengthening election security.
SPEAKING OF MILITARY CYBER OPS… — The digital chiefs of four military branches will testify this afternoon before the Senate Armed Services Cybersecurity Subcommittee. It will likely mark the last such appearance for Lt. Gen. Paul Nakasone as Army Cyber Command chief and Navy Vice Adm. Michael Gilday, who will move on later this year from his commands of U.S. Fleet Cyber Command and U.S. 10th Fleet. Nakasone has been tapped to lead the NSA and U.S. Cyber Command and has his second confirmation hearing on Thursday with the Senate Intelligence Committee.
Senators are likely to press the leaders on the readiness of the digital forces and if they’re building a deep enough bench of cyber operators or if they’re simply creating a so-called hollow force, where all the slots are filled but no one sticks with the cyberspace mission, let alone as a career. Last month retiring Rogers expressed a desire to the full Armed Services Committee to “retool” the 133 teams the military services are building, collectively known as the Cyber Mission Force, after they achieve their fully operationally capable designation later this fiscal year.
** A message from Agari: To protect citizens from phishing attacks, the DHS issued Binding Operational Directive 18-01. This mandate requires Federal Government agencies to implement DMARC. As of the January 14th 2018 deadline, 63% of Federal domains have implemented DMARC. Join HHS and DHS to learn how to comply with BOD 18-01 and implement DMARC. **
ALL OF THE -DICTS AND -DITES — Top congressional Democrats urged the Trump administration on Monday to make sure the 13 Russians indicted by special counsel Robert Mueller for election meddling are extradited, after Russian President Vladimir Putin recently vowed that it would “never” happen. “While Putin’s stance is not surprising, it is also simply unacceptable,” wrote Senate Minority Leader Chuck Schumer, House Speaker Nancy Pelosi, top Senate Judiciary Democrat Dianne Feinstein and top House Judiciary Democrat Jerry Nadler in a letter to Trump. The group recommended that the Justice Department seek Interpol help to make it difficult for the suspects to travel or live overseas, or that the State Department and White House use diplomatic channels to sway Putin.
IT’S THE MOST WONDERFUL TIME OF THE YEAR — Starting last week, annual reports from agency inspectors general reviewing compliance with a major federal cybersecurity law began trickling out. On Monday, four such reviews of agency performance under the Federal Information Security Modernization Act dropped. Three of them examined components of the FBI, while the fourth took a look at the Department of Health and Human Services. Last week’s report was on the Homeland Security Department.
LOLZ NOTHING MATTERS — A majority of people don’t take steps to improve their personal cybersecurity, according to a new online survey from Lawfare. A little over half of respondents said they don’t encrypt the data on their phone or computer, while 70 percent don’t utilize an anonymous web browser. In addition, the survey of around 4,000 found that 65 percent of people don’t use a password-management service. There is a silver lining, though: A plurality of those surveyed — almost 21 percent — said the password they use most often is over eight characters long, and most everyone else answered that they used passwords over nine, 10, 11 or even 12 characters.
BAH, IRAN — An Iranian hacking group has Bahrain in its sights, according to cybersecurity firm CrowdStrike. The company said it had seen an uptick in Iranian hacking by the espionage-oriented group dubbed Helix Kitten. “Considering the pivotal nature of Bahrain for the security structure of the Persian Gulf, CrowdStrike Intelligence assesses that it is likely that adversaries such as Helix Kitten will continue to focus on themes consistent with Bahrain’s ties with Israel to lead intra- and extra-regional operations,” Adam Meyers, the company’s vice president of intelligence, said in an email Monday. Other companies have noticed an increase in Iranian hacking as well.
DHS R&D GUIDES — The Homeland Security Department’s science and technology wing on Monday released two updated guides on its cybersecurity research. The portfolio guide summarizes the cybersecurity division’s research topics, while the technology guide offers details on research work that’s ready to go to market. “We believe these guides will be catalysts for new opportunities with stakeholders in the public and private sector cybersecurity community to pilot or transition to the marketplace these groundbreaking, mature solutions,” said S&T Cyber Security Division Director Douglas Maughan. “We also believe each guide will prompt interest within the research community to discuss emerging cybersecurity capability gaps with us.”
RECENTLY ON PRO CYBERSECURITY — President Donald Trump blocked “Asian chip manufacturer Broadcom’s $117 billion takeover bid for U.S. rival Qualcomm [on Monday] amid national security and economic concerns about China.” … House leaders are looking at a Friday vote on an omnibus spending bill. … Pro eHealth did a Q&A on cybersecurity with Merlin International’s chief technology officer, Brian Wells, and CynergisTek CEO Mac McMillan.
PEOPLE ON THE MOVE
— Ben Golub is taking the jobs of executive chairman and interim CEO at Storj Labs, a blockchain-based cloud storage company that emphasizes security, the firm announced Monday. Golub is the former CEO of Docker.
TWEET OF THE DAY — It’s a vicious cycle.
— A judge is letting breach victims go forward with a lawsuit against Yahoo. Reuters.
— How distributed denial of services attacks are still dangerous. Wired.
— Motherboard looks at an industry that appears to market secure phones to criminals.
— An industry consortium published guidance on securing industrial internet-connected devices. Security Week.
— The hackers who planted a backdoor in CCleaner apparently had another level to their plans. Threatpost.
— “Mueller’s Choice of Criminal Charges: Why the Trump Team Should Be Very Worried.” Just Security.
— ESET found new samples from Italian spyware vendor Hacking Team. Security Week.
— IOActive researchers found a way to infect robots with ransomware. Motherboard.
— China messed with vulnerability data. Recorded Future.
That’s all for today. Got nothing funnier about the chocolate bunny interview than what was up there.
Stay in touch with the whole team: Cory Bennett (email@example.com, @Cory_Bennett); Bryan Bender (firstname.lastname@example.org, @BryanDBender); Eric Geller (email@example.com, @ericgeller); Martin Matishak (firstname.lastname@example.org, @martinmatishak) and Tim Starks (email@example.com, @timstarks).
** A message from Agari: Email phishing, where cyber criminals pose as government agencies to gain personal information from citizens, is at an all-time high. To combat against this, the Department of Homeland Security has issued Binding Operational Directive 18-01 (BOD 18-01), which mandates all Federal Government agencies to implement DMARC.
DMARC enables organizations to authenticate legitimate email and provides intelligence on the use of an Agency’s domain across the internet. Agencies who implement DMARC have seen a 75% drop in email volume as cybercriminals can no longer impersonate domains with a DMARC policy.
As of the January 2018 deadline, 63% of federal domains already have a DMARC record in place.
Watch this webinar on demand for guidance from the Department of Health and Human Services and the Department of Homeland Security on how to implement DMARC and comply with BOD 18-01.