TOPSY-TURVY IN EXECUTIVE BRANCH CYBER WORLD — The latest Trump administration leadership shakeup on Tuesday, which rattled Congress anew, would establish two different agency leaders and the exit of Rex Tillerson from his State Department post. Tillerson is out after a good deal of friction with the president, and CIA Director Mike Pompeo has been nominated to replace him. Pompeo’s job would go to nominee Gina Haspel, currently deputy director of the CIA. All of these moves are sure to have cybersecurity implications, but some are less clear than others.
Christopher Painter, the former State Department cybersecurity coordinator, told POLITICO it could mean good things for cyber at Foggy Bottom. “I don’t think the cyber issue was ever a passion for Tillerson; I don’t think this was ever a personal priority for him,” Painter said. “My sense — and all of this is speculative because it’s hard to predict — my sense is that Pompeo because of his background in the CIA and others will have a better appreciation of the security parts of the portfolio.” But Michael Sulmeyer, cybersecurity project director at Harvard Kennedy School’s Belfer Center, said the new secretary will have his hands full with North Korea diplomacy, trade tariffs, the Iran nuclear deal and more. “There’s so much on the agenda for the current and incoming secretary of State,” he told MC. “I frankly just hope that cybersecurity makes it on the agenda at some point.”
Both Painter and Sulmeyer were more confident than not that Pompeo would leave in place a plan rolled out this year to reorganize and strengthen the department’s cybersecurity operations, after Tillerson last year eliminated Painter’s office before replacing it with an office that many considered a downgrade at the time. They were less sure about how the State Department approach to Russian hacking might change, leaning toward thinking Pompeo might be equally or more adversarial than his predecessor given his recent remarks about Russian election hacking. But top House Intelligence Democrat Adam Schiff found Pompeo’s other stances worrisome. “Director Pompeo has not always been willing to stand up to the president, particularly when Trump has questioned the intelligence community’s conclusions on Russia, and we will need the new secretary to be willing to speak hard truths to the president,” he said in a statement.
Other changes were harder to predict still. Pompeo, during his time as a House Intelligence Committee member and leader of the CIA, has been a critic of unbreakable encryption, while the State Department has traditionally been less vocal. Haspel, meanwhile, has apparently made no public remarks about anything cybersecurity-related. Defense Secretary Jim Mattis just lost an administration ally, and there have been reports about a “suicide pact” between Tillerson, Mattis and Treasury Secretary Steve Mnuchin should one person be pushed out, with changes atop Defense and Treasury sure to have cybersecurity implications of their own.
HAPPY WEDNESDAY and welcome to Morning Cybersecurity! C’mon, Russian bots. If you’re on the side of General Hux, you’re now indisputably evil. Send your thoughts, feedback and especially tips to email@example.com and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
POLITICO Space is our new, free weekly briefing on the policies and personalities shaping the second space age in Washington and beyond. Sign-up today to start receiving the newsletter right at launch on April 6. Presented by Boeing.
THE MORE YOU KNOW — Takeaways from the Pentagon’s digital war against the Islamic State “probably” could help inform future digital operations against Russia, the Trump administration’s nominee to lead Cyber Command and the NSA said Tuesday. Testifying before the Senate Armed Services Cybersecurity Subcommittee, Army Cyber Command chief Lt. Gen. Paul Nakasone was asked if there were any lessons from Joint Task Force Ares — a special unit he helms that develops digital weapons to attack and disrupt the extremist group’s online presence — that can be applied to the “information warfare threat” posed by Russia. The three-star replied: “I think there probably are.” He then ticked off three high-level insights, including the ability to “start early,” a reference to the task force’s rocky start a few years ago, and recruiting and retaining the right talent pool.
Nakasone also revealed that the unit has conducted “information operations” against Islamic State adherents. The effort has been “more at the tactical and … operational level,” he added, “but I think that’s where that begins.” Nakasone admitted that manipulating information is the piece of the task force’s work he had “learned the most about, being able to provide a message, to amplify a message, to impact our adversaries.” The comments come as members on both sides of the aisle grow anxious that the Trump administration has not done enough to punish Russia for its interference in the 2016 election and that the U.S. has failed to define roles and responsibilities for cyberspace across the federal government. Sen. Bill Nelson, the subpanel’s top Democrat, said it was “so telling” when retiring NSA and CYBERCOM chief Adm. Mike Rogers testified last month that “he’s ready to do the attacks but has not been given the authorities.” “I fear for American, democratic institutions if we don’t attack,” he added.
** A message from Agari: Federal CISOs: Stop playing cyber defense whack-a-mole. Take one basic step to solve one real problem – and change the global cyber ecosystem while you do it. Adopt DMARC and rebuild trust in government. It works. We invented it. DHS has directed you to adopt it. Agari.com. **
NEXT STEPS FOR MGT ACT — Our friends at Morning Tech note: The House Oversight IT and government operations subcommittees will get a progress report today on the Modernizing Government Technology Act, which was signed into law in December. With the law, Congress authorized $500 million for a central fund dedicated to streamlining federal IT. (It’s overseen by a Technology Modernization Fund Board chaired by federal Chief Information Officer Suzette Kent.) In today’s hearing, lawmakers will hear from the Government Accountability Office, Office of Management and Budget, Homeland Security Department and General Services Administration about how the money is being used.
CYBER SABER RATTLING — Cyber tensions are escalating between the United Kingdom and Russia. British news outlets reported this week that the U.K. was contemplating cyberattacks in retaliation for the alleged Kremlin-ordered murder of a former Russian spy with a nerve agent. The Russian Embassy in the U.K. on Tuesday indicated its displeasure in a statement, saying that the idea was a cause for “serious concern” and suggesting that it could prompt return fire. “Not only is Russia groundlessly and provocatively accused of the Salisbury incident, but apparently, plans are being developed in the U.K. to strike Russia with cyber weapons,” it continued. “Judging by the statements of the prime minister, such a decision can be taken at tomorrow’s meeting of the National Security Council. We invite the British side to once again consider the consequences of such a reckless move.”
MORE CRYPTO BURGLARY — Coincheck, Japan’s self-described largest bitcoin exchange, said it’s spent $435 million to pay back customers after 523 million units of its digital currency were stolen via a cyberattack in January, The Wall Street Journal reported. In all, 260,000 customers had units, dubbed NEM. The hack is one in a series of digital burglaries that have struck the cryptocurrency market in recent months. Coincheck says it resumed performing some exchanges and hopes to stay in business.
BAD CHIPS — Researchers say they have discovered an array of potential vulnerabilities within AMD’s Ryzen and Epyc chip architectures, comparable to the massive Spectre and Meltdown. CTS-Labs, a security research company that gave AMD less than 24 hours to respond to its findings rather than the usual 90 days’ notice, said it uncovered four potential weaknesses that attackers could exploit to affect potentially millions of devices. “At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings,” the company said in a statement to CNET.
— SPEAKING OF FLAWS: Facebook got hit with a double whammy of security vulnerability publicity. Security Week reported that this week, a researcher disclosed the social media giant had vulnerabilities that exposed friend lists and partial payment card information. Facebook reportedly patched one of them in hours and the other within days. The Telegraph reported on another flaw that allows fraudsters to impersonate users’ friends and family. Facebook is still reportedly working to fix that flaw.
RECENTLY ON PRO CYBERSECURITY — Rep. Trey Gowdy, a top Republican on the House Intelligence Committee, broke from panel GOP conclusions that Russians weren’t trying to undermine Hillary Clinton during the 2012 election. … The Department of Health and Human Services’ cyber command center is in turmoil amid personnel fights. … An Army “wish list” for fiscal 2019 includes a sizable bump for cyber efforts. … One of two new nominees for the Privacy and Civil Liberties Oversight Board is a former deputy White House deputy chief technology officer. … “Cameron and Tyler Winklevoss, the twins who once claimed ownership of Facebook, have proposed a self-regulatory organization for cryptocurrency exchanges.”
TWEET OF THE DAY — Fifteen still sounds like a lot.
— “Muslim Cyber Army: a ‘fake news’ operation designed to derail Indonesia’s leader.” Guardian.
— The American Civil Liberties Union is going to court to get information on the TSA’s searches of electronic devices. Motherboard.
— Encrypted email service Securmail patched some recently discovered vulnerabilities. Register.
— Two data breach cases, two different results. JD Supra.
— Work has begun on a new Air Force cyber support contract. Washington Technology.
— “Computer speakers and headphones make passable microphones and can be used to receive data via ultrasound and send signals back, making the practice of air gapping sensitive computer systems less secure.” Register.