Top cyber Senate Republican seeks insight on White House moves — L0pht members find good, bad since 20-year anniversary.
IN REVERSE? — Eleven federal agencies actually got lower grades in the latest scorecard that measures their performance under a 2014 IT overhaul law, the Federal Information Technology Acquisition Reform Act. But it might not be as bad as it seems at first glance, or, depending on your perspective, it might be worse: The new scorecard adds several new criteria, and one of them is explicitly cybersecurity-centric. Today, the House Oversight IT Subcommittee meets to evaluate the grades.
Rep. Robin Kelly, top Democrat on the panel, notes in her prepared opening remarks the addition of a criterion that grades agencies on their information security programs. No agency received an “A” in that category. Likewise, none earned an “A” in a new category measuring performance under last year’s Modernizing Government Technology Act, a law passed in part on the rationale that aging federal networks pose a cybersecurity risk. Under a third new criterion, agencies could also get dinged if their chief information officers didn’t report directly to the deputy secretary or secretary. “This most recent scorecard has me concerned,” Kelly said.
In his prepared opening remarks, panel Chairman Will Hurd warns: “I want to note that we assign these grades not to shame agencies, but rather to incentivize certain behaviors that will save money and increase security.” Today’s witnesses include multiple representatives of the Agriculture and Defense departments, as well as the Government Accountability Office.
FBI’S LATEST CRYPTO WAR BLUNDER — The FBI dramatically overstated the number of devices it couldn’t access last year because of encryption, the agency admitted late Tuesday night. FBI Director Christopher Wray and other top administration officials have cited a figure of approximately 7,800 mobile devices that remain locked, but the bureau said in a statement that it reviewed the figures and identified “flaws with the [counting] methodology.” Its initial assessment is that “programming errors resulted in significant over-counting of mobile devices reported” through its databases. The bureau said it had launched “an in-depth review of how this over-counting previously occurred, and how the methodology can be corrected to capture future data accurately.” The Washington Post first reported the news.
“It’s very unfortunate that the FBI cannot accurately count the number of encrypted phones that it seized last year,” said Ed McAndrew, a former prosecutor and cybercrime coordinator in multiple U.S. attorney’s offices. McAndrew, who supports the FBI’s position in the encryption showdown, said it was “really counterproductive to the policy debate to have them screwing up basic facts.” Amie Stepanovich, U.S. policy manager for the digital rights group Access Now and an opponent of the bureau’s position, called the FBI’s admission “the latest in a years-long pattern of [the bureau] overhyping and inflating this issue.” Marc Rotenberg, president of the Electronic Privacy Information Center and another opponent of the FBI’s stance, said the revelation was “a very serious matter” that “calls into question” the FBI’s other statements about “the scope of electronic surveillance in the United States.”
The FBI’s significant overstatement of the threat posed by encrypted devices and communications will likely encourage its opponents to press for more oversight of its campaign to require tech companies to adopt warrant-friendly encryption. Rotenberg called for the House and Senate Judiciary committees to hold hearings, while two civil society groups urged the DOJ inspector general to investigate. Stepanovich argued that “the public has never been given a clear picture of the problem the FBI is seeking to solve.” The Justice Department declined to comment when asked if the news changed how it would approach the encryption issue, and the White House did not respond to a request for comment.
The news didn’t come as a big surprise to one former Justice Department cybercrime prosecutor. The FBI’s Operational Technology Division, which tracks encryption statistics and manages the bureau’s digital forensics unit, is “not well-run,” said the former prosecutor, who requested anonymity to speak candidly about bureau operations. “That they had three different databases and were basically double or triple counting in a way doesn’t surprise me.” McAndrew said the situation was “troubling” for those like him who wanted the FBI to prevail, because “reasonable people could conclude that the information that’s come out of the FBI about this issue has historically not been accurate.”
MESSAGE RECEIVED — The White House acknowledged Tuesday that Sen. Mike Rounds asked to meet with national security adviser John Bolton to talk about the administration’s vision for cybersecurity after it eliminated the cyber coordinator post. “We are aware of the request,” spokesman Marc Raimondi told POLITICO. Rounds said he asked for the sit-down to “find out what their long-term plans are.” POLITICO broke the news last week that the White House eliminated the cybersecurity coordinator post.
DEFENSE BILLS PLOD ALONG — The House’s annual defense policy bill (H.R. 5515) hit the floor Tuesday night, even though the Rules Committee was still wading through hundreds of possible amendments. Members considered the first 103 addendums to their draft of the fiscal 2019 National Defense Authorization Act, including a handful of extremely noncontroversial digital provisions like incorporating cybersecurity into the U.S. Junior Reserve Officers’ Training Corps and giving minority institutions access to the Pentagon’s Cyber Scholarship Program. Late Tuesday night, Rules made in order 168 more amendments to be debated on the chamber floor before final passage on Thursday.
Meanwhile, the Senate Armed Services Cybersecurity Subcommittee met behind closed doors Tuesday to mark up its portion of the upper chamber’s defense policy road map. The full Armed Services Committee will move forward with a markup beginning today, without Chairman John McCain.
TWO MORE L0PHT MEMBER THOUGHTS — Lawmakers on Tuesday hosted members of a hacker collective who had testified before Congress in the first ever cybersecurity hearing 20 years ago. The two we featured in MC beforehand stuck largely to what they promised they’d say. Here’s what the other pair offered.
Chris “Weld Pond” Wysopal said the major shift is that ethical hackers once were viewed as a nuisance or worse, but are now embraced for bug bounty programs or take roles at companies. “In 10 years they went from ‘Please go away’ to ‘Thank you very much, here’s some money,’” said Wysopal, now chief technology officer at cybersecurity company CA Veracode. Wysopal also said he remembers senators asking at that first hearing if a nation-state might ever employ a group of hackers like themselves. “It all seemed so theoretical,” he said. “We all know 20 years later this is happening constantly.”
Peiter “Mudge” Zatko, head of security at online payment company Stripe, said the big problem he’s still seeing is that security is “largely about what feels right rather than data that makes things secure.” There need to be measurements, such as those some nonprofit groups are now conducting, of how well something is actually protected. “Stop thinking something is secure because it feels like it should be,” he said. He also said it’s time the government does more to mandate security. “Why has this been left almost entirely to the free market to secure and make safe?”
HERE TO HELP — The Defending Digital Democracy Project at Harvard’s Belfer Center has released a document designed to arm political parties around the world with the information necessary to build cyber incident response plans. The D3P team worked closely with the International Republican Institute and National Democratic Institute to develop the international-focused playbook, and the project’s leaders said that they consistently heard requests for communications tips, “because many political parties, campaigns, and other democratic election organizations see cybersecurity issues as unfamiliar territory.”
The resulting international version of the Election Cyber Incident Communications Plan Template is “intended for use by political parties or campaigns as a foundation from which they can develop their own tailored communications response plans, which include best practices, recommended external response processes, and scenarios to anticipate an election cyber incident,” according to D3P’s leaders. The document is divided into sections on best practices, a recommended order for the response process, a checklist of essential actions and a series of example scenarios that can help political parties plan responses. Scenarios include a disinformation campaign, a hacked social media account and interference with election-day vote reporting.
THE EVOLUTION, AND PERSISTENCE, OF FRAUD — Cyber fraud has swung wildly away from traditional browsers on desktops and toward mobile apps, according to a study out today from RSA. In 2015, only 5 percent of cyber fraud was carried out on mobile apps, compared to 39 percent in the first quarter of 2018, the company found. Over the same time period, desktop fraud dropped from 62 percent to 35 percent. One thing hasn’t changed: Phishing email-related threats are still the top method of attack, at 48 percent. “Phishing and malware-based attacks are the most prolific online fraud tactics developed over the past decade,” RSA wrote. “Phishing attacks not only enable online financial fraud, these sneaky threats chip away at our sense of security as they get better at mimicking legitimate links, messages, accounts, individuals and sites.”
CIOs LIKE GRANT ADMINISTRATION BOOST — A group representing state tech officials said Tuesday that they welcomed grant guidance from the Federal Emergency Management Agency that would mandate inclusion of state CIOs and CISOs on government bodies that help distribute the funds. “Our CIO and CISO community looks forward to collaborating with our state emergency management and homeland security partners to enhance the capability of state and local governments to prepare for, protect against, respond to, recover from, and mitigate all hazards including and especially cybersecurity threats,” said Bo Reese, Oklahoma’s CIO and president of the National Association of State Chief Information Officers. The new guidance, issued this week, also required states to make more explicit how they intend to use cybersecurity grant money.
HOUSTON, WE HAVE SEVERAL PROBLEMS — NASA must take “urgent action” to fix weaknesses in its information technology and cybersecurity programs, according to a Government Accountability Office report. The space agency hasn’t documented how it manages its computer systems based on “leading practices,” and it doesn’t regularly assess its IT staffing needs or report them to NASA leadership, GAO said in the report published Tuesday. NASA also falls short in “IT governance,” the collection of processes that ensure accountability in the management of IT systems, according to the report. For example, GAO said that NASA’s chief information officer lacks “visibility into all IT investments.” NASA also has not “fully established an effective approach to managing agency-wide cybersecurity risk,” which will become increasingly problematic as the agency “continues to collaborate with other agencies and nations and increasingly relies on agreements with private companies to carry out its missions.” The auditors urged NASA to task its CIO with a series of projects in the areas of cyber risk management and IT governance. The space agency agreed with most of GAO’s recommendations.
RECENTLY ON PRO CYBERSECURITY — Homeland Security Secretary Kirstjen Nielsen appeared to express unfamiliarity with the intelligence community’s conclusion that Russia intended to help Donald Trump get elected. … Rep. Jim Himes expressed alarm at the president undermining efforts to safeguard midterm elections with his rhetoric. … “GOP fundraiser subpoenas AP over hacked emails, setting up legal showdown.” … There’s a bipartisan Hill push to fight the Trump administration’s sanctions rollback against Chinese telecom company ZTE.
Facebook CEO Mark Zuckerberg said his company is in an “arms race” to combat election interference. … Treasury Secretary Steven Mnuchin and acting IRS Commissioner David Kautter are developing a long-term plan to upgrade information technology at the revenue agency. … Central bankers are starting to take a shine to Bitcoin. … Sen. Ron Wyden asked the Pentagon’s chief information officer to ensure that all DoD websites use a more secure protocol.
This article originally appeared on Politico.com