Unanswered cybersecurity questions for the Trump administration

White House identifies federal agency cybersecurity risks — Senate defense policy bill boosts U.S. Cyber Command.

IS ANYBODY LISTENING? — Congressional Democrats haven’t been shy about seeking answers from the Trump administration on its cybersecurity policies. But some of the more frequent letter-writers are, at minimum, somewhat displeased with the replies they’re getting. Rep. Bennie Thompson, the top Democrat on the House Homeland Security Committee, said overall “the administration has generally ignored our oversight letters or replied with little or unhelpful information.” The result? “We want to work with the Administration on common sense ways to secure our elections and prevent and mitigate the impact of cyber attacks, but if the Administration continues to ignore us, they make this coordination impossible and leave the country less secure,” Thompson said in a statement to MC.

The Homeland Security Department says it doesn’t comment on congressional correspondence as a matter of policy. In one case where DHS answered Thompson on an election security question, it took more than four months. A DHS letter responding to Thompson’s questions about its order for federal agencies to remove Kaspersky Lab’s software confirmed that all agencies had completed the removal, but declined to go into further detail since Kaspersky is challenging the ban in court.

Sen. Ron Wyden, another Democrat who often queries the administration about cybersecurity, said DHS has responded to many of his letters, and “I am generally pleased with their responses.” Wyden’s ire is mostly aimed at the FBI and Director Christopher Wray about what Wyden called his “misguided war on encryption.” In a statement to MC, Wyden said “Director Wray either can’t, or won’t, explain his technologically illiterate position on encryption. Any serious policymaker looking to understand this issue should be informed by extensive conversations with expert cryptographers without a stake in the answers they give, a step he seems to have skipped before publicly advocating for encryption backdoors.” The FBI said it had answered at least one of Wyden’s questions on encryption at a Senate hearing.

THE BIG PICTURE — Three-quarters of federal agencies are at risk of failure in their cybersecurity programs, some of them at high risk, according to a newly released Office of Management and Budget report. The document, which analyzes the individual risk management reports of 96 agencies, is a major component of Trump’s cyber executive order, issued last May. OMB found that agencies “are not equipped to determine” how attackers are trying to penetrate their networks and steal their data. This “lack of threat information results in ineffective allocations of agencies’ limited cyber resources,” according to OMB’s report. “This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact Federal cybersecurity.” OMB’s report analyzed agencies on 76 criteria. It found that 25 agencies are properly managing their risks, 59 are at risk, and 12 are at high risk.

Four major lines of action are necessary to enable agencies to better protect their information, OMB said: increasing awareness of threats and their severity by using the intelligence community’s Cyber Threat Framework; standardizing digital security practices to reduce costs from duplication; reducing the number of security watch centers that agencies rely on to monitor their networks; and requiring senior agency officials to be more accountable for cyber incidents, including by instituting “recurring risk assessments.”

OMB’s report, which does not identify the agencies at risk or high risk of cybersecurity failure, reveals that 38 percent of cyber incidents affecting federal systems “did not have an identified attack vector,” which spoke poorly of agencies’ threat awareness. And only six in 10 agencies said they had clear processes in place to distribute information across their workforce about cyber risks. “At a time when our reliance on technology is becoming greater and the Nation’s digital adversaries are growing more adept,” OMB said, “we must ensure that the Federal Government can secure citizens’ information and deliver on their core missions.”

TRY TURNING IT ON AND OFF — Two days after Cisco’s Talos unit warned about the VPNFilter malware infecting hundreds of thousands of routers, the FBI and DHS late last week instructed the public what to do about it. The answer is for everyone to reboot their routers. “The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices,” the Friday instructions read, saying the “foreign cyber actors” compromised the routers to possibly collect information or block network traffic. The FBI last week also obtained a court order to seize a server that turned those routers into an army of devices that could launch other attacks. U.S. authorities identified Russian government-affiliated hackers as the culprits. DHS’s Computer Emergency Readiness Team offered advice similar to the FBI’s later on Friday, but with a little more technical detail.

WALKING-AROUND MONEY — The Senate’s defense policy bill proposes more than tripling the amount U.S. Cyber Command can spend annually on new systems and digital tools. The increase in the command’s acquisition authority from $75 million to $250 million is so the newly elevated organization “can have a pilot” that demonstrates its ability and “so we can then have the data to judge later on,” a Senate Armed Services Committee aide told POLITICO late last week about the provision in the panel’s fiscal 2019 National Defense Authorization Act. While only a summary of the massive policy blueprint has been released, the proposed legislation also extends Cyber Command’s buying authority, which was slated to expire in fiscal 2021, to fiscal 2025, the staffer added. The Senate bill also approves President Donald Trump’s $634 million budget request for Cyber Command in the next fiscal year.

YEAH, ABOUT THAT… — The Justice Department has begun updating senior officials’ speeches to note the FBI’s substantially inflated statistic of the number of encrypted devices the bureau couldn’t access last year. In May, weeks after the FBI discovered its error, Attorney General Jeff Sessions cited the 7,700-devices figure during a speech in Scottsdale, Arizona. Now the official transcript shows an asterisk that leads to a footnote saying, in part, that “the correct number will be substantially lower.” DOJ made the same edit in two of Deputy Attorney General Rod Rosenstein’s speeches. Rosenstein used the inflated statistic to augment his months-long effort to press tech companies to use warrant-compatible encryption.

Meanwhile, Rosenstein’s predecessor as the public face of the encryption push, former FBI Director James Comey, apologized this week for how he led that campaign. “I screwed up the way I began the conversation about encryption,” Comey said at a tech conference, according to Reuters. Comey sharply criticized tech companies as irresponsible for implementing unbreakable encryption, but at the conference, Reuters reported, Comey apologized for “coming out too fast and furious in condemning strong encryption without more study and engagement with industry.” In a subsequent interview with Reuters, Comey maintained his belief that law enforcement should be able to pierce encryption in its investigations.

TWO HEADS ARE BETTER THAN ONE — Europol and the World Economic Forum announced they’re teaming up to fight cyber criminals. The European Union’s law enforcement agency and the business group inked a memorandum of understanding detailing how they will share, among other things, best practices, technical information and data about trends in digital crimes. “As criminals increasingly threaten citizens’ and businesses’ digital lives, it is vital for the law enforcement community to work closely with the global business community to create a safe cyber environment,” Steven Wilson, head of Europol’s European Cybercrime Centre, said in a statement.

RECENTLY ON PRO CYBERSECURITY — DHS revised a directive on securing the federal government’s most vital computer networks. … Sen. Richard Blumenthal has questions for manufacturers of digital tracking software about potential abuses. … “Trump administration presents Capitol Hill with deal to rescue Chinese firm ZTE.”

This article originally appeared on Politico.com