Another committee jumps into cyber deterrence debate

Congress has had a pretty productive week-plus of advancing meaningful cyber legislation, and today it considers yet another meaty bill.

The House Foreign Affairs Committee will mark up a bipartisan measure (H.R. 5576) that directs the executive branch to “name and shame” the most dire nation-state cyber threats to the U.S., then take action to sanction all involved parties, although the president would have the authority to waive those sanction requirements under certain conditions. The legislation, chiefly sponsored by Rep. Ted Yoho, has support from panel chairman Ed Royce and top committee Democrat Eliot Engel.

Also today, the House Intelligence Committee is set to approve a spy agency authorization bill likely to include cybersecurity provisions, two days after the Senate panel did the same. Last week, the full Senate passed a fiscal 2019 defense policy bill (S. 2987) that contains cyber deterrence provisions the Trump administration found objectionable. Earlier this week, the Senate Foreign Relations Committee approved legislation (H.R. 3776 ) that would establish a high-level cyber office at the State Department. And then there was Wednesday…

NIST, YOU LISTENING? — The technical standards agency NIST would get $103.2 million for cybersecurity and privacy research under a reauthorization billthat the House Science Committee approved Wednesday. The bill would also direct NIST to increase its advice to federal agencies about deploying its cybersecurity framework, including by training cybersecurity employees and department auditors. In addition, the reauthorization bill would require NIST to “expand [its] fundamental and applied research” in areas like identity management and network security, as well as assessing cyber workforce gaps. There is also a section in the bill to require NIST to study the cybersecurity issues posed by the internet of things. It suggests that NIST consider “the development and publication of new cybersecurity tools, encryption methods, and best practices for internet of things security.”

“These investments in research and development will address the growing cybersecurity threats that harm our federal agencies and infrastructure and help reduce the cyber risks that are growing more frequent by the day,” Rep. Barbara Comstock, chairwoman of the House Science research and technology subcommittee, said in a statement. Elsewhere Wednesday, the Science panel held a hearing on cell site simulators, where Democrats lobbed criticisms at President Donald Trump over his cellphone security practices.

HAPPY THURSDAY and welcome to Morning Cybersecurity! Very little is better than a good “LEEROY JENKINS” moment. Send your thoughts, feedback and especially tips to tstarks@politico.com, and be sure to follow @POLITICOProand @MorningCybersec. Full team info below.

THIS TIME MAYBE HE WON’T BELIEVE HIM — National security adviser John Bolton said Wednesday that President Donald Trump and Russian President Vladimir Putin would likely discuss the Kremlin’s alleged election meddling. Bolton “expects it will be a subject of conversation between the two presidents,” he said at a press conference at Russia’s Interfax news agency. It’s unclear how the discussions would differ from past talks between the pair. “He said he didn’t meddle. He said he didn’t meddle. I asked him again. You can only ask so many times,” Trump told reporters in November. “Every time he sees me, he says, ‘I didn’t do that,'” Trump said. “And I believe, I really believe, that when he tells me that, he means it.”

PLEASE HELP — The Russian antivirus firm Kaspersky Lab on Wednesday said it wants a federal court to temporarily pause changes to procurement rules intended to block its software from government systems. The defense policy bill for the 2018 fiscal year banned Kaspersky from government computers, and recently the trio of agencies that set procurement standards — the GSA, Pentagon and NASA — laid out the process for implementing that provision. Kaspersky, which is appealing a district court’s decision to toss out its challenge to that law, asked the federal appeals court in Washington for an emergency stay of those changes.

The company said “a significant number” of its customers have already canceled their contracts because of the impending ban. According to Kaspersky’s filing, these costly cancellations — along with damage to the company’s “reputation and … ability to reach new customers and increase brand awareness” — are unfair, because the appeals court might overturn the lower court’s ruling and invalidate the ban. Also Wednesday, Kaspersky filed its brief in advance of oral arguments in the case on Sept. 14.

BIGGER THAN EQUIFAX, SORTA — A security researcher discovered that a Florida marketing and data aggregation firm left exposed a database of 340 million records of consumers and business contacts, Wired reported Wednesday. The data from Exactis is extensive, down to whether a person smokes. And while 340 million is more than double the figure of last year’s Equifax breach, as some headlines and tweets hailed Wednesday, it’s not known whether it’s a true “breach” at this time. Even the researcher who discovered the leaky Exactis data has no evidence malicious hackers have obtained it, although it’s certainly plausible they might have.

HOW TO ATTACK TAX FRAUD — A committee that advises the IRS on electronic tax matters has asked Congress to change the tax code to let the agency share tax returns and other data when doing so would help combat tax return fraud that results from hackers stealing personal information. The provision that currently prevents this, Internal Revenue Code Section 6103, “may be creating unintended barriers in the effort to improve cybersecurity and prevent” this fraud, the Electronic Tax Administration Advisory Committee said in its annual report to Congress. Under current law, the IRS can only share taxpayer data with state tax officials and the companies whose software was used to file the fraudulent returns; the agency cannot share the information more widely, which could help other tax professionals spot similar fraud. The committee argued that “an appropriate balance can be struck that both protects taxpayers from improper use and disclosure of their tax information, while enabling the IRS to prevent” tax fraud.

The committee is also worried that the IRS will lose sight of its cybersecurity mission “in light of the resources that will be required for the IRS to implement” the tax law that Trump signed in December. “The funding requirements for the continued fight against [Identity Theft Tax Refund Fraud] and for enhanced cybersecurity could be overshadowed by the implementation of tax reform measures,” the ETAAC wrote.

Congress should also expand the FTC’s authority to require that companies use reasonable cybersecurity protections so that it covers tax preparers and filing services, the committee recommended, and then it should let the IRS enforce that expanded FTC rule. “The IRS should have the authority and responsibility to implement and enforce security standards for our tax system — it is much closer to the issues and operations of that system than the FTC,” the committee said in its report.

LET ME EXPLAIN — Huawei’s chief security officer in the U.S. came out with a spirited defense of the Chinese telecom firm, arguing that recent Capitol Hill actions to ban the company and others won’t improve national security. The House version of the annual defense policy bill, H.R. 5515, bars federal agencies from using technology provided by Huawei and ZTE. The measure also prohibits the military from buying or renewing contracts with any vendors that work with the firms. “Members of Congress may sincerely believe that barring one or two Chinese companies from the U.S. market will significantly protect the country’s networks. But today’s telecommunications industry is transnational and borderless,” wrote Donald “Andy” Purdy, the former top cyber official at DHS. “All of its leading players already use equipment developed or manufactured in China. In fact, such equipment accounts for a significant portion of the telecommunications and Internet equipment currently installed in American networks.” Instead, lawmakers should follow DHS’ digital strategy, according to Purdy.

HACKER SCHOOL — Tech-savvy Washingtonians will soon have a new opportunity to sharpen their cybersecurity skills. The training firm SecureSet is announcing today that it has acquired HackEd, another cyber education provider, to expand its programs to the Washington market. SecureSet’s Northern Virginia campus promises to give students hands-on instruction as well as the theoretical background that could potentially lead to jobs in cybersecurity.

Of course, cybersecurity workers are in high demand within the government and private sector. According to Cyberseek, an initiative supported by NIST to map cybersecurity worker shortages nationally, the D.C. metro area has some 43,200 cybersecurity job openings. SecureSet’s expansion comes after the Trump administration last week called for more efforts to train federal cybersecurity workers, including potentially setting up a cyber reservist program.

This article originally appeared on Politico.com

Source: Politico