It’s lowkey one of the biggest problems in all of cybersecurity: Deploying a skilled workforce in the face of an overwhelming gap.
A range of programs already exist at the state and federal level, and even overseas, designed to bolster the cyber workforce, from Michigan’s own Cyber Civilian Corps to the DHS Cybersecurity Advisor Program to Estonia’s Cyber Defense Unit. New America’s proposal draws on all of them as well as an abandoned 2002 legislative proposal creating a “NETGuard,” but the think tank estimates a federal program would clear up potential legal problems of a state-run corps and reduce costs, and be much larger than the DHS program that currently has only a dozen enrollees.
If Congress set aside $50 million, it could pay for a 25,000-strong volunteer corps, with most of the costs going to things like devices and office space, the paper reasons. That’s a lot less than the spiralling costs of things like the Atlanta attack or the NotPetya outbreak, according to New America. “If a cyber corps is able to prevent just a few of these breaches and/or mitigate their damage and costs, especially through its relatively cheap supplementary volunteer model, the investment will more than pay itself off in both economic and national security terms,” write the authors.
HAPPY THURSDAY and welcome to Morning Cybersecurity! One simple trick works for just about everything, but especially the cybers. Send me your thoughts, feedback and especially tips at email@example.com, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
I SPY WITH MY LITTLE iPHONE — China is eavesdropping on conversations President Donald Trump makes on cellphones, and insecure practices might be contributing, according to a New York Times report Wednesday. “Officials said the president has two official iPhones that have been altered by the National Security Agency to limit their capabilities — and vulnerabilities — and a third personal phone that is no different from hundreds of millions of iPhones in use around the world,” the story reads. “Mr. Trump keeps the personal phone, White House officials said, because unlike his other two phones, he can store his contacts in it.” He also appears to have left his phone behind, temporarily lost, in a golf cart once.
Trump isn’t very vulnerable to phishing attacks because he doesn’t use email or text, the Times reports, and while he uses one phone for Twitter that can connect to Wi-Fi, it’s rarely over an unsecured network. But according to the Times, he doesn’t switch out phones as often as he is supposed to, although when he does White House staffers don’t rely on backups that might transfer malware. POLITICO has previously reported on security issues posed by presidential and White House mobile phone use.
TODAY: NEW FINANCIAL INDUSTRY GUIDANCE — The Financial Services Sector Coordinating Council this afternoon is unveiling a framework to integrate widely used standards and more in a bid to help financial institutions develop and maintain cybersecurity risk management programs. The new “Cybersecurity Profile” is meant to complement NIST’s voluntary framework. One of its goals will be to aid regulators and firms in focusing on the most concerning cyber threats.
SOMETHING ELSE TO WORRY ABOUT — While the Energy Department has improved its cybersecurity since last year, many problems persist, including at the National Nuclear Security Administration, according to a DOE IG report published Wednesday. Auditors discovered flaws in the department’s vulnerability and configuration management programs, its web applications, its access control parameters and its training programs, and they made 26 recommendations for fixes. According to the report, “at least 10 locations continued to use software on workstations and servers that were missing security patches or were no longer supported by the vendor.”
DOE’s training and formal policy development received the most scathing assessment. “Department officials had not fully developed and/or implemented policies and procedures related to issues identified in our report,” auditors wrote. “Even when policies and procedures did exist, they were not always implemented by site officials.”
AM I MY NEIGHBORHOOD’S KEEPER? — A group of energy cybersecurity heavyweights are teaming up to make industrial control system threat detection and information sharing resources available to smaller energy providers. Dragos announced a grant on Wednesday from the DOE to help create such a program alongside Ameren, First Energy, Idaho National Laboratory, North American Electric Reliability Corp.’s Electricity Information Sharing and Analysis Center and Southern Company. They’re calling the program Neighborhood Keeper.
THE MORE THE MERRIER — The Defense Department is expanding its “Hack the Pentagon” effort, awarding $34 million in contracts to three Silicon Valley firms to assess vulnerabilities in DoD hardware and systems. “Finding innovative ways to identify vulnerabilities and strengthen security has never been more important,” Defense Digital Service Director Chris Lynch said in a statement Wednesday. The contracts — awarded to Bugcrowd, HackerOne and Synack — will have the firms run “continuous, year-long assessments” of the Pentagon’s assets. The expansion coincides with the growth of a pilot program between DDS and Army Cyber Command, dubbed Jyn Erso. The leaders of both organizations will formally open a joint workspace, named Tatooine, later today in Augusta, Ga.
DEM-CONTROLLED HOUSE PLANS ON TECH BREACHES — Tech companies might be spending more money to get Democrats elected this campaign season, but a Democrat-controlled House doesn’t mean all rainbows and teddy bears for the industry, our Tech colleagues John Hendel and Ashley Gold report in a story out this morning. In particular, Rep. Peter Welch, a top Democratic privacy advocate on the Energy and Commerce Committee, pointed to “an epidemic of breaches, most recently with Facebook, and consumers are entitled to have confidence that their data is secure.” Some are also warning that House Dems would be less inclined to pass legislation to preempt state privacy laws. Read more here.
SHARE YOUR SMARTS — The FTC wants researchers to pitch presentations about security and privacy issues for its fourth annual PrivacyCon, taking place on June 27, 2019. The first category of research sought in the call for presentations is about the “Nature and Evolution of Privacy and Security Risks.” The fourth category is “Incentives, Market Failures, and Interventions.” Both topics are highly resonant at a time when large companies like Yahoo, Uber, Twitter, Google and Facebook are proving unable to protect user data but are facing few legal consequences for those failures. Researchers at PrivacyCon will have 10 minutes to present their work, followed by Q&A sessions. Among the specific questions the FTC wants presenters to consider are, “What new privacy and security issues arise from emerging technologies, such as Internet of Things, artificial intelligence, and virtual reality?” and “Is there evidence that market may fail to provide the correct level of privacy and data security?”
CYBER CLINIC — The Center for Long-Term Cybersecurity out of the University of California, Berkeley, launched on Wednesday a cybersecurity clinic aimed at helping civil society organizations fight cybersecurity threats. “Citizen Clinic” is primarily aimed at media outlets, human rights groups and non-governmental organizations. The launch was inspired by a report from the CLTC that reviewed 100 politically vulnerable organizations and found a significant lack of resources available to fight cybersecurity threats. The clinic will also be part of a cybersecurity course at UC Berkeley.
HACKEN SLASH — A Democratic fundraising firm left assets exposed online, including a major database used by the party, a cybersecurity consultancy wrote in a blog post Wednesday. Rice Consulting of Maryland, which boasted of helping candidates across the state raise more than $4 million in the 2017 fundraising season, most prominently left exposed access details for the privately owned NGP voter database, according to the cyber firm, Hacken. Initially, Rice Consulting gave Hacken the cold shoulder, according to the blog post, but eventually Hacken got through and Rice fixed the problem. Rice did not respond to a request for comment from MC.
RECENTLY ON PRO CYBERSECURITY — Facebook officials dropped by Capitol Hill to brief congressional offices on election security. … Top executives from Facebook, Google and Apple lauded Europe’s revamped data protection standards. … Two Senate Democrats suggested Google may have violated an FTC consent decree. … The Office of Management and Budget consolidated its top cybersecurity posts.