With help from Mary Lee and Martin Matishak
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.
— Several dozen privacy and civil liberties advocacy organizations are uniting behind a bipartisan bill that would end an NSA phone and text records surveillance program and ban location-tracking snooping.
— A cyber threat information sharing law hailed nearly five years ago as the most significant cybersecurity legislation Congress had passed hasn’t netted the hoped-for results.
— The so-called SWAT Team of Nerds at the Defense Digital Service is assuming leadership of a Pentagon counterdrone unit.
HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Yeah, well, one of your MC host’s editors has also proclaimed herself the “Reaper of Death.” Send your thoughts, feedback and especially tips to email@example.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
COALITION BACKS SURVEILLANCE OVERHAUL — A coalition of 45 privacy and civil liberties groups is sending a letter to congressional lawmakers today that endorses bipartisan legislation to overhaul a set of controversial surveillance authorities set to expire next month. The missive backs a measure introduced last month, S. 3242, that would amend the 2015 USA Freedom Act, including formally ending an idle NSA program that gathers records of Americans’ telephone calls and text messages in search of links to terrorists.
The proposed legislation also seeks to enshrine into law a ban on location-tracking surveillance activities — a practice the clandestine community has confessed it stopped after a recent Supreme Court ruling — and impose additional transparency measures on spy agencies. “As Congress debates reauthorization of the three surveillance authorities scheduled to sunset on March 15, 2020, it is critical that it take this opportunity to enact substantial reforms,” the missive urges.
FIVE YEARS ON — Back in 2015, Congress passed a law that extended protections against lawsuits for companies that share cyber threat data with DHS. Nearly five years later, the information sharing initiative DHS set up to receive threat indicators isn’t living up to expectations, your MC host reports: Industry participation is “minimal,” according to an IG report, and that is hampering the caliber of information the department can share with organizations involved in the data swap.
DHS is trying to address long-running complaints about insufficient “context” to give network defenders what they need to take action, but the outcome of the 2015 law could be instructive for a fresh push to extend more liability protections for companies that share threat data, this time about shady suppliers.
COPY, ROGUE LEADER — The Pentagon today put the Defense Digital Service in charge of a counterdrone group in an effort that will see such software and hardware move faster to the battlefield. The California-based Rogue Squadron will move out from under the Defense Innovation Unit and report to DDS, which was established in 2015 to untangle DoD’s toughest IT problems. The shift marks another step by the group into the Pentagon’s operational space. “One of my clear priorities is to help protect our personnel and our partners. And when I see that there is a clear threat in that space, there’s an opportunity for DDS to play a role,” DDS Director Brett Goldstein told Martin.
LET’S MARK IT UP — Two House panels will hold concurrent markups today on a few cybersecurity bills. The House Homeland Security Committee will mark up a measure (H.R. 5823) that would authorize a $400 million DHS grant program to assist state and local governments to address cybersecurity threats.
The House Science Committee will mark up a pair of bills that would expand efforts to safeguard the electric grid from cyberattacks. The first measure (H.R. 5428) would seek to expand research and development programs at the Energy Department related to shoring up the security of the electric grid, and would authorize the Energy secretary to award grants to develop tools that would improve coordination between utilities and relevant agencies for communications in the event of a cyberattack, among other things. The second measure (H.R. 5760) would also direct the secretary to award grants to identify cybersecurity risks to information systems, develop methods to quickly detect a breach and assess emerging cybersecurity capabilities that could be applied to energy systems.
Also happening at the same time, the House Intelligence Strategic Technologies and Advanced Research Subcommittee will hold a hearing on emerging technologies and national security, featuring testimony from Chris Darby, the CEO and president of In-Q-Tel, the investment firm that finds technologies to support the intelligence community, and DJ Patil, formerly appointed by President Barack Obama to be the first U.S. Chief Data Scientist.
CISA SERVICES COMING DOWN THE PIKE — CISA isn’t sitting still on the cybersecurity services it offers state and local governments, Director Chris Krebs told the Senate Homeland Security panel on Tuesday. “We’re also trying to understand what additional capabilities we can build out down the road,” he said. “There are a number of pilots ongoing, in particular one I’m excited about, an endpoint detection and response capability.” He said he’s looking to upgrade his agency’s phishing campaign assessment tool from a manual to automated version. Krebs also talked about CISA funding needs and how feds could best distribute election security funds.
THE FUTURE OF NICE-NESS — Rodney Petersen, director of the NIST National Initiative for Cybersecurity Education, forecast on Tuesday what NICE would be working on to improve the cybersecurity workforce in coming years. “As NICE develops its strategic plan for the next five years, a few trends continue to emerge: the need to enhance cybersecurity career discovery for learners of all ages, transform the learning process to emphasize the multidisciplinary nature of cybersecurity and the multiple career pathways, and modernize the talent acquisition process to facilitate skills-based hiring and career mobility,” he testified to the House Science Subcommittee on Research and Technology.
Subcommittee Chairwoman Haley Stevens (D-Mich.) said the U.S. needs to foster certification programs and apprenticeships, and recruit more women and minorities into cyber jobs. “Relatively few high school students have any exposure to computer science in the classroom, let alone cybersecurity,” she said, offering more reasons for a shortfall in cyber job candidates. “Even when students graduate from college with a degree in computer science, they often lack the cybersecurity skills and hands-on experience to fill job openings.”
Speaking of workforce and cybersecurity, but slightly different: The GAO in a report out on Tuesday found weaknesses in cybersecurity risk management for the online system the Office of Congressional Workplace Rights uses for purportedly secure reporting of discrimination and harassment.
I SEE LOTS OF COMPLAINTS AND MONEY — The FBI Internet Crime Complaint Center received 467,361 complaints in 2019 and recorded $3.5 billion in losses to businesses and individuals, the highest for both figures since the center’s establishment in 2000, IC3 said on Tuesday. Phishing, non-payment scams and extortion were the most frequent subjects of complaints, while the most expensive were business email compromise, romance or confidence fraud and spoofing.
TWEET OF THE DAY — Can a botnet be a good thing?
RECENTLY ON PRO CYBERSECURITY — The European Insurance and Occupational Pensions Authority proposed creating a common set of rules for reporting cyber incidents. … “The growing dominance of a Chinese vendor of scanning equipment at airports and other ports of entry has European lawmakers and analysts worried about Beijing’s influence in the sensitive border and aviation security sectors.”
— The R Street Institute announced on Tuesday that it added Bryson Bort as a senior fellow for its national security and cybersecurity program. Bort, founder of the companies SCYTHE and GRIMM, is an adviser to the Army Cyber Institute and co-founder of the ICS Village at DEFCON.
— Malicious websites containing the word “valentine” increased by 200 percent in February 2018 and 2019 from previous months, a Check Point study released today found. Similarly, malicious websites with the word “chocolate” spiked, by 500 percent in 2018 and 39 percent in 2019.
— The Wall Street Journal: U.S. officials claim that Huawei can covertly access mobile networks via backdoors.
— The Washington Post recounted the history of a CIA program that sold encrypted devices around the world that were used to spy on those countries.
— The Washington Post, also: China says it wasn’t involved with the Equifax hack.
— USA Today profiled the Manhattan encrypted phone vault.
— DOJ: “Russian citizen pleads guilty to cyber tax fraud scheme that resulted in more than $1.5 million in losses to Department of the Treasury.”
— Boston 25 News: Seriously, a malware attack on Children’s Hospital affiliates?
— The Hill: GOP senators again blocked three election security bills that Democrats tried to force to the floor.
— ZDNet: The FBI warned about software supply chain attacks.
— Inside Cybersecurity: An excerpt of Charlie Mitchell’s book on Trump-era cyber, focused on the FCC.
— StateTech Magazine: FireEye made recommendations on 2020 election security for states.
— Emsisoft reported on the cost of ransomware, country by country.
— Reuters: “The Japanese defense ministry said late on Monday that sensitive data on defense equipment may have been breached as a result of cyberattacks on Mitsubishi Electric Corp.”
That’s all for today.
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Mary Lee (firstname.lastname@example.org, @maryjylee); Martin Matishak (email@example.com, @martinmatishak); and Tim Starks (firstname.lastname@example.org, @timstarks).