With help from Eric Geller, Martin Matishak, Cristiano Lima and Doug Palmer
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m.
— The Cyberspace Solarium Commission report dropped this morning, full of recommendations for overhauling the U.S. approach to cybersecurity.
— A House Homeland Security subcommittee today scrutinizes the CISA budget, while the Senate Judiciary panel examines the EARN IT Act.
— Democrats and Republicans left election security briefings with differing opinions about their value.
HAPPY WEDNESDAY and welcome to Morning Cybersecurity! “Quarantine” is a cool-sounding word for an idea that doesn’t exactly create happy thoughts. Send your thoughts, feedback and especially tips to email@example.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
IT’S FINALLY HERE — The Cyberspace Solarium Commission released its ambitious final report this morning. In our writeup, your MC host focused on some of the biggest proposals — a National Cyber Director, a cyber state of distress declaration, a power boost for the CISA director, select cybersecurity committees in Congress — and some of the biggest ideas, namely the strategy of “layered deterrence.”
This afternoon the Commission holds an official unveiling event, to be followed by congressional testimony and legislative language. Commission co-chair Sen. Angus King (I-Maine) told MC he doesn’t think the Solarium’s bipartisan ideas will run into election-year woes or opposition from the Trump administration. While the White House eliminated its cybersecurity coordinator position, which was similar to the proposed National Cyber Director, that was done by the departed John Bolton, and Trump’s focus on Huawei could benefit from the commission’s proposal for an NCD.
CISA BUDGET FROM THE DAIS — The House Homeland Security Committee’s cyber subpanel holds a hearing on the CISA budget this morning. Chairman Cedric Richmond (D-La.) says in prepared opening remarks that the Trump budget blueprint for the agency “fails” to give it enough money to be an effective federal partner. “I am interested in hearing how strengthening CISA’s authorities could further clarify civilian cybersecurity risk management authorities and CISA’s role as a convener of public-private partnerships,” top panel Republican John Katko (N.Y.) says in his planned opening remarks, adding that he also wants to know more about CISA’s work on supply chain security and the 2020 elections.
WHAT TO WATCH FOR AT TODAY’S EARN IT ACT HEARING — Via our friends at Morning Tech: A Senate Judiciary hearing today on the bipartisan EARN IT Act could expose fault lines in the chamber over the bill, which would strip online companies’ liability protections if they cannot prove they’re doing enough to combat child exploitation.
Senate Judiciary Chairman Lindsey Graham (R-S.C.) rolled out the measure last week with a group of nine other co-sponsors, including Judiciary ranking member Dianne Feinstein (D-Calif.) and Sen. Dick Durbin (Ill.), the No. 2 Democrat in the Senate. But so far the bill only has the backing of three of Judiciary’s 12 Republicans, with Sens. Josh Hawley (Mo.) and Joni Ernst (Iowa) joining Graham.
Tech leaders are concerned the bill could effectively give law enforcement the power to make companies create a workaround for encryption. But proponents disagree. “I think that’s a red herring,” Patrick Trueman, CEO of the National Center on Sexual Exploitation, said in an interview. “The EARN IT Act isn’t a threat at all to big tech. It’s a reminder that with great power comes great responsibility.” And on Tuesday the bill gained its first tech company backer, Match Group, which will testify for the first time ever on Capitol Hill at today’s hearing.
A TALE OF TWO BRIEFINGS — House Democrats on Tuesday panned a classified Trump administration briefing on election security, saying intelligence and national security officials mostly spoke in “generalities.” House Speaker Nancy Pelosi (D-Calif.) and Majority Leader Steny Hoyer (D-Md.) grilled briefers for more specifics, according to multiple attendees. Pelosi later declined to comment on the details.
However, House and Senate Republicans found much to like about the hearings. The U.S. has “constructed an unbelievable architecture for election security, so if they were going to the hearing to get briefed on election security, they couldn’t have walked away and said, ‘There are holes in this,’” said Senate Intelligence Chairman Richard Burr (R-N.C.). Rep. Michael Waltz (R-Fla.) said officials indicated Russia was working to sow discord among Americans on a host of divisive subjects, from racial tensions to gun rights to abortion. When the issue of Russia’s preference for a particular candidate came up, Waltz said, the officials “went into specifics on it” but were “very clear that it was classified.”
BECAUSE THE BIOLOGICAL VIRUS ISN’T BAD ENOUGH — Cybercriminals will continue launching ransomware attacks that exploit people’s coronavirus fears, the security firm RiskIQ said in a report out today. Corporations will be top targets because of their concerns about finances and supply chains, the company said, with health care organizations a likely secondary target.
RiskIQ predicted that phishing-based coronavirus ransomware campaigns would be popular with the hackers behind the AZORult malware, which was spotted in January “targeting members of the shipping industry, who would have considerable interest in the effect the virus might have on their operations.” Hackers using the Emotet malware are also likely to get into the game, according to RiskIQ; the Trojan has already been deployed through coronavirus-related phishing messages, though not to launch ransomware attacks.
— GETTING CLOSE TO HOME: Two Exabeam employees who attended the RSA Conference last month have tested positive for coronavirus, one of whom was placed in a medically induced coma, Bloomberg reported on Tuesday. Both the company and conference said they could not confirm any link between the conference and the employees. Another RSAC attendee claimed coronavirus symptoms on Twitter on Tuesday, too, so… something to watch.
LAWMAKER CYBER TRAINING AFOOT — The House on Tuesday passed a resolution that would require members to undergo annual cybersecurity training. The sweeping resolution (H. Res. 756) reflects recommendations from the Select Committee on the Modernization of Congress, including some other tech-related language, and it advanced by 395-13.
COMMERCE EXTENDS TEMPORARY HUAWEI WAIVER — The Commerce Department announced late Tuesday that it is extending by 45 days a temporary waiver to allow U.S. companies to do limited business with Huawei until May 15. The department also said it was opening a public comment period until March 25 to consider whether to further extend the waiver.
Commerce added Huawei to its entity list in May, citing national security concerns and allegations the company was actively skirting U.S. sanctions against Iran and North Korea. The listing effectively banned U.S. companies from doing business with Huawei. But it also issued a temporary general license allowing U.S. firms to continue to engage in a limited number of transactions with Huawei. That was set to expire in August but has been extended twice already.
The latest extension gives telecommunication providers — particularly those in rural communities — more time to find alternative suppliers, while the request for public comment “demonstrates the Department is trying to find a permanent solution,” the department said, per our friends at Morning Trade.
RECENTLY ON PRO CYBERSECURITY — There was a House deal on expiring surveillance provisions, even as privacy hawks put forward another proposal. … “House Democrats scored a major legal victory as a federal appeals court panel granted them permission to access grand jury secrets from special counsel Robert Mueller’s Russia probe.” … The Commerce Department believes the 2020 Census is as protected as it can be from hackers.
The U.K. government staved off a conservative bid to get Huawei out of its 5G networks. … Lawmakers introduced a bill that would require CFIUS to reconsider the U.K.’s special status in light of its 5G position. … “The upcoming European leaders’ summit meeting — while clouded by the outbreak of the coronavirus — would provide broad political backing for the EU’s work to beef up its trade and digital defenses, according to draft conclusions.”
— The Center for Democracy and Technology on Tuesday named Alexandra Reeve Givens as president and CEO. She was most recently executive director of the Institute for Technology Law and Policy at Georgetown University Law Center.
— Deloitte today released a paper on the causes for, and responses to, last year’s surge in ransomware attacks on governments. The company recommends managing data smartly, enhancing workforce awareness, strengthening basic cyber hygiene, war gaming, using emerging tech and sharing threat information.
— Microsoft and allies struck a blow against the prolific Necurs botnet.
— Dragos warned that a couple of energy industry organization breaches aren’t necessarily limited to the targets.
— The Washington Post: Whisper left user messages exposed.
— Inside Cybersecurity: Energy legislation with grid security provisions is stalled in the Senate.
— The New York Times: U.S. intelligence officials say Russia is trying to stoke racial violence.
— The Congressional Budget Office sized up H.R. 5823, the State and Local Cybersecurity Improvement Act.
That’s all for today.
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Martin Matishak (firstname.lastname@example.org, @martinmatishak); and Tim Starks (email@example.com, @timstarks).