With help from Eric Geller, Mary Lee and Cristiano Lima
PROGRAMMING NOTE: Morning Cybersecurity will not be published on Monday, Jan. 20. We’ll be back on our normal schedule on Tuesday, Jan. 21.
Story Continued Below
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.
— State election officials should audit a wider range of things than just ballots, a think tank recommended this morning.
— The intelligence community is trying to dodge friction with the president by moving the annual congressional worldwide briefing entirely behind closed doors, POLITICO scooped.
— Leaders of two House panels want to see more out of the Trump administration on its efforts to counter Iranian cyberattacks amid recently exacerbated tensions.
HAPPY THURSDAY and welcome to Morning Cybersecurity! It’s not exactly a robot, but that doesn’t comfort much. Send your thoughts, feedback and especially tips to email@example.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
COVER THE WATERFRONT — State election officials should audit not just ballots but also “registration databases, physical and cybersecurity procedures, ballot reconciliation protocols, and resource allocation tools,” the Bipartisan Policy Center said in a report published this morning. The document, a product of BPC’s elections task force, made 21 recommendations that went beyond election security measures. But the group also urged states to help their small and medium-size localities “maintain a secure connection to the registration lists” that power their e-poll books, given the costs associated with doing so.
The report also encouraged states to accelerate their adoption of paper-based voting machines. “Voting systems that produce an independent and voter-verifiable paper record provide greater confidence about election outcomes to voters and election administrators,” the report said. “Paper can be independently audited to provide a statistical analysis about the accuracy of the vote count.” The report did not weigh in on the debate between ballot-marking devices and hand-marked paper ballots.
NOBODY WATCHES, NOBODY GETS HURT — “The U.S. intelligence community is trying to persuade House and Senate lawmakers to drop the public portion of an annual briefing on the globe’s greatest security threats — a move inspired after last year’s session provoked an angry outburst from President Donald Trump, multiple sources told POLITICO,” Martin reports.
“Officials from the Office of the Director of National Intelligence, on behalf of the larger clandestine community, don’t want agency chiefs to be seen on-camera as disagreeing with the president on big issues such as Iran, Russia or North Korea, according to three people familiar with preliminary negotiations over what’s known as the Worldwide Threats hearing.” But: The change is unlikely to be approved, sources said. There’s more to the story, too.
IRAN THREAT, NOT SO FAR AWAY — Leading lawmakers from two separate House panels on Wednesday voiced concern over potential Iranian cyberattacks in retaliation for the killing of Iranian Gen. Qassem Soleimani. The chairman of House Energy and Commerce, Frank Pallone (D-N.J.), and the chairman of the Subcommittee on Communications and Technology, Mike Doyle (D-Pa.) sought briefings from the FCC and DHS on defensive steps they’ve taken to protect telecom network operators, what the operators have done and if there’s been an increase in attacks.
At a hearing of the House Homeland Security Committee about U.S.-Iran tensions, Chairman Bennie Thompson (D-Miss.) called for a Trump administration strategy for countering Iran. “I am particularly interested in understanding how Iran could use its relatively sophisticated cyber capabilities against state and local governments and critical infrastructure to exact revenge for the death of Soleimani,” Thompson said. “We need to understand whether potential targets are prepared to defend against Iranian cyber threats, and what the federal government can do to help them if they are not.”
READING YOUR MESSAGES — In an analysis out today of a half-million email attacks, Barracuda researchers identified a 400 percent increase in domain impersonation attacks used for conversation hijacking. Conversation hacking occurs when a hacker penetrates business conversations and leverages information from compromised accounts to send messages from impersonated domains, then trick their victims into sending them money or steal personally identifiable information.
Those impersonated domains could simply be replacing one letter in a legitimate URL with a similar letter or tacking on an unnoticeable letter to a legitimate URL. While the volume of these attacks is “extremely low compared to other types of phishing attacks, these sophisticated attacks are very personalized, making them effective, hard to detect and costly,” the report reads.
KEY ENDORSEMENT — A top cyber lawmaker gave a thumbs-up to the NSA for its disclosure of a serious Microsoft Windows flaw this week, rather than using it for its own offensive purposes. The NSA notified Microsoft of the vulnerability and alerted the public about it, a sign the vulnerabilities equities process is working, said Rep. Jim Langevin (D-R.I.), a member of the Cyberspace Solarium Commission and co-chair of the Congressional Cybersecurity Caucus.
“This is a feather in the cap of the NSA’s new Cybersecurity Directorate, which is committed to helping partners, whether government customers or private sector critical infrastructure owners and operators, defend against malicious activity,” said Langevin in a news release dated Wednesday. “I strongly support the United States government’s continued leadership on coordinated vulnerability disclosure, leadership enhanced by the recent binding operational directive directing government agencies to have their own vulnerability disclosure policies.”
YOUR ‘HACK THE ARMY 2.0’ HAUL — HackerOne announced the results of its second bug bounty event for the Army. The tally? A total of 146 valid security vulnerabilities found and $275,000 handed out, with the highest single bounty to any of the 52 participating researchers clocking in at $20K. “Participation from hackers is key in helping the Department of Defense boost its security practices beyond basic compliance checklists to get to real security,” said Alex Romero, digital service expert at DoD’s Defense Digital Service. “With each Hack the Army challenge, our team has strengthened its security posture.”
INCOMING: MORE KIDS’ PRIVACY LEGISLATION — From our friends at Morning Tech: Rep. Kathy Castor (D-Fla.) said Wednesday she’s planning to drop her own bill to update children’s online privacy laws “within the month.” “I intend to drop it very soon,” she told Cristiano. Castor, a member of the House Energy and Commerce Committee, has taken a lead role on the issue as part of the committee’s efforts to craft comprehensive bipartisan online privacy legislation. Castor said she’s been working on the legislation with Rep. Jan Schakowsky, who chairs E&C’s consumer protection subcommittee and has spearheaded the panel’s privacy talks.
The bill will add to a growing number of kids’ privacy proposals vying for support. Sens. Ed Markey (D-Mass.) and Josh Hawley (R-Mo.) last year unveiled their own legislation, S. 748, to update federal standards under the Children’s Online Privacy Protection Act, as did Reps. Tim Walberg (R-Mich.) and Bobby Rush (D-Ill.), H.R. 5573, separately last week. House E&C staffers left children’s privacy as one of the issues yet to be resolved in their bipartisan draft bill unveiled last month, labeling it as “TBD.”
TWEET OF THE DAY — Beware of sniffing attacks.
RECENTLY ON PRO CYBERSECURITY — Pete Buttigieg’s chief information security officer, Mick Baccio, has left the campaign, citing “fundamental differences” with campaign leadership. … Cloudflare is offering free defenses against distributed denial-of-service attacks to U.S. political campaigns.
— Operators of the Emotet malware waged a phishing campaign against U.N. personnel. Threatpost
— Hardware security vulnerabilities need a “common language,” Intel said. CyberScoop
— Hundreds of millions of Android users installed “fleeceware” apps. ZDNet
— Google made it easier to sign up for its Advanced Protection Program. 9to5Google
— Cisco released its Digital Readiness Index map.
— An emergent figure in President Donald Trump’s impeachment thought the Secret Service was hacking him. Mother Jones
That’s all for today.
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Mary Lee (firstname.lastname@example.org, @maryjylee) Martin Matishak (email@example.com, @martinmatishak) and Tim Starks (firstname.lastname@example.org, @timstarks).