With help from Eric Geller, Mary Lee, Martin Matishak and Alexandra S. Levine
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at politicopro.com.
Story Continued Below
— Lawmakers and election equipment makers discussed researcher probes of the companies’ wares at a rare hearing on Thursday.
— A major software industry organization raised doubts about a proposed Commerce Department rule for information and communications technology supply chain security.
— The risk of possible Iranian cyberattacks has stayed on the agenda for DHS, researchers and others.
HAPPY FRIDAY and welcome to Morning Cybersecurity! Stay strong, Betelgeuse. We’re all on your side. Send your thoughts, feedback and especially tips to email@example.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
THE ROAD TO A CVD — Voting machine vendors keep inching toward a coordinated vulnerability disclosure program, Thursday’s House Administration Committee hearing revealed, but there are still some hitches emerging toward fuller collaboration with researchers. John Poulos, CEO of Dominion Voting Systems, testified that his company reached out to an organizer of DEFCON’s machine-hacking Voting Village because it was “interested in a more collaborative penetration testing with stakeholders,” and actually sent modern certified systems, but an internal conference dispute led to scuttling those plans.
The CEOs of Election Systems & Software (Tom Burt) and Hart InterCivic (Julie Mathis) both said their companies had submitted equipment to Idaho National Laboratory, which conducts vulnerability tests with DHS. Overall, Burt said he doesn’t want to hand-select red teams but is “interested in making sure we attract hackers who can make our systems better without requiring that the information that they discover be put into the public domain,” and would like to see the Election Assistance Commission manage the program and choose researchers.
At the same hearing, Chairwoman Zoe Lofgren expressed concern about the potential for internet connectivity on vote tabulators, and the vendors voiced support for federal rules creating reporting requirements for companies’ cybersecurity practices.
I DON’T EVEN KNOW WHERE TO START — The Commerce Department’s proposed regulation for information and communications technology supply chain security is unworkable because it gives the Commerce secretary “unbounded discretion to review commercial ICT transactions, applying highly subjective criteria in an ad hoc and opaque process that lacks meaningful safeguards for companies,” the software trade group BSA said in comments filed this morning as part of the proceeding. The proposed supply chain rule, released in November, would let the government block U.S. companies from buying equipment and services that jeopardize national security. But BSA said the rule needed a serious overhaul.
BSA policy director Christian Troncoso wrote that the rule needed better transparency mechanisms and “procedural safeguards,” more precise definitions of what types of transactions and entities are covered and better-defined criteria for blocking those transactions. BSA called for exempting companies from the rule if they meet certain supply chain security standards, ensuring that “an official with adequate levels of political accountability” supervises the process and formally involving the intelligence community in decisions.
The group also urged changes such as requiring annual reports to Congress, giving companies more time to respond to a proposed decision and letting an independent interagency group reverse any decision. Absent these changes, Troncoso said, the rule’s “broad scope” and “vaguely defined standards” will “put U.S. companies at a competitive disadvantage.”
UPDATING MY PROFILE — CISA Director Chris Krebs and agency leadership met with acting Homeland Security Secretary Chad Wolf this week to discuss efforts to shore up election security and stave off potential cyberattacks originating from Iran following the U.S.-led airstrike. CISA is urging organizations to “assess their cyber readiness and take steps to protect their networks and assets, including heightened awareness, increasing organizational vigilance, confirming reporting processes, and exercising incident response plans,” according to a note.
They also discussed the mounting threat of ransomware and CISA’s efforts to support governments and businesses, as well as efforts to protect the 2020 elections from foreign interference, such as providing cybersecurity services and developing and exercising incident response plans.
IRAN’S STILL A THING, PART TWO — That recent Saudi Arabian alert about Iranian cyberattacks involves its hackers placing data-wiping malware on Bahrain’s national oil company Bapco, ZDNet pieced together. The new wiper strain is dubbed Dustman, and seemingly didn’t have the impact the hackers were looking for. And it doesn’t appear directly linked to the recent U.S.-Iran tensions, the outlet reported.
A Dragos report out Thursday highlighted an Iranian hacking group’s password-spraying attacks on the North American energy sector. “MAGNALLIUM’s increased activity coincides with rising escalations between the U.S. and allies, and Iran in the Middle East,” the report states. “Dragos expects this activity to continue.”
And Check Point released numbers on Thursday about the volume of Iranian attacks in the week since the U.S. launched missiles that killed general Qassem Soleimani showing no particular major uptick in attacks. Turkey was the top target of Iranian hackers, at 19 percent, compared to 17 percent for the U.S.
KIDS’ PRIVACY BACK IN THE SPOTLIGHT — From our friends at Morning Tech: As we await comprehensive data privacy legislation from Congress, a bipartisan pair of House Energy and Commerce lawmakers are offering a separate privacy measure — one aimed at bringing COPPA, the 1998 federal children’s online privacy law, up to date.
Reps. Tim Walberg (R-Mich.) and Bobby Rush (D-Ill.) on Thursday introduced the PROTECT Kids Act (shorthand for Preventing Real Online Threats Endangering Children Today), which would make location data and biometric data categories protected under the law; ensure that rules safeguarding children online also apply to apps on mobile phones; give parents more control over children’s data and consent; and task the FTC with reviewing the decades-old COPPA law and making recommendations on it to Congress.
“In the past, predators and perpetrators sought to harm our children by lurking near schoolyards and playgrounds,” Rush said. “But now — due to incredible advancements in technology — they are able to stalk our children through their mobile devices and in video game lobbies.”
Meanwhile, in the Senate: Sens. Ed Markey (D-Mass.), author of the COPPA bill, and Josh Hawley (R-Mo.) last spring introduced a bipartisan COPPA 2.0 bill (S. 748) that would, similarly, expand existing federal privacy protections for children and compel the FTC to enforce them. The agency is also doing its own self-reflection on whether COPPA rules need to be changed or updated.
TWEET OF THE DAY — “Come and get us!”
RECENTLY ON PRO CYBERSECURITY — House and Senate Democrats urged the FCC to take on SIM swapping scams. … “Countries that award 5G contracts to Western-aligned companies over Huawei won’t be hobbling their transition to next-generation wireless networks, a senior State Department official said.” … Belgian security services advised the government to limit the use of “non-trusted suppliers.” … Companies are reacting to California’s landmark Privacy Act by interpreting the complex law as they see fit.
— Law firm Alston & Bird announced the election of 17 lawyers to its partnership, including Maki DePalo in the organization’s privacy and data security group.
— Intrusion Truth has returned with more information on Chinese tech companies recruiting hackers for the government. CyberScoop
— Las Vegas said it dodged a horrible cyberattack. ZDNet
— Herb Lin contemplated the intersection of cyber and psychological operations. Lawfare
— Malwarebytes said it found unremovable malware preinstalled on low-end smartphones sold to low-income Americans. ZDnet
— “Industry working groups tasked with implementing the Pentagon’s landmark cybersecurity certification program have selected the University of Virginia’s Ty Schieber as board chairman, to lead the process for selecting a board of directors for an accreditation body that is expected to be up and running later this month.” Inside Cybersecurity
— The PCI Security Standards Council and U.S. Chamber of Commerce blogged about Magecart.
— Rockwell Automation is buying Israeli cybersecurity company Avnet Data Security. Security Week
That’s all for today.
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Mary Lee (firstname.lastname@example.org, @maryjylee) Martin Matishak (email@example.com, @martinmatishak) and Tim Starks (firstname.lastname@example.org, @timstarks).