With help from Eric Geller, Martin Matishak and Steven Overly
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.
— Mozilla this morning fired back at internet service providers that are resisting a planned privacy measure for its Firefox browser, urging lawmakers to probe how ISPs collect and use data.
— The popular video-sharing service TikTok is reportedly facing a national security review that some China hawks in Congress and security experts say is long overdue.
— National Cybersecurity Awareness Month is over, replaced by Critical Infrastructure Security and Resilience Month. DHS plans weekly focuses on election security, insider threats and more.
HAPPY MONDAY and welcome to Morning Cybersecurity! John Oliver had a pretty good segment on election security last night, if you didn’t catch it. Our team’s reporting got a shoutout, too. Send your thoughts, feedback and especially tips to email@example.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
FOX FIRES — Mozilla is hitting back at internet service providers that don’t like its plan to roll out encrypted Domain Name System lookups, known as DNS over HTTPS or DoH, on its Firefox browser. The nonprofit today wrote to lawmakers to make the case for its plan to make it harder for ISPs to view customers’ browsing history. “We believe that such proactive measures have become necessary to protect users in light of the extensive record of ISP abuse of personal data,” Marshall Erwin, senior director of trust and security, said in the letter. Both Mozilla and Google are rolling out DoH, but ISPs have lobbied against it.
Mozilla asked Congress to publicly probe ISP data collection and use. Mozilla’s rollout of DoH “has raised questions about how ISPs collect and use sensitive user data in their gatekeeper role over internet usage,” Erwin wrote to leaders of the House Energy and Commerce Committee. “Unfortunately, ISPs often do not maintain privacy notices for their DNS services,” he said. “As a result, their policies are opaque to users — it is unclear what data is being retained, how it is being used, or who it is being shared with.”
ALARMS RING OUT ON TIKTOK — From our friends at Morning Tech: Lawmakers and tech policy types are welcoming a reported federal probe into ByteDance’s acquisition of Musical.ly that helped precipitate the rise of Chinese-owned video-sharing service TikTok, suggesting it could be a chance to uncover whether and how much user data flows to Beijing. Sen. Marco Rubio (R-Fla.) and Senate Minority Leader Chuck Schumer (D-N.Y.) both cheered the news Friday, reiterating fears that TikTok parent ByteDance could be funneling information on the video app’s 26.5 million U.S. users to the Chinese government. Personally identifiable data like names and email addresses, if shipped to servers in China and in turn obtained by the government there, “could reveal information about individuals and groups that is useful to Chinese intelligence services,” said Jim Baker, a former FBI general counsel and now director of national security and cybersecurity at R Street Institute.
ByteDance has tapped an outside auditor in an effort to prove its data privacy practices don’t leave users’ information exposed. Douglas Brush, the vice president of cybersecurity solutions at legal consulting firm Special Counsel, told MT he began analyzing ByteDance’s data collection practices this summer, spending five days in China meeting with staff and digging through code. ByteDance keeps users’ information in the U.S. and Singapore, Brush said, adding he found no evidence the data makes its way to mainland China. And most of the data that could in theory be harvested is information that users have chosen to share publicly on the app, he noted. “It’s hard to say what they would even think was being sent to mainland China because there’s very little that’s collected and the rest of it is stuff that people post online,” Brush said. Special Counsel will finalize a full report in the coming weeks that ByteDance plans to make public.
Critics will note TikTok has been penalized before for its data practices. Earlier this year, the company paid a then-record $5.7 million to the FTC to settle complaints that Musical.ly collected the names, contact information and other personal information of children without their parents’ permission.
About that investigation: The Committee on Foreign Investment in the United States is probing ByteDance’s 2017 acquisition of Musical.ly, according to Reuters. Rubio last month requested that CFIUS look into the national security implications of the Musical.ly deal.
Keep an eye on Tuesday’s Senate Judiciary Subcommittee on Crime and Terrorism hearing, which will delve into issues surrounding U.S. data being “exposed to criminals, China and other bad actors.” TikTok is likely to be a hot topic. The chair of that panel, Sen. Josh Hawley (R-Mo.), urged TikTok to testify in a Friday tweet. A TikTok spokesman told MT the company could not provide a witness “on short notice” but is nevertheless “committed to working productively with Congress.” Axios reports Apple also declined to attend. As of Sunday night, Hawley’s office had yet to provide MT with a list of witnesses.
DON WE NOW OUR SCADA SYSTEMS — Think you’re done with cyber-themed months for a while? Think again. It’s the first full week of Critical Infrastructure Security and Resilience Month, and the Cybersecurity and Infrastructure Security Agency is celebrating. The agency will spend the month encouraging organizations to “boost resilience through preparedness and exercises and promote smart, secure investment in resilient infrastructure,” according to a Friday statement. This week’s theme is the interconnected nature of critical infrastructure and the “convergence” between cyber and physical systems. Upcoming weeks will highlight soft targets, election security and insider threats.
President Donald Trump celebrated too, issuing a proclamation making the month official and touting his actions on supply chain security and the creation of CISA. “This month,” he said, “we reaffirm our commitment to developing new strategies to address the ever-present and increasingly complex threats facing our Nation’s infrastructure, and we pay tribute to the men and women who work diligently to safeguard the United States from any threat.”
WHOEVER HE IS, THIS IS WHAT HE CYBERS — The apparently incoming acting DHS chief, Chad Wolf, has largely focused on transportation security at the department and in the private sector, but his jobs have at least touched on cybersecurity. Wolf — whose role Trump announced Friday to some confusion — has been serving as head of the DHS Office of Strategy, Policy and Plans, which houses an Office of Cyber, Infrastructure and Resilience Policy. He also served as chief of staff to former DHS Secretary Kirstjen Nielsen, whose background was in cybersecurity and made the issue a focus of her tenure.
ENERGY EFFICIENCY — A Senate bill that would authorize programs at the Energy Department to improve how it combats supply chain vulnerabilities could wind up being cheaper than expected, according to a recent analysis from the Congressional Budget Office. The Energy Cybersecurity Act of 2019, S. 2333, would cost approximately $355 million over a five-year period — that’s below the $100 million appropriation called for annually in the legislation. The analysis presumes appropriators won’t devote the full amount immediately.
TWEET OF THE WEEKEND — What gave it away?
— Paul Manafort was pushing the conspiracy theory about Ukraine hacking the Democratic National Committee back in 2016. BuzzFeed News
— The first BlueKeep campaign isn’t too scary. Wired
— Russia and Huawei are teaming up. Financial Times
— The Hill surveys the status of election security one year out from the 2020 election.
— NordVPN users’ passwords were exposed. Ars Technica
— A camgirl network exposed millions of users, too. TechCrunch
— BuzzFeed News looks at Gaggle, a school surveillance technology.
— India denied targeting journalists and activists with spyware via WhatsApp. BBC
— An NSO Group board member left after the WhatsApp lawsuit. Bloomberg
— “Sandworm,” reviewed. The Los Angeles Times
— There’s no way to know what happened to ransomed Uber data. CBS News
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Mary Lee (firstname.lastname@example.org, @maryjylee); Martin Matishak (email@example.com, @martinmatishak); and Tim Starks (firstname.lastname@example.org, @timstarks).