With help from Eric Geller, Martin Matishak, Bryan Bender, Alexandra Levine and Laurens Cerulus
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m.
— The latest Senate GOP proposal for coronavirus aid features allocations for the EAC and CISA, although some Democrats hope to see money for more specific election-related expenses.
— The Heritage Foundation has a number of cyber recommendations in a report out today meant to guide lawmakers on the annual defense policy bill.
— A consulting firm that exposed information on a massive number of Americans is back in the good graces of the RNC.
HAPPY MONDAY and welcome to Morning Cybersecurity! It’s a good thing your MC host owns a set of hair clippers. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
JOCKEYING FOR COVID-19 CASH — The Senate GOP’s $1.6 trillion legislation (S. 3548) for the third government phase of pandemic response, which failed to clear a procedural vote Sunday night, features more money for both the EAC and CISA. The EAC would get a heftier amount: $140 million “to provide grants to states in response to the coronavirus for the 2020 election cycle,” according to a summary of the bill text. CISA, meanwhile, would receive $9 million “to address immediate needs for improved interagency coordination for the protection of critical infrastructure nationwide.”
Some Democrats want money in the bill (known as the CARES Act) specifically to expand vote-by-mail and early voting, as they proposed in draft legislation last week. “It is the role of states to administer elections, but it is also the role of the federal government to ensure states have the resources they need to effectively administer those elections and safeguard them against national threats,” Sens. Amy Klobuchar (D-Minn.) and Chris Coons (D-Del.) wrote to congressional leaders on Friday. “Protecting the right to vote is critical — and we can’t let this crisis stop Americans from being heard at the ballot box.”
Coons and Klobuchar today will join Sen. Ron Wyden (D-Ore.); Sean Eldridge, founder and president of Stand Up America; and Randi Weingarten, president of the American Federation of Teachers, on a call with the media to press for the inclusion of funding for mail-in and early voting. House Democrats have also said they have issues with the Senate GOP proposal and would introduce their own bill.
CYBER IDEAS FOR DEFAUTH — The conservative Heritage Foundation today is recommending that the authors of the fiscal year 2021 defense policy bill give Special Operations Forces authorities to conduct cyber offense operations. “Currently, only Special Mission Units regularly receive national-level support from the U.S. Intelligence Community for offensive cyber operations, while theater SOF are routinely de-prioritized for this support and are explicitly prohibited from conducting offensive cyber operations,” reads the report, on how Congress can prepare the U.S. for great power competition.
Additionally, the think tank proposes that Congress should enact language in the defense authorization measure allowing DoD to accept personnel from “non-traditional professional credentialing and schooling” for its cyber workforce, “require an assessment on the U.S. quantum security posture” and order the Pentagon, director of national intelligence and other agencies to develop policy recommendations on sharing quantum research and development globally.
ONCE MORE, WITH FEELING — A Republican data analytics company that exposed the voter information of nearly 200 million Americans has been rehired by the RNC, our colleague Alex Isenstadt reported Friday. While the committee cut ties with Deep Root Analytics following the 2017 data breach that exposed the personal information and political dispositions of almost 60 percent of the country, the RNC paid the Northern Virginia-based media consulting firm $700,000 last month.
The firm will work on data analytics and media-tracking projects, sources told Alex. “The RNC has and will continue to take the security of voter information extremely seriously. Over the past three years, Deep Root has overhauled their security protocols and maintains a robust security posture,” said Mike Reed, an RNC spokesman. “We are confident that their system is safe and secure.”
DON’T YOU (FORGET PRIVACY) — The privacy and security of patients’ data must be a cornerstone of any forthcoming coronavirus relief package and the “waiver of any privacy protection must be intended to exclusively serve public health,” a coalition of civil-society groups told Congress in a letter sent to leadership on Friday. “Individuals must retain certain fundamental rights over the data collected from them during or as a result of the crisis,” said the groups, “and whatever increased access to personal data is allowed to companies and the government during the emergency should be removed once the emergency has passed.”
The coalition — including Access Now, Amnesty International, New America’s Open Technology Institute, Public Citizen and nine other organizations — insisted that any pending legislation include cybersecurity protections to prevent breaches or other unauthorized disclosures. “Any data processing or remote technology deployment should not minimize needed security protections in the context of pandemic response,” they said, adding that data ought to be “maintained in a secure environment and transmitted through secure methods.” Their other priorities included time limits on any privacy waivers, transparency about how data is collected and shared, minimization to protect patients’ identities and accountability for breaches and other failures.
SECURITY WOES FOR PENTAGON IT SYSTEM — Cybersecurity officials fell short on implementing eight of 17 security controls for a vital IT system used by a wide array of Pentagon leaders, according to a DoD watchdog report released Friday. The Global Command and Control System-Joint “allows users to plan, execute, and manage military operations into and across theaters, manage mission-specific information feeds, and gather battlefield data to provide commanders with an accurate status of air, space, land, and maritime units used for operations,” the DoD inspector general wrote.
But the report found that despite the importance of the system, DoD cybersecurity officials at seven sites didn’t consistently implement some security controls needed to protect data and IT assets, such as vulnerability management and physical access authorization. That’s because site commanders didn’t appoint GCCS-J cybersecurity officials as they should have, the IG found. Many DoD subcomponent leaders agreed with the IG recommendations, although some didn’t respond.
JOINT STATEMENT FROM THE EU — From our friends at POLITICO Europe’s Cyber Insights: The EU’s cybersecurity agencies came up with a joint statement on coronavirus. “Malign actors are actively exploiting these new challenging circumstances to target remote workers, businesses and individuals alike,” they wrote. “The European Commission, ENISA, CERT-EU and Europol, among others, will continue to monitor the situation and coordinate as appropriate to ensure a safer cyberspace for the EU and the world.”
TWEET OF THE WEEKEND — No one could’ve seen this coming.
RECENTLY ON PRO CYBERSECURITY — As political ads have largely moved online, the Federal Election Commission hasn’t done much to keep up with the digital migration. … The tech community is pitching in to fight the coronavirus.
— ZDNet: Russian hackers say they breached an FSB contractor and got details on a Kremlin intelligence agency IoT hacking project.
— DOJ won a restraining order against a website in its first COVID-19 fraud filing.
— CyberScoop: Any volunteers out there to combat attacks on health organizations?
— Microsoft talked about what it’s doing to counter coronavirus-themed phishing attacks.
— Facebook invited developers to participate in an “online hackathon” to build solutions that can help Messenger address the pandemic.
— Krebs on Security: “Zyxel Flaw Powers New Mirai IoT Botnet Strain.”
— CyberScoop: The Pwn2Own hacking contest went remote.
That’s all for today.
Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); and Tim Starks ([email protected], @timstarks).