With help from Eric Geller, Martin Matishak, Melissa Heikkilä, Cristiano Lima and Daniel Lippman
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— A coronavirus contact-tracing initiative from Apple and Google has some privacy and security landmines to navigate.
— An advocacy group urged the Federal Energy Regulatory Commission to move ahead with cybersecurity standards despite calls to move back the timing.
— A top U.N. official called for a “digital cease-fire” as the world contends with coronavirus, especially because of the need to safeguard health care organizations and employees.
HAPPY MONDAY and welcome to Morning Cybersecurity! So relatable. “If a hacker gets a hold of a Zoom, what can they tell?” Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
POLITICO Pro is here to help you navigate these unprecedented times. Check out our new Covid-19 Coverage Roundup, which provides a daily summary of top Covid-19 news coverage from across all 16 federal policy verticals as well as premium content, such as DataPoint graphics. Please sign up at our settings page to receive this unique roundup sent directly to your inbox every weekday afternoon.
Sign up for POLITICO Nightly: Coronavirus Special Edition, your daily update on how the illness is affecting politics, markets, public health and more.
TRACKING DOWNSIDES — A joint Apple-Google project to track coronavirus exposure risks announced last week has sparked privacy and security fears even as some lawmakers are willing to give the tech giants some leeway. “Tech companies’ new feature to contact trace coronavirus cases has positive potential, but we must ensure privacy concerns are considered,” tweeted House Energy and Commerce Chairman Frank Pallone (D-N.J.). “I’ll be following this closely to ensure consumer privacy is protected.” Rep. Jan Schakowsky (D-Ill.), who chairs E&C’s consumer protection subcommittee, echoed the sentiment.
Some security experts said that although the plan features safeguards, they aren’t adequate given the nature of the information at play. “Phone data has NEVER been proven secure and the chance of release is above 0%,” observed Sergio Caltagirone, vice president of threat intelligence for Dragos. “In fact, this is so juicy I’d argue there will be lots of baddie[s] who are interested in finding ways to leak this.” Matt Tait, a cyber fellow at the University of Texas at Austin, spelled out a slew of other potential problems.
Jennifer Granick, surveillance and cybersecurity counsel for the ACLU, credited the two companies for steps to mitigate risk but said there was “room for improvement.” “These systems also can’t be effective if people don’t trust them,” she said. “People will only trust these systems if they protect privacy, remain voluntary, and store data on an individual’s device, not a centralized repository.”
Former Vice President Joe Biden, the presumptive Democratic nominee, broadly touched on the issue in his newly released proposal to “safely reopen America.” In a New York Times op-ed outlining his plan, Biden calls for a “contact tracing strategy that protects privacy.” And Apple and Google reportedly will work with the U.K., too.
NOT SO SLOW — The coronavirus pandemic isn’t a reason to significantly delay supply chain cybersecurity standards for electric grid utilities, the grid resilience advocacy group Protect Our Power told FERC late last week. The North American Electric Reliability Corp. wants FERC to delay the deadline for complying with the cyber rule and other new regulations, saying compliance could disrupt operations at a critical time. But in comments filed Thursday with FERC, Protect Our Power said NERC’s requested three-month delay “may not be justified or necessarily be in the public interest.” Instead, it asked FERC to only grant a 30-day extension. “This approach would acknowledge the time lost by utilities due to the coronavirus pandemic,” the group said, “but otherwise require the industry to continue to treat the supply chain security issue with the importance and seriousness it deserves.”
In requesting a 90-day delay, NERC argued that the extra time “would allow entities to recover from” coronavirus-related strains, but Protect Our Power said such a long recovery window likely wasn’t necessary. Given that FERC issued the supply chain standard 15 months ago, the group said, “many or most utilities may already be prepared to comply with it by the current July 1 deadline.” A shorter delay, it said, “would also prevent us from having one crisis, the pandemic, unnecessarily cause us to lose focus and a sense of urgency about another crisis, supply chain risk.”
CYBER CEASE-FIRE — The United Nations’ undersecretary-general on Friday published an op-ed calling for a worldwide “digital cease-fire” during the coronavirus pandemic. “When launched successfully, digital attacks are catastrophic and can lead to loss of life,” wrote Fabrizio Hochschild. In particular, health care workers and hospitals battling Covid-19 shouldn’t have to question whether their data and medical equipment are secure or worry about them being shut down. “We must commit to an immediate digital cease-fire, and governments, civil society groups, and the private sector must set the tone. Without this step, our global response to the pandemic will be weakened,” according to Hochschild.
ALL I WANNA DO IS ZOOM-A-ZOOM-ZOOM-ZOOM — The top Republican on the House Oversight panel on Friday called for majority Democrats to abandon usage of the Zoom video conferencing service, citing security issues. “Given the concerns surrounding Zoom’s security, it is clear Zoom is not an appropriate platform for Committee business, which may be particularly sensitive during the COVID-19 pandemic,” wrote Rep. Jim Jordan (R-Ohio). “Please immediately suspend any current or future use of Zoom systems for official committee activities and take immediate steps to evaluate the Committee’s internal cybersecurity preparedness to prevent hackers from accessing sensitive committee information through the Zoom platform.”
Jordan cited the Senate sergeant at arms’ warning last week for offices to stop using it, broader hacking and malware concerns, and Zoom work done by employees in China as causes to suspend use. Jordan said House Oversight Democrats had been “Zoom-bombed,” something Democrats denied.
“Rep. Jordan’s office was consulted directly and repeatedly about using Zoom and never raised any concerns, so it’s unfortunate that he is now putting out inaccurate information in this public letter,” said Chairwoman Carolyn Maloney (D-N.Y.). “Had his office consulted with us first, we could have clarified their misunderstandings and provided more information about the steps the Committee has already taken to address any potential issues.” She said the committee would continue to use a “number of different technologies” to fulfill its responsibilities. The House was already “reevaluating” whether the chamber should switch to a government-specific form of Zoom.
EDGAR RIGHT — The SEC announced last week that it has settled charges with two traders accused of profiting by exploiting sensitive corporate earnings information hacked from its EDGAR system. David Kwon of California settled for $165,474 that represented the profits from his alleged illegal trades, and $16,254 in interest; Igor Sabodakha of Ukraine settled for $148,804 in profits, prejudgment interest of $20,945 and a civil penalty of $148,804, plus the SEC said it would dismiss charges against his wife, Victoria Vorochek, whose accounts he allegedly used to conduct trades.
The EDGAR hack generated considerable interest from Congress when the SEC disclosed it in 2017, with some lawmakers pointing to their prior concerns about SEC vulnerabilities. The SEC charges against seven individuals and two entities filed in 2019 were accompanied by criminal charges against two other men.
CRITICAL SAFETY AND PRIVACY FLAWS IN CONNECTED CARS — Drivers beware: Your rides are vulnerable to digital saboteurs. Some of Europe’s most popular connected car models have crucial security flaws that allow intruders to access personal data such as passwords and location history as well as components that control key functions such as collision-warning systems and tire air pressure, according to an investigation by British consumer group Which?.
By lifting the Volkswagen badge on the front of the car, researchers say they were able to access the vehicles’ front radar module, which controls its collision-warning system, according to our friends at POLITICO Europe’s Cyber Insights. Using a cheap laptop and a £25 gadget bought from online marketplace Amazon, the researchers also hacked into the Ford Focus’ system monitoring air pressure in tires. The investigators also got access to personal data such as Wi-Fi passwords, phone contacts and location history.
TWEET OF THE WEEKEND — And then Zoom keeps doing stuff like this.
— Kevin Zerrusen is now a managing director at EY, where he works on cybersecurity and advisory services. He most recently was senior adviser to the chairman for cybersecurity policy at the SEC; he is also a Goldman Sachs alum and served in the CIA for 30 years.
— POLITICO: “Small business loan effort might be less generous than advertised.”
— The Wall Street Journal: After Congress allowed surveillance tools to lapse, DOJ hasn’t been able to obtain wiretaps or request business records between five and 10 times.
— The Wall Street Journal: The FBI made errors in two FISA application filings last year.
— Forbes: Cryptocurrency scammer revenue is down during the pandemic.
— CyberScoop: Cyber criminal forums are also offering discounts during the pandemic.
— Register: Cyber criminals leaked sensitive documents from contractors for Boeing, SpaceX, Tesla and other major companies in retaliation for an unpaid ransomware demand.
— The Wall Street Journal: Travelex paid a $2.3 million ransom to hackers.
— Bleeping Computer: San Francisco International Airport had a data breach.
— gCaptain: Mediterranean Shipping Company may have suffered a cyberattack.
— ZDNet: “Online betting company SBTech will have to place $30 million in escrow as insurance for covering the fallout from a suspected ransomware infection.”
— Inside Cybersecurity: Two industry groups want more details from the Pentagon on its cybersecurity standards for contractors.
— Forbes: Big data firm Palantir got some coronavirus emergency relief funds.
— The New York Times: “Burning Cell Towers, Out of Baseless Fear They Spread the Virus.”
That’s all for today.
Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); and Tim Starks ([email protected], @timstarks).