Politico: Defense policy bill nudges U.S. toward more aggressive cyber posture

Politico: Defense policy bill nudges U.S. toward more aggressive cyber posture

By TIM STARKS

DEFENSE BILL GOES BIG ON CYBER — The final defense policy bill unveiled Monday would overhaul U.S. cyber defense policies, putting the country on a more aggressive footing against digital adversaries. The compromise fiscal 2019 National Defense Authorization Act (H.R. 5515),hammered out by House and Senate lawmakers, features several modified proposals from the upper chamber draft, such as setting the nation’s first cyber warfare policy, affirming the authority of the Defense secretary to conduct clandestine military activities and operations in cyberspace, and authorizing the president to direct U.S. Cyber Command to take steps to counter Russia, China, Iran and North Korea in cyberspace.

The negotiated measure also includes a provision to establish a “Cyberspace Solarium Commission” — a 13-member panel to develop a strategic approach to protecting and defending U.S. interests online — and a pilot program authorizing the Defense Department to provide technical experts to the Homeland Security Department to boost cooperation to protect critical infrastructure, according to a Democratic summary of the policy roadmap. It also requires DoD to notify lawmakers of cybersecurity breaches and loss of information from approved defense contractors, a response to the recent incident where Chinese hackers stole troves of data about the country’s submarine efforts from a contractor.

The measure additionally mandates that the Pentagon chief notify lawmakers in the event of a data breach that exposes the personal information of service members and create a pilot program within the Defense Digital Service to identify new ways to evaluate cyber vulnerabilities in DOD’s critical infrastructure. The policy blueprint would also put Cyber Command in charge of defending the military’s information network. The House is expected to voteon the final bill some time this week.

HAPPY TUESDAY and welcome to Morning Cybersecurity! “I’m noteating anything with a broken yolk.” Send your thoughts, feedback and especially tips to tstarks@politico.com, and be sure to follow @POLITICOProand @MorningCybersec. Full team info below.

PUTTING THE RISK IN CONTEXT — State and local officials will emphasize at a House Oversight hearing today that while they’re taking the election security threat seriously, they’re confident that there’s little chance of dramatically influencing the results of the 2018 midterms. “From a cybersecurity standpoint, we are most acutely concerned with ‘social engineering’ hacking attempts, which include phishing and baiting attempts through email” prior to the election, according to prepared testimony from Weber County, Utah, clerk/auditor Ricky Hatch, speaking on behalf of the National Association of Counties. “Most hacks are unsuccessful and crude attempts, akin to a burglar driving down a street looking for open windows or jiggling the locks, but it only takes one breach to cause significant problems.” Like Hatch, the representative of the National Association of Secretaries of State will point out that key systems aren’t connected to the internet. “If our protections to our voter registration system are breached, we can address that and the vote count is not impacted,” New Mexico Secretary of State Maggie Toulouse Oliver’s prepared remarks read. “If our protections election night reporting website are breached, we can address that and the vote count is not impacted.” The bigger concern is voter confidence, she will say.

Republicans’ goals for the hearing — which will also feature testimony from top DHS cybersecurity and infrastructure protection official Chris Krebs and Election Assistance Commission Chairman Thomas Hicks similar to their recent Hill appearances — are to assess election security preparedness across all levels of government, and to see what can be done before the 2018 elections to safeguard them. Democrats plan to lob a few protests, a Democratic committee staffer told MC. Among them: Republicans should have invited the director of national intelligence to testify, given his warnings about ongoing Russian interference; the GOP should back additional election security funds after rejecting them last week; and Republicans need to aid Democrats’ requests to DHS for more information on the alleged 2016 Russian attacks.

CDM LEGISLATION UP TO BAT — The House Homeland Security Committee today marks up legislation (H.R. 6443) that would enshrine DHS’s Continuous Diagnostics and Mitigation program in law and require that it keep pace with technological advancements that would aid the program’s goal of strengthening federal agencies’ digital defenses. Rep. John Ratcliffe, the bill’s sponsor, will argue at the markup that the legislation is necessary after a recent government report that most federal agencies are at risk of failing their cybersecurity program. “It is DHS’s CDM program that will help federal agencies and the whole of the federal government understand the threats they face, and the risks vulnerabilities pose in real-time,” his prepared opening remarks read.

Rep. Jim Langevin plans to offer an amendment to the bill to reflect his concerns that the original four-phased plan for implementing CDM might no longer be the best approach. “Many of the tools and services available under Phase 3 and Phase 4 would both be useful in agencies now, and it remains unclear to me why the Department would not aim to implement them in parallel,” he said in a statement emailed to MC. “My amendment will require DHS to address these important questions in its strategy and implementation plan required under the bill.”

LIFE, AND PEN-TESTING, FINDS A WAY — Penetration testers continue to slip into systems like they’re Swiss cheese, according to a new reportfrom the security firm Rapid7, which offers pen-testing services. The company said its employees successfully exploited a digital flaw in 84 percent of attempts, while its success rate for abusing a “network misconfiguration” was just slightly lower, at 80 percent. “The environments where software vulnerabilities were encountered grew significantly” from the previous survey period to the current one, Rapid7 said in its report, which is based on 268 pen-testing “engagements” conducted between last September and mid-June.

The three most common configuration errors that opened the door for pen-testers were “service misconfiguration,” password reuse, and accounts holding unnecessarily elevated privileges. Meanwhile, the most popular password lengths are eight, 10, and nine digits, respectively, according to Rapid7’s database of compromised credentials. Eight-digit passwords are far and away the most popular, accounting for 46 percent of the database.

“It is practically inevitable that an experienced penetration tester will uncover at least one vulnerability or misconfiguration and use it to their advantage,” the company said in its report. “However, this should not cause IT, security, and development teams to lose heart; there are strategies available to help minimize the impact of a breach, both simulated by a penetration tester or caused by a real threat actor.”

MORE INFO SURFACES ON GRID ATTACKS — “Hackers working for Russia claimed ‘hundreds of victims’ last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said,” The Wall Street Journal reported Monday. “They said the campaign likely is continuing.” The hackers “broke into supposedly secure, ‘air-gapped’ or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies.”

TAX FRAUD — The IRS could be doing more to prevent identity theft, according to a watchdog report out Monday. The Government Accountability Office made 11 recommendations for the IRS to follow to help ensure people are who they say they are online and elsewhere. Most notably, GAO suggests the service should follow the latest NIST guidelines on cybersecurity and direct its Identity Assurance Office to help develop a plan for implementing changes to its online authentication programs consistent with NIST.

LET ME SEE SOME I.D. — DHS on Monday awarded a $200,000 grant to a Canadian company that will design a system to authenticate smart devices and prevent them from being hijacked for cyberattacks. Plurilock Security Solutions Inc. will develop the system based on its existing BioTracker identity management platform. DHS’s goal is “to prevent spoofing of [internet of things devices] that can involve unfriendly actors pretending to be smart devices to launch attacks, access and steal user information, spread malware or bypass security,” according to an agency statement. DHS said BioTracker would suit this mission well because it “uses behavioral and contextual data from users to authenticate the identity of [a smart device] to protect it” from threats like DDoS attacks and botnets. Plurilock’s grant is the latest from the DHS Science & Technology Directorate’s Silicon Valley Innovation Program. It is the second non-American company to receive a SVIP grant.

RECENTLY ON PRO CYBERSECURITY — Twenty-one state attorneys general urged Congress to take action on election security. … National security adviser John Bolton will meet with his Russian counterpart next month. … Here’s how U.S. spies can figure out what President Donald Trump and Russian President Vladimir Putin discussed. … Secretary of State Mike Pompeo turned down an invitation to testify before the House Foreign Affairs Committee about Trump’s interactions with Russian and European leaders, citing a scheduling conflict, but will testify on the same subject before the Senate Foreign Relations panel.

— A survey of chief executive officers revealed that 72 percent admitted that they took intellectual property from a former employer, but 78 percent agree that IP is the most valuable asset their companies have. The survey, by data security company Code42, also found that the CEOs were fairly cavalier with protecting their work: 93 percent said they keep copies of their work on a personal device, 63 percent confessed to clicking on a link they should’ve have or didn’t mean to and 59 percent said they downloaded software without knowing if it was approved by company security. Separately, the survey findings include the opinions and impressions of chief information security officers on a range of data security questions as well.

GoLocalProv: Langevin Calls Mueller Indictment Most Significant Hacking Case in U.S. History

GoLocalProv: Langevin Calls Mueller Indictment Most Significant Hacking Case in U.S. History

Jim Langevin is calling Special Counsel Robert Mueller’s indictment of 12 Russian military intelligence officers the most significant hacking case in U.S. history.

Congressman Jim Langevin is calling Special Counsel Robert Mueller’s indictment of 12 Russian military intelligence officers the most significant hacking case in U.S. history.

Mueller indicted the Russian officers for distributing documents they had stolen from U.S. political organizations in an attempt to interfere with the 2016 presidential election.

According to the Justice Department, the hacking targeted Clinton’s campaign, Democratic National Committee, and the Democratic Congressional Campaign Committee.

Langevin Released the Following Statement:

“This is the most significant hacking case the United States has ever brought against the agents of a foreign state. Russian interference in the 2016 election struck at the very core of our democracy, and the perpetrators must be held to account. This is another example of why Director Mueller’s investigation is so important and must be allowed to continue.

This indictment is an important part of that reckoning, but it is in no way sufficient. When a nation violates the norms of responsible state behavior in cyberspace, we must respond with all means of state power, economic, diplomatic and otherwise. It is simply unacceptable to use cyber means to steal and disseminate political documents with the goals of undermining faith in American democracy. Sadly, the President continues to cast doubt on the facts first set forth by our intelligence community and reiterated in today’s indictment. Given these developments, the President should cancel next week’s meeting with Vladimir Putin and work with Congress to punish Russia for its actions.

The indictments today continue to reinforce a clear message to America’s adversaries who would target civilian infrastructure and processes: you will be found out. Although we are unlikely to see these Russian military intelligence agents in an American prison anytime soon, their worlds have gotten much smaller. I look forward to continuing my work in Congress to hold Russia responsible for its actions and improve our cybersecurity posture.”

WPRO: Rhode Island Democrats to Trump: don’t meet with Putin

WPRO: Rhode Island Democrats to Trump: don’t meet with Putin

By WPRO News Team and the Associated Press

Three members of Rhode Island’s Congressional delegation called on President Donald Trump to cancel his meeting with Russian President Vladimir Putin after 12 Russian intelligence officers were indicted for alleged hacking offenses during the 2016 presidential election.

Trump and Putin are to meet Monday in Helsinki.

The Justice Department announced the indictments Friday as part of the special counsel probe into potential coordination between Trump’s campaign and Russia.The indictment alleges a coordinated effort to break into Democratic email accounts.

Senator Jack Reed Reed said Trump should cancel the meeting in light of the “stunning indictment that these Russian conspirators attacked our democracy.”

Congressman David Cicilline reacted on Twitter, sharing a link to a Politico article on the indictments and telling Trump he should “raise this with Putin when you see him on Monday.” In a separate tweet a few hours later, Cicilline said Trump should cancel the meeting.

Congressman Jim Langevin said Trump should not only cancel the meeting, but also “work with Congress to punish Russia for its actions.”

“When a nation violates the norms of responsible state behavior in cyberspace, we must respond with all means of state power, economic, diplomatic and otherwise. It is simply unacceptable to use cyber means to steal and disseminate political documents with the goals of undermining faith in American democracy,” he said. “Sadly, the President continues to cast doubt on the facts first set forth by our intelligence community and reiterated in today’s indictment.”

Senator Sheldon Whitehouse said “it has long been clear” that Russia hacked and leaked emails during the 2016 presidential campaign.

“The President’s willingness to ignore this — even the findings of his own intelligence community — raises red flags, and requires that law enforcement be allowed to continue its investigations unimpeded,” he said. “The phony claims that this investigation needs to be ‘wrapped up’ are highly suspect and utterly without merit.”

Senate Minority Leader Chuck Schumer also says Trump should cancel the meeting.

A White House spokeswoman says the indictments contain no allegations of knowing involvement by Trump campaign officials.

FCW: Waging cyber war without a rulebook

FCW: Waging cyber war without a rulebook

By Derek B. Johnson

For years, security experts have warned of an impending cyber Pearl Harbor: an attack so big and bold that it cripples U.S. infrastructure and demands a military response.

However, in interviews with former White House and executive branch officials as well as members of Congress and staffers involved in cyber policy, many expressed more concern about the potential for a Cyber Gulf of Tonkin: a misunderstanding or misattribution around an event that precipitates or is used as a justification for war.

“I think we should all be concerned about a [misunderstanding] or something that is made to look like someone else took action,” said Rep. Jim Langevin (D-R.I.), a co-founder of the Congressional Cybersecurity Caucus. “Attribution is very difficult, although we are getting much better at it. There’s no doubt there could always be a level of uncertainty.”

The U.S. government is currently engaged in disputes with at least four other countries — Iran, North Korea, Russia and China — over a series of recent hacks, intrusions and cyberattacks dating back five years. In cases like Iran and North Korea, some worry the situation is potentially one precipitating incident away from breaking out into military conflict.

Furthermore, members of Congress have increasingly agitatedfor a more forceful response against nation-state- led cyberattacks, while providing little in the way of statutory guidance around rules of engagement for offensive cyber operations, including which agencies should take the lead and how brightly the lines should be drawn between private sector, civilian government and military response.

Blurred lines

The federal government lacks a commonly understood framework for the type and scope of actions that would or would not qualify as an act of war in cyberspace.

“There isn’t [a document] — to my knowledge at least when I was in government — where it’s like ‘this is our list’ and if it’s one of these things then we’re going to declare war,” said Megan Stifel, a former director of international cyber policy on the National Security Council.  “It’s not very helpful and reassuring to many to say that we’ll know it when we see it, but that has been a bit of the philosophy because we haven’t seen it yet.”

Stifel pointed to many of the most high-profile attacks against United States assets – such as the 2016 election disinformation campaign, the 2017 WannaCry attacks, the 2014 Sony hack and the Office of Personnel Management hack — and questioned whether any of them could truly be interpreted as a genuine act of war by the nations who supposedly carried them out.

In its new command vision on information warfare, U.S. Cyber Command noted that nation-states have taken advantage of this ambiguous policy landscape to conduct aggressive cyber campaigns to harm or destabilize U.S. interests and infrastructure.

“Adversaries continuously operate against us below the threshold of armed conflict. In this ‘new normal,’ our adversaries are extending their influence without resorting to physical aggression,” the vision statement reads.

Some have argued that such direction would allow policymakers to clearly communicate which kind of attacks and targets are beyond the pale and require an in-kind cyber or even kinetic military response. Alternatively, the absence of such a framework carries the risk of fostering confusion and misunderstandings on the international stage that could precipitate a larger conflict.

“There are these questions of ‘what was the intent?’ and I think we need to be careful not to go [like the metaphorical hammer] looking for nails,” Stifel said. “Because of the way western democracies have the private sector own most of the communications and information technology infrastructure, the lines are very blurred.”

A shifting policy landscape

That ambiguity has left some perplexed as to how best to respond to a series of cyber-focused operations against the United States.

Langevin is one of 12 members of Congress to co-sponsor a bill introduced this year by Rep. Ted Yoho (R-Fl.) that would require the president to single out as a “critical cyber threat” any foreign persons or entities determined to be responsible for a cyberattack as well as any person or organization that “knowingly materially assisted or attempted such activities.” Those actors would then be subject to a range of potential economic and travel-related sanctions. Yoho’s bill recentlypassed the House Foreign Affairs Committee and has garnered support from a bipartisan group of cybersecurity-focused lawmakers in the House.

The legislation is meant to codify many of the strategies employed during the first 18 months of the Trump administration to respond to high-profile cyberattacks against the United States, pairing “name and shame” tactics with economic and political pressure in a way that results in meaningful consequences for those who step over the line.

The problem is many policymakers are unsure where those lines actually are, and some question whether it’s even a good idea to draw them in the first place.

Langevin believes that legislation like Yoho’s bill will help to better police “the grey zone” around nation-state cyberattacks, but said he worries that being too specific could feed the potential for a Gulf of Tonkin-like misunderstanding.

“It’s hard to draw red lines in cyberspace as the threats are rapidly evolving,” said Langevin. “We have to be careful about being too prescriptive.”

That view was echoed by many others. A majority staffer on one of the congressional homeland security committees speaking on background was reluctant to even offer a broad outline of a cyber warfare doctrine, arguing the landscape is so unsettled and the potential for new technologies like AI, quantum computing and augmented reality to disrupt the status mean that any rules the Trump administration or Congress lays out today could be obsolete five years down the road.

Even worse, the rules could box them into enforcing ultimatums that no longer makes sense in an evolving policy environment. The staffer compared the status quo to “Calvinball,” a game from the popular comic strip “Calvin and Hobbes” in which the only rule is that the rules must constantly change.

“We don’t have examples in history of that kind of asymmetry and how to handle it,” the staffer said. “Even if you looped in the smartest, most knowledgeable people with all of the letters after their name that you could possibly imagine, they couldn’t sit in a room and say 10 years from now, this framework will still hold true.”

Over the past year, policymakers have been working behind the scenes to carve out a larger role for U.S. Cyber Command. CyberScoop reported in April that CyberCom has been steadily winning a tug of war with intelligence agencies for supremacy over offensive cyber operations, including those taking place outside of traditional war zones. More recently, the organization has been wading into what is typically considered the Department of Homeland Security’s turf by establishing threat information sharing programs with the banking sector.

Curtis Dukes, who ran the National Security Agency’s Information Assurance unit, said unleashing a military organization like Cyber Command to engage in offensive operations outside of war zones without a shared doctrine for conducting information warfare is a recipe for unintended consequences.

“We don’t know with any level of precision what would actually constitute an act of war where we would respond either militarily or using our own cyber offensive capabilities,” Dukes said. “Frankly, that needs to occur if we’re going to use Cyber Command as a capability to protect the homeland.”

A former high-ranking congressional staffer who worked on military cyber policy speaking on background concurred with that sentiment, saying the U.S. lacks a solid interagency process for weighing risks and examining the trade-offs of such operations.

“I’m sure there are places where it would be appropriate for CyberCom to be more aggressive, but I can tell you having sat over at DOD, that CyberCom would bring out some really stupid proposals that would sometimes ignore risks to things like the integrity of the global financial system,” the source said.

Like many of those interviewed, the former staffer cited the recent elimination of the White House cyber coordinator position as a move that would only exacerbate these problems. Langevin as well as Rep. Ted Lieu (D-Calif.) have introducedlegislation to restore the position.

Pinning the blame

There are political and public relations factors to consider as well. When nations go to war, they often couch their decision as a defensive or retaliatory response to some malicious precipitating event.

Proving to allies and the international community that a cyberattack came at the behest of a particular nation-state is difficult. Most instances of cyber attribution — such as those done with WannaCry and NotPetya — can take months if not years before reaching a high confidence assessment.

Even then, policymakers may not want to risk exposing intelligence-related sources and methods. In December, the White House publicly blamed North Korea for the 2016 WannaCry malware.

Tom Bossert, who served as White House homeland security advisor at the time, told reporters that intelligence and technical forensics gave the government high confidence about the attribution, but he declined to specify what evidence the administration was relying on and indicated that a smoking gun definitively associating the attacks to Pyongyang was “difficult” to come by.

That sort of posture could make it trickier to convince allies that the evidence justifies a cyber or military response. A State Department document providing guidance to the president on international engagement around cyber matters released May 31 notes that “difficulty attributing the source of [cyber] attacks or sharing sensitive evidence to support attribution findings has made international or public-private cooperation to respond to specific threats more challenging.”

Such cooperation is critical to establishing international rules of engagement in most domains of war, according to John Dickson, a former Air Force officer who previously served in the Air Force Information Warfare Center. While other domains of war have had millennia to develop clear lines of engagement, there’s still significant uncertainty around how best to respond to incidents of information warfare. Because of that, Dickson argued it’s sometimes best to leave policymakers with maximum flexibility.

“We don’t have anywhere near the level of history, the level of conflict, the level of openness and visibility [with cyberwar] that you have in other wars,” Dickson said. “The biggest deal is that if you’re a talented attacker, certainly a nation-state attacker, you can prosecute and attack and still maintain some level of deniability.”

CyberScoop: Private sector isn’t sharing data with DHS’s threat portal

CyberScoop: Private sector isn’t sharing data with DHS’s threat portal

By Sean Lyngaas

For years, U.S. government officials have been trying to provide firms with actionable threat data in time for corporate officials to block hackers from compromising their networks.

The 2015 Cybersecurity Information Sharing Act (CISA) gave firms legal cover to provide threat data to the government; the Department of Homeland Security rolled out an automated threat-sharing program in 2016; and Republican and Democratic administrations have preached the information-sharing gospel at conferences across the country.

But today, amid consistent nation-state cyberthreats to U.S. companies, there is a growing consensus in Congress and in the private sector that these federal efforts are falling way short of expectations and needs.

Two years after DHS established its Automated Indicator Sharing (AIS) program, just six non-federal organizations are using it to share threat indicators with the government, a DHS official told CyberScoop.

“That’s unacceptable and it surely doesn’t reach the threshold I hoped it was going to achieve,” Rep. Jim Langevin, D-R.I., told CyberScoop.

In an interview, Langevin reflected on the shortcomings of AIS and the legislation that paved the way for it.

“Clearly, CISA has not yet reached the full potential that I and many others had hoped it would,” Langevin said.

“We had this grand vision that once we passed the bill that the legal obstacles and the perceptual obstacles would come down,” he said, “and that everyone would be enthusiastically accepting threat information from the government and be sharing threat information back with the government.”

That simply hasn’t happened yet.

Langevin said he was still hopeful that the information-sharing regime could be significantly improved. But given that it took years of horse-trading to get CISA passed, it is an open question whether the problem can be solved through more legislation.

A spokesperson for Rep. Dutch Ruppersberger, D-Md., anotherclose follower of AIS, said the congressman wants DHS to brief House appropriators on how the department will get more companies to share threat data through the program.

“[I]n order for AIS to be successful, it has to be mutually beneficial,” Jaime Lennon, Ruppersberger’s spokesperson, told CyberScoop. “We need the private sector to step up and contribute more, but we have to make it easier, quicker and more fulfilling for them, too.”

DHS officials have echoed that point.

“Our shared success and security is dependent on the continued voluntary participation of private sectors,” Jeanette Manfra, DHS’s top cybersecurity official, told CyberScoop recently.

Manfra has said the department plans to update AIS this year to include automated feedback from customers on what they are doing with the threat data.

Some good with the bad

AIS is not the only information-sharing game in town – it is simply DHS’s effort to do it at machine speed. The current struggles notwithstanding, Chris Cummiskey, a former DHS official and current cybersecurity consultant, said the department has come a long way in its threat-sharing efforts.

“Only in the last several years has the department been in the position to collect the kind of [threat] data that would be usable” by the private sector, he told CyberScoop. DHS’s ability to pass the data along is maturing, he added, through the growth of its 24/7 watch center known as the National Cybersecurity and Communications Integration Center.

And while the amount of private-sector data going to the government through AIS is not flattering, much more information appears to be flowing in the other direction. More than 260 federal and non-federal entities, and 11 international computer emergency response teams are connected to AIS, according to DHS.

There are also increasingly robust information-sharing efforts outside of government.  The nonprofit Cyber Threat Alliance (CTA) for example, disseminates threat information to its corporate members, which include Cisco and Symantec.

Ahead of the announcement last month that alleged Russian hackers had assembled a massive botnet targeting 500,000 routers, Cisco was able to share malware samples so that CTA members could respond to the threat, according to Neil Jenkins, CTA’s chief analytic officer.

By the time Cisco’s threat intelligence unit published a blog on the botnet, many CTA members had already applied protections against the threat, Jenkins told CyberScoop.

Puzzles unsolved

Such private initiatives are encouraging, observers say, but the one thing they can’t generate is classified threat intelligence. Industry executives want the government to get that classified data into the hands of more corporate officials — and to declassify it more quickly to reach a wider private-sector audience.

Some executives are mystified as to why the U.S. government — the gatekeeper of untold volumes of digital footprints — apparently still struggles to provide timely information that companies can’t get from a private cybersecurity service.

“I don’t have an answer as to why it’s so difficult to get context sometimes” with government-provided threat data, Sarah Urbanowicz, chief information security officer for engineering firm AECOM, told CyberScoop.

The “context” that Urbanowicz and many other executives seek might include qualitative analysis to complement the technical details provided on hackers. But that context is often at odds with demands for getting information a machine speed.

Scott Goodhart, chief information security officer of power firm AES Corp., called for a frank discussion with the government on the challenges it faces in pushing threat information out.

“If you know there’s a Chinese threat coming in or something, I don’t care what technique or method they use necessarily to get in, tell me the information so I can feed my systems and block it,” Goodhart told CyberScoop.

Warwick Beacon: Seniors advised on how to stay ahead of scammers, hackers

Warwick Beacon: Seniors advised on how to stay ahead of scammers, hackers

Change your password and only friend the people you know. That was some of the advice given a group of senior Friday as Congressman Jim Langevin, co-founder and co-chair of the congressional cybersecurity caucus visited Pilgrim Senior Enrichment Center to offer ways for seniors to protect themselves from hackers and scams while surfing the web.

“You are not helpless,” Langevin said. “There are things you can do to protect yourself in this whole thing…The Internet is here to stay but it has never been built for security.”

Comparing it to locking your house and keeping your car safe from theft, seniors must take the right steps to stay away from today’s manipulation tactics and scams.

John Martin, a representative from Rhode Island AARP encouraged seniors to become involved in the AARP’s Fraud Watch Network which will keep members updated on recent scams and allow them to report a scam if they were to come across one. The website, aarp.org/fraudwatchnetwork will allow seniors to stay informed and safe while spending time on Facebook and other popular sites.

“You have a part time job,” Martin said, comparing staying up-to-date on the latest scams to doctors reading recent medical journals.

Rhode Island Cybersecurity Officer Mike Steinmetz also gave a presentation about how to make sure the senior’s Facebook settings were set to private. He also told seniors about how changing passwords every so often is a good way to keep hackers out of their accounts.

“Be careful about your location, too,” Steinmetz advised. “If you go on vacation post the pictures after you get home.”

RI State Police Computer Crimes Unit Captain, John Alfred discussed the different types of scams and how to identify them. He explained social engineering as a manipulation of people, criminals trying to get people to give them personal information that they can use to take advantage of and scam the individual.

Alfred stressed how important is to approach emails and websites with caution. He explained that hackers try to look like legitimate companies.

“Your bank is not going to reach out to you in an email asking for personal information,” he said. “Anytime someone asks you to wire money, be very suspicious. Try not to be too trusting… please be skeptical.”

One senior, Christopher Brook explained how important he thought the information was, and he was glad to have learned it.

“All of this is very relevant,” Brook said. “The crooks are staying ahead of the legislation and common sense.”

Cyber Scoop: House defense bill would usher in cybersecurity changes at DOD

Cyber Scoop: House defense bill would usher in cybersecurity changes at DOD

By Sean Lyngaas

The House of Representatives this week overwhelmingly passeda defense policy bill with several cybersecurity measures aimed at better securing Pentagon networks.

The legislation — the fiscal 2019 National Defense Authorization Act (NDAA) — seeks closer collaboration between the departments of Defense and Homeland Security in defending against hackers, asks for quick notification of data breaches of military personnel, and continues to crack down on foreign-made telecom products that are deemed security threats.

The NDAA is an annual ritual that lawmakers use to shape Pentagon policies and budget plans while throwing in some pet projects to boot. The House bill — a $717 billion behemoth — eventually will be merged with the Senate’s version, which that chamber’s Armed Services Committee also approved this week. It’s unclear when the Senate bill will have floor votes.

One key provision of the House bill, according to the Rules Committee print, would set up a pilot program for the Pentagon to dispatch up to 50 cybersecurity staff to support the DHS’s mission to secure civilian networks. The deployment of the DOD personnel, potentially to DHS’s prized round-the-clock threat-sharing hub, would be a reminder of the overlapping turf that agencies compete for and try to reconcile in cyberspace.

While DOD may find itself loaning out a small group of its experts, lawmakers want to boost the department’s own workforce by giving the Defense secretary direct hiring authority through September 2025 for “any position involved with cybersecurity.” The Pentagon has boosted its ranks of computer gurus in recent years through U.S Cyber Command, but lawmakers and military brass are wary of losing these experts to lucrative private-sector jobs.

In the event of a “significant” breach of service members’ personal information, the Defense secretary would be required to promptly notify Congress. That issue came to the fore in January when it was revealed that GPS company Strava had published a map online that showed soldiers’ locations via devices like Fitbits.

Rep. Jim Langevin, D-R.I., co-founder of the Congressional Cybersecurity Caucus, backed the defense bill’s provisions to improve “our ability to deter adversaries in cyberspace.” In response to the Russian influence-operation to disrupt the 2016 U.S. presidential campaign, the bill would ask President Donald Trump for a report to Congress on what his administration is doing to protect against “cyber-enabled” information operations.

The House bill also keeps the pressure on Chinese telecom companies ZTE and Huawei by barring federal agencies from buying their products, and an amendment from Texas Republican Michael McCaul extends that ban to any use of federal grant money and loans.

The Senate version of the bill also tightly restricts the Pentagon’s use of technology considered a risk to national security. For example, an amendment from Sen. Jeanne Shaheen, D-N.H., would require DOD vendors to reveal if they’ve let foreign governments inspect their source code.

Senators seem intent on putting more language around offensive cyber-operations in their version of the bill compared to the House’s. According to a summary of the Senate bill, it stipulates a U.S. policy to use “all instruments of national power, including the use of offensive cyber capabilities” to deter cyberattacks that “significantly disrupt the normal functioning of our democratic society or government.”

WaPo: The Cybersecurity 202: We surveyed 100 security experts. Almost all said state election systems were vulnerable.

WaPo: The Cybersecurity 202: We surveyed 100 security experts. Almost all said state election systems were vulnerable.

By Derek Hawkins

The midterm elections are less than six months away, but an overwhelming 95 percent of digital security experts surveyed by The Cybersecurity 202 say state election systems are not sufficiently protected against cyberthreats. 

We brought together a panel of more than 100 cybersecurity leaders from across government, the private sector, academia and the research community for a new feature called The Network — an ongoing, informal survey in which experts will weigh in on some of the most pressing issues of the field. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.) Our first survey revealed deep concerns that states aren’t prepared to defend themselves against the types of cyberattacks that disrupted the 2016 presidential election, when Russian hackers targeted election systems in 21 states.

“We are going to need more money and more guidance on how to effectively defend against the sophisticated adversaries we are facing to get our risk down to acceptable levels,” said one of the experts, Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus.

Congress in March approved $380 million for all 50 states and five territories to secure their election systems, but Langevin says he wants more. He introduced legislation with Rep. Mark Meadows (R-N.C.) that would provide election security funding to states if they adhere to new federal guidelines for identifying weaknesses in their systems and auditing election results. “I hope Congress continues to work to address this vital national security issue,” Langevin said.

Each state is responsible for running its own elections, and many state officials view attempts by the federal government to intervene with skepticism — if not outrightopposition. But some experts said the magnitude of the threats from state-sponsored adversaries is too great for states to deal with alone.

“Given the gravity of the nation-state threats we face, much more needs to be done at every level — including a strong declarative policy that this activity is unacceptable and will trigger a strong response,” said Chris Painter, who served as the State Department’s top cyber diplomat during the Obama and Trump administrations.

Dave Aitel, chief executive of Immunity Inc. and a former National Security Agency security scientist, went further: “Protecting systems from cyberthreats from nation-states can really only be done on a national level. It’s insane we have state-level control of these systems.”

Experts generally agreed that most states are more secure than they were in 2016. Officials have undertaken a variety of measures to improve security — including conducting vulnerability tests of computer networks and voting machines and hiring new IT staff.

But securing this kind of technology isn’t easy. “ ‘Election systems’ are massive, distributed IT systems with thousands of endpoints and back-end systems that hold and process large volumes of highly sensitive data,” said Jeff Greene, senior director of global government affairs and policy at Symantec. “Protecting such systems is no small feat, and election systems are no different. While [the Department of Homeland Security] and the state and local governments have in recent years dialed up their efforts, there are no easy fixes.”

Several experts said that state voter registration databases are particularly vulnerable — and make an appealing target for attackers who want to sow confusion and undermine confidence in the voting process.

“The voting machines themselves are only part of the story,” said Matt Blaze, a cryptographer and computer science professor at the University of Pennsylvania. “The ‘back end’ systems, used by states and counties for voter registration and counting ballots, are equally critical to election security, and these systems are often connected, directly or indirectly, to the Internet.”

There’s no evidence that Russian hackers actually changed any votes in 2016, but they did probe online voter rolls and even breached the statewide voter database in Illinois.“Few if any state and local IT departments are equipped to protect this infrastructure against the full force of a hostile intelligence service, and these systems are very attractive targets for disruption,” Blaze said.

“The level of expertise is quite uneven” across the states, added Daniel Weitzner, founding director of the MIT Internet Policy Research Initiative who was U.S. deputy chief technology officer for Internet policy during the Obama administration. “Of particular concern is the voter registration systems. Imagine how much fear, uncertainty and doubt [that] Russia or any other malicious actor could sow if they raise questions about the accuracy of the voting rolls. That’s every bit as bad as actually changing votes, and much easier to do.”

Jay Kaplan, co-founder of the cybersecurity firm Synack, notes a bright spot: The Election Assistance Commission has a national voting system certification program to independently verify that a voting system meets security requirements.

“However, testing for this certification is completely optional,” said Kaplan, who held previous roles in the Defense Department and at the National Security Agency. “States can set their own standards for voting systems…. As such, some states are significantly more buttoned up than others. The reality is states are understaffed, underfunded, and are too heavily reliant on election-system vendors securing their own systems.”

On top of that, millions of Americans will vote this year on old, hack-prone digital machines that produce no paper trail. Without a paper record, it’s nearly impossible to audit the final vote tally. Federal officials and expertsrecommend scrapping such machines in favor of paper ballots.

Too many states “have taken a less than strategic approach and once again waited too long to start addressing vulnerabilities within their processes and technology,” said Mark Weatherford, a former deputy undersecretary for cybersecurity at the Department of Homeland Security in the Obama administration and chief information security officer in both California and Colorado.

“Additionally, because of significant investments in electronic voting technology, it’s difficult for non-technologists to acknowledge economic sunk costs and re-prioritize current funding to address these … problems,” said Weatherford, a senior vice president and chief cybersecurity strategist at vArmour.

Nico Sell, co-founder of the software maker Wickr, put the problem into perspective: “We will teach the kids how to hack the election system this summer at r00tz at Def Con,” she said. (r00tz is an ethical hacking program for children between 8 and 16 years old held in Las Vegas alongside the Def Con security conference.)

Many experts are worried that states lack the resources to build their defenses in time for the midterms, even with more federal assistance. “What isn’t clear is where our defenses and resiliency have improved if at all,” said Jessy Irwin, head of security at Tendermint. “This is a difficult problem to solve, and it takes something we don’t have enough of to get 50 states and a few territories flying in formation: time.”

Less than five percent of experts who responded to the survey said they were confident that state election systems were well protected.

Cris Thomas, who goes by the name Space Rogue and works for IBM X-Force Red, said that while registration databases, websites and other systems may still be vulnerable, “the election systems themselves are sufficiently protected.”

And the patchwork nature of U.S. elections is actually a bonus when it comes to deterring would-be attackers, said one expert who spoke on the condition of anonymity.

“State balloting systems are diverse and decentralized. They’re administered by some 3,000 counties, making it difficult for malicious actors to uniformly attack voting infrastructure on a vast scale,” the expert said.

That expert was satisfied with the efforts by state and federal officials to secure the vote. “Public and private authorities are taking steps to defend against nation-state attacks. The recent omnibus spending bill provides monies to states for election security; threat data are being shared between states and federal agencies (albeit probably slowly and tentatively); and election officials are utilizing best practices, such as conducting post-election audits and not connecting voting machines to the Internet,” the expert said.

“But bolstering our cyberdefenses, however fundamental, will only take us so far,” the expert added. “The White House needs to authorize agencies to disrupt cyberattacks and information operations at their sources and up the ante for prospective attackers as part of America’s broader deterrence posture.”

As another expert who participated in the survey put it:“The high level of interest has led to more eyes on the process, which itself helps deter would-be hackers.”

Elite Daily: Can The 2018 Elections Be Hacked? Experts Think So, & Here We Go Again

Elite Daily: Can The 2018 Elections Be Hacked? Experts Think So, & Here We Go Again

By Bernadette Deron

With the 2018 midterm elections approaching this fall (and primaries going on throughout the year — check your local elections), the question of whether or not the United States’ voting systems are secure enough to ensure correct results is being widely debated. The Washington Post elected to interview a number of experts on whether or not they believe the upcoming elections can be hacked. According to a majority of those cybersecurity experts, the 2018 midterms are at risk of being hacked, which is just great.

The report published by the Post on May 21 featured quotes and statistics from a panel of over 100 cybersecurity experts from the government, academia, the private sector, and the research community. According to the report, 95 percent of the experts do not believe that state election systems are sufficiently protected from cyberthreats.

In an interview with NBC News on Feb. 8, head of cybersecurity at the Department of Homeland Security Jeanette Manfra revealed that Russian hackers reportedly targeted 21 states prior to the 2016 presidential election, and that “an exceptionally small number of them were actually successfully penetrated.” Back in September 2017, the federal government notified election officials from those 21 states that their systems were targeted by Russian agents during the elections the year before.

In response to these reports, the spending bill that Congress passed on March 22 included a whopping $380 million devoted to ramping up cybersecurity in order to prevent state voting systems from any sort of cyberattack. But not everyone in Congress thinks that this is enough funding to prevent elections from getting compromised by foreign agents. We are going to need more money and more guidance on how to effectively defend against the sophisticated adversaries we are facing to get our risk down to acceptable levels,” Rep. Jim Langevin (D-R.I.) told the Post. Langevin also co-chairs the Congressional Cybersecurity Caucus. If a person with as much authority on this issue as Langevin thinks more needs to be done to protect this country’s elections, it’s definitely something to take seriously.

The impact of the hacks from the 2016 presidential election has not yet been determined. But the fact that foreign agents were able to successfully hack some systems signals that the government should be working harder to ensure that elections in this country are fair and free.

Because the 2018 midterms are so important for both sides of the aisle, it’s imperative that the outcomes of those elections are secure and correct. The problem with current voting systems is that they’re not uniform across the entire country, making some polling counties more vulnerable than others. Those smaller counties could amount to a significant number of compromised votes, which in turn has enough weight to sway an election in one direction or another.

All 435 seats in the House of Representatives up for grabs come November, and 48 of those seats are considered to be competitive, according to The New York Times. In order for the Democrats to regain control of the House, they would need to flip at least 24 seats that are currently controlled by Republicans. The Senate is currently divided 51-49 in favor of Republicans, and Democrats might be able to pull off a Senate majority win following the midterms as well. Although it’s not entirely likely that Democrats will regain control of both chambers of Congress, the tight races in each prove how crucial it is to ensure that state elections are appropriately protected.

The nation is just six months away from the midterm elections, and primaries have been going on. Hopefully, the appropriate authorities are doing what they can to protect your vote.

Cheddar: Rep. Jim Langevin (D-RI) Says Elimination Cyber Coordinator Position Is “Short-Sighted” & “A Mistake”

Cheddar: Rep. Jim Langevin (D-RI) Says Elimination Cyber Coordinator Position Is “Short-Sighted” & “A Mistake”

To watch the full interview, click here.

Congressman Jim Langevin is a Democrat representing Rhode Island’s second district. He is also the co-chair of the congressional cyber security caucus. The congressman has put forward a bill to create a cyber security director position that will be able to better coordinate cyber activities in the United States to ensure the country is protected from threats. The bill was presented soon after National Security Advisor John Bolton eliminated the top cyber policy role at the White House.