CyberScoop: GAO report shows how easy it is to hack DOD weapon systems

By Sean Lyngaas

In cybersecurity probes of Department of Defense weapon systems in recent years, penetration testers were able to gain control of systems with relative ease and generally operate undetected, according to a Government Accountability Office report.

“We found that from 2012 to 2017, DOD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development,” the report states.

In one test, a two-person team gained initial access to a system in an hour, then gained full control of the system in a day, the watchdog said. In another, the pen-testers seized control of the operators’ terminals, could see what the operators saw on their screens, and “could manipulate the system,” GAO found. Many of the testers said they could change or delete data. In one case they downloaded 100 gigabytes of it.

The scathing report chalks up the insecurities in the Pentagon’s weapon systems to defense officials’ “nascent understanding of how to develop more secure weapon systems” and the fact that those systems are more networked than ever. Until recently, according to GAO, the Pentagon did not prioritize weapon-system cybersecurity. Furthermore, DOD program officials the watchdog met with “believed their systems were secure and discounted some test results as unrealistic,” the report says.

“Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” GAO researchers added.

DOD’s evaluators did not pull out top-drawer tools to breach the weapon systems, but instead used simple techniques that were sufficient in the face of “poor password management and unencrypted communications,” according to GAO.

The report, which focuses mainly on under-development weapon systems, is the product of a 15-month audit that included interviews with officials from the National Security Agency, military testing organizations, and DOD acquisition offices, among other agencies. GAO said its researchers will give Congress a classified briefing on their findings.

Not all of GAO’s findings were negative. The Pentagon has recently moved to improve weapon-system cybersecurity through policy guidance and initiatives to better understand vulnerabilities, according to the watchdog. And one penetration test reviewed by GAO “found that the weapon system satisfactorily prevented unauthorized access by remote users,” albeit not from insiders.

But the report makes clear that DOD’s work to date is far from sufficient in tackling the problem.

“Several DOD officials explained that it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon-systems cybersecurity,” the report says.

Due to testing limitations, “the vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities” in systems, according to GAO.

Defense officials provided technical comments in response to a draft of the GAO report. CyberScoop has requested further comment from the Pentagon.

“The GAO report released today highlighted a shocking reality: just how far behind we actually are in adequately protecting our weapons systems and industrial suppliers from cyber threats,” said Sen. Jim Inhofe, R-Okla., chairman of the Senate Armed Services Committee.

Rep. Jim Langevin, D-R.I., a member of the House Armed Services Committee, said he wasn’t surprised by GAO’s findings. “While DOD has made progress in lowering its cybersecurity risks, it has not moved fast enough,” Langevin said. That is why, he added, Congress has mandated that the Pentagon carry out cyber vulnerability assessments.

The Hill: Congress falls flat on election security as midterms near

By Jacqueline Thomsen

Congress has failed to pass any legislation to secure U.S. voting systems in the two years since Russia interfered in the 2016 election, a troubling setback with the midterms less than six weeks away.

Lawmakers have repeatedly demanded agencies step up their efforts to prevent election meddling but in the end struggled to act themselves, raising questions about whether the U.S. has done enough to protect future elections.

A key GOP senator predicted to The Hill last week that a bipartisan election security bill, seen as Congress’s best chance of passing legislation on the issue, wouldn’t pass before the midterms. And on Friday, House lawmakers left town for the campaign trail, ending any chance of clearing the legislation ahead of November.

Lawmakers have openly expressed frustration they were not able to act before the 2018 elections.

Rep. Tom Rooney (R-Fla.), who introduced the House version of the election security bill, said it was “disappointing.”

“If you want to call it a message that we’re sending to the American people, that we’re doing everything that we can to ensure that the integrity of the vote is sacred,” he said, “If we have these opportunities to do something and we don’t, then that definitely sends the wrong message. That maybe we just don’t care or whatever.”

Rep. James Langevin (D-R.I.), the co-founder of the Congressional Cybersecurity Caucus, said not passing the legislation was “a missed opportunity” to better protect U.S. elections.

“Every community needs to be on guard, alert and realize that the Russians are a very well-resourced and capable bad actor that are again trying to interfere with our elections,” he said.

Sen. James Lankford (R-Okla.), one of the bill’s cosponsors, told The Hill that the text of the bill is still being worked out after recent changes prompted concerns from state election officials and the White House.

It had appeared the bill would make it across the finish line but last month Reuters reported that the White House had stepped in to hold up the bill. A GOP Senate aide told The Hill at the time that it was paused over a lack of Republican support and over concerns raised by outside groups.
The White House did not return multiple requests for comment, and a spokesperson for Senate Rules and Administration Committee Chairman Roy Blunt (R-Mo.), who delayed the bill’s markup, declined to comment further.

Lankford said the White House told him it had not held up the bill. But he added that “they didn’t talk to me about it in advance.”

Like other lawmakers and experts, Lankford pointed out that even if the bill had passed ahead of the midterms, it would still be too late to implement any of the measures ahead of November’s elections.

“The bigger issue is not the legislation,” Lankford said. “The bigger issue is what the administration has done in the meantime to try to actually get all this done.”

The Department of Homeland Security has offered some cybersecurity support to state election officials, and President Trump signed an executive order earlier this month authorizing sanctions against those found interfering in U.S. elections.

Lawmakers also included $380 million for states to update and secure their election systems in an appropriations bill passed in March. That funding was initially authorized under the Help America Vote Act of 2002, passed in response to the 2000 presidential election, but this year’s grants were the first authorized under the law since fiscal 2010.

However, when Democrats tried to pass more election security funding earlier this year, Republicans knocked down the measure, arguing that substantial funds had already been allocated.

Other security bills have also been introduced after the 2016 elections, but the bipartisan bill spearheaded by Lankford and Sen. Amy Klobuchar (D-Minn.) was touted as the best shot at getting legislation on the books shielding U.S. election systems from cyberattacks.

Even so, it remained the subject of extensive debate: The original bill included a pilot program for states to conduct risk-limiting audits, which would examine a sample of ballots to ensure that systems weren’t compromised.

But that program became mandatory in a later version of the bill, costing it support from state officials and advocacy groups who argued the measure would be too great of a burden.

Voting groups have also voiced disappointment at the lack of action, but were quick to praise Klobuchar and Lankford’s bipartisan push to pass legislation.

Vermont Secretary of State Jim Condos (D), the president of the National Association of Secretaries of State (NASS), told The Hill that while many states are already implementing the measures that would be included in the bill, it was disappointing to not have them on the books. NASS has not taken a public stance on the legislation.

He said that the bill would “send a strong message” to bad cyber actors like Russia, which interfered in the 2016 election, as well as to Americans that their election systems are secure.

“I think this would go a long way to helping us let the public know that our systems are strong and, on top of that, that everyone takes [the issue] seriously,” Condos said.

It is unclear if Congress will be any closer to overcoming the hurdles to legislation after the midterms.

But advocates insist they will keep pushing for a solution.

“This is a time for unity where the country has to unite to fight off foreign meddling in our election because that undermines our democracy,” said Marian Schneider, the president of Verified Voting.
But she also noted that the Lankford-Klobuchar bill was originally introduced in December 2017 and that lawmakers had months to finalize the text.

“I think there’s an unfortunate thing going on here that whenever elections is the topic or is the subject area that it becomes politicized,” she said.

Inside Cybersecurity: Pelosi appoints Langevin to Cyberspace Solarium Commission, as House passes four cyber-related bills

By Maggie Miller

House Minority Leader Nancy Pelosi (D-CA) appointed Rep. James Langevin (D-RI) to the newly created Cyberspace Solarium Commission on Tuesday, while the House passed four cyber-related bills including one to create a vulnerability disclosure program at the Department of Homeland Security.

Pelosi named Langevin and former Rep. Patrick Murphy (D-PA) to the commission, created under the 2019 National Defense Authorization Act. The House minority leader is required to appoint two members of the Commission, one of whom must not be a current member of the House.

“Cyberspace is the future, and will grow even more important to driving American leadership and innovation in the years to come,” Pelosi said in a statement. “Guided by Rep. Langevin and former Rep. Murphy, this Commission will be a vital tool in keeping America safe, strong and free.”

Langevin, the co-founder and co-chair of the Congressional Cybersecurity Caucus, said in a statement he was “honored” to be appointed, and called for the commission to develop a “strategic framework” for international cyber “stability.”

“It is imperative that we use the opportunity afforded by the Solarium Commission to develop a strategic framework that encompasses these challenges and ensures the United States continues to benefit from global cyber stability,” Langevin said. “It is my expectation that such a strategy will encompass all elements of national power – economic, diplomatic and military – and help contextualize cyber in the broader national and economic security discussion.”

The Speaker of the House is designated to appoint three members, with the Senate majority leader to designate three, and the Senate minority leader to pick two members. Other members of the commission automatically include the FBI director, the deputy secretaries of the departments of Defense and Homeland Security, and the principal deputy director of National Intelligence.

The commission is charged with developing a “strategic approach” to defend the U.S. in cyberspace against “cyber attacks of significant consequences.”

Bills move in House

On Tuesday, the House approved four cybersecurity bills, including H.R. 6735, the Public-Private Cybersecurity Cooperation Act. The bill sponsored by House Majority Leader Kevin McCarthy (R-CA) directs the DHS secretary to establish a “vulnerability disclosure policy” for DHS internet sites within 90 days of the legislation being signed into law.

The House Homeland Security Committee approved the bill earlier this month, and Chairman Michael McCaul (R-TX) spoke on the floor in favor of passage, saying it would give a “legal avenue” to allow researchers from the private sector to identify cyber flaws in DHS’ systems.

“Between 2011 and 2013, Iranian hackers attacked dozens of American banks and even tried to shut down a dam in New York,” McCaul said. “In 2014, Chinese hackers stole over 22.5 million security clearances, including my own, from the Office of Personnel Management. In 2016, Russia meddled in our Presidential election, and because we use computer networks in our personal and professional lives, almost everyone is a target. With each passing day, cyber threats continue to grow. But the government cannot face these threats alone. We need help from the private sector.”

McCaul also spoke in favor of another bill passed Tuesday, H.R. 6620, the Protecting Critical Infrastructure Against Drones and Emerging Threats Act, sponsored by Homeland Security cyber subcommittee ranking member Cedric Richmond (D-LA). This bill would require DHS to prepare a threat assessment related to unmanned aircraft systems, and was previously approved by the House Homeland Security Committee.

“The threats we face from drones are constantly evolving as the technology becomes more accessible across the globe,” McCaul said on H.R. 6620. “We need to do more to confront these dangers.”

The House passed two more bills: H.R. 5433, the Hack Your State Department Act, sponsored by Rep. Ted Lieu (D-CA), to establish a “bug bounty” program at the State Department; and H.R. 6229, the National Institute of Standards and Technology Reauthorization Act, sponsored by Rep. Barbara Comstock (R-VA), which supports cyber programs at NIST.

MeriTalk: Langevin, Murphy Added to Cyberspace Solarium Commission

By MeriTalk

House Democratic Leader Nancy Pelosi, D-Calif., has appointed Rep. Jim Langevin, D-R.I., and former Rep. Patrick Murphy, D-Pa., to the recently created Cyberspace Solarium Commission, a 14-member public-private panel charged with developing a consensus, actionable strategy to protect and defend the U.S. in cyberspace. Legislation creating the commission was approved as part of the FY 2019 National Defense Authorization Act (NDAA). Rep. Langevin is a co-chair of the Congressional Cybersecurity Caucus and ranking member of the House Armed Services Committee’s Emerging Threats and Capabilities Subcommittee. Murphy was a congressman from 2007 to 2011, and is a former Under Secretary of the Army.

NY Times: Trump Loosens Secretive Restraints on Ordering Cyberattacks

By David E. Sanger

WASHINGTON, D.C. — President Trump has authorized new, classified orders for the Pentagon’s cyberwarriors to conduct offensive attacks against adversaries more freely and frequently, the White House said on Thursday, wiping away Obama-era restrictions that his advisers viewed as too slow and cumbersome.

“Our hands are not as tied as they were in the Obama administration,” John R. Bolton, the national security adviser, told reporters in announcing a new cyberstrategy.

Mr. Bolton rewrote a draft of the strategy after joining the administration in April. Many of his remarks on Thursday focused on a secret order — which Mr. Trump signed in August but which has never been publicly described — that appears to give far more latitude for the newly elevated United States Cyber Command to act with minimal consultation from a number of other government agencies.

The order essentially delegates more power to Gen. Paul M. Nakasone, who took over this year as the director of the National Security Agency and the commander of United States Cyber Command. During his Senate confirmation hearing in March, General Nakasone complained that America’s online adversaries attacked with little concern about retaliation.

“I would say right now they do not think that much will happen to them,” said General Nakasone, who previously oversaw the Army’s cybercommand. “They don’t fear us.”

But this month, General Nakasone said he was more comfortable with the new guidance issued by the White House, even though the administration has not made any of it public.

Senior officials have said it eliminates a lengthy process of consensus-building across the government — the Departments of Commerce, Treasury and Homeland Security among them — before the United States conducts an offensive action.

It is not clear whether Mr. Trump must still approve every major offensive online operation, as Presidents George W. Bush and Barack Obama did.

Mr. Bolton did not shed much light. “Our presidential directive effectively reversed those restraints, effectively enabling offensive cyberoperations through the relevant departments,” he said.

He said that since Mr. Trump took office, the administration has “authorized cyberoperations” against rivals, though he gave no details.

Much of the strategy that was made public on Thursday strongly echoes similar documents issued by Mr. Obama and Mr. Bush. They focus on improving digital defenses for the United States government, bettering training, working with private industry to share information about vulnerabilities and working with allies.

While the words in the strategy differ from the past, the impetus is the same. It did, however, identify specific countries as adversaries.

“Russia, Iran and North Korea conducted reckless cyberattacks that harmed American and international businesses and our allies and partners without paying costs likely to deter future cyberaggression,” the strategy read. “China engaged in cyberenabled economic espionage and trillions of dollars of intellectual property theft.”

But the classified directive appears to be significantly different, as Mr. Bolton said on Thursday.

His indictment of the previous administration omitted the fact that Mr. Obama continued or initiated three of the most aggressive cyberoperations in American history: one to disable Iran’s nuclear fuel production, another to attack North Korea’s missile programs and a third against online recruitment and communications by the Islamic State.

The first, code-named Olympic Games, was judged successful at destroying about 1,000 nuclear centrifuges for a year. The Korea operation had only mixed results at best, and Mr. Obama’s own defense secretary later wrote that the operation against the Islamic State proved largely ineffective.

But Mr. Obama hesitated to strike back at Russia in 2016 after revelations of its breach into the Democratic National Committee, and acted only after the presidential election.

And, as Mr. Bolton noted, the United States declined to name other attackers, including the Chinese, for stealing roughly 22 million files on Americans with security clearances from the Office of Personnel Management. He noted that those files, “my own included, maybe yours, found a new residence in Beijing.”

Mr. Bolton became the first American official to formally acknowledge what was widely known: that the Chinese government was behind that intrusion.

Additionally, the Trump administration accused North Korea of mounting the WannaCry attack that brought down the British health care system, and Russia of initiating the NotPetya attack that was aimed at Ukraine and cost hundreds of millions of dollars in damage, including to shipping companies like Maersk.

But Mr. Bolton, whose concepts of deterrence were formed in the Cold War, is likely to discover what his predecessors learned: Almost every strategy that worked in deterring nuclear attacks does not fit the digital era, and even figuring out where an attack originated can be a challenge.

The government has grown more skilled at attributing the source of a cyberattack, but the process remains lengthy. By the time a conclusion is reached, it is often too late to mount a successful counterstrike.

Mr. Trump has particularly muddied the waters in assigning blame for attacks, repeatedly expressing doubts that Russia was behind the hacking of the Democratic National Committee and members of Hillary Clinton’s 2016 presidential campaign. The Justice Department has indicted officers of Russia’s military intelligence unit, once known as the G.R.U., and the Internet Research Agency, in those attacks.

Part of the strategy calls for the United States to develop what it describes as an international cyberdeterrence initiative, which sounds similar to efforts to develop a theory of nuclear deterrence. The document provides few details, but says the Trump administration will build “a coalition and develop tailored strategies to ensure adversaries understand the consequences of their malicious cyberbehavior.”

Some of those efforts have already begun: The American accusations against North Korea and Russia last year were immediately echoed by Britain and other Western powers.

Representative Jim Langevin, Democrat of Rhode Island who has been active in developing new cyberstrategies, said that the White House approach was focused “in starkly offensive terms.”

“I agree that our adversaries need to know that we can — and will — challenge them in cyberspace,” Mr. Langevin said. “But as the country with the most innovative economy in the world, we must also acknowledge the abiding interest of the United States in encouraging stability in this domain.”

Nextgov: Senate-Passed Bill to Hack DHS Heads to House Floor

By Joseph Marks

The House Homeland Security Committee forwarded two bills Thursday to make it easier for ethical hackers to share computer vulnerabilities they find in Homeland Security Department websites.

The first bill, sponsored by House Majority Leader Kevin McCarthy, R-Calif., would direct Homeland Security officials to create a vulnerability disclosure policy. That policy would describe which department websites hackers can legally probe for vulnerabilities, how they can alert the department about those vulnerabilities, and when and how the department will respond to and remediate the vulnerabilities.

Homeland Security Sec. Kirstjen Nielsen told lawmakers in April that the department already plans to adopt such a policy, but the department has not made progress since then, Rep. Jim Langevin, D-R.I., said during Thursday’s markup.

The second bill, which has already been passed by the full Senate, would go a step further, requiring Homeland Security to create a formal program, known as a bug bounty, that would solicit vulnerability reports from hackers and pay them for vulnerabilities that checked out.

The Hack the Department of Homeland Security bill, sponsored by Sen. Maggie Hassan, D-N.H., in the Senate, is partly modeled on numerous successful bug bounty programs at the Pentagon and military services.

The bill would mark the first departmentwide bug bounty in the civilian government. The General Services Administration’s Technology Transformation Service also runs an ongoing bug bounty.

Those Defense Department bug bounties required a lot of time and money, however, and some bug bounty organizers have warned that a full bug bounty may not be a good investment for civilian agencies, especially if they lack the resources to investigate and patch all the bugs ethical hackers uncover.

Homeland Security’s top cybersecurity and infrastructure security official Chris Krebs initially expressed skepticism about a department bug bounty, worrying it could steal resources from other parts of the department’s cyber mission. He later endorsed the plan, however, during his confirmation hearing.

Cyber Scoop: House passes deterrence bill that would call out nation-state hackers

By Sean Lyngaas

The House of Representatives on Wednesday passed a bipartisan bill aimed at deterring foreign governments from conducting hacking operations against U.S. critical infrastructure.

The Cyber Deterrence and Response Act put forth by Rep. Ted Yoho, R-Fla., calls on the president to identify individuals and organizations engaged in state-sponsored hacking that significantly threatens U.S. interests, and then to impose one or more of a slew of sanctions on them.

That “naming and shaming” approach is an effort to ward off future cyberattacks from China, Russia, Iran, and North Korea — four countries that U.S. officials routinely label as top adversaries in cyberspace.

The bill, which passed the House by voice vote, also calls for a uniform list of foreign hacking groups to be published on the Federal Register. Sen. Cory Gardner, R-Colo., last month introduced companion legislation in the Senate.

“Our foreign adversaries have developed sophisticated cyber capabilities that disrupt our networks, threaten our critical infrastructure, harm our economy, and undermine our elections,” Yoho said in a statement. “Collectively, we must do more to combat this digital menace.”

Rep. Jim Langevin, D-R.I., co-founder of the Congressional Cybersecurity Caucus, said the bill is an “important step forward in recognizing that cyberthreats are the new weapon of choice for states who seek to sow discord and engage in conflict below the threshold of war.”

Lawmakers have long urged the executive branch to delineate a cyber deterrence strategy after high-profile breaches of the Office of Personnel Management in 2015 and the Democratic National Committee in 2016.

In response to the demand for a deterrence strategy, the State Department in May recommended that the U.S. government develop a broader set of consequences that can be imposed on adversaries to deter cyberattacks.

Washington should work with allies to inflict “swift, costly, and transparent consequences” on foreign governments that use “significant” malicious cyber activity to harm U.S. interests, the unclassified version of the State Department report says.

Officials such as Vice President Mike Pence and Homeland Secretary Kirstjen Nielsen have touted the administration’s efforts to crack down on foreign hackers. “[T]his administration is replacing complacency with consequences, replacing nations’ deniability with accountability,” Nielsen said in a speech Wednesday.

Inside Cybersecurity: Rep. Langevin: Restructuring cyber oversight a top priority for Democrats

By Charlie Mitchell

Streamlining congressional oversight of cybersecurity policy, creating a high-level “cyber director” role at the White House and — of course — closer scrutiny of Trump administration cyber efforts will top the priority list if Democrats take the House in November, according to one key Democratic lawmaker.

“We haven’t moved the ball enough on [cyber] oversight,” Rep. James Langevin (D-RI) told Inside Cybersecurity. “It needs to happen faster and more comprehensively.”

Langevin is the co-founder of the bipartisan Congressional Cybersecurity Caucus and a senior member of the Armed Services and Homeland Security committees.

He is in line to chair Armed Services’ cyber-focused emerging threats subcommittee if the Democrats get the net 24-seat pickup they need on Election Day to secure a House majority. Nonpartisan analyses and the latest polling aggregations show the Democrats poised to make the necessary gains.

But within the House’s current committee structure, Langevin said, “oversight of cybersecurity is too stove-piped — the jurisdictional issue is a problem and we need to streamline.”

What’s the problem? “Jurisdiction, jurisdiction, jurisdiction,” Langevin said. “It’s a major roadblock to legislation and oversight.”

With eighty-plus committees and subcommittees exercising authority over myriad cyber issues, “we need more agility in oversight,” Langevin said. “That takes strong leadership at the speaker and minority leader level. I hope we’re in the majority and can streamline oversight. That will be one of my top priorities.”

Otherwise, the ninth-term lawmaker said, “the only thing that moves the needle on cyber is a crisis.”

On other issues, Langevin cited the upcoming one-year anniversary of the Equifax hack in calling for action on data security and breach notice legislation, such as the bill he has introduced that would require notification to consumers within 30 days of detecting a breach and give the Federal Trade Commission statutory authority for “coordinating responses” to cyber attacks.

“There hasn’t been enough done to prevent future Equifaxes from happening or to notify consumers” of breaches, he said.

Langevin said that he will also push for a “Senate-confirmed cyber director role with budget authority, at the White House.”

“There needs to be one person who is responsible and accountable for what the policy is and what the metrics are for success.”

Such a position would have significantly more authority than the White House cyber coordinator role that President Trump eliminated earlier this year — and that was a creation of the Obama administration that lacked statutory authority.

Langevin likened the position he envisions — and has detailed in legislation introduced in the past two Congresses — to the Director of National Intelligence or the Director of National Drug Control Policy.

Langevin also discussed the new National Risk Management Center that the Department of Homeland Security has launched, calling it “a positive step forward” and saying he is “looking forward to hearing from them.”

“We need to make sure they have the tools they need and that the [National Cybersecurity and Communications Integration Center] is more operational in real time. But the risk management center could have real value,” he said.

Still, Langevin said, “we need to get better at assuring interagency coordination. The primacy of DHS is important, which is why enactment of NPPD reorganization is essential.”

Bipartisan legislation has cleared the House that would transform NPPD into a cybersecurity agency, but it remains stalled in the Senate, a source of bipartisan frustration among House members.

“Organizing and making clear the mission of NPPD is important, but we also need to know who is coordinating the whole-of-government strategy,” Langevin said, underscoring the need for a high-level policy director.

The lawmaker also expressed concerns that not enough has been done to secure state elections systems amid ongoing hostile action from Russia.

“We’re going into the elections with just a Band-Aid,” he said. “Time is short now but I’m concerned about DHS having enough resources to deal with states and localities, and to protect other critical infrastructure.”

With concerns lingering about the proper state and federal roles on election security, he added: “I encourage states to reach out for assistance — the federal government is never going to take over the electoral process.”

Cyber Scoop: DHS supply chain and CDM bills pass the House

By Zaid Shoorbajee

The House passed two bills Tuesday that aim to bolster the Department of Homeland Security’s cybersecurity efforts as they relate to securing the agency’s own vendor supply chain as well as securing other federal agencies’ networks.

Both bills now head to the Senate. One of them, the Securing the Homeland Security Supply Chain Act of 2018, would give the secretary of Homeland Security authority to block IT vendors deemed to pose a supply chain risk from contracting with the agency.

“There is no question that nation-states and criminal actors are constantly trying to exploit U.S. government and private sector systems to steal information or insert potentially harmful hardware or software,” said the bill’s sponsor, Rep. Peter King, R-N.Y., on the House floor before a voice vote.

King cited recent and ongoing U.S. government scrutiny of Russian cybersecurity company Kaspersky Lab and Chinese telecommunications companies Huawei and ZTE as justification for giving DHS this new authority. Those efforts “underscore the threats posed to the federal supply chain and the urgency in developing stronger mechanisms to secure it,” King said.

The bill as passed would only allow DHS to make these decisions for its own contracts.

“I am hopeful, this bill moves through the process, that we will also have an opportunity to consider legislation that provides similar authority to ensure national security vetting is incorporated into the wider government procurement process,” King said.

The other bill, the Advancing Cybersecurity Diagnostics and Mitigation Act, would codify into law DHS’s existing Continuous Diagnostics and Mitigation (CDM) program, which provides other federal agencies with monitoring and threat detection on their networks.

“We need to know what we have before we can try to defend it,” said Rep. John Ratcliffe, R-Texas, who introduced the bill. “[CDM] not only allows the ability to combat our enemies in cyberspace, but also to help federal CIOs manage information technology.”

DHS has been awarding billions of dollars worth of contracts to keep CDM’s various phases going. The bill passed Tuesday would make the program statutorily part of DHS.

Rep. Jim Langevin, D-R.I., also spoke in support of the CDM bill on the House floor, but expressed concern that the bill does not incentivize agencies to actually take advantage of the DHS program.

“This is a good bill, and I urge my colleagues to support its passage. However, I must take this opportunity to mention this bill’s major omission. It does not address the incentive structure at other agencies to actually adopt CDM offerings,” Langevin said.

Langevin lamented that CDM’s full potential is being hindered by the many congressional committees and federal agencies that compete over jurisdiction of cybersecurity issues.

“During hearings and roundtables on the program, we often heard from government stakeholders that internal dynamics at DHS’s sister agencies were actually the biggest obstacle to the program’s success,” Langevin said. “I urge my colleagues to consider the wisdom of having so many committees involved with cybersecurity jurisdiction often to the detriment of making real progress.”

Nextgov: Critical Update- Cyber Leadership Has to Come from the Top

By Joseph Marks

The biggest problems in federal cybersecurity start at the top and fixes need to come from the top too, Rep. Jim Langevin, D-R.I., told Nextgov’s Critical Update podcast.

When Defense Secretary Ash Carter made cybersecurity a top Pentagon priority during the Obama administration, for example, Carter’s subordinates showed the same passion for the issue, said Langevin, who co-founded the Congressional Cybersecurity Caucus.

“You had everyone, all hands on deck, doing more to step up our cybersecurity at the Pentagon,” he said.

By 2018, among other cyber initiatives, the Defense Department had launched five bug bounty contests, which loosed troves of ethical hackers to search for vulnerabilities in Pentagon computer systems.

When National Security Adviser John Bolton eliminated the position of White House cybersecurity coordinator in May, by contrast, it marked “an enormous step backward” for federal cyber efforts, Langevin said.

Among other things, the lack of a White House point person on cybersecurity prevents the administration from speaking with a clear and singular voice about issues such as Russian election meddling and foreign efforts to penetrate U.S. critical infrastructure, said Langevin, who has co-sponsored legislation to restore and elevate the cyber coordinator position.

“I’m very concerned about having a lack of coordination and oversight from the top,” he said.

Langevin has criticized President Donald Trump for failing to consistently acknowledge Russian government efforts to undermine the 2016 election and for acceding to the elimination of the cyber coordinator position, but he has also praised some Trump administration moves, such as appointing highly qualified Homeland Security cyber officials and continuing Obama-era cyber policies.

Going forward, Langevin said, he holds out hope the president will make cybersecurity a priority and urge his cabinet secretaries to do the same.

“The president would serve the government well by having his cabinet secretaries around the table and … asking what they’re doing to step up their game in preventing cyber vulnerabilities,” he said.

On the Ash Carter model, he said, more cabinet secretaries may then make cyber a priority “and their subordinates will make it happen.”

You can listen to the full episode [here] and subscribe through the Apple store or Google Play.