Cyber Scoop: House defense bill would usher in cybersecurity changes at DOD


By Sean Lyngaas

The House of Representatives this week overwhelmingly passed a defense policy bill with several cybersecurity measures aimed at better securing Pentagon networks.

The legislation — the fiscal 2019 National Defense Authorization Act (NDAA) — seeks closer collaboration between the departments of Defense and Homeland Security in defending against hackers, asks for quick notification of data breaches of military personnel, and continues to crack down on foreign-made telecom products that are deemed security threats.

The NDAA is an annual ritual that lawmakers use to shape Pentagon policies and budget plans while throwing in some pet projects to boot. The House bill — a $717 billion behemoth — eventually will be merged with the Senate’s version, which that chamber’s Armed Services Committee also approved this week. It’s unclear when the Senate bill will have floor votes.

One key provision of the House bill, according to the Rules Committee print, would set up a pilot program for the Pentagon to dispatch up to 50 cybersecurity staff to support the DHS’s mission to secure civilian networks. The deployment of the DOD personnel, potentially to DHS’s prized round-the-clock threat-sharing hub, would be a reminder of the overlapping turf that agencies compete for and try to reconcile in cyberspace.

While DOD may find itself loaning out a small group of its experts, lawmakers want to boost the department’s own workforce by giving the Defense secretary direct hiring authority through September 2025 for “any position involved with cybersecurity.” The Pentagon has boosted its ranks of computer gurus in recent years through U.S. Cyber Command, but lawmakers and military brass are wary of losing these experts to lucrative private-sector jobs.

In the event of a “significant” breach of service members’ personal information, the Defense secretary would be required to promptly notify Congress. That issue came to the fore in January when it was revealed that GPS company Strava had published a map online that showed soldiers’ locations via devices like Fitbits.

Rep. Jim Langevin, D-R.I., co-founder of the Congressional Cybersecurity Caucus, backed the defense bill’s provisions to improve “our ability to deter adversaries in cyberspace.” In response to the Russian influence operation that sought to disrupt the 2016 U.S. presidential campaign, the bill would ask President Donald Trump for a report to Congress on what his administration is doing to protect against “cyber-enabled” information operations.

The House bill also keeps the pressure on Chinese telecom companies ZTE and Huawei by barring federal agencies from buying their products, and an amendment from Texas Republican Michael McCaul extends that ban to any use of federal grant money and loans.

The Senate version of the bill also tightly restricts the Pentagon’s use of technology considered a risk to national security. For example, an amendment from Sen. Jeanne Shaheen, D-N.H., would require DOD vendors to reveal if they’ve let foreign governments inspect their source code.

Senators seem intent on putting more language around offensive cyber-operations in their version of the bill compared to the House’s. According to a summary of the Senate bill, it stipulates a U.S. policy to use “all instruments of national power, including the use of offensive cyber capabilities” to deter cyberattacks that “significantly disrupt the normal functioning of our democratic society or government.”

PBN: Five Questions With: James R. Langevin


By Susan Shalhoub

The National Institute of Standards and Technology released an update to the Framework for Improving Critical Infrastructure Cybersecurity this spring, the group’s first such update. Rep. James R. Langevin, D-R.I., is co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of both the House Committee on Armed Services and the House Committee on Homeland Security.

PBN: Why is it important for different sectors, such as academia and businesses, to partner on cybersecurity defense?

LANGEVIN: Cybersecurity is a challenge that everyone faces. Computers and other information technology are pervasive in every sector of the economy … no one has a monopoly on cybersecurity talent or techniques. That’s one reason it’s been so important for the National Institute for Standards and Technology to bring together a broad set of stakeholders to develop its cybersecurity guidelines.

In updating the Cybersecurity Framework, NIST consulted with experts from business, academia and government to develop guidelines that draw upon the unique experiences of people in each of these fields and ensure that the guidelines are applicable to any organization.

PBN: What has changed most since the Framework for Improving Critical Infrastructure Cybersecurity was first created?

LANGEVIN: NIST published a major update to the Cybersecurity Framework. … The new version improves some of the original technical guidelines and better explains how to manage supply-chain cyber risks. The Russian NotPetya attack, for instance, while originally targeted in Ukraine, has cost U.S. corporations [such as] Merck and FedEx hundreds of millions of dollars and was enabled by a supply-chain vulnerability.

Every business should think about how it works with its vendors and service providers and whether sensitive data may be inadvertently exposed. One of the biggest changes, though, is that NIST has made the Framework easier to use. An organization using the revised Framework will have more information to select the levels of cybersecurity it wishes to implement and to self-assess its progress in reaching those levels.

NIST has also worked to provide more resources to make the Framework immediately relevant to small and medium businesses, which often do not have dedicated risk managers. Beyond the content of the Framework, a lot has changed with respect to awareness and adoption since it was first published in 2014. The word has gotten out.

PBN: In a press release recently, you said: “Cybersecurity is not just a technical issue, and an understanding of the economics of controls is essential if we expect companies to adopt them voluntarily.” Can you elaborate?

LANGEVIN: Of course, technology is at the core of cybersecurity. In a broader sense, however, cybersecurity is just part of risk management. Businesses generally excel at assessing competitive and market-driven risks, [such as] the risk that a disruptive technology will reduce demand for their product or service.

Unfortunately, we still lack the ability to describe cybersecurity risks in similar business terms. The NIST Cybersecurity Framework describes steps organizations can take to reduce their risk, but that guidance needs to be coupled with better cost-benefit information to help executives – and board members – prioritize cybersecurity investments.

PBN: What do you think is most generally misunderstood about the topic of cybersecurity?

LANGEVIN: There are, unfortunately, some who believe they have nothing to worry about because no malicious cyber actor has a reason to target them. Conversely, there are doomsayers who insist that no amount of cybersecurity will protect you from a determined adversary. The reality is somewhere in between.

There are basic defensive steps – often called “cyber hygiene” – that we should all take to improve our cybersecurity. Using unique passwords – or, even better, a password manager – keeping software up to date with patches, maintaining offline backups of valuable data and scrutinizing links in emails or texts before clicking on them are a few examples. Everyone should realize that they’re a target. But they should also feel empowered to take steps to protect themselves.

PBN: What more needs to be done?

LANGEVIN: One thing I hear over and over again is that we need to strengthen our cybersecurity workforce, because the demand for cyber skills in every sector is staggering. That’s why I’ve been proud to introduce and co-sponsor several bills to expand cybersecurity scholarships, apprenticeships and training. I also believe we need a national standard for notifying consumers when their private data has been breached, which is what my Personal Data Notification and Protection Act would provide.

Susan Shalhoub is a PBN contributing writer.

Bloomberg: Election Security a Top Concern, Trump Officials Assure Lawmakers


By Nafeesa Syeed and Anna Edgerton

The Trump administration sought to assure lawmakers on Tuesday that it’s working with states to ensure the security of U.S. elections after Democrats raised concerns that the government isn’t doing enough.

“This is an issue that the Administration takes seriously and is addressing with urgency,” according to a joint statement Homeland Security Secretary Kirstjen Nielsen and FBI Director Christopher Wray released after top intelligence officials briefed House members behind closed doors. The officials said they highlighted efforts to protect “critical infrastructure” for elections.

Democrats have questioned whether the Trump administration has acted forcefully enough to prevent other countries from meddling with U.S. election results after intelligence agencies concluded that Russia sought to help President Donald Trump and hurt Democrat Hillary Clinton in the 2016 presidential contest. Russia denies the accusations.

Raja Krishnamoorthi, an Illinois Democrat, said after the meeting that “I don’t feel confident” that the Homeland Security Department and other agencies are doing enough to secure future elections. Much of the briefing focused on Russia, but there are “others out there” seeking to do the same thing, he said.

“I didn’t walk away thinking that we’re there yet” in terms of being prepared, he said.

Read more: Hack-Resistant Vote Machines Missing as States Gird for ’18 Vote

The briefing comes as primary elections are underway Tuesday in Arkansas, Georgia, Kentucky and Texas.

James Langevin, a Democrat from Rhode Island, said after the briefing that “states have had better interaction with the federal government than they did prior to the 2016 election but there are still weaknesses in the system,” especially making sure there’s a paper trail. He said about 50 lawmakers attended the meeting and some raised questions about specific information the government has about efforts by Russia to interfere with elections.

Nielsen said after Tuesday’s meeting that Russians have sought to “manipulate public confidence on both sides” and that “we see them continuing to conduct influence campaigns.”

Michael McCaul, a Texas Republican who is chairman of the Homeland Security Committee, said Russia’s goal is to “create chaos” and not help a specific candidate.


House Speaker Paul Ryan organized the classified meeting. Trump held his own briefing May 3 with Director of National Intelligence Dan Coats, Wray and others to discuss efforts to bolster the country’s election systems and how to work with states.

DHS is offering states voluntary cyber services, including remote checks of their election systems and on-site vulnerability assessments. It’s also granting security clearances to election officials, though they haven’t all been finalized.

States are now deciding how to use their share of $380 million in federal election security grants that came with the omnibus spending package earlier this year. But it’s hardly enough to update aging voting equipment in most states ahead of the November polls, and many state officials are hoping Congress will approve more dollars.

Also this month, the Senate Intelligence panel issued its first interim report on election security. While confessing its members lacked a firm grasp on the extent of hacking into voter systems in 2016, the committee said the U.S. should “clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly.”

A group of former U.S. and European officials, including ex-Vice President Joe Biden, who say governments haven’t sufficiently addressed election security threats, have started the Transatlantic Commission on Election Integrity, which plans its first meeting in Copenhagen on June 21-22. The group aims to conduct studies on how to better reduce risks to elections from Russian cyber threats, including looking at new technologies, and share their findings with governments.

Every House seat is on the ballot in November general elections, along with a third of Senate seats.

FCW: House Dems look to salvage cyber coordinator post


Written by Derek B. Johnson

Amid reports that the White House has officially eliminated its cyber coordinator position, a group of Democratic lawmakers has filed a bill to restore the job.

The bill, introduced by Reps. Jim Langevin (D-R.I.) and Ted Lieu (D-Calif.), would establish a “National Office for Cyberspace” within the White House and create a director-level position appointed by the President and confirmed by the Senate. The office would serve as “the principal office for coordinating issues relating to cyberspace” and have responsibility for recommending security measures and budgets for federal agencies.

The bill so far has attracted 10 other co-sponsors, all Democrats.

Politico reported on May 15 that new national security advisor John Bolton eliminated the position following the departure of Rob Joyce, who had filled the spot since March 2017. Joyce, who left shortly after his boss Tom Bossert stepped down the day after Bolton started, has since returned to the National Security Agency, where he previously managed the agency’s elite hacking unit.

Langevin told FCW in a May 15 interview he was “very disappointed” in the Trump administration’s decision. Up until this point, he had been relatively pleased with the Trump administration’s cybersecurity moves, listing off positives like continuity with Obama administration initiatives, delivering a cyber doctrine, hiring Tom Bossert and Rob Joyce as homeland security advisor and cyber coordinator, and nominating Chris Krebs to lead the Department of Homeland Security’s cyber wing.

However, he characterized the elimination of the cyber coordinator position as “a clear step backwards.”

“I think that’s a bad move. It’s a very shortsighted decision,” said Langevin. “In my mind, that decision was made by someone who clearly does not understand the threats we face in cyberspace and doesn’t understand that cybersecurity is the national and economic security challenge of the 21st century.”

Bank Info Security: SEC Fines Yahoo $35 Million Over 2014 Breach


Written By Jeremy Kirk

The U.S. Securities and Exchange Commission says Yahoo has agreed to a $35 million civil fine to settle accusations that it failed to promptly notify investors about a December 2014 data breach.

The enforcement action puts public companies on notice that the SEC doesn’t look kindly upon efforts to conceal or downplay data breaches.

Yahoo, which has renamed itself Altaba, has neither admitted nor denied the allegations – as is typical in such enforcement actions, the SEC says.

But the SEC says that despite Yahoo learning within days of a December 2014 breach that it had been attacked by Russian hackers, the search giant waited nearly two years to disclose the breach to investors. The regulator’s probe into Yahoo’s breach notification speed reportedly launched in December 2016 (see SEC Reportedly Probing Yahoo’s Breach Notification Speed).


“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” says Jina Choi, director of the SEC’s San Francisco regional office. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”

Altaba couldn’t be immediately reached for comment.

The SEC’s enforcement action has been praised by some lawmakers. “Investors have a right to know whether companies are taking cybersecurity seriously,” says Rep. Jim Langevin, D-R.I. “[The] announcement of a $35 million fine in response to Yahoo’s failure to disclose its massive 2014 data breach is a long overdue first step toward providing real protections for investors. I agree that we should ‘not second-guess good faith exercises of judgment’ by executives, but the bias should be toward disclosing a breach, not burying it.”

Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned breach notification service, says that the $35 million fine will “surely cause organizations to think a bit more” about data security.

Many organizations publicly say that security is a top priority, but that often is not necessarily reflected in their IT spending, Hunt says. “There seems to be a degree of lip service [to security],” he says.

‘Crown Jewels’ Stolen

Yahoo disclosed the 2014 breach in September 2016 as it was negotiating its sale to Verizon. Due to the severity of the breach, Verizon closed its acquisition of Yahoo in June 2017 for $4.48 billion, around $350 million lower than the initial asking price.

Under the terms of the acquisition, Yahoo must pay half of all costs related to government investigations and third-party litigation. Yahoo did not carry cybersecurity insurance.

The December 2014 breach affected 500 million users. The SEC’s order says the stolen data included Yahoo’s “crown jewels,” including email addresses, user names, phone numbers, birthdates, hashed passwords as well as unencrypted security questions and answers.


Following the breach, Yahoo filed regular SEC reports in which it only outlined the risks of a data breach without disclosing that it had been attacked. The SEC alleged that Yahoo did not share information about the breach with outside auditors or counsel “in order to assess the company’s disclosure obligations in its public filings.”

The SEC adds: “Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors.”

Repeatedly Breached

Yahoo has a complicated breach disclosure history. After Yahoo disclosed the 500 million breached accounts in September 2016, it revised that tally in December 2016 to 1 billion accounts. It also said at that time attackers had forged cookies, allowing them to directly access some accounts.

In March 2017, four men, including two Russian FSB agents, were indicted on charges related to intrusions into Yahoo, Google and other webmail providers (see Russian Spies, Two Others, Indicted in Yahoo Hack).

Former Yahoo CEO Marissa Mayer told a Congressional committee in November 2017 that it was tough for any corporation to defend against nation-state attackers. She testified that Russian intelligence officers and state-sponsored hackers were responsible for sophisticated attacks on the company’s systems (see Former Yahoo CEO: Stronger Defense Couldn’t Stop Breaches).

“Even robust defenses … aren’t sufficient to protect against the state-sponsored attack, especially when they’re extremely sophisticated and persistent,” Mayer testified.

Just a month prior to Mayer’s testimony, Yahoo disclosed that a 2013 breach compromised virtually its entire user base, encompassing some 3 billion accounts (see Yahoo: 3 Billion Accounts Breached in 2013).

A class-action lawsuit against Yahoo is still winding its way through federal court in San Jose, California. Similar to the SEC’s allegations, the plaintiffs allege Yahoo waited too long to disclose breaches. Some of the plaintiffs allege the Yahoo breaches resulted in fraudulent charges on their cards and spam in their accounts (see Federal Judge: Yahoo Breach Victims Can Sue).

One of the four men who was charged, Alexsey Belan, has been accused of using his access to Yahoo to search for credit and gift card numbers. He has also been accused of using Yahoo account information to facilitate spam campaigns.

Executive Editor Mathew Schwartz also contributed to this report.

Federal Times: NIST publishes update to its cyber framework


The new version 1.1 of the Cybersecurity Framework, which was developed through public feedback collected in 2016 and 2017, includes updates to authentication and identity, self-assessing cyber risk, managing cybersecurity within the supply chain and vulnerability disclosure.

“This update refines, clarifies and enhances version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the internet of things.”

NIST also plans to release an updated Roadmap for Improving Critical Infrastructure Cybersecurity later this year as a companion to the framework.

The NIST Cybersecurity Framework has featured heavily in recent government IT and cybersecurity initiatives, and received a callout in the White House IT Modernization report released in December 2017.

In a news release, Rep. Jim Langevin, D-R.I., applauded the update for keeping the framework relevant in the face of a changing cyber landscape:

“In the four years since its release, countless organizations have used the NIST Cybersecurity Framework to voluntarily assess their cybersecurity risk posture, identify gaps, and prioritize security best practices. As demonstrated by the Russian government’s targeting of our election systems, however, the cybersecurity threats to our critical infrastructure continue to evolve. Today’s release marks an important evolution of the Framework that will ensure it remains relevant as risk management practices change to keep pace with the threat.”

Langevin added that, while the framework now has many positive additions, the update process did miss out on an opportunity to offer more concrete guidance on ways to quantify risk.

Industry, too, offered support for the new changes.

“There’s a lot to like in the new Framework, but one area where they made big strides is on supply chain risk management,” said David Damato, chief security officer at Tanium.

“2017 was the year of the supply chain attack, with attacks from NotPetya to CCleaner originating with a breach of a company’s third-party partner. The increasing attention NIST is bringing to this issue, and the standardized language they offer, will go a long way in helping organizations better understand the risks associated throughout their supply chain.”

NIST plans to host a webcast on the updated framework April 27, 2018, and the framework will also feature heavily at the agency’s Cybersecurity Risk Management Conference in November 2018.