With help from Eric Geller, Mary Lee, Martin Matishak, David Beavers and Ben White
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.
Story Continued Below
— One of the leaders of the DHS supply chain task force outlined its second-year plans, which include small-business assistance and risk management education.
— DHS touted improvements from 2018 to its 2019 election war room on threat information sharing, the department’s top cyber official said.
— The U.S. needs to figure out the relationship between cyberspace risks and who’s responsible for them, said a member of the Cyberspace Solarium Commission.
HAPPY THURSDAY and welcome to Morning Cybersecurity! Felt like a long week, for some reason. Hope you all made it out OK. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
WHAT’S NEXT FOR SUPPLY CHAIN TASK FORCE — The DHS Cybersecurity and Infrastructure Security Agency’s supply chain task force is planning an ambitious second-year agenda, according to one of its co-leads. The group, a collaboration between government agencies and private firms, will tackle nine new projects — including risk management education, software component transparency and small-business assistance — in addition to three holdovers from its first year, Robert Mayer, senior vice president of cybersecurity at USTelecom, said Thursday during a National Security Telecommunications Advisory Committee meeting in Washington.
The task force will also study ways to develop a template for supply chain risk evaluation, so that everyone is speaking the same language when it comes to vulnerabilities and mitigations. The final product, Mayer said, would play a role similar to that of NIST’s Cybersecurity Framework, in terms of providing a universal way to describe and evaluate an organization’s supply chain security posture. Another of the nine new projects involves continuous monitoring of the software development process, to help companies spot potential risks before they’re baked into products. The task force will likely vote to formally approve this work plan in the next few weeks, Mayer told POLITICO after the meeting.
Don’t expect an EnergyStar label for cybersecurity anytime soon, Mayer said during the NSTAC discussion. After CISA Director Chris Krebs asked Mayer about the best ways to encourage consumers and businesses to prioritize security, Mayer said the first step would be to establish “baseline capabilities” that all products should be expected to meet. Once a baseline has been created, he said, “it’s a lot easier then to start thinking about, ‘OK, how do we put some system in place that gives signals to consumers’” that certain products do or don’t meet that baseline. A labeling scheme is “on the horizon,” Mayer said, hopefully led by the private sector. “We’re not there yet, but we’re building the foundation to get us there.”
NEW AND IMPROVED — CISA upgraded its election day war room for this year’s local elections based on the experience of running it for the first time during the 2018 midterms, Krebs told Eric after the NSTAC meeting. “In ’18, it was the first time we had this situational awareness room where we got everybody together,” Krebs said. After evaluating how it went, the CISA team “worked out some kinks.” As a result, while residents of Kentucky, Mississippi, Virginia and other states voted last week, CISA’s war room sported new capabilities for digesting and sharing information about possible incidents, from intrusions to influence campaigns. “Now we have the ability to highlight certain issues as they pop up and isolate them and share them more rapidly,” Krebs said, which helps with “homing in on issues as they pop up and getting them out more broadly.”
RISKY BUSINESS — The Cyberspace Solarium Commission will try to sort out how risk management relates to roles and responsibilities in cyberspace, Rep. Jim Langevin (D-R.I.) said Thursday at the Georgetown University Cyber SMART research center. He sees three categories: steps that are in the business interest of the company to make; steps that are not in a company’s business interest but are of national interest; and threats that go beyond any reasonable steps a company could take.
“Judging where the lines should be drawn between those three responsibilities is a hugely challenging task, particularly because the cyber landscape is always changing,” he said. It’s one reason why he wants better measurements of success. At the same event, House Homeland Security Chairman Bennie Thompson (D-Miss.) said shifting, vacant and “acting” leadership at the White House and DHS is hampering the department’s cyber efforts.
HOUSE MOVING CYBER BILLS — The House Science Committee approved a bill (H.R. 4990) on Thursday that would create an Elections Systems Center of Excellence supervised by NIST to promote cooperation between the agency, state and local governments, and academia to ensure more secure, fair and accessible elections. The panel also adopted a Charlie Crist (D-Fla.) amendment that would require the center to include the accessibility of poll book data by voters when testing and evaluating the security, usability and accessibility of voting system technologies. Crist specifically cited needs for the visually impaired, who may have their information read aloud when checking in to cast their vote, thus violating their right to privacy.
Another House panel, the Energy and Commerce Consumer Protection and Commerce Subcommittee, approved a bill (H.R. 4779) that would reauthorize a law on cross-border spyware through Sept. 30, 2027. The existing law will expire next September. The panels approved both bills by voice vote.
MASSHOLES — Two men from Massachusetts were arrested and charged with 11 criminal counts from a string of cryptocurrency thefts, DOJ announced Thursday. The pair, both in their 20s, specifically targeted executives of cryptocurrency firms and others with deep pockets for takeover in order to drain their wallets. The duo accomplished this via SIM-swapping, which is when hackers convince carriers to attach a new SIM card to a target’s account and then pose as their victims. From November 2017 to May 2018, the pair targeted at least 10 identified victims across the country, according to the indictment, and allegedly stole, or attempted to steal, over $550,000 in cryptocurrency from these victims.
GO TROJANS — The University of Southern California’s Annenberg Center on Communication Leadership and Policy will launch election security training sessions in all 50 states starting in January. According to Thursday’s announcement, a Google grant supports an extension of the courses, previously limited to six states after support from the Democracy Fund and in conjunction with the National Governors Association. “In advance of the 2020 election, we are committed to enhancing election security for voters, campaigns and journalists alike,” said Kristie Canegallo, vice president of Google’s Trust and Safety team. The school’s daylong Election Security and Information Project sessions will draw on resources from across USC.
TWEET OF THE DAY — When it comes to election security, there are never enough perverse dynamics.
RECENTLY ON PRO CYBERSECURITY — The government hasn’t collected cellphone location and GPS data since a Supreme Court ruling last year, according to the Office of the Director of National Intelligence. … The GridEx exercise will test an attack on New York’s power and fuel supplies. … Eugene Kaspersky, head of the antivirus company named after him, said catastrophic cyberattacks loom if governments can’t agree on rules of engagement.
The Commerce Department is expected to extend a limited export waiver for Huawei. … Attorney General William Barr is backing an FCC proposal targeting Huawei and ZTE. … China’s edge on 5G is a rising threat to NATO, Secretary General Jens Stoltenberg said. … Germany isn’t looking at more security restraints to exclude Huawei from 5G. … Chinese-owned TikTok is gearing up for a lobbying fight in Europe. … Chinese bus maker BYD is worried about being excluded from the U.S. market. … The European Data Control Board has concerns about Privacy Shield. … Google is changing how it targets people with advertisements after Ireland’s privacy watchdog launched an investigation.
— Michigan Elections Director Sally Williams will retire at the end of the year, she announced Thursday.
— Via our friends at POLITICO Influence and Morning Money: Former Rep. Dan Donovan (R-N.Y.), who was ousted in the 2018 midterms by Democrat Max Rose, has joined cyber defense services firm K2 Intelligence as a senior adviser.
— Seth Blank and Nathaniel Borenstein were named co-chairs of the Election Security Special Interest Group for email industry organization M3AAWG. Blank is director of industry initiatives at Valimail and Borenstein is chief scientist for Mimecast.
— In 2016, the Government Accountability Office recommended that the Department of Veterans Affairs take 74 steps to improve its cybersecurity program; as of October of this year, it hadn’t made adequate effort to address 42 of them, according to the watchdog.
— Proofpoint researchers discovered hackers pretending to be the U.S. Postal Service.
— A top Iranian hacking group built its own VPN network. ZDNet
— Axios examines how most cyberattacks aren’t so sophisticated.
— Cyber Command is making faster hires. CyberScoop
— “Justice Dept. watchdog won’t let witnesses give written feedback on report about FBI’s Russia probe, sparking fears of inaccuracy.” The Washington Post
— A CISA official offered insights on companies’ reluctance to share threat info. CyberScoop
— A European bank recommends Googling your password. Motherboard
— There’s an app for finding out if your iPhone is hacked. Motherboard
— NIST is prepping supply chain security recommendations. Inside Cybersecurity
— More than half of Fortune 500 companies were exposed to remote access hacking. Axios
— The president of the National Association of Secretaries of State talked about the #TrustedInfo2020 initiative. electionline
— The New Zealand National Cyber Security Centre released its annual threat report.
— The pope said tech execs are responsible for child safety. Reuters
— The color of cybersecurity is blue, gray and red. University of California Berkeley Center for Long-Term Cybersecurity
— The AspenTech Policy Hub announced its second round of projects from its fellows.
That’s all for today.
Stay in touch with the whole team: Mike Farrell ([email protected], @mikebfarrell); Eric Geller ([email protected], @ericgeller); Mary Lee ([email protected], @maryjylee) Martin Matishak ([email protected], @martinmatishak) and Tim Starks ([email protected], @timstarks).
