DEFENSE BILL GOES BIG ON CYBER — The final defense policy bill unveiled Monday would overhaul U.S. cyber defense policies, putting the country on a more aggressive footing against digital adversaries. The compromise fiscal 2019 National Defense Authorization Act (H.R. 5515),hammered out by House and Senate lawmakers, features several modified proposals from the upper chamber draft, such as setting the nation’s first cyber warfare policy, affirming the authority of the Defense secretary to conduct clandestine military activities and operations in cyberspace, and authorizing the president to direct U.S. Cyber Command to take steps to counter Russia, China, Iran and North Korea in cyberspace.
The negotiated measure also includes a provision to establish a “Cyberspace Solarium Commission” — a 13-member panel to develop a strategic approach to protecting and defending U.S. interests online — and a pilot program authorizing the Defense Department to provide technical experts to the Homeland Security Department to boost cooperation to protect critical infrastructure, according to a Democratic summary of the policy roadmap. It also requires DoD to notify lawmakers of cybersecurity breaches and loss of information from approved defense contractors, a response to the recent incident where Chinese hackers stole troves of data about the country’s submarine efforts from a contractor.
The measure additionally mandates that the Pentagon chief notify lawmakers in the event of a data breach that exposes the personal information of service members and create a pilot program within the Defense Digital Service to identify new ways to evaluate cyber vulnerabilities in DOD’s critical infrastructure. The policy blueprint would also put Cyber Command in charge of defending the military’s information network. The House is expected to voteon the final bill some time this week.
HAPPY TUESDAY and welcome to Morning Cybersecurity! “I’m noteating anything with a broken yolk.” Send your thoughts, feedback and especially tips to email@example.com, and be sure to follow @POLITICOProand @MorningCybersec. Full team info below.
PUTTING THE RISK IN CONTEXT — State and local officials will emphasize at a House Oversight hearing today that while they’re taking the election security threat seriously, they’re confident that there’s little chance of dramatically influencing the results of the 2018 midterms. “From a cybersecurity standpoint, we are most acutely concerned with ‘social engineering’ hacking attempts, which include phishing and baiting attempts through email” prior to the election, according to prepared testimony from Weber County, Utah, clerk/auditor Ricky Hatch, speaking on behalf of the National Association of Counties. “Most hacks are unsuccessful and crude attempts, akin to a burglar driving down a street looking for open windows or jiggling the locks, but it only takes one breach to cause significant problems.” Like Hatch, the representative of the National Association of Secretaries of State will point out that key systems aren’t connected to the internet. “If our protections to our voter registration system are breached, we can address that and the vote count is not impacted,” New Mexico Secretary of State Maggie Toulouse Oliver’s prepared remarks read. “If our protections election night reporting website are breached, we can address that and the vote count is not impacted.” The bigger concern is voter confidence, she will say.
Republicans’ goals for the hearing — which will also feature testimony from top DHS cybersecurity and infrastructure protection official Chris Krebs and Election Assistance Commission Chairman Thomas Hicks similar to their recent Hill appearances — are to assess election security preparedness across all levels of government, and to see what can be done before the 2018 elections to safeguard them. Democrats plan to lob a few protests, a Democratic committee staffer told MC. Among them: Republicans should have invited the director of national intelligence to testify, given his warnings about ongoing Russian interference; the GOP should back additional election security funds after rejecting them last week; and Republicans need to aid Democrats’ requests to DHS for more information on the alleged 2016 Russian attacks.
CDM LEGISLATION UP TO BAT — The House Homeland Security Committee today marks up legislation (H.R. 6443) that would enshrine DHS’s Continuous Diagnostics and Mitigation program in law and require that it keep pace with technological advancements that would aid the program’s goal of strengthening federal agencies’ digital defenses. Rep. John Ratcliffe, the bill’s sponsor, will argue at the markup that the legislation is necessary after a recent government report that most federal agencies are at risk of failing their cybersecurity program. “It is DHS’s CDM program that will help federal agencies and the whole of the federal government understand the threats they face, and the risks vulnerabilities pose in real-time,” his prepared opening remarks read.
Rep. Jim Langevin plans to offer an amendment to the bill to reflect his concerns that the original four-phased plan for implementing CDM might no longer be the best approach. “Many of the tools and services available under Phase 3 and Phase 4 would both be useful in agencies now, and it remains unclear to me why the Department would not aim to implement them in parallel,” he said in a statement emailed to MC. “My amendment will require DHS to address these important questions in its strategy and implementation plan required under the bill.”
LIFE, AND PEN-TESTING, FINDS A WAY — Penetration testers continue to slip into systems like they’re Swiss cheese, according to a new reportfrom the security firm Rapid7, which offers pen-testing services. The company said its employees successfully exploited a digital flaw in 84 percent of attempts, while its success rate for abusing a “network misconfiguration” was just slightly lower, at 80 percent. “The environments where software vulnerabilities were encountered grew significantly” from the previous survey period to the current one, Rapid7 said in its report, which is based on 268 pen-testing “engagements” conducted between last September and mid-June.
The three most common configuration errors that opened the door for pen-testers were “service misconfiguration,” password reuse, and accounts holding unnecessarily elevated privileges. Meanwhile, the most popular password lengths are eight, 10, and nine digits, respectively, according to Rapid7’s database of compromised credentials. Eight-digit passwords are far and away the most popular, accounting for 46 percent of the database.
“It is practically inevitable that an experienced penetration tester will uncover at least one vulnerability or misconfiguration and use it to their advantage,” the company said in its report. “However, this should not cause IT, security, and development teams to lose heart; there are strategies available to help minimize the impact of a breach, both simulated by a penetration tester or caused by a real threat actor.”
MORE INFO SURFACES ON GRID ATTACKS — “Hackers working for Russia claimed ‘hundreds of victims’ last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said,” The Wall Street Journal reported Monday. “They said the campaign likely is continuing.” The hackers “broke into supposedly secure, ‘air-gapped’ or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies.”
TAX FRAUD — The IRS could be doing more to prevent identity theft, according to a watchdog report out Monday. The Government Accountability Office made 11 recommendations for the IRS to follow to help ensure people are who they say they are online and elsewhere. Most notably, GAO suggests the service should follow the latest NIST guidelines on cybersecurity and direct its Identity Assurance Office to help develop a plan for implementing changes to its online authentication programs consistent with NIST.
LET ME SEE SOME I.D. — DHS on Monday awarded a $200,000 grant to a Canadian company that will design a system to authenticate smart devices and prevent them from being hijacked for cyberattacks. Plurilock Security Solutions Inc. will develop the system based on its existing BioTracker identity management platform. DHS’s goal is “to prevent spoofing of [internet of things devices] that can involve unfriendly actors pretending to be smart devices to launch attacks, access and steal user information, spread malware or bypass security,” according to an agency statement. DHS said BioTracker would suit this mission well because it “uses behavioral and contextual data from users to authenticate the identity of [a smart device] to protect it” from threats like DDoS attacks and botnets. Plurilock’s grant is the latest from the DHS Science & Technology Directorate’s Silicon Valley Innovation Program. It is the second non-American company to receive a SVIP grant.
RECENTLY ON PRO CYBERSECURITY — Twenty-one state attorneys general urged Congress to take action on election security. … National security adviser John Bolton will meet with his Russian counterpart next month. … Here’s how U.S. spies can figure out what President Donald Trump and Russian President Vladimir Putin discussed. … Secretary of State Mike Pompeo turned down an invitation to testify before the House Foreign Affairs Committee about Trump’s interactions with Russian and European leaders, citing a scheduling conflict, but will testify on the same subject before the Senate Foreign Relations panel.
— A survey of chief executive officers revealed that 72 percent admitted that they took intellectual property from a former employer, but 78 percent agree that IP is the most valuable asset their companies have. The survey, by data security company Code42, also found that the CEOs were fairly cavalier with protecting their work: 93 percent said they keep copies of their work on a personal device, 63 percent confessed to clicking on a link they should’ve have or didn’t mean to and 59 percent said they downloaded software without knowing if it was approved by company security. Separately, the survey findings include the opinions and impressions of chief information security officers on a range of data security questions as well.