Politico: U.S., allies slam China for brazen cyberattacks as Trump administration indicts hackers

By Eric Geller

The Chinese government broke its promise to stop hacking U.S. businesses and stealing their trade secrets, the Trump administration declared Thursday, ratcheting up tensions between two of the world’s cyber superpowers and adding fuel to a trade war that has spooked global markets.

“China stands accused of engaging in criminal activity that victimizes individuals and companies in the United States, violates our laws, and departs from international norms of responsible state behavior,” Deputy Attorney General Rod Rosenstein said at a press conference.

To emphasize the point, the Justice Department on Thursday indicted two Chinese hackers for a long-running economic espionage campaign that resulted in the theft of hundreds of gigabytes of data from companies and government agencies.

Hours later, DHS and the State Department warned Beijing to “abide by its commitment to act responsibly in cyberspace” and said the U.S. would “take appropriate measures to defend our interests.”

Thursday’s actions confirm what private-sector cybersecurity researchers and U.S. intelligence officials have been saying for months: The 2015 agreement in which Beijing pledged to stop hacking U.S. companies for their valuable intellectual property is dead.

“The activity alleged in this indictment violates the commitment that China made to members of the international community,” Rosenstein said. “The evidence suggests that China may not intend to abide by its promises.”

The two Chinese hackers, Zhu Hua and Zhang Shilong, worked for a technology company in Tianjin, China, and “acted in association with” China’s Ministry of State Security, according to the indictment unsealed today in federal court in the Southern District of New York. They were part of a group that security researchers and the government have dubbed APT10, for “advanced persistent threat.”

The men participated in two parallel campaigns of digital intrusions, DOJ said. In the first operation, beginning in 2006, they hacked at least 45 companies and government agencies in at least 12 states and stole vast troves of data from firms in industries such as aviation, oil and natural gas, manufacturing, pharmaceuticals, and telecommunications.

In the second campaign, which began in 2014, they hacked “managed service providers,” which offer technology services to other companies, and stole data from manufacturing, consulting, healthcare, biotechnology, consumer electronics and other companies around the world.

The companies were located in Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom and the U.S., according to the indictment.

Prosecutors said that APT10’s “hacking operations evolved over time, demonstrating advances in overcoming network defenses, victim selection, and tradecraft.”

Also on Thursday, the United Kingdom issued statements blaming China’s government for sponsoring economic cyberattacks across the U.S., Europe and Asia.

Adam Segal, who leads the cyber program at the Council on Foreign Relations, praised the U.S. for building a global coalition against Beijing’s activities.

“Getting other countries to call China out is an important step,” he told POLITICO. The Trump administration, he added, is “likely to get more traction with Beijing when it is multilateral, not just the United States criticizing.”

Rep. Jim Langevin (D-R.I.), one of Congress’s most active lawmakers on cyber policy, agreed. “Collective international action, rather than going it alone, is the best way to make it clear to China that their actions are unacceptable,” he said in a statement.

At the press conference in Washington, Rosenstein said that the Chinese government “will find it difficult to pretend that it is not responsible for these actions.”

“In some cases, we know exactly who is sitting at the keyboard perpetrating these crimes in association with the Chinese government,” he said. “There is no free pass to violate American laws merely because they do so under the protection of a foreign state.”

But experts also expressed disappointment at the limited nature of Thursday’s actions. The indictments “fell short of the full punitive response that many in the administration were advocating,” said Paul Triolo, an expert on China and global technology issues at the Eurasia Group.

Treasury Secretary Steven Mnuchin and other “administration moderates … were able to prevail in their efforts to hold back the most punitive actions,” Triolo told POLITICO.

Chris Painter, who was the State Department’s top cyber diplomat from 2011 to 2017 and helped negotiate the 2015 agreement, said the Trump administration should make economic espionage central to the bilateral relationship.

“This cyber activity is only part of a larger set of issues with China,” he said, “and there needs to be consistent messaging that continuing this malicious activity is a roadblock to solving other issues between our countries.”

Segal, Painter and Langevin urged the U.S. and other Western countries to sanction the Chinese firms that benefited from Beijing’s cyber thefts.

“Chinese business leaders need to understand that if they make a Faustian pact with their government, they will not be welcome in the international community,” said Langevin.

Thursday’s actions mark the most aggressive turn in a months-long effort by the Trump administration to shine a spotlight on Beijing’s malicious cyber activity, especially its use of cyberattacks to steal U.S. intellectual property and hand it off to Chinese businesses.

In March, the Office of the U.S. Trade Representative issued a report on Chinese intellectual property theft that detailed Beijing’s decade-long campaign of “cyber intrusions into U.S. commercial networks targeting confidential business information held by U.S. firms.”

“Through these cyber intrusions, China’s government has gained unauthorized access to a wide range of commercially valuable business information, including trade secrets, technical data, negotiating positions and sensitive and proprietary internal communications,” the report said. “These acts, policies, or practices by the Chinese government are unreasonable or discriminatory and burden or restrict U.S. commerce.”

China is linked to more than 90 percent of DOJ’s economic espionage cases over the past seven years, as well as more than two-thirds of its trade secrets theft cases, Rosenstein said today.

Speaking after Rosenstein, FBI Director Christopher Wray told reporters that “no country poses a broader, more severe, long-term threat to our nation’s economy and cyber infrastructure than China.”

Intellectual property theft has long been a source of tension between the U.S. and China, the world’s two largest economies, and in 2015 the issue came to a head before a summit between Presidents Barack Obama and Xi Jinping.

Facing the threat of sanctions just as Xi and his high-level delegation were set to arrive in Washington, Beijing agreed to a deal that would ban the “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” Xi and Obama announced the agreement from the Rose Garden following their summit.

Cybersecurity researchers saw a significant drop-off in Chinese intellectual property theft following the deal. But in recent years, as trade tensions escalated following Trump’s election, the hacking resumed its previous pace and expanded to new areas, including “dual-use” technology that has commercial and military applications, experts said.

“On the one hand the diplomatic agreement definitely worked, but on the other hand it established a narrow norm that Beijing has continued working around using all elements of national power to improve their economy at the expense of U.S. competitors,” Christopher Porter, chief intelligence strategist at the security firm FireEye, told POLITICO.

For a while, the U.S. government avoided directly accusing China of breaching the 2015 agreement. But that changed in recent months. In November, Rob Joyce, a senior NSA cybersecurity official, said it was “clear that they are well beyond the bounds” of the deal.

“We’ve certainly seen the behavior erode in the last year,” said Joyce, who previously served as Trump’s cyber coordinator in the White House. “And we’re very concerned with those troubling trends.”

On Oct. 30, the Justice Department announced charges against Chinese intelligence officers and their contract hackers for a five-year cyber campaign that targeted, among other things, the proprietary design for a jet engine.

“At the time of the intrusions,” the government said, “a Chinese state-owned aerospace company was working to develop a comparable engine for use in commercial aircraft manufactured in China and elsewhere.”

The indictment followed news that Belgian authorities had extradited to the U.S. a senior officer of China’s Ministry of State Security to face economic espionage charges, also related to aviation firms. Officials said it was the first U.S. extradition of a Chinese spy.

Another aspect of the counter-China offensive is a focus on the so-called supply chain, the complex and often opaque web of companies that design, produce and sell technology products and services.

U.S. intelligence officials worry the Chinese government will pressure its telecom giants, Huawei and ZTE, to manipulate the equipment they sell to Western countries for espionage and disruptive cyberattacks. The U.S. is trying to persuade its closest allies to stop using those companies’ products, but the effort has met with mixed results.

Washington is also concerned about Chinese cyberattacks on corporations and government agencies that host vast troves of Americans’ personal data, especially information — like security clearance applications and health records — that could help Beijing turn Americans into double agents.

The 2014 hack of the U.S. Office of Personnel Management, which compromised the records of 21.5 million current, former and prospective federal employees, was part of this campaign, officials have said. So too was the hack of the giant health insurer Anthem, disclosed in January 2015, which exposed more than 37.5 million patient records.

U.S. officials believe the massive Marriott data breach, which compromised as many as 500 million people’s information, was also part of this counterintelligence project. That hack, which the company disclosed on Nov. 30, included not only basic information like names, phone numbers and street addresses, but also passport numbers. Secretary of State Mike Pompeo publicly blamed China for the hack last week.

None of the OPM, Marriott or Anthem data has surfaced online, which would be unusual if it lay in the hands of garden-variety cyber criminals. The U.S. believes Beijing’s analysts are poring over the data, trying to determine who is most susceptible to recruitment by China’s spy services.

Complicating efforts to reduce this type of hacking is the fact that the U.S. — along with every other country with an advanced cyber program — also conducts cyber espionage. Efforts to prosecute foreign government hackers for digital spycraft risk creating a norm that intelligence and national security officials see as unwise. In addition, other countries might try to charge NSA or CIA hackers using the U.S.’ rationale.

While China’s intelligence operations may perennially bedevil U.S. investigators, senior DOJ officials appeared confident Thursday that exposing Beijing’s economic espionage would yield results.

“Today’s charges mark an important step in revealing to the world China’s continued practice of stealing commercial data,” said Rosenstein.

MeriTalk: New Bipartisan Bill to Authorize $10 Million for Cyber Education

SOURCE: MeriTalk

WASHINGTON, D.C. – On Tuesday, Representatives Jim Langevin, D-R.I., and Glenn Thompson, R-Penn., introduced the Cybersecurity Education Integration Act, a bill that would establish a grant program to develop career and technical education (CTE) classes that include cybersecurity fundamentals.

“Whether in our hospitals or our power grid, vital systems are increasingly being connected to the Internet,” said Langevin. “We need to offer better training for the workers who deal with these systems on a day-to-day basis, particularly in safety critical industries where lives can be put in jeopardy by malicious cyber actors.”

The bill includes $10 million to establish a competitive grant program run by the Department of Education to provide grants up to $500,000 to partnerships of educational institutions and employers that commit to include cybersecurity in career and technical education. Applicants would need to describe which sector of critical infrastructure their program plans to train for, the workforce needs of that sector, the work-based learning opportunities available to program participants, and how the program would lead to a recognized postsecondary credential, among other criteria.

“We must ensure we’re protecting sensitive data and critical infrastructure from bad actors, and this bill is one step in the right direction,” said Thompson. “By enabling our next generation of learners to have the most sophisticated and comprehensive educational programs out there, we will be better prepared to protect our most critical systems and assets.”

The bill also requires the Department of Education to consult with the Department of Homeland Security and the National Institute of Standards and Technology to find the most pressing workforce needs in critical infrastructure.

The bill has been referred to the House Committee on Education and the Workforce for further consideration.

Federal News Network: Top House Armed Services Democrat wants oversight of new DoD cyber strategy

By Scott Maucione

With the Democrats taking control of the House starting in January, the likely-incoming chairman of the House Armed Services Emerging Threats and Capabilities Subcommittee is whittling down his priorities for the panel in the next legislative session. The top areas he wants to cover have a common thread that should come as no surprise: cyber.

Rep. Jim Langevin (D-R.I.) was just reelected to his tenth term in Congress, and is poised to take the gavel from current chairman, Rep. Joe Wilson (R-S.C.).

In an interview with Federal News Network, Langevin said cybersecurity, election security and keeping a watchful eye over the Trump administration’s new defense cyber policy are some of the most important topics the subcommittee will face in the coming year.

“We want to make sure they are held accountable and we are properly implementing these new strategies,” Langevin said.

DoD’s new cyber strategy, which was released in September, is much more “forward leaning” than strategies of the past, Langevin said. The strategy focuses on great power competition and also allows DoD to more readily conduct cyber operations in defense of the nation outside of its own networks.

What’s concerning is “the unintended consequences,” Langevin said. “If we are going to be more proactive in cyberspace, I think that can be a good thing, but working with allies and having international coordination is essential.”

To that point, Langevin criticized the administration’s decision to eliminate the cybersecurity coordinator at the State Department and the cybersecurity coordinator role on the National Security Council.

The Trump administration said it got rid of the roles in the NSC and State Department as part of an effort to cut back bureaucracy and streamline decision making.

“Big mistake,” Langevin said. “Cybersecurity is not just a U.S. problem or challenge; it’s an international problem and challenge that we need to work on together. Having an international focus and having someone at the State Department is going to help coordinate those cyber strategies and responses.”

While Langevin thinks international cooperation is imperative to the nation’s cybersecurity, he also thinks the government and private sector need to ramp up their communication about cyber threats.

“We are going to continue to track the implementation of the Cybersecurity Information Sharing Act of 2015,” Langevin said. “It has not lived up to its potential or what I certainly hoped we would accomplish in terms of sharing robust threat information, threat signatures and network speed. That has not happened at all to the level it needs to happen.”

Currently, only six companies are sharing cyber threat information with the government and about 200 are taking the information the government is offering, Langevin said.

“That just seems incomprehensible, that the numbers would be low, but that’s the reality and we have to do better,” Langevin said. He added that it is unclear why the companies are not signing up for the program.

“We need to get our arms around why and how we can incentivize more robust information sharing,” Langevin said. “The only way we are going to really effectively protect ourselves and the government is to properly inoculate ourselves when we know of a threat signature that could pose harm.”

Langevin is also planning on keeping a close eye on the delegation of authorities given to U.S. Cyber Command as it grows in its role as a full combatant command.

The congressman also stressed the need for a law that governs how quickly data breaches need to be reported. Currently each state has its own law about how quickly breaches need to be reported; Langevin wants a federal standard of 30 days.

Numbers around the 2020 Defense budget are already beginning to fly. Langevin said he agreed with Rep. Adam Smith (D-Wash.), who will likely chair the House Armed Services Committee, that the United States needs to specialize in certain areas and leave some slack for allies to pick up. That could have an effect on how big the Defense budget ends up.

Smith said Democrats will look at how they can, within a reasonable budget, manage risk while also prioritizing other factors that make a country “safe, secure and prosperous” like paying down debt and fixing infrastructure.

“The biggest problem I feel that we’ve had is, because we get this ‘Oh my God we have to cover everything [mindset],’ we wind up covering nothing well and that leaves the men and women who serve us in a position where they are not properly trained, properly equipped to meet all the missions we want them to meet,” he said. “It’s a complete impossibility to meet all the missions that we dream up.”

Langevin stated the sequestration caps for both defense and nondefense need to be lifted.

NextGov: DHS and Pentagon Memo Details Future Cyber Cooperation

By Joseph Marks

The Pentagon and Homeland Security Department have established a memorandum of understanding that details how the departments will work together on cybersecurity in the future, a Homeland Security official confirmed Wednesday.

That agreement “reflects the commitment of both departments in collaborating to improve the protection and defense of the U.S. homeland from strategic cyber threats,” according to written testimony from Homeland Security Assistant Secretary Jeanette Manfra.

It also “clarifies roles and responsibilities between DOD and DHS to enhance U.S. government readiness to respond to cyber threats and establish coordinated lines of efforts to secure, protect, and defend the homeland,” according to the statement delivered to a joint hearing of the cyber panels of the House Homeland Security and Armed Services committees.

A Homeland Security official confirmed the agreement is completed but did not provide additional details.

Rep. Cedric Richmond, D-La., described the agreement in broad terms during the hearing. Richmond, who is the ranking Democrat on the Homeland Security panel, said he has not read the memorandum yet.

The civilian-military agreement comes as the government is trying to ramp up civilian and military cooperation in cyberspace, especially when it comes to protecting election systems and other critical infrastructure such as banks, hospitals and airports.

In advance of last week’s midterm elections, 11 Pentagon cyber officials came over to Homeland Security’s cyber operations center as liaisons, Manfra told lawmakers during the hearing.

Those liaison officers were there to pave the way for their colleagues in case an election cyber threat popped up that state and local officials couldn’t handle on their own with Homeland Security’s support and the military needed to help out, Manfra said.

Though the departments were prepared, that threat didn’t materialize.

Rep. Jim Langevin, D-R.I., the ranking member on the Armed Services panel, praised the Pentagon and Homeland Security for removing legal and bureaucratic barriers to cooperation in advance of the election.

In the future, it will be critical for the two departments to work together on cyber threats, he said.

“While Congress has been abundantly clear about DHS’ primacy in defending civilian networks in the United States, coordination, collaboration and information sharing with the DOD will be critical to the defense of the homeland,” [Rep. Langevin] said.

Congress officially authorized the Defense Department to send those detailees to Homeland Security in August in a pilot program included in the most recent version of the National Defense Authorization Act, an annual defense policy bill.

The mammoth policy bill also mandated other Defense Department efforts to help the civilian government and critical infrastructure providers, such as banks and hospitals, repel cyberattacks if called upon.

The bill also mandated a study on whether to create cyber components in the military reserves that could assist states during a cyber emergency.

Overall, in the months leading up to the election, Homeland Security, the Pentagon and FBI made more progress on sharing cyber threat information and developing a common cyber operations picture than in the prior decade, Manfra told lawmakers.

ProJo: Rep. Langevin, seeking to restrain Trump, faces Caiozzo, GOP moderate and veteran

By Mark Reynolds

PROVIDENCE, R.I. –

A 57-year-old West Greenwich man who served in the Army before he ran a plumbing business is the Republican candidate who hopes to unseat U.S. Rep. James R. Langevin next month.

To continue his run in Rhode Island’s 2nd Congressional District, which started in 2000, Langevin must vanquish Salvatore G. Caiozzo on Nov. 6.

Langevin has done this before. But the political landscape has changed since the 54-year-old Democrat beat Caiozzo in 2016.

This is not to say that Caiozzo, who ran as an independent that year, now represents himself as Rhode Island’s version of President Donald Trump.

“I am Sal,” Caiozzo says in the early moments of his interview. “Sal is a guy who has been out here with everybody else and knows exactly what everyone is going through. I have my own platform.”

“Yes, I am a Republican, because I stand by certain Republican values, but it doesn’t mean I stand by all of them,” adds Caiozzo, who describes his politics as moderate and not unlike those of a John F. Kennedy Democrat.

That said, here are a few things that Caiozzo and Trump agree on:

Like Trump, Caiozzo supports members of the North Atlantic Treaty Organization spending more money on their own defense.

“I think we’ve been used long enough by NATO,” says the candidate, who won endorsement from the Republican Liberty Caucus, an association of the GOP’s libertarian-leaning activists.

But if the U.S. spends less money on its NATO commitments, Caiozzo says, the savings should benefit veterans.

Caiozzo, who says he was disabled by exposure to chemicals on an Alabama Army base in the 1980s, talks quite a bit about supporting veterans.

Like Trump, Caiozzo wants to change the nation’s health-care policy. But he says he would not abandon parts of the Affordable Care Act that provide coverage for preexisting conditions.

Schools and education decentralization are central to the Taunton, Massachusetts, native’s platform. He says he wants to improve education across the country and he believes education should be governed at the state and local levels, not by the federal government.

Neither Caiozzo nor Langevin brought up the probe being conducted by Special Counsel Robert Mueller, who is investigating Russian interference in the 2016 election and contacts between the Trump campaign and Russia.

When prompted, Caiozzo says, “I haven’t really seen the Mueller investigation come up with anything.” He adds that he regards the probe as a “waste of money.”

Langevin said if he and other Democrats can control the House after the election, they can provide stronger checks and balances on Trump generally.

He is hopeful, he says, that even with the current Republican majority in the House, Congress will keep Trump from shutting down the investigation.

“I’m determined to let the truth come out and let the facts lead where they will,” Langevin says.

But taking control of the House would “certainly allow us to advocate for and put forth policies that are important to building a strong middle class in this country,” he says.

“We would end attempts to try to dismantle the Affordable Care Act,” he says. “And we would hopefully work on ways to strengthen and improve health care, quality health care, in the country, and also work on growing good-paying jobs to further grow a strong middle class.”

The experienced politician has lots to say about how he would proceed if given the chance.

Langevin’s focus is on the middle class, improving the health-care system, launching infrastructure projects, protecting the country from cyberattacks and reducing gun violence.

“The country is at its best when we have a very strong middle class,” says the Warwick resident, who also says political leaders must do what’s possible to help Rhode Islanders gain the skills they need to find good-paying jobs.

Langevin, the first quadriplegic elected to Congress, was paralyzed when he was accidentally shot as a 16-year-old. He says he’s captivated by research that shows that a large proportion of all guns tied to crimes are funneled through a very small proportion of companies that supply guns.

“There is something wrong with that,” he says.


Salvatore G. Caiozzo

Age: 57

Residence: West Greenwich

Occupation: Retired from plumbing business, disabled veteran

Affiliation: Republican Party

Education: Monsignor Coyle & Cassidy High School, attended Labore Junior College and the University of Palermo

Previous elected office: None

Family: Single with two grown sons and one daughter


JAMES R. LANGEVIN

Age: 54

Residence: Warwick

Occupation: U.S. representative

Affiliation: Democrat

Education: Rhode Island College, Harvard University

Previous elected office: Rhode Island secretary of state, 1995-2000; state representative, 1989-1994

Family: Single

Washington Post: The Cybersecurity 202: The U.S. needs a law that requires companies to disclose data breaches quickly, cybersecurity experts say

By Derek Hawkins

WASHINGTON, D.C. – A slight majority of digital security experts surveyed by The Cybersecurity 202 say the United States should follow in the European Union’s footsteps and pass a law that requires companies to disclose data breaches quickly.

Europe’s General Data Protection Regulation requires companies with customers in the E.U. to notify regulators of a breach within 72 hours or face a severe penalty. Fifty-four percent of experts we surveyed supported a similar law in the U.S. The Network is our panel of more than 100 cybersecurity leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)

Some experts said they favored federal legislation because it would help replace the patchwork of state laws that govern data breach notification in the United States. “Today, companies in the United States are required to comply with 50 different state laws when they suffer a data breach affecting personally identifiable information they control,” said Rep. Jim Langevin (D-R.I.), who has introduced legislation to create a national breach notification standard. “This is bad for business and bad for consumers, who are treated differently depending on where they live.”

“Europe now plays by one set of rules, while the United States plays by over 40,” added Jeff Moss, who founded the Def Con and Black Hat hacking conferences. “This is a costly, confusing and at times contradictory mess that only a national breach notification law can resolve.”

The issue has been in the spotlight in recent weeks. In late September, Facebook reported that hackers stole information that could have allowed them to take over tens of millions of accounts. After learning of the breach, Facebook disclosed it within 72 hours even though the company did not have all the information about the breach. Google took a different approach. The search giant learned in March that a software bug exposed data on half a million accounts on its social media service Google+ but did not disclose it until this month — and was criticized for not being transparent.

Survey respondents disagreed on how much time companies should be given to disclose their breaches. Langevin’s bill, for instance, would offer companies more leeway than GDPR. Instead of three days, they’d have 10 days to notify regulators after discovering a breach, and 30 days to notify consumers. “These timelines allow flexibility for companies to determine the scope of a breach while ensuring prompt notification so people can protect themselves,” he said.

There are competing bills on Capitol Hill, though: Legislation introduced by Sens. Amy Klobuchar (D-Minn.) and John Kennedy (R-La.) would mirror GDPR, requiring companies to disclose a breach within 72 hours of discovering it.

And other experts said 72 hours would be the right time frame. Chris Wysopal, chief technology officer at the cybersecurity firm CA Veracode, said that window would help the victims of a data breach take quick action to protect themselves from attackers who seek to misuse their information. “Attackers want to monetize the private data the companies store,” he said. “People have a right to know and protect themselves from subsequent attacks using this data, whether it is phishing or fraud. Having a standard like 72 hours will help all companies being on a level playing field and build processes to respond in a timely way.”

Harley Geiger, director of public policy at the cybersecurity firm Rapid7, agreed — provided that the countdown begins “when the company concludes a breach has occurred, not on discovery that an incident or attack occurred.”

“The company will need time to identify and investigate the incident, determine whether data was accessed or exfiltrated, and conclude based on the evidence that a breach has actually occurred,” Geiger said. “Reporting ‘a breach’ to regulators or the public prior to that process can be counterproductive for all sides, including consumers.”

The hack disclosed by Facebook late last month illustrates the complications of reporting a breach early. While Facebook took just three days to notify privacy regulators and the public that hackers may have compromised up to 50 million user accounts, the social media giant had only just begun to investigate the incident at the time of the announcement, and Facebook officials weren’t able to offer users a clear picture of the risks. In an update Friday, Facebook revealed that the hack affected about 20 million fewer users than it previously estimated — but that hackers had stolen more sensitive information than the company initially indicated, including search histories and location data.

Mark Weatherford, a former cybersecurity official in the Department of Homeland Security, supports a breach notification law but cautioned that figuring out the scope of an incident is complex and time-consuming work. “While there needs to be a trigger that starts the process, reporting too soon leads to mistakes, revisions and recriminations that might be avoided by waiting until enough information is gathered,” he said.

Jamie Winterton, director of strategy for Arizona State University’s Global Security Initiative, said a U.S. breach notification law should be coupled with measures that provide recourse to breach victims and impose consequences on companies. “Timely notification is important. But without some guidance on what regulators — and victims — should do, it feels somewhat toothless,” she said. “They should specifically address the needs of breach victims and establish some sense of corporate responsibility.”

Yet 46 percent of respondents said the United States shouldn’t impose a breach notification standard similar to the one in Europe.

“Unfortunately, GDPR does not take into account the reality of incident response and will lead to multinational companies disclosing breaches before they can provide accurate information or even be sure their attacker has been flushed from their network,” said Alex Stamos, Facebook’s former chief security officer who is now an adjunct professor at Stanford University. “Any U.S. law should balance promoting speedy disclosure with accurate disclosure.”

Jessy Irwin, head of security at Tendermint, agreed. “Being required to report a breach so early in the investigative process, when new facts emerge and information changes rapidly, will cause much more harm than it prevents on all fronts, especially if reporting has the potential to compromise an organization’s ability to effectively coordinate with law enforcement,” she said. “This kind of instant-gratification breach reporting legislation sets up smaller teams with fewer resources for major, major failure.”

There isn’t a one-size-fits-all solution, some experts argued. “Timing isn’t always the most important part of transparency,” said Steve Weber, founder and director of the Center for Long Term Cybersecurity at the University of California at Berkeley. “And — as most people in the business know — 72 hours isn’t enough time to unravel what has really happened in even a moderately complex breach. The intention behind the law may be good, but this provision is just not sensible.”

Giving companies flexibility is reasonable, as long as they’re acting in the interest of the breach victims, said Cindy Cohn, executive director of the Electronic Frontier Foundation. “While we have been concerned about companies sitting on this bad news, there are also legitimate reasons for delay, like when either the company or law enforcement is trying to identify and catch the perpetrators or when important facts about the situation (how many people are impacted) are still unclear,” she said. “Fiduciary responsibility framing can help give some clarity here; the company must act in the interest of those whose data is impacted, not its own here.”

There could be risks to consumers, too. Some experts worried that a 72-hour timeline could wind up overwhelming users with unnecessary notifications that their information was compromised just to meet the standard. “The deadline is going to produce a lot of half-baked breach reports and lead to ‘breach notice fatigue,’ ” said Stewart Baker, former general counsel of the National Security Agency.

ProJo Editorial: For U.S. House: Cicilline, Langevin

SOURCE: Providence Journal Editorial

PROVIDENCE, R.I. — Rhode Island benefits from experienced, hardworking leadership in Washington. For that reason, we encourage our readers to vote to re-elect U.S. Representatives David Cicilline and James Langevin. As Democrats, they could become more powerful after January, if pollsters’ predictions hold true and control of the U.S. House flips to their party.

Representative Langevin, who serves Rhode Island’s Second District, sits on the House’s Homeland Security and Armed Services committees. Far from being content to serve as a partisan back-bencher, he has been a strong and assertive voice on defense and security matters. He supports internet privacy protections and wants to harden cyberprotections for the critical infrastructure of Rhode Island and the country.

He has correctly diagnosed weaknesses in America’s cyberdefenses, even as cyberspace is increasingly a battlefield for nation-states, terrorists and criminals. He has demonstrated a grasp of the havoc that could follow a widespread, malicious attack, and consistently advocated for greater cooperation among the interdependent public and private sectors.

Mr. Langevin also has advocated for broader and deeper health care services for all, especially the disabled. As a paraplegic, he provides a unique and personal perspective on issues ranging from stem-cell research to study of the most effective ways for people to undergo rehabilitation after becoming paralyzed.

He is popular, too, with Rhode Islanders, enjoying sizable electoral majorities after successful stints as a state representative and Secretary of State.

Representative Langevin is opposed by military veteran and Republican Sal Caiozzo, who is an advocate for veterans harmed by toxins while serving. Mr. Langevin’s experience and willingness to reach across the aisle suggest he is the better choice.

In the First Congressional District, which includes Providence and Newport, former Providence Mayor Cicilline enjoys a huge party registration advantage over Republican challenger Patrick Donovan and should coast to victory.

Mr. Cicilline has been an advocate for trying to limit the spread of guns in America. He has aggressively pushed for expanded background checks for gun purchasers and a ban on assault weapons.

In Washington, Mr. Cicilline’s articulate tongue has served him well. He has been willing to appear on conservative TV programs, making the case for his party’s values and helping to bridge the yawning partisan chasm in the nation’s capital. He has also spoken out for manufacturing in America. And he has been a champion of newspapers and a free press.

Mr. Cicilline could well be leadership material. A respected member of the Congressional Progressive Caucus, he is competing for the new elected position of assistant majority leader. Little Rhode Island can use all the power it can get in Washington.

We believe Rhode Island voters would be well-served by returning its incumbent U.S. House members to office.

CyberScoop: Leet List- Jim Langevin

SOURCE: CyberScoop 2018 Leet List

As a co-founder of the Congressional Cybersecurity Caucus, Rep. Jim Langevin has helped shape the policy debate on Capitol Hill on issues ranging from federal bug bounty programs to information sharing. The Rhode Island Democrat talks about what galvanized his interest in cybersecurity and his hopes for bipartisanship on the issue, among other topics.

CyberScoop: What sparked your sustained focus on cybersecurity?

Rep. Jim Langevin: A lot changed for me the day a couple of scientists from Idaho National Lab came and gave me a briefing on the Aurora threat [in 2007].

In the SCIF, we saw the video of the generator blowing itself up. They described to me how it could be done. It’s, at first, hard to get your arms around, but then as they further explained, this could affect not only just one generator but several, and not only just one power generation facility, [but] potentially it could shut down a whole sector of the country’s electric grid as a result of a SCADA attack. And that was very alarming.

CS: That was 2007. More than 10 years later, we hear the word “cyber” more on Capitol Hill, for better or for worse. How have your fellow lawmakers improved in paying attention to and talking about cybersecurity, and how do they still need to get better?

JL: Members of Congress have become more aware of the problem in the same way that the American people have become more aware of the problem, in many cases because of the high-profile cyber-intrusions or events that have occurred.

We’ve been at this for a long time. I’d love to say that it is because of the work that I did, or that we did together, to raise awareness. That was a part of it, of course, but unfortunately, most of it is because of the large number of cyber-intrusions and threats that the country has faced, the personal and private information that’s been stolen and compromised, the theft of intellectual property, and the list goes on and on.

CS: Do you find yourself being an educator with fellow lawmakers on cybersecurity? Do other members heed the advice of colleagues who have been paying attention to the subject longer?

JL: There are different times that a bill that I have sponsored or co-sponsored, and it’s come up for a vote, that I have members say they voted for the measure because they have a lot of respect for me on this topic and they know that I spend a lot of time on this issue.

Each member of Congress specializes in a different topic. We’re not all experts on every topic. Certain people are go-to people on any range of issues, and cyber happens to be something that I spend a lot of time on.

CS: Have we had a galvanizing moment that generates widespread momentum to drive better cybersecurity policy — the proverbial “Cyber 9/11,” to use a tortured metaphor? Was the 2016 election that moment?

JL: It was a moment, and certainly one of those things that has gotten people’s attention. But it wasn’t a Cyber 9/11, per se. I am still worried about that type of event occurring. It’s still possible, even though it may be remote at this point. It’s still a possibility. … It’s one of those things that keeps me up late at night — you wonder when or if that date will ever come. It’s probably more of a “when” not “if.”

I’ve often said that you will never have modern warfare again without some type of a cyber component to it.

The United States continues to get better at being better organized and defended against a Cyber 9/11. But you can never say never, that it won’t happen. But between the work that the Department of Homeland Security is doing, the work that U.S. Cyber Command is doing, [and] NSA, we have nation-state capabilities to defend the country. But there’s still more work to do. Remember, most of critical infrastructure is still in private hands and we haven’t completely figured that piece out yet as to how we [might] adequately defend the country if there were a Cyber 9/11.

CS: Cybersecurity has often been described as a bipartisan issue. But with all of the politicization of the aftermath of Russian hacking and information operations during the 2016 election, is cybersecurity still a bipartisan issue in 2018?

JL: I believe it is. … Some make it a partisan issue, but I don’t see it that way. Case in point: I have a bipartisan election security bill, the Paper Act, with Congressman Mark Meadows [a Republican from North Carolina].

We both see this as an American issue — not a Democrat or Republican issue, it’s an American issue – that we need to do a better job with, securing our elections infrastructure.

CS: Congress has recently moved to set up bug bounty and vulnerability disclosure programs at multiple federal agencies. What have you learned from talking to experts on what works in setting up these types of programs at agencies?

JL: What I’ve learned over the years in working on the cybersecurity issue and [from] meeting with cybersecurity researchers is that they want to help … they want to help make the internet more secure and function the way it’s intended to.

Bug bounty programs are a great way to leverage that private sector talent, as we saw with the Pentagon’s bug bounty program. It was set up the right way. You get trusted researchers who want to do the right thing, provide them a vehicle where they can lend their talents, I think [it] is a good model. I’d like to see other government departments and agencies do a similar bug bounty program.

We also need to have a vulnerability disclosure program at each of the departments and agencies so that when cybersecurity researchers do find a vulnerability they’ve got somebody they can report it to – and they know that it’s going to be acted upon.