DOJ talks breaches, Cyber Command talks size
With help from Eric Geller and Martin Matishak
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
Advertisement
— A DOJ official told a Senate panel it should require breached companies to notify law enforcement, while the Cyber Command chief told the House it aims to rightsize its Cyber Mission Forces.
— “Kilos” looks like the hottest dark web search engine, with vast indexes of cybercrime forums and attractive features, researchers said.
— Five countries, including the U.S., will announce an anti-online child sexual exploitation initiative today.
HAPPY THURSDAY and welcome to Morning Cybersecurity! Kitty gon getcha. Send your thoughts, feedback and especially tips to tstarks@politico.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
OF BREACHES AND STANDARDS — Congress should consider requiring companies to alert law enforcement about data breaches as part of any nationwide breach notification standard, a DOJ official told senators on Wednesday. “We can’t respond to what we can’t see, and there are significant disincentives, [in] some cases, to reporting to law enforcement,” Adam Hickey, the deputy assistant attorney general for national asset protection, said at a Senate Judiciary Committee hearing about the risks of China’s relationships with tech firms.
Hickey encouraged lawmakers to go beyond personally identifying information when considering data breach legislation. “We ought to be thinking about threats to critical infrastructure, export controlled information and the like,” he said, adding that DOJ is “working on a proposal for such legislation now.” Speaking of legislative recommendations, Hickey’s prepared testimony listed others, including updating the 1986 Computer Fraud and Abuse Act to enable more effective prosecutions of insider threats and voting machine hacking.
Later in the hearing, a China expert told lawmakers that Beijing has “gotten ahead of the curve” on 5G and outflanked the U.S. at meetings where key standards are written. “There is no question,” said New America cyber policy fellow Samm Sacks, “that Chinese telecom companies … are sending more representatives to vote and influence the setting of 5G standards.” She also said the U.S. should work with China on setting AI standards: “There is a national security risk if we do decouple with China and lose visibility into the way they are thinking about these issues.”
THE RIGHT FIT — U.S. Cyber Command will work to determine if its Cyber Mission Force is constructed properly to meet all of its recent missions, its chief told lawmakers on Wednesday. The 133-team, roughly 6,200-person cadre of personnel that conduct cyber operations was conceived in 2012 and since then has taken on election support, combating foreign influence operations and defending the data and weapons systems of the armed forces, Army Gen. Paul Nakasone said during a House Armed Services subpanel hearing.
“What we are doing, given all of those missions, is, through a series of exercises this year, looking to gather data. What is the right size force that we need? Obviously as a commander I would tell you that I never have enough forces. But what I do need is I need the ability to show that in data,” according to Nakasone. The four-star — who has previously said the CMF would grow — noted that U.S. digital strategy, authorities and policies have changed “dramatically” in recent years, such as Cyber Command’s “persistent engagement” approach to online operations. All of those changes have “driven a larger op-tempo,” Nakasone said.
HOW MANY POUNDS IS THAT, THOUGH — A dark web search engine that emerged in November is rapidly becoming the Google of cybercriminal marketplaces and forums, Digital Shadows assessed in a blog post out today. The site, Kilos, might have connections to a predecessor, Grams, whose alleged operator was indicted last month. “Kilos lives up to its name though in the sense that it allows users to perform even more specific searches from a larger index than Grams did, enabling users to search across six of the top dark web marketplaces for vendors, listings and reviews,” Digital Shadowswrote.
The index isn’t the only upgrade, according to Digital Shadows: “Kilos’ growing index, new features, and additional se rvices combined could allow Kilos to continue to grow and position itself as a natural first stop for an increasingly large user base, whether it’s to find and purchase illicit products, search for specific vendors, look for reviews, or stay up to date on current news and updates on markets and forums.”
ENCRYPTION-ADJACENT — DOJ and U.S. allies today will hold a press conference to unveil an initiative to combat online child sexual exploitation, the subject around which the nations have centered their argument against warrant-proof encryption. The announcement will feature representatives of every member of the “Five Eyes” nations: Attorney General William Barr and acting DHS secretary Chad Wolf will attend alongside officials from the U.K., Canada, Australia and New Zealand. The Washington Post reported this week that the proposal “calls on tech companies to ensure search, social-networking, video streaming and chat tools aren’t havens for child predators.”
THIS SPACE MAYBE NOT FOR RENT — The Senate on Wednesday passed legislation (S. 1869) that would require federal agencies with leasing authority to obtain information from owners of a space about whether it’s foreign owned before entering into a deal for a high-security facility. “Storing sensitive materials and private data at properties owned by foreign adversaries, especially those with sophisticated intelligence agencies, could leave the federal government susceptible to breaches and attacks,” said top Senate Homeland Security Committee Democrat Gary Peters (Mich.), who sponsored the bill with Rob Portman (R-Ohio).
— AND NEXT WEEK THERE’S MORE: The Senate Homeland Security panel next week will mark up a CISA legislative priority (S. 3045), a measure that would give it administrative subpoena power to track down critical infrastructure owners via internet service providers when the agency discovers a vulnerability. The panel also will mark up legislation (S. 3207) that would require DHS to appoint a cybersecurity state coordinator in every state. A third bill (S. 2502) would largely ban federal purchases of foreign-made, off-the-shelf drones.
HAWLEY ESCALATES FEUDS WITH TIKTOK, APPLE — Per our friends at Morning Tech: Sen. Josh Hawley (R-Mo.) again chastised Apple and TikTok for declining to testify at another Senate Judiciary hearing on big tech and China on Wednesday, and he teased a new bill aimed at cracking down on TikTok. Hawley said he will continue to hold “open spots” for the firms to appear at future hearings on the topic. And he announced plans to introduce legislation “to ban the use of TikTok by all federal employees on all federal government devices.” He added: “This is a necessary step to protect the security of the United States and the data security of every American.”
IS THIS ‘HOMELAND’ ON SHOWTIME? — A U.S. military contractor stole information from classified DoD systems about human intelligence sources, then leaked it to an apparent Hezbollah operative around the time of last year’s strikes against Iranian-backed forces in Iraq, prosecutors said in an indictment released on Wednesday. The criminal complaint charged the contract linguist, Mariam Thompson, with espionage for sharing information with the Hezbollah co-conspirator with whom she had a romantic interest.
Investigators observed that following the U.S. airstrikes and continuing through February, Thompson allegedly went into DoD systems that she had no need to access, DOJ said. “Thompson accessed dozens of files concerning human intelligence sources, including true names, personal identification data, background information, and photographs of the human assets, as well as operational cables detailing information the assets provided to the United States government,” a press release stated.
CIRCLE CIRCLE DOT DOT — The Transportation Department inspector general will conduct an audit of the FAA’s security controls to protect 50 information systems where a breach would be catastrophic, the watchdog said in a Wednesday memo. Three years ago, the FAA informed program managers at the Air Traffic Organization that it was re-designating low and medium impact systems to high, and after an appeals process, 50 were ultimately upgraded to high. The IG also will review the FAA’s process for categorizing information systems.
TWEET OF THE DAY — Interesting discussion here.
RECENTLY ON PRO CYBERSECURITY — “U.S. prosecutors say they have a witness who will directly implicate a Russian businessman known as ‘Putin’s chef’ in schemes to carry out election interference overseas.” … Senate Commerce Chairman Roger Wicker (R-Miss.) said talks on data privacy legislation are at a standstill. … Sen. John Thune (R-S.D.) is filing a bill that would make 5G security a goal of U.S. trade negotiations. … Nokia said that legislation (S. 3189) offering money to rural telecommunications carriers to replace Huawei equipment if they subscribe to a certain standard is unrealistic. … A U.S. and Europe-backed candidate to lead the U.N. World Intellectual Property Organization is a bid to counter a Chinese candidate.
— Twilio announced that Steve Pugh, a former White House Military Office chief information security officer, is joining the company as its chief security officer. Pugh most recently was CISO for Ionic Security.
— Bloomberg: The aforementioned “Putin’s chef” speaks.
— A Huawei official told CyberScoop he doesn’t know how to keep track of how its technology is used.
— Austin American-Statesman: South by Southwest is still a go despite coronavirus fears shutting down other conferences.
— Protocol: But maybe coronavirus isn’t so bad for VPNs?
— TechCrunch: J. Crew got hacked around a year ago and just disclosed it.
— CyberScoop: The alleged LinkedIn hacker might have collaborated with other hackers.
— Daily Beast: A supposedly “new” app is linked to RT.
— Motherboard: Utah gave an AI company access to a lot of government-owned surveillance.
— CyberScoop: “Verisign, Amazon patch zero-day vulnerability that utilized homoglyph characters.”
— ZDNet: Hackers might have used the Citrix vulnerability to access a defense recruitment database.
Stay in touch with the whole team: Mike Farrell (mfarrell@politico.com, @mikebfarrell); Eric Geller (egeller@politico.com, @ericgeller); Martin Matishak (mmatishak@politico.com, @martinmatishak); and Tim Starks (tstarks@politico.com, @timstarks).
Gloss