THE FUTURE OF THE SECURE ELECTIONS ACT — Things are looking up again for the Secure Elections Act (S. 2261), the legislation on its namesake subject that has the broadest support in the Senate. Lawmakers left it on the cutting room floor as a potential amendment to a defense policy bill earlier this week. But Senate Rules Chairman Roy Blunt said Wednesday at a hearing on election security that it’s “a bill we will take up at some point.” Sen. Amy Klobuchar, one of the chief sponsors of the bill and the top Democrat on the Rules panel, told MC that Blunt informed her it would come up sometime after another election security hearing tentatively scheduled for this month or next.
Klobuchar said the legislation already underwent tweaks at the request of state officials on some of its “smaller provisions.” Another needed tweak is related to the legislation’s calls for the release of $380 million in Help America Vote grants authorized way back in 2002, since Congress earlier this year approved distributing that cash. So what now? State election officials at a Wednesday Rules hearing said they still want more money, even if they differ on how highly the cyber threat to elections ranks. “The second piece is funding,” Klobuchar said. “We’d like to see more funding. We’ve talked about ongoing funding.”
Blunt told reporters after the hearing that many of the things the Secure Election Act bill would do, like ordering improved threat information sharing from the federal government, are already happening. But Klobuchar said it was worth getting those provisions into law, since leadership at DHS and other agencies working on election security will inevitably change. Speaking of that $380 million: A group of congressional Democrats on Wednesday asked the Election Assistance Commission to block states from purchasing paperless voting machines with those grants, but the commission said it doesn’t have that authority.
NO REPEATS — Senate Intelligence Committee Chairman Richard Burr on Wednesday said the Trump administration is sending so many mixed signals on Russia and the midterm election that it’s time to get U.S. intelligence community leaders in the same room and hash things out. The North Carolina Republican wants “anybody that’s got an intelligence operation that may have jurisdiction over Russia meddling” to “sit at one table to discuss what is or is not going on,” he said.
The remarks came after Intel held a public hearing with two Obama administration officials who offered another postmortem of why the White House wasn’t more forceful in defending against Moscow’s interference in the 2016 presidential race. “Much of our problem in responding strongly and quickly enough in 2016 stemmed from insufficient integration of information among government agencies, which led to delays in attribution,” said Victoria Nuland, who served as assistant secretary of state for European and Eurasian Affairs. Another reason is that the Russians “expected deterrent measures and didn’t see them, and so felt they could keep pushing.” In the aftermath, “other countries and malign actors are now adapting and improving on Russia’s methodology, notably including China, which now runs disinformation campaigns and influence operations in Taiwan, Australia and other neighboring countries,” she warned.
Michael Daniel, former President Barack Obama’s cybersecurity coordinator, said Russian hackers likely scanned the election systems of all 50 states for vulnerabilities in 2016 — not just the 21 states confirmed as targets by DHS officials late last year. “I think it is highly likely,” he told the panel. “It was more likely that we haven’t detected it than it didn’t occur.” Daniel also warned Moscow could continue its digital attacks, citing the VPNFilter malware researchers uncovered last month that has suspected Russian origins. And he said that he was asked to “stand down” on developing cyber countermeasures against Russia during his time in the White House.
HAPPY THURSDAY and welcome to Morning Cybersecurity! Your MC host is looking forward to tonight’s NBA draft, even though the Wizards are unlikely to get anything out of it to transform their fortunes. Send your thoughts, feedback and especially tips to firstname.lastname@example.org and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
NICE TRY — The Pentagon should give up on trying to dominate cyberspace, according to a recent Defense Department assessment. “Permanent global cyberspace superiority is not possible due to the complexity of cyberspace,” states a new edition of Joint Publication 3-12, Cyberspace Operations, shared by Secrecy News. The document was originally published in 2013, and updated this month. The updated examination argues that mastering the digital domain is out of reach for various reasons, including existing legal frameworks and the inherent complexity of internet systems. “Even local superiority may be impractical due to the way IT is implemented; the fact U.S. and other national governments do not directly control large, privately owned portions of cyberspace; the broad array of state and non-state actors; the low cost of entry; and the rapid and unpredictable proliferation of technology,” according to the report. That said: “Commanders should be prepared to conduct operations under degraded conditions in cyberspace,” the assessment warns.
MY NAME IS DMARC — The top 100 federal government contractors are ahead of the curve when it comes to adopting a standard to foil email spoofing, email authentication company Valimail revealed in a study out today. Nearly half have adopted the Domain-based Message Authentication, Reporting and Conformance, or DMARC, standard, which Valimail estimates puts them ahead of nearly every other industry. They have done so despite not being subject to a DHS directive on DMARC issued last year. However, only 5 percent of the contractors appear to have DMARC set to the most rigorous levels, meaning the rest lack full protection against all fake emails, Valimail concluded.
GOOGLE ENHANCES SECURITY FEATURES — Google today is announcing new privacy and security features for Google Account for Android users, which will launch on other platforms later this year. On security, the changes build on last fall’s update of “Security Checkup” to give users an overview of account security. “The new Google Account experience builds on this and will show you prominent notices if we detect there’s something you can do to improve your security,” the announcement states. “For example, we might suggest you remove your account from old devices you’re no longer using or remove unverified apps you had granted access to your account data.”
NIST BOARD GETS CYBER SMORGASBORD — The technical standards agency NIST’s cyber advisory board holds its quarterly meeting today and Friday, with the board’s government and industry members set to receive briefings on a wide range of topics. First up for NIST’s Information Security and Privacy Advisory Board is a briefing on the government’s use of blockchain technology, featuring speakers from DHS and the National Technical Information Service. Then a NIST expert will deliver a briefing on supply chain risk management — a discussion that is sure to touch on the hot-button debates over Kaspersky, ZTE, Huawei and other companies deemed cyber-risky. Later, NIST fellow Ron Ross will update the ISPAB on NIST’s risk management framework, and another NIST staffer will brief the board on NIST’s National Initiative for Cybersecurity Awareness. Rounding out today’s briefings, NIST and HHS staffers will discuss how the government trains employees to spot social engineering schemes in their inboxes and on social media.
Friday’s briefings will include an update on congressional activities in the cyber realm, with one staffer from the House Energy and Commerce Committee and two from the Congressional Blockchain Caucus. An employee from OMB’s cyber team will discuss how that office is working with agencies to improve their information security practices. There will be yet another blockchain briefing, this one focused on how the technology can work for the government. Then a top cyber official at the Office of the Director of National Intelligence will offer a supply chain threats briefing, which may or may not be closed to the public. The last briefing will be from NIST and FTC staffers on the government’s efforts to help small businesses protect themselves from digital threats.
FORM UP — Hackers are using phishing emails to deploy easily purchased malware that can take screenshots of victims’ computers, record their keystrokes and steal their account passwords, according to researchers at Cisco’s Talos threat intelligence unit. “The author put a lot of effort in the infection vector using multiple malicious documents in a single phishing email,” the researchers wrote. Cisco has watched a specific campaign of spear-phishing attacks that use this brand of malware, dubbed FormBook, since last month. The virus is low-grade: it relies on two publicly disclosed vulnerabilities in Microsoft Office to slip past victims’ defenses and embed itself on their machines.
The new FormBook campaign shares infrastructure with a previous operation by hackers using the “Pony” malware, which Cisco wrote about in February 2017. This and other “technical elements” led Cisco to conclude that “the actor behind this campaign is probably the same actor behind” the Pony campaign. Most likely, researchers wrote, “he/she no longer uses Pony, but switched to FormBook in order to steal information on compromised systems.”
FormBook is a popular tool among hackers. In October, FireEye reported that hackers were using it to target U.S. and South Korean defense, aerospace and manufacturing firms. “Its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cyber criminals of varying skill levels,” the company said at the time.
SHAKE ON IT — Eleven more companies have enlisted with the Cybersecurity Tech Accord, an industry organization that asks members to commit to strengthening defenses, not conducting offense, building their capacity for handling cyberattacks and taking action together. The new companies are Atlassian, Carbon Black, Cyber adAPT, ESET, Gigamon, GitLab, KoolSpan, KPN, MediaPRO, Salesforce and WISeKe. The previous 34 signatories included tech and cyber giants like Facebook, Microsoft and Trend Micro.
RECENTLY ON PRO CYBERSECURITY — Lawmakers want Education Secretary Betsy DeVos to investigate alleged Chinese spying at U.S. universities. … The White House again criticized China over its tech and cyber rules. … The FTC will hold a series of public hearings that will touch on privacy and data security. … Illinois will spend $6.6 million in federal funds to help local governments thwart cyberattacks.
TWEET OF THE DAY — This … this is trolling, right?
PEOPLE ON THE MOVE — Suzanne Spaulding, the former undersecretary for DHS’s main cyber wing, has joined the board of advisers at cybersecurity and consulting services firm King & Union.
REPORT WATCH — Microsoft Office is increasingly becoming a target of attacks exploiting undiscovered vulnerabilities as it grows in popularity, Menlo Security concludes in a report out today. “Microsoft Office is now the latest platform for exploiting vulnerabilities,” the company concluded. “Almost all recent zero-day attacks have been delivered via Microsoft Word.”
— “Congress would urge the Commerce Department to investigate cybersecurity threats in the telecommunications supply chain in a draft reauthorization for the department’s National Telecommunications and Information Administration.” Nextgov
— “How a Few People Took Equifax to Small Claims Court Over Its Data Breach and Won.” The New York Times
— Blockchain might play a role in securing data collected at the border. Nextgov
— Major web platforms pulled a database listing personal information on Immigration and Customs Enforcement employees not long after it went public. Motherboard
— Tesla accused a former employee of stealing gigabytes of data. CNBC
— The Air Force is expanding its cyber training operations. Fifth Domain
— No, really. Fifth Domain
— Small businesses mostly fail to do anything after getting hacked. Computer Weekly
— Israeli Prime Minister Benjamin Netanyahu warned about cyber threats that could down aircraft. Reuters
— Europe’s data privacy law was expected to boost the cybersecurity insurance market, but it hasn’t. The Wall Street Journal
— The leader of an ethics watchdog group believes a House Democratic IT controversy isn’t getting enough mainstream media attention. Fox News
— Computer security researcher Nicholas Weaver surveys the international supply chain risk picture at Lawfare.
That’s all for today. Maybe it’s just because I dig the Polish Hammer, or maybe it’s because it was a dumb contract, but that Ian Mahinmi deal…