with Bastien Inzaurralde
“I need a name on the door that tells what the organization does,” said Krebs, who has run the NPPD in an acting capacity since last summer and was confirmed this week. “If you don’t have a brand, you’re not in the game.”
House Homeland Security Committee Chairman Michael McCaul (R-Tex.) has introduced a bill to rebrand the oddly named agency as the Cybersecurity and Infrastructure Security Agency — a more descriptive title that matches its mission of helping the nation’s critical infrastructure sectors respond to cyberthreats. It would also elevate the agency so that it has the same stature as other DHS units, such as the Federal Emergency Management Agency.
It sounds like a simple change, and it has broad bipartisan support. But the measure has stalled in the Senate amid committee turf wars.
The struggle to approve the bill illustrates how the federal government’s sprawling national security apparatus makes it hard to pass even relatively uncontroversial cybersecurity legislation. U.S. cybersecurity capabilities are housed in many agencies — including the National Security Agency, the FBI and DHS — and lawmakers and other officials are squabbling over which are best equipped to lead the government’s response to a growing web of digital threats.
The goal of McCaul’s legislation, called the Cybersecurity and Infrastructure Security Agency Act, is to create a more accessible hub within DHS for government agencies and the 16 critical infrastructure sectors the agency protects to coordinate responses to cyberthreats. It's part of an overall expansion of DHS's cybersecurity capabilities that has taken place in recent years that has raised the department's profile as one of the government's key cybersecurity authorities. Under legislation Congress passed in 2015, the agency was tasked with leading the federal government's efforts to share threat information with the private sector. And in 2017, then-Homeland Security Secretary Jeh Johnson designated election systems as critical infrastructure, giving the agency a greater role in helping states shore up election security.
McCaul's bill would elevate Krebs's role to become Director of National Cybersecurity and Infrastructure Security to "lead national efforts to protect and enhance the security and resilience of U.S. cybersecurity, emergency communications, and critical infrastructure."
Krebs told me that he’s meeting with lawmakers on the Hill in hopes of moving the bill along.
“We’re watching the clock,” he said. “There’s only so many days left in the Congress, and this is a priority.” If approved, he added, it would be “a game changer for this organization” that would help recruit staff and send a clear signal to government and industry stakeholders about its role.
The House approved McCaul’s legislation in December in a voice vote. An effort to include it in the massive spending package President Trump signed in March was unsuccessful. Now it’s awaiting action in the Senate as part of legislation to formally reauthorize DHS for the first time since its inception 15 years ago.
McCaul told me recently he’s flummoxed by the Senate’s inaction, since everything in the legislation fits the mission Congress has outlined for DHS.
“The only thing I can think of is some of these senators are still of this old thinking” that the NSA should take the lead on the cybersecurity and infrastructure protection efforts, McCaul said.
“For God’s sake, now that we’ve given [DHS] this mission, I think we have an obligation to do everything we can to bolster their capabilities so they can carry out the mission,” he said, “and that’s really what the bill is designed to do.”
The proposal to create a cybersecurity and infrastructure agency started during the Obama administration with Suzanne Spaulding, a former undersecretary for NPPD. At the time, many federal agencies with cybersecurity functions, including the FBI and the NSA, were loath to give up their responsibilities. And the dozens of congressional committees that claim jurisdiction over parts of DHS couldn’t agree on who should be in charge, or whether cybersecurity and infrastructure belonged under one roof. A previous attempt by McCaul to create a such an agency failed in 2016.
“While we are taking so long to address the need for a more comprehensive approach to safeguarding critical infrastructure and cybersecurity, our adversaries are moving with increasing speed,” Spaulding told me recently. “This is an incredibly dynamic threat environment. And yet it takes us years to even change the name of the organization to reflect the mission.”
The Trump administration now supports the move, and Homeland Security Secretary Kirstjen Nielsen has urged the Senate to approve McCaul’s legislation.
"With strong leadership in place at NPPD, my next priority is to elevate our cybersecurity and infrastructure protection mission space within the Department and ensure the new agency is properly organized to meet the challenges of the rapidly evolving threat landscape," Homeland Security Secretary Kirstjen Nielsen said in a statement after Krebs's nomination. "Together, Under Secretary Krebs and I will continue to work with Congress to affirm DHS’s central role in leading the federal government’s critical infrastructure risk management efforts."
Frank Cilluffo, a homeland security adviser to President George W. Bush, told me he’s optimistic the bill will make it through this year. “This is one of the least controversial issues Congress needs to wrestle with, and if they can’t get this over the goal line, people ought to be scratching their heads,” said Cilluffo, who heads George Washington University’s Center for Cyber and Homeland Security.
Hill staffers I spoke with also said they were confident about the bill’s prospects. But with campaign season underway, not everyone is convinced it’s a shoo-in.
“All the sudden, when it’s the 11th hour again,” Spaulding said, “all it takes is for someone to cough and then it’s dead.”
| You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news. | |
| Not a regular subscriber? | |
|
PINGED, PATCHED, PWNED
PINGED: "Apple is making it harder for police to collect evidence from iPhones of suspected criminals," by The Washington Post's Craig Timberg and Tony Romm. "Apple announced Wednesday that it would block access to a port that law enforcement uses to break into iPhones during criminal investigations, a move that could reignite debate over whether tech companies are doing enough to help authorities probing serious crimes," Timberg and Romm write. "Apple said the change, which would disable the Lightning port on the bottom of iPhones an hour after users lock their phones, is part of software updates to be rolled out in the fall. Designed to better protect the private information of iPhone users, it will have little obvious effect on most people using the devices but will make it far more difficult for investigators to use extraction tools that attach through the port to collect the contents of seized iPhones.”
Julian Sanchez, a senior fellow at the libertarian Cato Institute, told Romm and Timberg that the security patch aims to fix a technical weakness instead of hindering investigators' work. “This could be painted as fundamentally about denying law enforcement access, but this is a security vulnerability,” Sanchez said. “There is a method by which the security of the [iPhone] can be compromised by devices law enforcement can purchase. There’s not really any reason to think only law enforcement will ever have those devices.”
Apple said this update is not meant to get in the way of law enforcement, but former FBI assistant director Ronald Hosko told my colleagues: "I think that privacy protections are on a collision course with responsible law enforcement actions to conduct legitimate investigations. Terrorists or other criminal organizations will do something that’s heinous, in a way that is blocked from lawful law enforcement view."
PATCHED: British authorities are investigating a massive data breach at the telecommunications retailer Dixons Carphone, Britain's National Cyber Security Centre (NCSC) announced on Wednesday. The company said in a statement that it discovered an attempt to compromise 5.9 million payment cards and also found that 1.2 million personal records such as names, addresses and email were accessed. “We are extremely disappointed and sorry for any upset this may cause,” Alex Baldock, the company's chief executive, said in a statement. “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
The NCSC advised Dixons Carphone customers to look for unusual activity on their financial accounts. “Be particularly wary of unsolicited emails, phone calls or SMS messages asking you to disclose further personal details eg login information — especially if they claim to come from your bank/credit card provider,” the NCSC said in a notice to customers. “Such scams can be very convincing, and attackers may use your personal data to make them look even more realistic.”
PWNED: China will start implanting radio-frequency identification chips on cars' windshields next month to create a nationwide tracking mechanism that will expand the country's vast surveillance system, the Wall Street Journal's Yoko Kubota reports. Participation in the tracking program will be optional when it starts on July 1 but will become a requirement for new vehicles next year, according to Kubota. Chinese authorities have made the case that such a plan will help manage traffic — the contours of the project were drawn by the Ministry of Public Security's Traffic Management Research Institute — but experts say it's hard not to see this new policy as a surveillance tool.
“It’s all happening in the backdrop of this pretty authoritarian government,” Ben Green, a fellow at the Berkman Klein Center for Internet and Society at Harvard University, told Kubota. “It’s really hard to imagine that the primary use case is not law enforcement surveillance and other forms of social control.” One of the people familiar with the project told the Journal that the tracking system will collect data such as license plate numbers and the car's color. “Reading devices installed along roads will identify cars as they pass and transfer the data to the Ministry of Public Security, said one of the people,” Kubota writes. “Unlike GPS tracking systems, the system won’t pinpoint a car’s position at all times.”
PUBLIC KEY
— Homeland Security Secretary Kirstjen Nielsen on Wednesday thanked Israeli Prime Minister Benjamin Netanyahu for his government's cooperation with DHS on a range of security issues, including cybersecurity. "In addition to these efforts, Secretary Nielsen also highlighted actions DHS has taken to counter threats," according to a statement from DHS. "These efforts include countering the proliferation of nuclear, missile, and other technology; providing capacity building to our allies; and countering cyber threats." Nielsen was in Jerusalem for the first International Homeland Security Forum.
— Trump plans to nominate Karen S. Evans for assistant secretary of energy for cybersecurity, energy security and emergency response at the Energy Department, the White House announced late Tuesday. Energy Secretary Rick Perry in February announced the establishment of an Office of Cybersecurity, Energy Security, and Emergency Response to strengthen the department's defense of energy infrastructure.
— A former defense contractor was sentenced to 41 months in prison for unlawfully retaining classified information, the Justice Department announced in a statement on Wednesday. Weldon Marshall shipped hard drives with classified information about military operations in Afghanistan to his Texas home while he worked overseas for Pentagon contractors, the department said. Previously, while serving in the Navy between 1999 and 2004, Marshall downloaded classified material — including documents about U.S. nuclear command, control and communications — onto a disk that he labeled “My Secret TACAMO Stuff,” according to the department's statement. He was arrested in January 2017 and will be under supervised release for one year after serving his prison sentence.
— The White House and Congress are on a collision course over the Trump administration’s deal to salvage Chinese tech giant ZTE, a company that many senators have said threatens national security. “A senior White House official said Wednesday that the administration would try to remove Senate language that severed a lifeline … Trump’s administration had extended to the company,” the Wall Street Journal’s Michael C. Bender, Siobhan Hughes and Kate O’Keeffe report. “The Senate is expected to pass the bill as soon as this week, and the White House official said the administration would try to block the measure later in the legislative process.”
— More cybersecurity news from the public sector:
PRIVATE KEY
— Facebook will roll out new privacy features to provide users a better understanding of how advertisers target them on the social network, Reuters's Joel Schectman reports. “Starting July 2, Facebook ... for the first time will require advertisers to tell its users if a so-called data broker supplied information that led to them being served with an ad,” Schectman writes. “Data brokers are firms that collect personal information about consumers and sell it to marketers and other businesses.” Facebook previously considered banning data brokers this year but backed down in the face of advertisers' discontent, Schectman reports. “Advertisers said the restrictions on data brokers would hurt their ability to aim their ads at customers most likely to buy their products,” he writes.
— “A Frenchman who was arrested in August 2017 after arriving in the United States to attend a beard competition in Austin, Texas has now admitted to being 'OxyMonster,' a well-known drug vendor on the Dream Market underground online marketplace,” Ars Technica's Cyrus Farivar reports. Gal Vallerius, 36, pleaded guilty on Tuesday to charges of narcotics trafficking and money laundering, according to a statement from the Justice Department. “Investigators began homing in on Vallerius when they analyzed the 'tip jar' that OxyMonster advertised on Dream Market,” Farivar writes. “According to the criminal complaint, '15 of 17 outgoing transactions from the “OxyMonster” tip jar went to multiple wallets controlled by French national Gal VALLERIUS on Localbitcoins.com.'”
— More cybersecurity news from the private sector:
SECURITY FAILS
THE NEW WILD WEST
ZERO DAYBOOK
Today
- Last day of Cisco Live conference in Orlando.
- House Energy Subcommittee hearing on the Chemical Facility Anti-Terrorism Standards program.
- The Brookings Institution holds a discussion on cybersecurity in Asia.
Coming soon
- Interface Phoenix conference tomorrow.
- BSides San Antonio conference on June 16.
- Senate Judiciary Committee hearing on the Justice Department inspector general’s first report on the department and FBI’s actions before the 2016 election on June 18.
- House Judiciary Committee and House Oversight Committee joint hearing on the Justice Department and the FBI’s actions before the 2016 election on June 19.
EASTER EGGS
Sen. Bob Corker (R-Tenn.) says the GOP is “cultish” with Trump:
Changes in thickness and sea level from 1992 to 2017:
Who will win the World Cup opener? “Psychic” cat picks a winner: