The Washington Post

The Cybersecurity 202: Senate defense bill pushes Trump to get tougher on Russian hacking

with Bastien Inzaurralde

THE KEY

The Senate wants to turn up the pressure on President Trump and his military chiefs to strike back against Russian hacking.

The massive defense policy bill the Senate approved Monday night calls on Trump to curb Russian aggression in cyberspace. It gives Trump the green light to direct U.S. Cyber Command to “disrupt, defeat and deter” cyberattacks by the Russian government, conduct surveillance on Kremlin-backed hackers and partner with social media organizations to crack down on disinformation campaigns such as the ones that disrupted the 2016 election. It would also require the administration to send quarterly reports to Congress about the progress of its efforts. 

But the measures may have limited impact. There's little Congress can do through the legislation to force the administration to take action. As it stands, the non-binding provisions in the annual defense authorization bill are simply a signal to Trump that lawmakers are unsatisfied with his stance on Russia’s cyberoffensives.

“Some Senate Armed Services Committee members have been frustrated by what they see as insufficiently strong deterrence policy in general, and especially with respect to Russian actions in cyberspace,” said Matthew Waxman, a cybersecurity expert at Columbia University and former senior national security official in the George W. Bush administration. Although the provisions in the bill are “a formal expression of that frustration,” Waxman said, they likely won’t have an immediate and direct practical effect on Trump’s policy.

Indeed, they may amount to little more than a nudge in the direction lawmakers want the administration to go, said Jason Healey, a cyber conflict expert and senior researcher at Columbia University’s School for International and Public Affairs.

"I think it is pressure as a statement of Congress, but not more," said Healey, who was also a founder of the first joint cyber warfighting command in the U.S. military. The president, he said, already has "all the authorization he would need." 

It really comes down to a messaging push, and there are a few signals the bill sends. First, it tells the Trump administration to prioritize efforts to combat Russian cyber activities, according to Matthew Rhoades, who handled legislative affairs for the National Security Council and the Defense Department during the Obama administration.

The motivation for including the provisions could be different depending on each lawmaker's party, Rhoades said. “If you’re a Republican, it encourages the president’s rhetoric to more closely match the administration’s actions” with respect to recent sanctions against Russian businesses and executives, said Rhoades, now the managing director of the Cybersecurity and Technology Program at the Aspen Institute. “If you’re a Democrat, it fits into a narrative that you're taking the Russia threat more seriously.”

And of course, there's a message to the public: Democrat and Republican lawmakers now can say they're willing to go after Russian hackers -- even if the president doesn't follow through. 

Trump’s intelligence chiefs have warned that Russia is continuing to target the U.S. political system following its sweeping interference campaign in 2016. But Trump himself has been reluctant to take action, dismissing their conclusions, as well as findings by congressional investigators, that Russia interfered to help him win.

As recently as February, Adm. Michael S. Rogers, then-head of the National Security Agency and U.S. Cyber Command, all but conceded that the military had done little to respond to Russian cyber offensives. He told lawmakers in a hearing that Russian President Vladimir Putin probably felt he paid “little price” for the interference and hadn’t stopped. He also testified that Trump had not given him new authorities or capabilities to strike at Russian cyber operations.

There is one key way the bill could have an impact: the reports the administration would be required to send back to Congress on actions taken against Russian cyber operations. That could add a more robust layer of accountability, Rhoades said. 

“If they see something that is not necessarily in line with the president’s rhetoric, the Congress can say, ‘Not only do we disagree with how he’s characterizing the situation, we have information to the contrary,’ ” he said. “It gives them a basis to talk about the threat to the American people.” 

The Senate’s bill, which approves $716 billion in defense spending, passed by a vote of 85 to 10 after cruising out of the Armed Services Committee late last month, as my colleague Karoun Demirjian reported. In addition to the provisions about Russian hacking, it calls on the administration to create a national policy governing cyberwarfare and cyber deterrence. It has to be reconciled with a House version of the legislation.

In its report on the legislation, the Armed Services Committee said it “urges” Trump and the secretary of defense to act on the bill’s authorization to target “the activities of operators working on behalf of the Russian Federation to conduct influence operations in the United States.” 

“The committee heard testimony establishing that the Russian Federation seeks to achieve strategic objectives in conducting such operations and concludes that the threat posed by such operations is significant enough to require active countervailing actions,” the committee said.

This is not the first time Congress has sought to force the administration’s hand on Russia. Last summer lawmakers voted overwhelmingly to impose economic sanctions on Russia in retaliation for election interference. Trump signed the legislation, but only after questioning its constitutionality and raising doubts about enforcing it.

The administration followed through with a string of sanctions this year in response to election hacking as well as cyberattacks and recent cyber intrusions on the U.S. energy grid. It also took the aggressive step of publicly attributing the devastating global NotPetya attack to Russia, though the move came with no public remarks on the topic from the president himself.

PINGED, PATCHED, PWNED

PINGED: Federal prosecutors on Monday charged a former CIA employee suspected of leaking hacking tools from the agency with violations of the Espionage Act, The Washington Post's Matt Zapotosky reports. “Joshua Adam Schulte, who worked for a CIA group that designs computer code to spy on foreign adversaries, was charged in a 13-count superseding indictment with illegally gathering and transmitting national defense information and related counts in connection with what is considered to be one of the most significant leaks in CIA history,” Zapotosky writes. “The indictment accused Schulte of causing sensitive information to be transmitted to an organization that is not named in the indictment but is thought to be WikiLeaks.”

“Leaks of classified information pose a danger to the security of all Americans,” John C. Demers, assistant attorney general for national security, said in a statement. “It adds insult to injury when, as alleged here, the leaks come from former government officials in whom Americans placed their sacred trust.” Before Monday, Schulte had been held on unrelated charges of child pornography. Manhattan U.S. Attorney Geoffrey S. Berman said in a statement that federal agents discovered the pornographic content in Schulte's residence in New York during the investigation. “The indictment accuses Schulte, 29, of exceeding his authorized access to CIA computer systems and altering systems to delete records of his activities and deny others access,” Zapotosky writes. “Added together, the charges against him carry a statutory maximum penalty of 135 years in prison.”

PATCHED: The Senate is challenging Trump on ZTE. The annual defense authorization bill that senators passed Monday includes provisions to reinstate penalties on the Chinese tech giant, a move that the White House opposes, The Post's Karoun Demirjian reports. "Both the House and Senate versions of the defense policy bill restrict government agencies from purchasing ZTE products," Demirjian writes. "But the Senate bill goes one step further, ordering the reimposition of punitive measures that Trump sought to roll back in a deal the Chinese say is necessary to keep the company from dissolving."

Commerce Secretary Wilbur Ross has been trying to convince the House and Senate GOP to do away with the provisions about ZTE in the upcoming conference process to reconcile both chambers' versions of the bill, Demirjian reports. Sens. Tom Cotton (R-Ark.), Marco Rubio (R-Fla.), Chris Van Hollen (D-Md.) and Senate Minority Leader Charles E. Schumer (D-N.Y.), who had offered the measure, praised the inclusion of the ZTE amendment in a joint statement.

"We’re heartened that both parties made it clear that protecting American jobs and national security must come first when making deals with countries like China, which has a history of having little regard for either. It is vital that our colleagues in the House keep this bipartisan provision in the bill as it heads towards a conference," they said. Several lawmakers on Capitol Hill have expressed concerns that ZTE products threaten national security.

PWNED: Sen. Charles E. Grassley (R-Iowa) has some questions about James B. Comey's personal email account. Grassley, the chairman of the Senate Judiciary Committee, said in a letter to FBI Director Christopher A. Wray on Monday that he wants to know whether the bureau has sought to retrieve the work emails that Comey sent from a personal account during the Hillary Clinton email investigation. “It is disturbing that FBI employees tasked with investigating Secretary Clinton, including the former Director, appear to have engaged in strikingly similar conduct,” Grassley wrote. “Although it does not appear as egregious and prolonged, they also used non-government systems for official work.”

Grassley asked Wray whether the FBI requested that Comey turn in “official work-related material” from his personal email accounts and devices or that he give the bureau access to his accounts. Grassley also wants to know whether the FBI has sought to search Comey's personal accounts and devices or moved to “secure, retrieve, or clean” any classified material about FBI business that Comey may have sent from unclassified systems. The Justice Department inspector general said in a report about the Clinton email probe released on Thursday that Comey used a personal email account in “numerous instances” to carry out unclassified FBI work. The report also noted that FBI agent Peter Strzok and FBI lawyer Lisa Page used personal email accounts.

PUBLIC KEY

— A Maryland woman pleaded guilty in a scheme to obtain loans by using stolen data from the Office of Personnel Management security breach, according to a statement Monday from the U.S. Attorney's Office for the Eastern District of Virginia. Karvia Cross pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft, according to the statement. She was involved in a plan to use stolen information that was exposed in the OPM hack to receive personal and vehicle loans from Langley Federal Credit Union and also recruited other people to take part in the scam. The information of about 22.1 million people was exposed in the OPM breach, making it one of the worst instances of hacking of U.S. government computer systems.

— More than 3,800 Twitter accounts were involved in Russia's Internet Research Agency's efforts to spread disinformation during the 2016 U.S. presidential election, according to updated data released Monday by Democrats on the House Intelligence Committee. “One of the primary ways that we as Americans can begin to inoculate ourselves against a future attack on our electoral processes is to see first-hand the tools that malign actors use to attempt to destabilize and divide us,” Rep. Adam B. Schiff (Calif.), the panel's ranking Democrat, said in a statement. Aside from the list of 3,841 Twitter accounts linked to the IRA, the committee's Democrats also released a list of paid advertisements that RT, a channel funded by Russian authorities, ran on three Twitter accounts. The Twitter ads span from April 1, 2016, till Dec. 26, 2016.

"By releasing this Twitter data, we hope that researchers will continue their important work exposing any additional Russian operators who used similar tactics and themes, and provide the American people with additional information to protect our elections and political debate in the future,” Schiff said. “We continue to work with Twitter and other online platforms and technology companies to fully understand the scope and scale of Russian interference during the 2016 election.” The release also includes samples of content aiming to suppress voter turnout that Twitter provided to the committee, but Schiff said that “there are no indicators that these types of voter suppression tweets were part of the Russian influence campaign.”

— More cybersecurity news from the public sector:

Trade Tensions With Allies Not Affecting Cyber, Top Diplomat Says (Nextgov)

Capitol Hill staffers learn what really happens when there's a data breach (CyberScoop)

The Supreme Court will wade into a fight over Apple’s tightly controlled App Store (Tony Romm)

PRIVATE KEY

— A coalition of civil rights groups including the American Civil Liberties Union is demanding that Amazon.com stop selling facial recognition technology to law enforcement authorities. “By making this dangerous technology cheaply and easily available, Amazon is uniquely positioned to spread face surveillance throughout government agencies, and it has been working behind the scenes to do so for years,” Kade Crockford, director of the ACLU of Massachusetts Technology for Liberty Project, wrote in a blog post Monday. The campaign to pressure Amazon to stop selling the technology, called Rekognition, to law enforcement agencies includes a petition, a letter from almost 70 groups to Amazon founder and chief executive Jeffrey P. Bezos and a letter from several Amazon shareholders, according to Crockford. (Bezos is also the owner of The Post.)

"People should be free to walk down the street without being watched by the government,” the letter from civil rights groups says. “Facial recognition in American communities threatens this freedom. In overpoliced communities of color, it could effectively eliminate it. The federal government could use this facial recognition technology to continuously track immigrants as they embark on new lives. Local police could use it to identify political protesters captured by officer body cameras.” The ACLU of Northern California said last month that Amazon is selling its facial recognition tool for a handful of dollars to law enforcement agencies in Oregon and Orlando.

— Apple wants to make it easier for first responders to find you. The company announced on Monday that iOS 12, which is due this fall, will allow iPhones to share users' location automatically if they call 911, The Post's Hamza Shaban reports. “The feature is designed to give first responders faster and more accurate information, helping to reduce the time it takes for emergency services to arrive,” Shaban writes. “According to the Federal Communications Commission, about 70 percent of 911 calls are made by people using mobile phones.”

— Small businesses face cyberattacks but many don't bother to improve their defenses. “Small businesses suffered a barrage of computer invasions last year but most took no action to shore up their security afterward, according to a survey by insurer Hiscox,” the Associated Press's Joyce M. Rosenberg reports. “It found that 47 percent of small businesses reported that they had one attack in 2017, and 44 percent said they had two to four attacks.” Almost two-thirds of small businesses said they did not strengthen their cyberdefenses after being hacked, according to Rosenberg. Small businesses were targeted by ransomware, phishing scams and “drive-by attacks, which infect websites and in turn the computers that visit them,” she writes.

— More cybersecurity news from the private sector:

DHS-Funded Company Wants to Use Blockchain at the Border (Nextgov)

Microsoft, an ICE Tech Partner, 'Dismayed' by Child Separation Policy (Motherboard)

CEO Musk emails staff alleging employee 'sabotage' (Reuters)

IBM Unveils System That ‘Debates’ With Humans (The New York Times)

Four in 10 people have deleted a social media account in the past year due to privacy worries (CNBC)

Alleged top Silk Road adviser extradited to US to face charges (The Verge)

SECURITY FAILS

— A Google vulnerability exposes the location of users of the voice assistant Google Home and the streaming tool Chromecast, according to the computer security blog KrebsOnSecurity.com. “Beyond leaking a Chromecast or Google Home user’s precise geographic location, this bug could help scammers make phishing and extortion attacks appear more realistic,” writes Brian Krebs, the author of the blog and a former Post reporter. The company is expected to patch those weaknesses soon, according to Krebs.

THE NEW WILD WEST

— Iranian agents provided a former Israeli minister with an encrypted communications system to keep in contact with him as he spied on Israel, the Israel Security Agency and the Israel Police announced on Monday. “Gonen Segev, who served as energy and infrastructure minister from 1992 to 1995, was allegedly providing Iranian intelligence agents with sensitive information connected to Israel’s energy market and security sites, said the security agency, also known as the Shin Bet,” The Post's Ruth Eglash writes. State prosecutors indicted Segev last week.

"'Segev received a secret communications system to encrypt messages between him and his operators,' the Shin Bet said,” Eglash reports. "'The investigation also revealed that Segev gave his operators information connected to the energy market and security sites in Israel, including buildings and officials in political and security organizations.'” The Israeli newspaper Haaretz reported that Segev also spent two years in jail for trying to smuggle ecstasy and forging a diplomatic passport and was released in 2007, Eglash writes.

— More cybersecurity news from around the world:

North Korea to blame for string of Latin America bank hacks, insiders say (CyberScoop)

S.Africa's Information Regulator seeks meeting with Liberty over cyber attack (Reuters)

EASTER EGGS

How separated immigrant children are housed in detention:

The Post's Michael E. Miller explains how shelters for immigrant children recently separated from their parents are different from other detention facilities. (Video: Monica Akhtar/The Washington Post)

The meaning behind five pieces of art seen in the new Beyoncé and Jay-Z video:

Beyoncé and Jay-Z’s new joint video, “Apesh--,” was shot in the Louvre. From the Mona Lisa to an Egyptian sphinx, here's the meaning behind five of the pieces. (Video: Nicki DeMarco/The Washington Post)

Mexicans celebrating goal in World Cup game trigger quake sensors:

The Institute of Geological and Atmospheric Investigations says earthquake sensors registered tremors in Mexico City seconds after Hirving Lozano scored. (Video: Reuters)