THE KEY

Current and former policymakers admit it: The U.S. government needs do a better job sharing cyberthreat information with the private sector if it’s going to defeat increasingly complex cyberattacks from nation states. 

The exchange of cyberthreat information between the government and companies was the cornerstone of a 2015 bill hailed as landmark legislation to protect against digital attacks. But more than two years later, these comments at a Cyber 202 Live event hosted Friday by The Washington Post reveal the U.S. government has an incredibly long road ahead to effectively implement the legislation. Officials are finally acknowledging they have been too focused on trying to get companies to share information with them -- and less on sharing with private companies who want threat intelligence the government detects. 

“No company out there, no state out there is going to overcome this challenge by themselves. We have to work together,” said Christopher Krebs, undersecretary for the Department of Homeland Security’s main cyber unit, the National Protection and Programs Directorate. 

“We have to be thinking more broadly,” added Tonya Ugoretz, director of the Cyber Threat Intelligence Integration Center, which tracks cyberthreats from within the Office of the Director of National Intelligence. “The U.S. government does not have the monopoly on intelligence when it comes to cybersecurity.”

Ugoretz said the government could create a more “holistic picture” of the threats it sees by forging new relationships with the private sector's cybersecurity industry.

“The more that we can create a dialogue and mechanisms for sharing information between government and private sector back in the other direction,” she told my colleague Ellen Nakashima at the event, “that will help all of us be better able to play defense against some of these efforts.”

The Cybersecurity Information Sharing Act created incentives for private companies to share their threat intelligence with the federal government. By giving them legal immunity and setting up a more formal repository for that information through DHS, the hope was that the exchange of information would better prepare the country to defend collectively against attacks.

But few companies are participating. As the website NextGov reported recently, just six nonfederal entities have signed up to share their data. Lawmakers who supported the legislation had expected the number to rank in the thousands, according to NextGov.

Still, the fact that they’re not sharing doesn’t mean there’s nothing to share. All industry sectors are facing widespread threats — and it's going to take a “whole-of-government” response to help them, panelists said.

“If you talk to [chief information security officers] who are in financial institutions, they shake a lot and they sweat and they don’t sleep much, because they are overwhelmed at the sheer level,” Mike Rogers, the former Republican chair of the House Intelligence Committee, told my colleague Carol Leonnig. “You used to have criminals only trying to get in — now you have nation-states trying to get in, which makes their job incredibly difficult.”

“And we’re all going to pay a price for that,” Rogers said. “Without a concerted effort this is only going to get worse.”

There have been hopeful developments of collaboration, panelists said. One major success story, Ugoretz said, was the government’s work with private cybersecurity researchers to investigate and attribute the devastating WannaCry ransomware attack to North Korea. In that instance, she said, private-sector researchers had detailed data on the cyberattack that they shared with DHS and the intelligence community. “We relooked at that data that came from the private sector and I think realized what we had,” Ugoretz said. “The importance was having the relationships and the trust to be able to go to different partners and say, 'This part of the community needs this piece of information that another part has. And also, to be that kind of nudge to the community.'”

Krebs also noted, for instance, that DHS and the FBI are working with Microsoft to investigate unsuccessful hacks on three congressional candidates that the company revealed last week. 

But the panelists agreed a broader partnership is necessary.

“It’s not just about government working together — it’s about industry and government working together,” Krebs said. “We have to have integrated, cross-sector, government-industry collaboration in the cybersecurity space, in the critical-infrastructure protection space. And that’s where we’re going.”

PINGED, PATCHED, PWNED

PINGED: A Foreign Intelligence Surveillance Act application to wiretap former Trump campaign adviser Carter Page released Saturday by the Justice Department said Page carried out “clandestine intelligence activities” for RussiaThe Washington Post's Shane Harris reported. The Justice Department released the application to surveil Page as well as three renewal applications, representing more than 400 pages of documents that are heavily redacted, according to Harris. “In the four decades that FISA has been in effect, it’s not clear that any application for surveillance has ever been released,” my colleague wrote. “Materials related to FISA operations and legal processes are among the most highly classified and closely guarded in the government. The New York Times, USA Today and the James Madison Project all sued for release of the materials.”

Page responded to the release of the FISA documents in an interview on CNN's “State of the Union” and denied being an agent for Russia. “On Sunday, Page said that it was 'ridiculous' and a 'complete joke' to believe he had been an agent of the Russian government,” The Post's Elise Viebeck and David A. Fahrenthold wrote. “'I’ve never been an agent of a foreign power by any stretch of the imagination,' Page said on CNN. That echoed President Trump’s own statements on the documents — issued via Twitter from Trump’s golf club in New Jersey — that the wiretap on Page was part of politically motivated spying on Trump’s presidential campaign.”

Additionally, the release of the documents undercuts claims by House Intelligence Committee Chairman Devin Nunes (R-Calif.) that the surveillance of Page was tainted by political considerations, The Post's Philip Bump wrote. Bump lists several allegations made in a Republican memo released in February about the FISA application to surveil Page and compares them to the actual application released last week. “From the evidence at hand though, it’s certainly fair to assume that it’s Nunes’s memo, not the warrant application, that suffered from a stronger political bias in its creation,” Bump wrote. “We can’t entirely blame Nunes, though. In an interview with Fox News in February, he admitted that he himself hadn’t read the warrant application.”

PATCHED: Clemson University researchers gathered 3 million tweets from 3,841 Twitter accounts involved in Russia's efforts to sow discord in American politics and found that Russian trolls were especially active the day before WikiLeaks started releasing stolen emails from Hillary Clinton's campaign chairman John Podesta, The Post's Craig Timberg and Harris reported on Friday. According to the Clemson researchers, accounts used by Russia's Internet Research Agency sent more than 18,000 tweets on Oct. 6, 2016, my colleagues wrote.

“The Clemson researchers and others familiar with their findings think there probably is a connection between this looming release and the torrent of tweets, which varied widely in content but included a heavy dose of political commentary,” Timberg and Harris wrote. “'Hillary Clinton and Donald Trump: Which one is worse: Lucifer, Satan or The Devil?' said one tweet from an account called Gwenny that directed readers to a YouTube video.” Aside from the release of the Podesta emails, Oct. 7, 2016, was also the day that The Post published Trump's vulgar comments about groping women and the federal government accused Russia of seeking to interfere in the election. “The tweets overall reveal a highly adaptive operation that interacted tens of millions of times with authentic Twitter users — many of whom retweeted the Russian accounts — and frequently shifted tactics in response to public events, such as Hillary Clinton’s stumble at a Sept. 11 memorial,” Timberg and Harris wrote.

PWNED: The United States in recent years has been less and less assertive in shaping international cyber policies, ceding ground to China and the European Union in the process, Politico's Eric Geller reported Sunday. “The weakening American position comes as the European Union, filling a gap left by years of lax U.S. regulations, imposes data privacy requirements that companies like Facebook and Google must follow,” Geller wrote. “At the same time, China is dictating companies’ security practices with mandates that experts say will undermine global cybersecurity — without any significant pushback from the United States.”

Politico offers another example of America's loss of influence: the enactment by the European Union of rules such as the General Data Protection Regulation, which creates online privacy standards that U.S. companies have to abide by. The United States lacks a comprehensive cybersecurity agenda and has generally relied on voluntary standards rather than legislation and regulation to advance Internet policies, Geller writes. “The U.S. model looks both paralyzed and somewhat feckless, while the Europeans and the Chinese are making progress and, in many cases, damaging the openness of the internet," Adam Segal from the Council on Foreign Relations tells Geller.

— More cybersecurity news:

Politics
Konstantin Nikolaev, a transportation magnate who was in Washington during President Trump’s inauguration, was in contact with Butina as she launched a gun rights group.
Rosalind S. Helderman
Politics
In an evening tweet, the president once more muddied the waters on whether he thinks Russia meddled in the 2016 campaign.
Felicia Sonmez
Public Safety
The final hearing before the start of his bank and tax fraud case is set for Monday.
Rachel Weiner
CHAT ROOM

The release of the application to surveil Page drew a mix of sharp reactions on Twitter.

From the New York Times’s Charlie Savage:

From the Los Angeles Times’s Chris Megerian:

From Sen. Marco Rubio (R-Fla.):

From Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee:

From the libertarian Cato Institute’s Julian Sanchez:

PUBLIC KEY

— Score one for Trump against Congress. “Senate Republicans have dropped their attempt to reimpose U.S. sanctions on the Chinese telecommunications giant ZTE, lawmakers said Friday, a victory for President Trump as congressional Republicans abandoned a rare effort to thwart his agenda,” The Post’s Erica Werner reported. “The retreat means ZTE, a company found guilty of selling U.S. goods to Iran in violation of sanctions, will duck Commerce Department penalties that bar U.S. companies from doing business with it.”

Senators dropped the provision and language from House lawmakers prevailed, according to Werner. “The House language bars U.S. government agencies and contractors from doing business with ZTE, but allows the company to continue doing business with private U.S. firms,” my colleague wrote. Rubio expressed disappointment on Twitter and said he was “surprised” that senators “caved so easily.”

— Public officials and transparency advocates are debating where privacy ends and public records begin as private messaging applications expand across the nation, including among government officials, the Associated Press’s Ryan J. Foley reported. “Some government officials have argued that public employees should be free to communicate on private, non-governmental cellphones and social media platforms without triggering open records requirements,” Foley wrote. “Lawmakers in Kentucky and Arizona this year unsuccessfully proposed exempting all communications on personal phones from state open records laws, alarming open government advocates. A Virginia lawmaker introduced a bill to exempt all personal social media records of state lawmakers from disclosure.”

— More cybersecurity news from the public sector:

China is waging a “quiet kind of cold war” against the United States, using all its resources to try to replace America as the leading power in the world, a top CIA expert on Asia said Friday.
The Associated Press
Fact Checker
The Homeland Security secretary left out that Russians apparently gained access to U.S. election systems and stole 500,000 voter records in one state.
Salvador Rizzo
They may be part of the Kremlin’s best-known hacker crew. But many of their most important players were unknowns—until the Special Counsel stepped in.
The Daily Beast
Here's what DoD can do differently to better equip in the realm of cyber.
Fifth Domain
PRIVATE KEY

"Facebook said Friday it suspended a longtime partner that had used data from Facebook and other social networks to assist governments — including Russia, Turkey, and the United States — in monitoring public sentiment, a more cautious approach in the aftermath of a data privacy scandal," my colleagues Elizabeth Dwoskin and Craig Timberg report. The action appears preemptive. "Facebook said that Boston-based Crimson Hexagon did not do anything inappropriate but that it is curtailing the company’s access to its data while conducting an investigation," according to Dwoskin and Timberg. 

Have you taken an Uber or Lyft ride in St. Louis this year? You may have been streamed to an online audience without ever knowing.
St. Louis Post-Dispatch
SECURITY FAILS
THE NEW WILD WEST
Will journalists, due to hatred of Assange, unite behind the Trump DOJ in support of one of the gravest threats to press freedom in years?
The Intercept
A measure in Parliament would fine social networks about $800,000 for posts deemed factually inaccurate. Critics say it could limit freedom of speech online.
New York Times
FOR THE N00BS
ZERO DAYBOOK

Coming soon

EASTER EGGS

Iranian President Hassan Rouhani warns the United States of the “mother of all wars”:

Tightrope walker conquers 115-foot high stunt in Paris:

Can you teach happiness? New Delhi says yes: