THE KEY

This morning, the Senate will have its first opportunity to question Federal Communications Commission Chairman Ajit Pai about why officials at his agency falsely claimed to have experienced a cyberattack during the height of last year’s net neutrality debate. 

Lawmakers on the Commerce, Science and Transportation Committee are expected to press Pai about an FCC inspector general report last week that found officials misled the public and Congress about the episode. 

It's a high-stakes appearance for Pai, whose inconsistent responses to the fabricated attack have brought on fierce criticism and tainted his unpopular decision to repeal Obama-era net neutrality rules. There’s no doubt he’ll come prepared for a grilling, especially from Senate Democrats, but he risks further alienating himself and his agency if he sidesteps questions or continues to deflect responsibility onto his subordinates. 

“Chairman Pai should take the FCC inspector general’s report as an opportunity to reflect on his leadership. It’s clear now that the only attack at the FCC was the one he led on Americans to rob them of an open and fair internet,” Sen. Catherine Cortez Masto (D-Nev.), a member of the committee, told me in an email. She said it’s important that Pai “is held accountable to the millions of Americans who tried to make their voices heard against the rollback of net neutrality.”

Here's what senators will want to know: 

When did Pai learn the cyberattack story was bogus?

This, of course, is the million-dollar question. In May of last year, the FCC blamed an hours-long outage in its public comment system on a distributed denial-of-service attack that overwhelmed its network with fake traffic. The commission ran with the story for months, and at one point chided journalists for raising questions about its claims. 

But the FCC’s inspector general found in its Aug. 6 report that no such attack took place. In reality, the outage probably was caused by a crush of legitimate traffic after comedian John Oliver, host of HBO’s “Last Week Tonight,” urged viewers to file comments opposing Pai’s net neutrality repeal. The FCC, relying on faulty information from its then-Chief Information Officer David Bray, made false statements to lawmakers during congressional inquiries into the matter, the inspector general concluded. The commission also fed phony stories about a similar attack from 2014 to media outlets. 

Pai said last week that he was in the dark about the whole affair. He said the report “debunks the conspiracy theory that my office or I had any knowledge that the information provided by the former CIO was inaccurate and was allowing that inaccurate information to be disseminated for political purposes.” 

Senators may want to see if he gives the same answer under oath. Some of their colleagues in the House have already raised the issue, telling Pai in a letter this week that they were troubled that the fake story persisted for so long. As Motherboard notes, “Pai’s claim that he knew nothing at all doesn’t align with the fact that several Pai staffers not only fed false information to Congress, but Pai’s own press shop maligned reporters for digging into the false claims.”

Will Pai amend his statements to Congress? 

The inspector general found that the FCC made false statements about the supposed denial-of-service attack in a letter responding to an inquiry from Sens. Ron Wyden (D-Ore.) and Brian Schatz (D-Hawaii). The letter was signed by Pai, but the commission’s CIO was responsible for the sections related to technical issues, according to the report, which states plainly that the information they provided the lawmakers about the incident was inaccurate. It’s hard to imagine Commerce Committee senators won’t call on Pai to set the record straight. 

What about the FCC’s statements to the public? 

Pai could also face pressure from senators to correct the public statements and news releases the commission issued about the fake cyberattack. One release falsely claimed that an “analysis” had shown that the denial-of-service attack was genuine. Another blasted “completely irresponsible” news reports challenging the FCC’s account. On top of that, a public records request by the blog Gizmodo revealed that the commission tried to plant untrue stories about the incident in media outlets such as the Wall Street Journal and Politico.

Will the FCC get a better public comment system? 

An important, albeit technical, takeaway from the inspector general’s report is that the FCC’s online comment system is pretty shoddy. On the night of the outage, it simply couldn’t handle all the traffic from Oliver’s followers, in part because of design flaws in the system. This is one area where Pai seems eager to help. In a statement last week on the inspector general’s report, he said it was “abundantly clear” that the system needed a redesign.

PINGED, PATCHED, PWNED

PINGED: President Trump, seeking to loosen restrictions on launching cyberattacks, has revoked Obama-era rules that established a process for using cyberweapons against adversaries, the Wall Street Journal's Dustin Volz reported. “Mr. Trump signed an order on Wednesday reversing the classified rules, known as Presidential Policy Directive 20, that had mapped out an elaborate interagency process that must be followed before U.S. use of cyberattacks, particularly those geared at foreign adversaries,” Volz wrote. “The change was described as an ‘offensive step forward’ by an administration official briefed on the decision, one intended to help support military operations, deter foreign election influence and thwart intellectual property theft by meeting such threats with more forceful responses.”

But, as the Journal notes, it's unclear what policy Trump is enacting in replacement of the 2012 guidelines. “As designed, the Obama policy required U.S. agencies to gain approval for offensive operations from an array of stakeholders across the federal government, in part to avoid interfering with existing operations such as digital espionage,” Volz wrote. “Critics for years have seen Presidential Policy Directive 20 as a particular source of inertia, arguing that it handicaps or prevents important operations by involving too many federal agencies in potential attack plans. But some current and former U.S. officials have expressed concern that removing or replacing the order could sow further uncertainty about what offensive cyber operations are allowed.”

PATCHED: Hackers carried out repeated cyberattacks against a Democratic opponent of Rep. Dana Rohrabacher, the California Republican who is a vocal supporter of Russia, targeting his work email as well as his campaign's website, hosting service and Twitter account, Rolling Stone's Andy Kroll reported Wednesday. Hans Keirstead, who unsuccessfully ran in a California nonpartisan primary against Rohrabacher, gave away his password when hackers first attacked him with a spearphishing email in August 2017. But later hacking attempts, which included brute-force attacks on his campaign's website, did not succeed.

“Kyle Quinn-Quesada, who was Keirstead’s campaign manager, tells Rolling Stone that the campaign is now going public about the attacks for the sake of voter awareness,” Kroll wrote. “‘It is clear from speaking with campaign professionals around the country that the sustained attacks the Keirstead for Congress campaign faced were not unique but have become the new normal for political campaigns in 2018,’ Quinn-Quesada says. He added that the Keirstead campaign did not believe the cyberattacks had an effect on the primary election results.” The FBI investigated the hacking, but Quinn-Quesada said the bureau did not tell the campaign whether it had found who launched the attacks, Kroll reported.

PWNED: The FBI sought location data of Google users as part of an investigation into robberies in Portland, Maine, but the company never complied and the bureau was able to find the suspect via other means, Forbes's Thomas Fox-Brewster reported on Wednesday. “The feds wanted the tech giant to find all users of its services who’d been within the vicinity of at least two of nine of those robberies,” according to Forbes. “They limited the search to within 30-minute timeframes around when the crimes were committed. But the request covered a total space of 45 hectares and could’ve included anyone with an Android or iPhone using Google’s tools, not just the suspect.”

The bureau first issued a warrant to Google in March and unsuccessfully renewed its request several times until August. “It’s unclear whether Google didn’t want to give up the information, or if it simply couldn’t retrieve the data,” Fox-Brewster wrote. “There were no filings objecting to the warrant and Google declined to comment.” Marina Medvin, an attorney and founder of the Medvin Law firm, told Forbes that the warrant was overly broad. “This is a general search, which is prohibited under our Constitution. It is not particularized, a legal prerequisite to obtain a warrant under U.S. law,” Medvin said.

PUBLIC KEY

— The Department of Homeland Security hosted a three-day exercise involving 44 states, the District of Columbia and several federal agencies to improve the response to election security threats, according to a DHS statement released Wednesday. “The response we have received from this week’s participants has been overwhelmingly positive and we’ve identified areas we need to collectively focus on ahead of the midterm elections,” Homeland Security Secretary Kirstjen Nielsen said in a statement. “In this environment, if we prepare individually, then we fail collectively, and I am grateful for everyone’s participation and partnership this week.” The exercise relied on a scenario that featured threats such as online disinformation, spearphishing against campaigns and cyberattacks against election infrastructure, according to DHS.

— The troubles in Louisiana's quest to modernize its voting equipment are not over. “Candidates vying to be Louisiana secretary of state want to pause the work being done to replace the state’s 10,000 voting machines until after the election, citing allegations of impropriety during the contractor selection,” the Associated Press's Melinda Deslatte wrote on Wednesday. “Republican former state Sen. A.G. Crowe, one contender seeking to oust GOP Secretary of State Kyle Ardoin, said he’s asking the attorney general and legislative auditor to review the bid process for the contract that could be worth as much as $95 million.”

— “The National Security Agency successfully broke the encryption on a number of ‘high potential’ virtual private networks, including those of media organization Al Jazeera, the Iraqi military and internet service organizations, and a number of airline reservation systems, according to a March 2006 NSA document,” the Intercept's Micah Lee reported Wednesday. The 2006 document is an article from SIDtoday, an internal publication of the NSA's Signals Intelligence Directorate. The Intercept published 328 documents in its seventh release of SIDtoday articles on Wednesday.

“According to the document, contained in the cache of materials provided by NSA whistleblower Edward Snowden, the NSA also compromised VPNs used by airline reservation systems Iran Air, ‘Paraguayan SABRE,’ Russian airline Aeroflot, and ‘Russian Galileo,’ ” Lee wrote. “Sabre and Galileo are both privately operated, centralized computer systems that facilitate travel transactions like booking airline tickets. Collectively, they are used by hundreds of airlines around the world.” However, the document doesn't specify how the NSA actually managed to break the encryption. “The technical details that describe how the NSA exploits VPNs are a closely-guarded secret, according to another SIDtoday article, from December 2006,” the Intercept reported. “‘Exploiting VPNs makes use of some of the newest state-of-the-art techniques,’ the article stated, ‘and because of this, the exploitation details are held closely and generally not available to field sites.’ ”

— “A Georgia woman who mailed a secret U.S. report to a news organization faces the ‘longest sentence’ ever behind bars for a federal crime involving leaks to the news media, prosecutors said in a court filing,” the AP's Russ Bynum reported on Wednesday. “Former National Security Agency contractor Reality Winner, 26, is scheduled to be sentenced Aug. 23 by U.S. District Court Judge J. Randal Hall in Augusta. She pleaded guilty in June to a single count of transmitting national security information when she worked in Augusta as a translator at an NSA facility.”

— More cybersecurity news from the public sector:

The number of informants executed in the debacle is higher than initially thought. (Foreign Policy)

White House press secretary Sarah Huckabee Sanders announced the action, quoting the president’s citing risks from Brennan’s “erratic conduct and behavior.” (David Nakamura and Felicia Sonmez, Politics)

Giant cranes loading and unloading gargantuan barges. Oil tankers, supply vessels and pipelines serving a vital energy industry. Flood control structures. Chemical plants. Cruise ships. Drinking water sources. All computer-reliant and tied in some way to the internet. All of them vulnerable to cyber thieves, hackers and terrorists. (The Associated Press)

Trump administration officials are growing increasingly frustrated over stalled legislation concerning a key office responsible for combating cyber threats. (The Hill)

The FCC’s site went down last year not because of a DDoS attack, but because it couldn’t handle the traffic spike. So who’s responsible for making sure that doesn’t happen? (FCW)

PRIVATE KEY

Twitter chief executive Jack Dorsey said he is rethinking core parts of the social media platform so that it doesn’t enable the spread of hate speech, harassment and false news, including conspiracy theories shared by prominent users like Alex Jones and Infowars. (Tony Romm and Elizabeth Dwoskin, The Switch)

McAfee is offering free security services to election offices in all 50 states in order to protect voter data stored in the cloud. (CyberScoop)

What can the 14-person Digital Forensics Research Lab discover about fake news on Facebook that the billion-dollar company doesn't already know? (Wired)

Nonprofit TraceLabs ran DEF CON’s first crowdsourced event for tracking missing people through public information. (Joseph Cox)

SECURITY FAILS

— “A U.S. investor filed a $224 million lawsuit against AT&T on Wednesday, accusing the telecommunications giant of negligence that allegedly caused the California resident to lose roughly $24 million in cryptocurrency,” CNBC's Kate Rooney reported. “In a 69-page complaint filed in U.S. District Court in Los Angeles, Michael Terpin claimed that because of ‘AT&T's willing cooperation with the hacker, gross negligence, violation of its statutory duties, and failure to adhere to its commitments in its Privacy Policy,’ he lost nearly $24 million worth of cryptocurrency.”

— More news about security incidents:

Caesars Palace told DEF CON attendees that hotel security room check only involved 'visual review,' but a video shows some security staff going further. (Motherboard)

THE NEW WILD WEST

Facebook shared some details of the progress it's made in Myanmar. (Hayley Tsukayama, The Switch)

Brazil's antitrust watchdog Cade is considering opening an investigation into Google over alleged abuses in its cell phone operating system, the president of the agency said in an interview published on Wednesday in newspaper Valor Economico. (Reuters)