Hello, Cybersecurity 202 readers. My name is Joe Marks and I’ll be anchoring this newsletter going forward. I’ll be your guide through data breaches, bug bounty bills, encryption debates and disinformation campaigns. Send your tips, quips, critiques and big ideas to me anytime at joseph.marks@washpost.com or on Twitter at @Joseph_Marks_.

THE KEY

The sun sets behind the U.S. Capitol dome in Washington on Nov. 6. (James Lawler Duggan/Reuters)

It will take a very long time and a gargantuan effort before the technology Americans rely on is safe from hackers, according to a report from a congressional panel that has spent five years in the cybersecurity trenches.

The strategy document released last week from the House Energy and Commerce Committee’s investigations panel suggests companies completely overhaul the way they find and fix vulnerabilities in everything from the power grid to smart thermostats, cameras and cars.

It even contemplates fundamentally changing the way consumers get Internet-connected products. Maybe they should lease instead of buying them, for example, so they don’t keep using outdated technology that becomes more vulnerable to hackers with each passing year.

The report also demonstrates, however, the dramatic limits of Congress’s ability to force major changes that will improve cybersecurity practices.

It was written by staff for the investigations panel of the committee’s outgoing Republican majority, which dove into the issue after the 2013 data breach at Target. Five years later, their laborious process of roundtables, formal requests for information and letter writing campaigns to companies has only nudged the Internet ecosystem toward mildly better cybersecurity. The report does not lay the groundwork for any kind of mandate for cybersecurity protections.

That’s a far cry from the early 2010s when Congress tried, but failed, to mandate national cybersecurity protections through sweeping legislation. The most substantial piece of cybersecurity legislation that’s passed since then was a voluntary program that gave companies legal protection for sharing cyber threat information with the government, which only a handful of organizations have signed up for three years later.

Still, the report highlights six main cybersecurity priorities for the committee to work on in the next Congress under the committee's new Democratic majority. Those include making it easier for independent researchers to alert companies to software bugs they find and urging companies to be more transparent about the software they use.

“This report recognizes that there is no one ‘solution’ to cybersecurity, but instead discrete yet interdependent policies that together create a holistic and effective strategy for dealing with the realities of modern cyber threats and opportunities,” the report states.

Here are four big takeaways:

Start planning for retirement early

Companies should begin planning from the moment they introduce a new product for when the product’s underlying technology will be too outdated to be supported, the report urges. Data shows that the number of hackable vulnerabilities in any product’s software increases over time, but as products get older and fewer people use them, companies are less likely to actively monitor those vulnerabilities or to force customers to patch them.

As a result, the Internet ecosystem abounds with legacy technology that’s ripe for hacking. The WannaCry malware campaign, which wreaked global havoc in 2017, for example, was launched using a vulnerability in a decades-old tech protocol Microsoft had already released a patch for.

Currently, however, there’s no incentive for consumers and organizations to stop using outdated tech that companies aren’t supporting anymore. The strategy speculates about several ways to shift incentives so consumers don’t keep using old and insecure technology.

For example, companies that sell products that have Internet connections but aren’t fundamentally tech products — such as cars with fancy entertainment and navigation systems — could figure out ways to decouple the software components from the non-software components. That way, a car owner could replace the Internet-connected bells and whistles without having to replace the product itself.

We’ve seen this movie before

Most of the report’s major priorities have been pointed out before in reports by industry, academics or federal agencies.

A Commerce Department report from May, for example, which focused on combating armies of zombie computers known as botnets also stressed the importance of securing technology for its entire life cycle.

The Energy and Commerce report also stresses the importance of the public and private sector working together on cybersecurity. That was a main takeaway from an all-star commission established by the Obama administration after the Office of Personnel Management breach, which reported its findings shortly after the 2016 election.

The common elements show that Congress, the executive branch and cybersecurity experts are on the same page about a lot of what needs to be done. They also underscore, however, that the past few years have seen many recommendations on cybersecurity, but much less implementation.

No regulation in sight

One thing the report doesn’t advocate or even mention is any effort to mandate cybersecurity protections through regulation. That puts it in good company with government and industry reports, which have typically warned that broad cyber regulations would backfire by limiting companies’ flexibility to adapt quickly and to secure themselves in the smartest ways.

The Obama-era cybersecurity commission warned that broad regulation may be necessary in the future, but said it’s not clearly necessary yet. Some consumer groups and Democratic lawmakers have been much more open to the idea of cyber regulations and other mandates.

The government is vital to cybersecurity

The private sector owns the vast majority of the Internet, but the government must play a leading role in cybersecurity, the report warns.

In particular, the report heaps praise on a government-financed effort to collect, organize and rate the severity of all known computer bugs, known as the Common Vulnerabilities and Exposures database, or CVE.

The committee criticized the Department of Homeland Security, which funds the CVE database, and MITRE, the federally funded research center that manages it, in August, citing reports that researchers were waiting weeks or months for new computer bugs to be catalogued. Despite that mismanagement, the report describes the database as “the cornerstone on top of which modern cybersecurity is constructed.”

PINGED, PATCHED, PWNED

The Justice Department in Washington on May 24. (Jacquelyn Martin/AP)

PINGED: The United States is getting ready to make another move against Chinese hackers in its crackdown on cybertheft and espionage for commercial gain. “Federal prosecutors are expected to unseal criminal charges as soon as [this] week against hackers linked to the Chinese government who have allegedly engaged in a sophisticated multiyear scheme to break into U.S. technology service providers in order to compromise the networks of their clients, according to people familiar with the matter,” the Wall Street Journal's Dustin Volz reported. Senior U.S. officials consider this operation, which could potentially affect hundreds or thousands of businesses, as one of China's most serious hacking campaigns, according to the Journal.

“The hacks have allowed intruders potential access to scores of American companies and government agencies that rely on the service providers for a wide range of digital tasks, such as the remote management of technology infrastructure or cloud storage,” Volz reported. He added that “hackers sometimes breach a client company in order to jump into the provider’s systems, from where they can then leapfrog into other client networks.”

Sen. Mark R. Warner (D-Va.) in Washington on Dec. 6. (Andrew Harrer/Bloomberg)

PATCHED: Senate Intelligence Committee Vice Chairman Mark R. Warner said the United States needs to overhaul its cybersecurity policy. “That shift should include greater investments in military cybertechnology, more funding for cybersecurity research and development and a reinvigorated process of building international cyber norms with allies and punishing nations that violate them, Warner (D-Va.) said during a speech at the Center for a New American Security think tank,” as I reported Friday.

Warner also wants the U.S. to lay out how it would respond to cyberattacks backed by foreign governments. “Those responses could range from indictments and economic sanctions to retaliatory cyber-strikes and conventional military operations,” as I reported. “U.S. officials have typically argued that it would be counterproductive to predetermine responses to a cyberattack because that would limit the government’s flexibility and invite adversaries to walk up to a point that would invite retaliation but not cross it.”

Separately, Warner told BuzzFeed News's Craig Silverman that Chinese mobile app companies represent a national security risk. “Under Chinese law, all Chinese companies are ultimately beholden to the Communist Party, not their board or shareholders, so any Chinese technology company — whether in telecom or mobile apps — should be seen as extensions of the state and a national security risk,” Warner told Silverman.

An employee arranges a European Union flag ahead of an E.U. leaders summit in Brussels on Feb. 23. (Dario Pignatelli/Bloomberg)

PWNED: A top European Union official said the E.U. should beware of Chinese telecommunications giant Huawei. Chinese authorities demand cooperation from Chinese companies on “mandatory back doors” to access encrypted data, said Andrus Ansip, the E.U.'s tech commissioner, Reuters's Francesco Guarascio and Foo Yun Chee reported.

“Do we have to be worried about Huawei or other Chinese companies? Yes, I think we have to be worried about those companies,” Ansip said. Huawei pushed back: “Huawei has never been asked by any government to build any backdoors or interrupt any networks, and we would never tolerate such behavior by any of our staff,” Huawei said in a statement.

Separately, Bloomberg News reported that the Chinese company seeks to alleviate security concerns in Europe. “Huawei will offer to spend at least $2 billion to transform the way it engineers software, instead of merely applying one-off changes and workarounds in response to specific demands from companies and governments,” Bloomberg News's Thomas Seal reported, citing people familiar with the matter.

PUBLIC KEY

Sen. Rand Paul (R-Ky.) talks during a television interview on Capitol Hill in Washington on July 17. (J. Scott Applewhite/AP)

— Sen. Rand Paul (R-Ky.) said the views of President Trump’s pick for attorney general about domestic surveillance are “very, very troubling.” Speaking on NBC News’s “Meet the Press,” Paul said he hasn’t decided yet whether he will support William P. Barr. “I'm concerned that he's been a big supporter of the Patriot Act, which lowered the standard for spying on Americans,” Paul said of Barr. “And he even went so far as to say, you know, the Patriot Act was pretty good, but we should go much further.”

WATCH: Sen. Rand Paul talks William Barr, President Trump's pick for his next Attorney General. #IfItsSunday #MTP @RandPaul: "Uh-oh is right." pic.twitter.com/BnrszBltlm — Meet the Press (@MeetThePress) December 9, 2018

— Federal investigators are probing fake comments on net neutrality rules that were posted on the Federal Communications Commission’s website starting in April 2017, BuzzFeed News’s Kevin Collier and Jeremy Singer-Vine reported. “The Justice Department is investigating whether crimes were committed when potentially millions of people’s identities were posted to the FCC’s website without their permission, falsely attributing to them opinions about net neutrality rules,” Collier and Singer-Vine wrote.

PRIVATE KEY

Hands type on a computer keyboard in Los Angeles on Feb. 27, 2013. (Damian Dovarganes/AP)

— The New York Times explored how an industry that collects users' location information “has spread and grown more intrusive.” The Times reporters reviewed “a database of more than a million phones in the New York area” as part of their investigation. “At least 75 companies receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information, The Times found,” Jennifer Valentino-DeVries, Natasha Singer, Michael H. Keller and Aaron Krolik reported. “Several of those businesses claim to track up to 200 million mobile devices in the United States — about half those in use last year. The database reviewed by The Times — a sample of information gathered in 2017 and held by one company — reveals people’s travels in startling detail, accurate to within a few yards and in some cases updated more than 14,000 times a day.”

SECURITY FAILS

The FBI seal is displayed outside the bureau's headquarters in Washington on Feb. 2. (T.J. Kirkpatrick/Bloomberg)

— If you wonder whether your personal data has been hacked, this FBI official has a tip: “Every American person should assume all of their data is out there,” Elvis Chan, a supervisory special agent with the bureau, told the Wall Street Journal's Robert McMillan, underscoring how prevalent the sale of stolen personal data is on the dark web. McMillan wrote that “stolen information is spread across a dizzying array of black-market websites and discussion forums, where it is packaged, processed and sold in bulk for hard-to-trace digital currencies such as bitcoin. Many sellers aren’t trustworthy and prices can range wildly, but the marketplace is growing, fed by abundant supply.”

THE NEW WILD WEST

— France wants to know if Russia is trying to influence social unrest on its soil. “France opened a probe into possible Russian interference behind the country’s Yellow Vest protests, after reports that social-media accounts linked to Moscow have increasingly targeted the movement,” Bloomberg News's Carol Matlack and Robert Williams reported. “According to the Alliance for Securing Democracy, about 600 Twitter accounts known to promote Kremlin views have begun focusing on France, boosting their use of the hashtag #giletsjaunes, the French name for the Yellow Vest movement. French security services are looking at the situation, Foreign Minister Jean-Yves Le Drian said Sunday in a radio interview with RTL.”

— “Russian government-affiliated actors launched coordinated cyber attacks against Ukrainian government and military targets before and during the attack and seizure of Ukrainian ships and sailors on November 25, a private intelligence firm announced this week,” Defense One's Patrick Tucker reported. “The attacks appeared to be aimed at stealing information that would have been relevant to planning the operation, according to Stealthcare, a cyber threat intelligence group. If so, the revelation challenges Russia’s already widely-disputed claim that Ukraine initiated the crisis.”

FOR THE N00BS

ZERO DAYBOOK

Coming soon

EASTER EGGS