Dear Readers: The Cybersecurity 202 is taking a break for the holidays starting on Monday, Dec. 24. We will be back in your inboxes ready to go for 2019 on Jan. 7. Thanks for reading this past year and we hope you, your family and friends have a relaxing and happy holiday season and new year.
While we’re away, check out The Post’s new premier daily podcast, Post Reports. Unparalleled reporting. Expert insight. Clear analysis. Every weekday. Get new episodes online, to your email or in a podcast app: Apple Podcasts | Google Podcasts | Stitcher
Sen. Gary Peters, the incoming top Democrat on the Senate Homeland Security Committee, wants to make it easier for the government to protect against Russia, China and other cyber adversaries sneaking spying tools into its vast digital supply chains.
Peters (Mich.) wants to ask federal agencies in the next Congress about how effectively they’re instituting a government-wide ban against the Russian anti-virus Kaspersky, which officials worry is a Kremlin spying tool, he told me.
Peters is also considering reintroducing legislation to create a government-wide council to oversee supply-chain cybersecurity and to fast-track decisions about risks to how the government buys everything from smartphones to custom-built computer systems that store and process tax information and military data. That bill was originally sponsored by Peters’s predecessor as ranking Democrat , Sen. Claire McCaskill (Mo.), who lost her bid for reelection in November.
“We need to make sure agencies are doing what they need to do and identifying any problems they have in achieving their goals,” Peters told me.
Peters’s move comes amid broad concern the government’s sprawling chain of contractors and subcontractors presents an easy target for hackers. If adversaries, from foreign countries to domestic disruptors, gain a foothold in one company that serves sensitive branches of the government such as the Pentagon or the Homeland Security Department, they could use it to steal troves of classified data or to disrupt or disable vital government computer programs.
The Kremlin, for example, may have used Kaspersky to steal troves of intelligence documents off an analyst’s home computer, the Wall Street Journal reported.
Congress has instituted big changes already. In addition to banning Kaspersky late last year, Congress ordered the government in August to cancel all contracts that include technology from the Chinese telecoms Huawei and ZTE, which officials worry could assist Chinese government surveillance.
But this piecemeal approach -- in the form of a ban of a specific company by Congress or DHS -- can take months. That's too slow to fully protect the United States against the light-speed pace of cyberthreats, DHS’s top cyber official Chris Krebs has said.
The Homeland Security Committee in November passed the Federal Acquisition Supply Chain Security Act to fix this problem, which McCaskill co-sponsored with Sen. James Lankford (R-Okla. But that measure isn’t expected to reach the Senate floor before the close of this Congress.
The bill is similar to a Trump administration proposal that would go a step further, effectively empowering DHS to bar contractors and subcontractors that pose cybersecurity or national security risks through their civilian contracts.
A bill that implements some of the Trump administration plan passed the House this Congress, but not the Senate.
Details of his renewed effort are still being worked out, Peters told me. Peters has discussed cyber issues with Chair Ron Johnson (R-Wis.), he said, but didn’t offer details of those discussions.
Peters has other cyber priorities next Congress, he told me, including assessing the help DHS cyber teams provided to state and local election official during the 2016 midterms and how they can improve that assistance before 2020.
“I’m very concerned about foreign influence,” he told me. “We need to bring people in and ask them the tough questions."
Peters also plans to reintroduce a measure to create a rotation program allowing cyber workers at one government agency to take short-term tours at another agency. That bill, which Peters co-sponsored with Sen. John Hoeven (R-N.D.), is based on a similar program among military services.
“When it comes to cybersecurity, particularly on the civilian side, many of our agencies are very siloed,” Peters said. “They’re not talking with each other.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Sensitive European communications about President Trump's dealings with them and other foreign leaders were hacked, most likely by an elite section of China’s People’s Liberation Army, said cybersecurity firm Area 1, according to the New York Times’s David E. Sanger and Steven Erlanger. Oren Falkowitz, chief executive of Area 1, told the Times that hackers were able to access the E.U. communications following a phishing attack against diplomats in Cyprus. Sanger and Erlanger reported that a “former senior intelligence official said that the European Union had been warned, repeatedly, that its aging communications system was highly vulnerable to hacking by China, Russia, Iran and other states. The official said the warnings were usually received with a shrug.”
The hackers also penetrated the networks of other institutions such as the United Nations, foreign affairs and finance ministries across the world as well as the AFL-CIO, the Times reported, adding that more than 100 organizations were targeted. “After over a decade of experience countering Chinese cyberoperations and extensive technical analysis, there is no doubt this campaign is connected to the Chinese government,” Blake Darche, an expert at Area 1, told the Times.
PATCHED: Federal agencies reported more than 35,000 cybersecurity incidents to DHS's U.S. Computer Emergency Readiness Team in fiscal 2017, according to a report by the Government Accountability Office. Such incidents included phishing, web-based attacks and theft or loss of computer equipment, the report said. Moreover, 22 percent of cybersecurity incidents resulted from people who did not follow an agency's user policy. “These incidents and others like them can pose a serious challenge to economic, national, and personal privacy and security,” the report said.
The report also found that many agencies are lagging when it comes to improving digital security, as Nextgov's Jack Corrigan noted. “Seven agencies earned negative marks on four indicators of cyber hygiene: the departments of Agriculture, Commerce, Health and Human Services, State and Veterans Affairs, NASA and the Small Business Administration,” according to Nextgov. Corrigan also reported that the study identified shortcomings in efforts by DHS and the Office of Management and Budget to bolster cybersecurity across the federal government.
PWNED: Several cybersecurity experts say there are signs that Iran-linked groups have started to carry out cyberattacks against the United States and Europe following President Trump's decision to withdraw the United States from the Iran nuclear deal and restore sanctions against Tehran, according to Wired's Lily Hay Newman. Even though some recent cyberattacks have not been definitely attributed to Iran, some analysts have spotted clues of increased hacking activity from groups linked to Tehran, Wired reported.
“The most direct potential tie to Iran comes from a new wave of attacks utilizing a variant of the famously destructive virus called Shamoon,” Hay Newman wrote, adding the variant recently hit Saipem, an Italian oil company.
Additionally, Certfa, a British cybersecurity firm, spotted a phishing operation against U.S. Treasury officials and other targets that probably came from the Iran-linked hacking group Charming Kitten, according to Wired. “If you look at these groups, they’re not hacking for money, what they’re doing is very much nation state motivations,” Eric Chien, a fellow in Symantec's security technology and response division, told Hay Newman.
— Haisam Elsharkawi, a U.S. citizen of Egyptian descent, is suing the federal government as he alleges that officers from U.S. Customs and Border Protection and DHS stopped him at Los Angeles International Airport last year and coerced him into unlocking his phone to search the device, according to Motherboard's Lorenzo Franceschi-Bicchierai. The suit was filed in California in October, according to Motherboard. When Elsharkawi declined to unlock his phone and requested an attorney, “CBP officers allegedly handcuffed him and took him to a room for more questioning, where a DHS officer eventually convinced him to unlock the phone and then looked through it for 15 minutes,” Franceschi-Bicchierai reported.
But as Ars Technica's Cyrus Farivar noted, federal agents can search devices such as a phone or computer without a warrant at the border. “They rely on what’s known as the ‘border doctrine’ — the legal idea that warrants are not required to conduct a search at the border,” Farivar wrote. “This legal theory has been generally recognized by courts, even in recent years.”
— A poll found that a majority of Americans said they were confident the midterm elections were secure from hacking, the Hill's Jacqueline Thomsen reported. “The Pew Research Center found that 64 percent of Americans trusted that elections were secure, while 35 percent had little or no confidence in that statement,” Thomsen wrote. “That’s a rise in confidence in election security compared to another poll conducted by Pew ahead of November’s midterms, during which only 45 percent of Americans thought the elections would be secure from threats like hacking.”
— More cybersecurity news from the public sector:
— A NASA server may have been hacked, the Register's Chris Williams reported. “According to an internal memo circulated among staff on Tuesday, in mid-October the US space agency investigated whether or not two of its machines holding employee records had been compromised, and discovered one of them may have been infiltrated,” Williams wrote. “The agency's top brass stressed no space missions were affected, and identity theft protection will be offered to all affected workers, past and present.”
— Ken Hu, one of the four deputy chairmen of Chinese telecommunications giant Huawei, pushed back during a news conference against efforts in several countries to prevent the company from taking part in the rollout of 5G networks, according to the Wall Street Journal's Dan Strumpf. “There isn’t any evidence that Huawei poses a threat to national security to any country,” Hu said, as quoted by the Journal. Strumpf reported that Hu also “reiterated Huawei’s independence from state leaders in Beijing and said cybersecurity is among the company’s highest priorities.”
— More cybersecurity news from abroad:
- The Center for Strategic and International Studies hosts a discussion on the Justice Department's responses to cyber threats on Jan. 15, 2019.
Why Michael Flynn’s sentencing delay matters:
Trump shuts down foundation amid allegations of illegal conduct:
Trump administration announces bump stock ban: