The Trump administration has given the U.S. military more latitude than ever to launch offensive hacking operations against U.S. adversaries. Rep. Jim Langevin says it'll be one of his top priorities this Congress to make sure the administration is not using that power irresponsibly.
“As the gloves come off, we want to make sure our policies are implemented the right way, that we’re not overstepping, that we’re acting consistent with our values,” Langevin (D-R.I.), incoming chair of the House Armed Services Committee panel responsible for cyber conflict, told me.
Now that Democrats are in charge of the House, Langevin plans to hold subcommittee hearings and conduct other oversight on Trump's August order loosening Obama-era rules that governed how and when U.S. troops could use cyber tools to disrupt or degrade adversaries’ computer networks.
If Trump administration rules are implemented well, those offensive strikes could raise the costs bad actors pay for violating norms of good behavior in cyberspace and convince them to clean up their acts, said Langevin, who co-founded the Congressional Cybersecurity Caucus.
But if the military flubs the implementation -- by striking too hard or simply vexing adversaries rather than cowing them -- Langevin warns there could be consequences. He worries the new policy could undermine the very norms of good behavior the United States is trying to promote in cyberspace and make Americans less safe in the process.
The Trump strategy could backfire especially if the United States ends up in an escalating tit-for-tat cyber conflict with a nation that’s less reliant on the Internet and so has less to lose.
There’s also a danger that if the United States acts too muscularly in cyberspace it could prompt other nations to do the same, ultimately creating more conflict in cyberspace rather than less, Langevin said.
“It’s enough of a wild West out there as it is now,” he told me.
The specific wording of Trump’s order isn’t public, but it generally devolved the authority for launching offensive hacking operations, which used to rest with the president, to the agency that manages the hacking, national security adviser John Bolton has said. That typically means the secretary of defense will make the call for military hacking operations but, in some cases, that authority rests lower down the chain of command, officials have said.
The order’s ultimate goal is to cause enough pain to U.S. cyber adversaries that they decide it’s not worth attacking the United States in cyberspace, Bolton told reporters during a September conference call. The change in strategy came after several years during which alternative responses, such as indictments, sanctions and naming and shaming hackers, generally failed to deter U.S. cyber adversaries.
Here are some other highlights from my interview with Langevin:
Another cyber czar?: Langevin plans to reintroduce a bill he sponsored with Rep. Ted Lieu (D-Calif.) in the last Congress that would require the Trump administration to reinstate the White House cybersecurity coordinator position and make it a Senate-confirmed job, he said.
Bolton eliminated the cyber coordinator role soon after taking office in May, a move Langevin said was a major step backward in addressing the nation’s cyber needs. “We’re trying, now more than ever, to have a coordinated strategy to protect our country in cyberspace, and how do you do that without a coordinator?” he asked.
Supply chain vulnerabilities: Langevin also plans to introduce legislation and do oversight focused on reducing cyber vulnerabilities in the Defense Department’s vast network of hardware and software contractors, he said.
That move comes after Congress successfully passed broad legislation to protect the civilian government’s cyber supply chain last Congress.
Espionage: Langevin applauded the Trump administration’s December indictment of two Chinese Ministry of State Security hackers for stealing hundreds of gigabytes of sensitive business information, but said he hopes the indictments will be followed with sanctions against the companies and organizations that benefited from that stolen data.
The Trump administration considered sanctions, but Treasury Secretary Steven Mnuchin blocked the proposal, my colleagues Ellen Nakashima and David J. Lynch reported.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Washington's metro system will revise the specifications for a contract for rail cars to include cybersecurity safeguards amid concerns about cyberespionage should China's state-owned rail car manufacturer win the contract, The Washington Post's Robert McCartney and Faiz Siddiqui reported. Metro is set to award the contract later this year. “The changes are expected to require the winning bidder get its hardware and software certified as safe by a third-party vendor cleared by the federal government,” according to my colleagues.
The transit agency decided to amend the request for proposals after David Horner, a member of Metro's board representing the federal government, expressed worries. “My concern is that state-sponsored enterprises can serve as platforms for conducting cyberespionage against the United States,” Horner, a former U.S. deputy assistant secretary of transportation, told Robert and Faiz. “These risks are today not widely understood, but their significance is becoming apparent very quickly.”
Andrew Grotto, a former senior director for cybersecurity policy on the National Security Council, said Washington faces a particularly high risk of espionage as the U.S. capital. “Malware could divert data collected from the high definition security cameras. An adversary with that data could then use facial recognition algorithms to track riders, potentially right down to the commuting patterns of individual riders,” Grotto, now a fellow at Stanford University’s Center for International Security and Cooperation, told my colleagues.
PATCHED: The National Counterintelligence and Security Center wants U.S. businesses to better protect themselves from foreign threats emanating from nation-state actors. The NCSC, which is part of the Office of the Director of National Intelligence, launched a campaign to provide businesses with best practices to protect their data and networks, according to a news release from the ODNI.
“Make no mistake, American companies are squarely in the cross-hairs of well-financed nation-state actors, who are routinely breaching private sector networks, stealing proprietary data, and compromising supply chains,” NCSC Director William Evanina said in a statement. “The attacks are persistent, aggressive, and cost our nation jobs, economic advantage, and hundreds of billions of dollars.”
The campaign uses videos, posters and other materials that were previously distributed to federal employees. The campaign materials also aim to raise awareness among U.S. businesses about a broad range of risks including threats to the supply chain, spearphishing and deception via social media. “Adversaries may create fake profiles on social media, posing as a job recruiter or someone with a shared interest, to connect with and elicit information from business persons,” according to the news release.
PWNED: A 20-year-old German man confessed to publishing data via Twitter on hundreds of politicians and public figures including Chancellor Angela Merkel, Bloomberg News's Chris Reiter and Karin Matussek reported. The Federal Criminal Police Office (BKA) said in a statement that the man, a student from the state of Hesse living with his parents, was arrested after authorities raided his home Sunday and was released the day after following his confession. “He also gave investigators assistance in uncovering crimes committed by others, which helped him avoid pretrial detention, officials said,” according to Bloomberg News.
Most of the data that was spread on Twitter consisted of contact information such as email and phone numbers, but more sensitive information including bank account details or bills was also published online in 50 to 60 cases, according to the Wall Street Journal's Ruth Bender. “The arrest of a young German resident puts to rest concerns that a foreign intelligence service could have been behind the data theft after a string of cyberattacks in recent years authorities have blamed at times on Russian or Chinese cyber thieves,” Bender wrote.
— The Supreme Court declined Monday to weigh in on a class-action lawsuit that was prompted after cyber researchers discovered exploitable vulnerabilities in a Jeep Grand Cherokee. Chrysler, the defendant in the suit, wanted the high court to declare that Jeep owners couldn’t sue because the company fixed the vulnerability before anyone was hacked. The case will now continue at the U.S. district court level.
— A study found that South Carolina state election officials miscounted hundreds of ballots because of “continued software deficiencies” in voting systems during last year’s primary and general elections, StateScoop’s Benjamin Freed reported. The analysis found that 148 ballots were counted twice in a precinct in Marlboro County in a June primary election. In another precinct, more than 400 votes were counted in the wrong county board race during the general election.
Duncan Buell, a computer science professor at the University of South Carolina, conducted the study for the League of Women Voters of South Carolina. “Neither case involved enough votes to swing the outcome of an election, but Buell told StateScoop the incidents demonstrate the state continues to use poorly designed software that poll workers, many of whom are volunteers working long shifts, struggle to operate correctly,” Freed wrote.
— More cybersecurity news from the public sector:
— Zerodium, a company that purchases and sells hacking tools to governments, increased the bounties it pays to security researchers who find exploits on mobile devices and desktops, Motherboard's Lorenzo Franceschi-Bicchierai reported. For instance, hackers who find exploits for WhatsApp or Apple's iMessage could receive $1 million. The company could also pay up to $2 million for iPhone remote jailbreaks. Such price hikes illustrate the fact that it is increasingly difficult to hack mobile devices, according to Motherboard.
“Announcement: We are increasing our bounties for almost every product. We're now paying $2,000,000 for remote iOS jailbreaks, $1,000,000 for WhatsApp/iMessage/SMS/MMS RCEs, and $500,000 for Chrome RCEs. More information at: https://t.co/0NBRnq4I4y” — Zerodium (@Zerodium), January 7, 2019
“Messaging apps in general and WhatsApp in particular are sometimes the only communication channel used by targets and end-to-end encryption makes it difficult for our government customers to intercept such communications,” Chaouki Bekrar, the founder of Zerodium, told Franceschi-Bicchierai in an online chat. “So having the ability to remotely compromise these apps directly without compromising the whole phone is much more strategic and effective.”
— More cybersecurity news from the private sector:
- The Brookings Institution hosts a discussion titled “How China and the U.S. are advancing artificial intelligence” on Jan. 14.
- The Center for Strategic and International Studies hosts a discussion on the Justice Department's responses to cyber threats on Jan. 15.