THE KEY

A pair of Pennsylvania computer science professors will come to Washington next week with a message for the cybersecurity community: More high schoolers need to start learning advanced cybersecurity skills if the nation has any hope of protecting itself against a rising wave of cybercrime.

Jacob Miller and Sandra Gorka, both Pennsylvania College of Technology computer science professors, will outline a grass-roots program they developed to get high school students prepared for cybersecurity careers at ShmooCon, an annual hacker convention held in Washington, through advanced level classes and hands-on training. They’ll also lay out how ShmooCon attendees -- which typically include security and policy professionals and students -- could launch similar programs across the nation. 

“By the time kids reach college they’ve often decided what they want to do for a career. You need to get them interested in cybersecurity at an earlier age,” Miller told me. 

The address comes as the United States faces a deficit of nearly 300,000 cybersecurity workers that threatens to leave large swaths of the U.S. economy underprotected against criminal hackers, according to a May report from the Homeland Security and Commerce departments. More than half of cybersecurity workers say short staffing has left their organization more vulnerable to hacking, according to another report from the cyber credentialing organization (ISC)2. That workforce shortage will only become more damaging as criminal hackers become more sophisticated, and traditional college cybersecurity programs aren’t doing enough to fill the talent gap, Miller and Gorka told me.

Miller and Gorka won a 2016 National Science Foundation grant to pioneer a college-level cybersecurity course that high school students can take for college credit and that they say can be a model for early cyber training programs in other states. After two years offering the course to students in a handful of high schools near Pennsylvania College of Technology in Williamsport, Pa., they plan to transition it next year to a dual enrollment program that could offer the course in dozens of high schools across the state.

Under that program, high school instructors are trained to teach college courses, and their students receive college credit. It’s too early to say how many high schools will offer the cyber class, Miller told me. The course covers technical topics as well as legal, policy and ethical challenges in cybersecurity, he said.

Despite widespread concern about the shortage of cyber workers, there’s no national program to surge education and training. 

The May report from the Homeland Security and Commerce departments included more than 65 recommendations, sub-recommendations and action items to increase the federal cybersecurity workforce, but most were vaguely worded or lacked concrete mandates or timelines.

A National Cyber Strategy released in September that built off that report was even shorter on details. It described working with Congress on programs to re-skill workers from other fields for cybersecurity jobs and bringing in more cyber pros from abroad through merit-based immigration programs.

The Commerce Department’s National Initiative for Cybersecurity Education, run out of the National Institute of Standards and Technology, offers scholarships and tutorials aimed at high school-aged students, but on a relatively limited scale.

As a result, most of the work of training new cyber workers is being done in a bottom-up fashion by small programs such as Miller and Gorka’s.

In connection with the ShmooCon presentation, the pair is planning to offer their course materials online for teachers in other states who want to emulate their program, they told me.

They’re also working on a separate grant to develop cyber curriculum for junior high and middle-school students.

“If you go into a first- or second-grade class and ask what do you want to be when you grow up, it’s doubtful anyone would say information security analyst,” Miller told me. “But we want to raise the profile so when they’re thinking of doctors, nurses and firefighters, they’ll also think of IT pros and security in IT. That’s the holy grail of where we want to see this project go.”

PINGED, PATCHED, PWNED

PINGED: Instead of directly attacking U.S. utilities, Russian hackers started by targeting hundreds of small contractors and subcontractors such as construction companies to carry out “the worst known hack by a foreign government into the nation’s electric grid,” the Wall Street Journal's Rebecca Smith and Rob Barry reported.

The Journal's play-by-play of the 2017 attack shows operatives taking aim at small companies as well as larger utilities. Two energy companies that were targeted in the campaign also make systems to provide emergency power to Army bases. Two dozen or more utilities were breached in the campaign, according to some experts. The hackers took advantage of relationships of trust between businesses and “worked their way up the supply chain,” according to Smith and Barry.

“The hackers planted malware on sites of online publications frequently read by utility engineers,” the Journal reported. “They sent out fake résumés with tainted attachments, pretending to be job seekers. Once they had computer-network credentials, they slipped through hidden portals used by utility technicians, in some cases getting into computer systems that monitor and control electricity flows.”

PATCHED: Georgia's Secure, Accessible and Fair Elections (SAFE) Commission recommended the adoption of voting machines that print paper ballots, rather than hand-marked paper ballots, to replace the state's paperless direct-recording electronic voting machines, the Atlanta Journal-Constitution's Mark Niesse reported. “The commission voted 13-3 to endorse touchscreens and ballot printers when the Georgia General Assembly considers buying a new statewide voting system during this year’s legislative session, which starts Monday,” according to the Journal-Constitution.

Election security experts say paperless electronic voting machines are significantly more vulnerable to hacking than paper-based voting systems or machines that include a paper trail. “Ballot-marking devices with verifiable paper ballots ensure that a voter’s selection in each contest is captured in a manner that will be accurately counted,” the SAFE Commission’s report said, according to Niesse. “The Commission believes that moving from one form of touchscreen voting to another will be an easier transition for Georgia voters than it would be to move to hand-marked paper ballots.”


PWNED: Ring, a company that makes home security cameras and was acquired by Amazon, applied lax access controls to its customers' video feeds, potentially allowing employees to watch customers in their homes, according to the Intercept's Sam Biddle. “Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world,” Biddle wrote. The video files were not encrypted and could be viewed, downloaded and shared easily.

Meanwhile, the company also allowed executives and engineers in the United States access to live feeds of cameras from some Ring customers even if those employees might not have needed that access in their jobs. Those with such access only needed the email address of a customer in order to be able to watch cameras from the customer's home, but a “source said they never personally witnessed any egregious abuses,” Biddle reported. (Amazon founder and chief executive Jeffrey P. Bezos owns The Washington Post.)

After the story's initial publication, "Ring spokesperson Yassi Shahmiri told The Intercept that 'Ring employees never have and never did provide employees with access to livestreams of their Ring devices,' a claim contradicted by multiple sources," Biddle reported. 

This item has been updated to reflect Ring's response to the Intercept story. 

PUBLIC KEY

— Reps. Jerry McNerney (D-Calif.) and Robert E. Latta (R-Ohio) introduced two bills aiming to bolster the defenses of the U.S. power grid, according to a news release from McNerney's office. The first bill, titled Enhancing Grid Security through Public-Private Partnerships Act, would promote collaboration between the public and private sectors via the sharing of best practices and data collection. The legislation would also provide training and assistance to electric utilities.

The second bill, named Cyber Sense Act, would establish a voluntary program at the Energy Department called “Cyber Sense” to identify secure products to be used in the bulk-power system. “The electric grid is the backbone of our economy and touches every aspect of our lives,” McNerney said in a statement. “Any vulnerable component or weakness is a threat to our physical and national security.”

— A report found that IT vulnerabilities at the Defense Department could prove costly for the agency, Nextgov's Jack Corrigan reported. “The Defense Department inspector general flagged some 800 new shortcomings across the agency’s IT systems and processes in 2018, according to a report published Tuesday,” Nextgov reported. “Much of the flawed tech is used to process contract payments and other transactions, leaving the department’s financial ecosystem potentially vulnerable to bad actors, auditors said.”

— A man was sentenced in Boston to more than 10 years in prison and must pay almost $443,000 in restitution for conducting a cyberattack on behalf of the Anonymous group against a hospital, Reuters's Nate Raymond reported. The man, named Martin Gottesfeld, carried out the attack to protest the treatment of a teenage girl at the center of a custody dispute. “A federal jury in August found him guilty of two counts, including conspiracy to damage protected computers related to cyberattacks he carried out in 2014 on Boston Children’s Hospital and another facility,” Reuters reported.

— More cybersecurity news from the public sector:

Federal law enforcement professionals, working without pay, say they’ve been reduced to bargaining chips. (The Washington Post, Devlin Barrett, Tom Jackman and Nick Miroff)

DARPA and private companies are looking to improve supply chain security through the use of tiny chips and diamonds that can authenticate IT parts used by the government. (FCW)

Self-described computer whiz Christian Rodriguez told jurors on Thursday how he had a nervous breakdown from the stress of cooperating with the FBI to hack into the secure communication system he built for accused Mexican drug lord Joaquin “El Chapo” Guzman. (Reuters)

PRIVATE KEY

— AT&T said it will stop selling its customers' location data to third-party companies, according to The Washington Post's Hamza Shaban and Brian Fung. The announcement comes after Motherboard reported that T-Mobile, Sprint and AT&T sell access to their customers' location information to third-party service providers. Bounty hunters and others can ultimately access that data through this system.

“In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services — even those with clear consumer benefits,” AT&T said in a statement, according to my colleagues. “We are immediately eliminating the remaining services and will be done in March.”

— More cybersecurity news from the private sector:

Researchers built a tool that can predict where you live and work, as well as other sensitive information, just by using geotagged tweets. (Wired)

THE NEW WILD WEST

— Polish authorities charged a Chinese Huawei executive with carrying out espionage for China, the Wall Street Journal’s Drew Hinshaw and Dan Strumpf reported. A Polish citizen who was deputy head of the IT security department at Poland's Internal Security Agency was also detained.

“Officers of Poland’s counterintelligence agency this week searched the local Huawei office, leaving with documents and electronic data, as well as the home of the Chinese national, Poland’s state-owned broadcaster reported Friday,” according to the Journal. “The individual wasn’t named, but was identified as a graduate of one of China’s top intelligence schools, as well as a former employee of the Chinese consulate in the port city of Gdansk.”

ZERO DAYBOOK

Coming soon

EASTER EGGS

Furloughed employees rally against shutdown.

Is your food safe to eat? Shutdown forces FDA to sharply reduce food inspections.

What's Deepak Chopra doing at CES of all places?