THE KEY

Sen. Ron Johnson tells me his top cybersecurity goal as chair of the Senate’s Homeland Security Committee this Congress is to make it more attractive for cybersecurity workers to stay in government jobs rather than flee to the private sector.

If the government can’t keep and recruit top workers, Johnson (R-Wis.) worries that the United States won’t be able to defend itself against sophisticated hackers from U.S. adversaries such as China or Russia — and might not be able to help critical industry sectors such as energy plants and airports secure their networks. 

Retaining these highly skilled workers — as the nation faces a massive shortage of trained security pros — was already tough because cyber workers can earn two or three times their government salary in the private sector. It’s going to be far harder after the 35-day government shutdown that furloughed about half the Homeland Security Department’s main cyber agency and required the other half to work without pay, Johnson told me in an interview.

“This is not helping the federal government’s ability to attract and retain people in some very important positions that require a fair amount of sacrifice,” Johnson told me.

Johnson says he wants the Senate to consider a wide range of incentives for government cyber workers including raised pay and more flexibility to move from agency to agency to share their expertise and gain new skills.

Concerns that government is losing the race for top cyber talent are long-standing in government but Congress, so far, has done little to mend the situation. Frustration over the shutdown, however, may spark an exodus that necessitates action.

Sen. Mark R. Warner (Va.), ranking Democrat on the Senate Intelligence Committee, fretted in a Monday letter to Homeland Security Secretary Kirstjen Nielsen that “shutdowns like this one have the effect of discouraging talented individuals from joining the Federal workforce, and [push] some of our best toward alluring careers in the private sector.”

Caitlin Durkovich, a former DHS assistant secretary with cyber responsibilities, called on Congress during a mid-shutdown panel discussion hosted by the House Homeland Security Committee to “rethink the civil service system to make sure we can get the best and the brightest, that they’re well paid, that they have benefits and that they have the flexibility we have in the private sector.” 

Retaining cyber workers will take more than a single fix, Johnson told me.

As a first move, Johnson said, he plans to focus on creating a fast track for civilian government cyber workers to rotate between agencies.

The committee’s new ranking Democrat, Sen. Gary Peters (Mich.) introduced during the last Congress a bill that would allow this — and told me in December that he’s also interested in renewing it.

The goal of the program, which is based on military joint duty systems, is to “boost collaboration between agencies” and to help employees “enhance their careers and broaden their cybersecurity expertise,” Peters said in a statement.

Johnson also wants Congress to consider boosting pay for cyber workers outside the normal range for federal employees, he told me. That’s going to be a tough sell because of agreements with employee unions and because many other categories of federal workers consider themselves underpaid, Johnson acknowledged.

“There will be the question: ‘Why are these people special?’” Johnson told me. “You do risk opening up a large can of worms. But, to a certain extent, the marketplace has to dictate it.”

Congress should also consider allowing some carve-outs for top cyber officials from an Obama-era law that requires top federal leaders to divest from stocks in areas where they might have insider knowledge and to publicly report contents of their stock portfolios, Johnson told me.

That bill, the STOCK Act, which was primarily aimed at halting insider trading by members of Congress, won large bipartisan majorities when it passed in 2012.

Before making other proposals, Johnson said, he wants to hold numerous hearings and gather data about how bad the cyber workforce problem is and if it's affecting some parts of government more than others.

“We really need to examine to what extent we’re not able to attract talent, to what extent we have very high turnover, going through the problem-solving process, gathering information and describing reality before we can really describe a solution,” he said.

PINGED, PATCHED, PWNED

PINGED: A Russian company that Special Counsel Robert S. Mueller III’s team indicted for spreading disinformation during the 2016 campaign is now spreading disinformation about the Mueller probe, prosecutors said.

The company Concord Management and Consulting altered and then leaked some discovery materials related to the prosecution in an effort “aimed (apparently) at discrediting ongoing investigations into Russian interference in the U.S. political system,” prosecutors said in a filing, The Washington Post's Spencer S. Hsu reported.

A Twitter account called “@HackingRedstone” released the altered documents on Oct. 22 and claimed it had accessed the “Mueller probe’s database” after penetrating a Russian server, my colleague reported. In reality, that was just a cover for the documents shared during the legal discovery process, my colleague reported. The FBI found no evidence of a hack of Mueller's office, according to the filing.


PATCHED: The Justice Department is in the final stages of dismantling a massive botnet operated by an elite North Korean hacking unit, according to a news release. Officials charged the operation’s leader, Park Jin Hyok, last fall with running the botnet that infected 100,000 routers, but that was only the start of the operation.

For the past several months, FBI and U.S. Air Force Office of Special Investigations officials have secretly operated servers that posed as infected computers within the botnet in order to map its operations, according to the news release. Now, investigators are reaching the final phase – alerting the remaining botnet victims directly and asking them to disinfect their computers.

“Our efforts have disrupted state-sponsored cybercriminals who used malware to establish a computer network that gave them the ability to hack into other computer systems,” U.S. Attorney Nicola T. Hanna said in a statement. “While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet.”

PWNED: Several former U.S. intelligence operatives joined a surveillance team called Project Raven that spied and hacked on behalf of the United Arab Emirates, Reuters's Christopher Bing and Joel Schectman reported. The American former spies used skills that they acquired while working for the U.S. intelligence community to spy on opponents of the UAE. Targets included human rights activists, governments and militants — but also Americans. “I don’t think Americans should be doing this to other Americans,” Lori Stroud, a former intelligence analyst for the National Security Agency who took part in Project Raven, told Reuters. “I’m a spy, I get that. I’m an intelligence officer, but I’m not a bad one.”

The targeting of Americans began after the UAE moved the hacking team to a company called DarkMatter in 2016. The laws governing what U.S. intelligence contractors can do when they work for another country are not very clear, according to experts. But those contractors would be breaking U.S. law if they hacked into American networks or harvested Americans' communications. “It would be very illegal,” Rhea Siers, a former deputy assistant director for policy at the NSA, told Reuters.

PUBLIC KEY

— New York state announced an investigation into Apple's response to a FaceTime glitch that allowed users to listen in on the recipient of a call before the person had picked up, the Wall Street Journal's Tripp Mickle reported.  A statement from New York Attorney General Letitia James, who announced the probe along with New York Gov. Andrew M. Cuomo, said the probe will look at the company's failure to warn users about the flaw and its slow response to the issue. “New Yorkers shouldn’t have to choose between their private communications and their privacy rights,” James said. “This FaceTime breach is a serious threat to the security and privacy of the millions of New Yorkers who have put their trust in Apple and its products over the years.”

— Another major oversight priority for the Homeland Security Committee this Congress will be making sure DHS is effectively implementing a new law aimed at keeping government’s technology supply chain free from cybersecurity risks, Johnson told me. Congress approved that law after passing separate government bans for the Russian anti-virus company Kaspersky and the Chinese telecoms Huawei and ZTE. Going forward, Johnson told me, he wants to make sure the intelligence community is sharing information with DHS about digital spying threats so questionable companies can be barred from government networks as quickly as possible.

Johnson also wants to dig into reports that Homeland Security’s system for detecting and preventing government-wide cyber threats is catching only a small percentage of intrusion attempts, he told me. Federal Chief Information Officer Suzette Kent told Johnson in a September 2018 letter that the system, known as EINSTEIN, detected only 1,600 out of 44,823 cybersecurity incidents across federal civilian networks during a 15-month period. “DHS has got a long way to go in terms of protection of cyber assets,” Johnson said.

— The Defense Department created a working group to patch cybersecurity weaknesses that a group of military hackers and IT specialists spotted last fall, Bloomberg Government's Travis Tritten reported. “The tests found the Military Healthcare System Genesis, which will eventually serve more than 9 million beneficiaries at dozens of military hospitals and hundreds of clinics, was still ‘not survivable’ when the system was hit with staged attacks,” according to Tritten.

— More cybersecurity news from the public sector:

Local
The case in federal court in Virginia was mistakenly referenced in an unrelated file.
Rachel Weiner
Comments come during New York arraignment of alleged leaker
Bloomberg News
PRIVATE KEY
Technology
Facebook shrugs off controversies and has record quarterly profits as well as growth in monthly active users. The company said it is shutting the app down for Apple users.
Hamza Shaban and Tony Romm
It looks like Facebook was not the only one abusing Apple’s system for distributing employee-only apps to sidestep the App Store and collect extensive data on users.
TechCrunch
Google is taking steps to make it harder for someone to push a malicious update that disables the security features on an Android phone.
Motherboard
A top official at technology group IOTA Foundation said most of the roughly $11 million in the company’s cryptocurrency stolen from investor wallets has been found, but the funds are being held to be used as evidence by law enforcement authorities against the alleged perpetrator of the heist.
Reuters
SECURITY FAILS

— The Minnesota Department of Human Services reported a data breach that potentially exposed personal information including names, dates of birth and contact information of up to 3,000 people, according to the Associated Press. “Commissioner Tony Lourey tells legislative leaders it happened Sept. 28 when an employee fell for a phishing scam and clicked on a malicious link that caused the employee’s email account to send spam,” the AP reported.

— A collection of breached databases amounting to 2.2 billion unique usernames and associated passwords is circulating “on hacker forums and torrents,” according to Wired's Andy Greenberg. “Despite its unthinkable size, which was first reported by the German news site Heise.de, most of the stolen data appears to come from previous thefts, like the breaches of Yahoo, LinkedIn, and Dropbox,” Greenberg wrote. “WIRED examined a sample of the data and confirmed that the credentials are indeed valid, but mostly represent passwords from years-old leaks.”

— More news about security incidents:

Airbus SE said its jetliner business was hit by a data breach that gave intruders access to some employees’ personal information.
Bloomberg News
THE NEW WILD WEST
The ban is seen as the first in a succession of similar restrictions on the Chinese telecom giant and its rival ZTE likely to land in the Czech Republic as the U.S. pushes its European allies to restrict Huawei and ZTE from building internet infrastructure on the continent.
The Wall Street Journal
Slovakia does not consider Chinese telecoms supplier Huawei as a security threat and would need evidence the company’s technology poses a risk before imposing any restrictions, Prime Minister Peter Pellegrini said on Wednesday.
Reuters