THE KEY

Congress might finally be ready to develop a comprehensive strategy to tackle cybersecurity threats from Russia, China and elsewhere — but it will need the Trump White House to be a partner.

The Cyberspace Solarium Commission, which formally launched Wednesday, aims to offer a grand vision for how the nation should tackle cybersecurity threats. It's based on a similar commission, called Project Solarium, that President Dwight Eisenhower established in 1953 to develop a policy to contain the Soviet Union during the Cold War. 

The commission comes with a lot of political heft. Among its 14 members, there are four executive branch leaders and four lawmakers who represent both parties in the House and Senate.

“One benefit of having four sitting members … is we can inject ideas immediately into the legislative bloodstream,” Rep. Mike Gallagher (R-Wis.), a commission co-chair, told me. “We’re really thinking about how do we, in the final report, have a set of legislative recommendations that are ready to go?”

It also has the benefit of good timing — coming when lawmakers and the public are more focused on cybersecurity threats than they were before because of Russian intervention in the 2016 election and a cavalcade of data breaches.

“To be honest, until 2016, I don’t think we really took this sufficiently seriously. We didn’t realize the extent of the threat,” Sen. Angus King (Maine), an independent who caucuses with Democrats and the commission’s other co-chair, told me.

But turning the commission’s big ideas into government policy will require a lot of support and coordination from the top. And it’s not clear the Trump White House — which has focused mostly on projecting toughness in cyberspace and eliminated the position of White House cybersecurity coordinator — is interested in that role. Trump's White House has loosened the reins on the military’s offensive hacking operations and ramped up the pace of sanctions and indictments against foreign hackers. But it has paid less attention to developing its own policy for when the U.S. should retaliate or developing cyberspace rules of the road with allies.

And while Eisenhower was the one to convene the original Project Solarium, this version was launched out of Congress — in an amendment Sen. Ben Sasse (R-Neb.), who’s also a commission member, inserted into an annual defense policy bill. Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, is also a member. 

“Something needs to be done. This White House isn’t going to do it, so maybe the commission can,” said Bobby Chesney, a former Justice Department official who directs the Center for International and Security Law at the University of Texas at Austin. 

Some on the commission are also concerned that the lack of a White House cybersecurity coordinator could impede the process. “Even with the participation and involvement of key departments and agencies, it’s just incredibly difficult to bring about change other than through White House leadership,” Suzanne Spaulding, who led Homeland Security Department cyber operations during the Obama administration, told me.

And the commission could impact the White House directly, which risks a fight down the line: The commission's recommendations might also include reinstating the cybersecurity coordinator role or otherwise updating how the White House manages cybersecurity, King and Gallagher both told me. 

But there are reasons the White House may be receptive to the eventual recommendations. The commission will be focusing on a raft of cybersecurity issues ranging from criminal hacking to Chinese IP theft, rather than narrowly on election security, Russian hacking and other issues that have raised the president’s ire.

And, although there are no White House officials on the commission, it does include representatives from the most powerful federal agencies focused on cybersecurity, including FBI Director Christopher A. Wray and Deputy Director of National Intelligence Susan Gordon, as well as acting deputy directors at the Homeland Security and Defense departments.

The project also offers a distinct and dramatic structure. Instead of all the commissioners immediately trying to reach agreement on recommendations, they’ll split up into three groups — each representing a different worldview. Those groups will then battle it out to see which ideas are the strongest.

During the original Project Solarium, that argument between the three groups happened in a day-long National Security Council meeting with Eisenhower presiding, according to Gallagher — who wrote a PhD thesis partly focused on the project at Georgetown University.

This time around, the commission will hold a similar “contest of wills” in September, King said, and then try to publish a report on its conclusion in December. The contest of wills may or may not happen publicly, he said.

PINGED, PATCHED, PWNED

PINGED: The Justice Department announced Wednesday the arrests of two Israeli citizens for running a dark web site called DeepDotWeb that referred people to sites where they could buy hacking tools, guns and drugs including cocaine, heroin and fentanyl.

The men – Tal Prihar and Michael Phan – were both arrested abroad, Cyberscoop’s Jeff Stone reported.

“The website, which has been seized by law enforcement as part of the operation, reaped more than $15 million in illegal proceeds since 2013,” Stone reported.

DeepDotWeb essentially acted like a referral service for the dark web – a portion of the internet that’s inaccessible to search engines – showing visitors how to find illicit goods, Stone reported.

He described the arrests as “the latest move in a steady international campaign aimed at rooting out dark web markets. Police last week announced the closure of Wall Street Market, until now the second-most-popular site of its kind.”

During a press conference announcing the arrests, law enforcement also warned dark web surfers against Tor, an anonymizing tool that people use to visit the dark web, Stone reported.

“To the people using these sites … I advise you to reconsider the anonymity of the Tor network, .onion addresses and the ability of these markets to shield you from law enforcement,” said Robert Allan Jones, FBI Special Agent in Charge of the Pittsburgh field office.

PATCHED: The Russian delegation to an international cryptography standards body may have snuck in an encryption flaw that could be exploited by hackers – or the Kremlin, Motherboard’s Joseph Cox reported.

“The Russian delegation, who designed the algorithm, say the flaw is a coincidence, but multiple people deciding whether the algorithm should become a standard aren't convinced,” Cox reported.

The flaw, which was discovered in January, was discussed during a meeting in Tel Aviv of the International Organization for Standardization – and “Russian officials weren’t very happy,” a meeting participant told Cox.

Such disputes aren’t unheard of. The NSA has faced its own big questions about its cryptographic algorithms, Cox notes.

PWNED: The Chinese company CRRC still plans to bid on a contract to build DC metro trains, despite concerns raised in Congress that the project could present a spying opportunity for Beijing, Reuters’ Alexandra Alper and Allison Lampert report.

“The world’s largest maker of passenger trains has roared into the U.S. market in recent years, clinching contracts in Boston, Philadelphia, Chicago and Los Angeles by underbidding rivals - including Canada’s Bombardier - by hundreds of millions of dollars,” Reuters reports.

“It plans to bid this month on the D.C. Metro rail car contract, worth more than $500 million, Dave Smolensky, a spokesman for the company’s Chicago-based CRRC Sifang subsidiary told Reuters. And it has also set its sights on winning an order to supply 1,500 cars as part of New York City’s massive subway system upgrade, according to an industry source familiar with the matter,” the report continues.

Critics, however, say those low prices come as a result of Chinese state subsidies. And the contracts could assist the U.S. rival in a vast spying operation – especially in U.S. centers of government and finance.

“While some experts have described the purported cyber threat as fear mongering, CRRC is taking steps to counter those concerns, telling Reuters it plans to hire a new lobbyist, engage a cyber security adviser and host an industry summit to explore tougher cyber regulations and take a critical look at its own protocols,” the news service reported.

PUBLIC KEY

Cybersecurity news from the public sector:

Special counsel Robert Mueller last month revealed the suspected hacking in a report on Russian interference in the 2016 election.
Politico
The GrayKey promises access to locked iPhones. And ICE is its biggest fan.
Forbes
A House hearing highlighted differences on how the government should work to strengthen tech companies’ protection of personal information, as a huge fine looms for Facebook.
Wall Street Journal
“Government incident responders must either be cape-and-tights-wearing superheroes, or so stressed they’re barely hanging on by their fingernails.”
Nextgov

PRIVATE KEY

Cybersecurity news from the private sector:

Amazon.com Inc. said it was hit by an "extensive" fraud, revealing that unidentified hackers were able to siphon funds from merchant accounts over six months last year.
Bloomberg
Amazon.com Inc.'s Echo Dot Kid digital personal assistant is collecting children’s data without parental consent, privacy advocates are alleging in a complaint to the Federal Trade Commission.
Bloomberg Law
The CFO of a school lunch distributor faces charges of identity theft and unauthorized computer access and could spend three years in prison.
Vice

THE NEW WILD WEST

Cybersecurity news from abroad:

This time no hacking tools were released, but the leakers exposed a previously unknown Iranian APT group.
ZDNet