THE KEY

A major cybersecurity conference’s decision to cancel a keynote address by Rep. Will Hurd (R-Tex.) over his antiabortion voting record is dividing the cybersecurity community.

The move by the Black Hat cybersecurity conference also highlights how partisan politics is creeping into the once largely nonpartisan field of cybersecurity. Political disputes aren't unheard of at Black Hat -- but they usually center around debates over government hacking and surveillance that don’t break down along neat party lines.

Critics of the move say it sows unnecessary conflict with one of Washington’s top lawmakers on cybersecurity issues -- and risks alienating other Republicans, whose votes will be vital to passing cybersecurity legislation or raising funding to secure elections against digital attacks.

“Our community needs to build bridges to Congress & we publicly burned one [political party],” John Bambenek, a longtime cybersecurity intelligence researcher, tweeted. “They’ll remember when we show up with an ask.”

Susan Hennessey, a senior fellow at the Brookings Institution and a former National Security Agency attorney, tweeted that “to disinvite [Hurd] from Black Hat over his views on abortion, promotes a flawed and counterproductive narrative that cybersecurity & election security are partisan.”

Supporters of the move, however, say that inviting a lawmaker who has voted to restrict abortion unnecessarily alienates women who work in cybersecurity — a field that is notoriously male dominated and has a difficult legacy of gender discrimination and harassment.

“A keynote from a lawmaker who doesn’t believe women should have fundamental human rights is not a great way [to] make women feel welcome in the infosec community,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation digital advocacy group, said on Twitter.

Chad Loder, CEO of the cybersecurity company Habitu8, threatened that his company would boycott the conference before Hurd’s keynote was canceled and called the move a “slap in the face to women in cybersecurity.”

Hurd, a former CIA officer and cybersecurity executive, has led a number of bipartisan cybersecurity efforts in Congress — including recent legislation to improve the cybersecurity of Internet-connected devices. He’s also a frequent speaker at Washington cybersecurity conferences and has attended Black Hat’s sister conference Def Con several times, including with Democratic Rep. Jim Langevin (R.I.), another top cybersecurity policymaker, in 2017.

But he has a traditionally Republican voting record on abortion, including votes to outlaw the procedure after 20 weeks and to stop federal funding to Planned Parenthood, which provides abortions among other services.

Black Hat, which was founded in 1997 and is one of the largest annual gatherings of cybersecurity researchers, withdrew Hurd’s keynote invitation on Friday after publicizing it Thursday. Conference organizers said in a statement that they “misjudged the separation of technology and politics” and that the conference “is not the appropriate platform for the polarizing political debate resulting from our choice of speaker.”

Hurd’s communications director Katie Thompson told me in a statement that the congressman was “honored” by the initial invitation and “has always sought to engage groups of people that don't necessarily agree with all of his votes or opinions.”

Some critics of canceling the keynote echoed that sentiment, arguing that antiabortion views are widely held and shouldn’t restrict someone from addressing a conference on an unrelated topic.

Jennifer Granick, a surveillance and cybersecurity counsel at the American Civil Liberties Union, fretted that the disinvitation could be a slippery slope that would preclude many lawmakers from addressing the conference — a troubling outcome at a time when Congress is facing an ever-increasing bevy of cybersecurity problems ranging from Russian and Chinese cyberattacks to the government's own digital vulnerabilities.

Yet Lesley Carhart, principal threat analyst at the cybersecurity company Dragos, argued Black Hat could invite lawmakers – just not for keynote addresses, which she said should be kept free from partisan politics and where “detaching a politician from votes impacting the audience is impossible.”

PINGED, PATCHED, PWNED

PINGED: A New York Times story Saturday describes another way the Trump administration is pivoting to more offensive cyber operations, after using digital attacks to protect the 2018 elections.

The story by David E. Sanger and Nicole Perlroth, which was attributed to current and former government officials, describes U.S. Cyber Command implanting malicious software in portions of the Russian power grid “at a depth and with an aggressiveness that had never been tried before… intended partly as a warning, and partly to be poised to conduct cyberstrikes if a major conflict broke out between Washington and Moscow.”

The story did not detail where the alleged digital implants were placed or how they could be effectively used to deter Russian attacks – which can be immensely difficult given the complexity of electrical grid systems, Johns Hopkins University cybersecurity professor Thomas Rid pointed out on Twitter.

The Times also reported that President Trump “had not been briefed in any detail” on the operation out of concern he might “countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.”

Trump, who has frequently disputed accurate news stories in the past, said on Twitter that the story was “NOT TRUE!” and called it a “virtual act of Treason.”

Cybercom declined to comment on the story to me.

PATCHED: Huawei’s revenue is expected to drop $30 billion over the next two years due to a series of U.S. government actions against the Chinese telecom giant, the Associated Press’s Dake Kang and Yanan Wang reported.

During a panel discussion at the company’s headquarters, founder Ren Zhengfei compared Huawei to a “badly damaged plane” after U.S. actions that restricted the company’s suppliers and banned it from U.S. government contractors and grant recipients among other restrictions, according to the AP.

“We never thought that the U.S.’s determination to attack Huawei would be so strong, so firm,” Zhengfei said.

PWNED: Government agencies need to stop verifying people’s identities with information from credit agencies including Equifax that could be widely available to hackers and fraudsters, a new government watchdog report says.

The Commerce Department effectively ordered agencies to stop using credit report information to verify people’s identities after the 2017 Equifax breach in which hackers compromised credit information about roughly 40 percent of the U.S. population. 

And yet, of the agencies named in the report, only the Department of Veterans Affairs has even partially introduced an alternative verification system. The U.S. Postal Service and the Social Security Administration had no timeline to phase out or reduce credit report-based verification. And the Health and Human Services Department's Medicare office flat-out rejected the recommendation, stating that alternatives to credit report-based verification, such as asking people to send in a cellphone photo of a driver's license, "are not suitable" for some Medicare recipients.

PUBLIC KEY

-- A bipartisan pair of senators wants to make sure the federal government isn’t doing secret work in buildings leased from Chinese companies that Beijing could have seeded with digital spying devices. 

The Secure Federal Leases from Espionage And Suspicious Entanglements Act comes in the wake of a 2017 Government Accountability Office report which found that the FBI, Drug Enforcement Administration and other agencies were doing high-security work in offices owned by companies based in China and other foreign countries, presenting risks of “espionage and unauthorized cyber and physical access.” Most of the agencies didn’t know their office space was foreign owned, GAO found.

The bill from Sens. Gary Peters (Mich.), ranking Democrat on the Senate Homeland Security Committee, and Rob Portman (R-Ohio) would require the government to verify who owns any building that houses high-security work. “Sensitive materials and private data housed in properties owned by foreign adversaries, especially those with sophisticated intelligence agencies, is simply an unacceptable security risk for our nation,” Peters said in a statement.

More cybersecurity news from the public sector:

  • The former vice president promises not to use dubious tactics, days after President Trump says he would listen if foreign governments offered information on his rivals. (Amy Wang)
  • Huawei’s American chip suppliers, including Qualcomm and Intel, are quietly pressing the U.S. government to ease its ban on sales to the Chinese tech giant, even as Huawei itself avoids typical government lobbying, people familiar with the situation said. (Reuters)
  • Troubles at the Election Assistance Commission could undermine the effort to safeguard the 2020 presidential contest from foreign meddling. (Politico)
  • Group responsible for safety tampering Triconex malware has expanded, researchers say. (Ars Technica)
  • In a strangely public product announcement, the phone-cracking firm revealed a powerful new device. (Wired)
  • Sens. Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska) on Friday introduced legislation aimed at safeguarding the privacy of consumer health data, specifically the data involved in DNA testing kits and health tracking apps. (The Hill)

PRIVATE KEY

Cybersecurity news from the private sector:

  • Healthcare billing vendor got hacked last year and hackers put patient data for sale online. (ZDNet)
  • A computer science student has scraped seven million Venmo transactions to prove that users’ public activity can still be easily obtained, a year after a privacy researcher downloaded hundreds of millions of Venmo transactions in a similar feat. (TechCrunch)

THE NEW WILD WEST

Cybersecurity news from abroad:

  • Argentina said it isn’t ruling out a cyberattack after what President Mauricio Macri called an “unprecedented” power blackout struck five South American countries on Sunday. (Bloomberg)
  • Exclusive: Yana Peel co-owns NSO Group that licensed Pegasus software to authoritarian regimes. (The Guardian)

ZERO DAYBOOK

Coming up:

  • On Tuesday, the Senate Committee on Foreign Relations will host a hearing on regional security in Ukraine.
  • The Senate Committee on Homeland Security and Governmental Affairs will consider a host of cybersecurity bills on Wednesday, including the IoT Cybersecurity Improvement Act of 2019.
  • On Thursday, the House Committee on the Judiciary hosts "Lessons from the Mueller Report, Part II: Bipartisan Perspectives."