The Trump administration has refused to share with Congress its secret new policy for hacking back against the United States’ digital adversaries — which raises the risks of a dangerous misfire that could make cyberspace less secure.

That’s the argument Rep. Jim Langevin (D-R.I.) is making, as he ramps up his quest to force the White House to bow to congressional oversight and share the policy. 

“As we’re having this more forward-leaning strategy, we also have an obligation to promote and preserve stability in cyberspace,” Langevin told me. “I want to make sure that everyone knows what their responsibilities are and that we’re staying in the proper parameters.”

Security experts have generally praised the Trump administration’s increasing muscularity in cyberspace, saying that other responses such as sanctions and indicting hackers, haven’t done enough to cow the United States’ digital adversaries.

But increased aggression also brings serious risks. For example, hackers at U.S. Cyber Command could accidentally do more damage to a target than intended, for example, increasing the possibility of a conventional military conflict — including with well-armed foes such as Russia or Iran. Or U.S. hackers could accidentally strike allies’ computer networks, ratcheting up international tension.

“We want to make sure we’re not creating more of a Wild West than already exists,” Langevin, who chairs the House Armed Services panel that oversees cyber operations, told me. 

Langevin is among a bipartisan group of lawmakers that has been pushing the White House to share the secret policy for nearly a year — ever since it was first reported that the White House had replaced an Obama-era policy, which kept much tighter reins on offensive hacking operations. 

The group also includes Armed Services Committee Chairman Adam Smith (D-Wash.), ranking Republican Mac Thornberry (Tex.) and Rep. Elise Stefanik (N.Y.), ranking Republican of the cyber-focused subcommittee.

The group sent a letter pushing for the policy in February, and last week they added a provision to the House version of a must-pass defense policy bill that would force the White House to release it. 

Now they’re pushing for the Senate to accept a similar provision in the final version of the defense bill that will become law, Langevin told me. 

“I’ve been asking for this for almost a year but with no resolution,” he told me. “I’m hoping the administration will provide the documents to Congress and allow us to perform our constitutional responsibility, but if that doesn’t happen, we’re prepared to require them to do so by law.”

The White House declined to comment directly on whether it would share the policy, which is officially called National Security Presidential Memorandum 13.

A senior administration official told me in a statement that “the administration keeps Congress appropriately informed of cyber operations, including by providing briefings and documents.” 

Langevin supports the Trump administration getting tougher on Russia, Iran and the United States’s other digital adversaries, he told me — especially an operation that shut down a Russian troll farm so it couldn’t interfere in the 2018 U.S. midterm elections. But he worries both about the risk the policy could be mishandled and the precedent of operating without congressional oversight. 

“This is the first time that such a major policy document has not been provided to Congress that I recall,” he said.


PINGED: U.S. tech companies are lobbying the Trump administration to allow them to sell chips and other cellphone and laptop parts to Huawei despite a government ban, my colleagues Jeanne Whalen and Reed Albergotti report.

The Trump administration imposed that ban because of fears that Huawei would spy for the Chinese government and U.S. equipment could help them do it. But the companies argue that, unlike telecom equipment, selling parts for phones and laptops wouldn’t pose a national security risk. Meanwhile, the Trump administration is divided between Treasury Secretary Steven Mnuchin, who favors relaxing the ban, and China hawks who want it to remain in place, Jeanne and Reed report. 

Separately, a China trade analyst argued Thursday that the Commerce Department ban is really about gaining leverage in trade negotiations with China, not cybersecurity.

“Could we damage Huawei — [China’s] national champion — as leverage in a trade deal. That’s what that was about,” Robert Atkinson, founder and president of the Information Technology and Innovation Foundation, said during a discussion hosted by the Brookings Institution and the right-leaning American Enterprise Institute.

Lawmakers who have argued Trump’s recent efforts to roll back the ban amount to going easy on China “are missing the boat completely,” he said.

PATCHED: A Georgia hacker who stole more than $300,000 from dozens of high-profile professional athletes and rappers was sentenced to prison yesterday, the Justice Department announced in a news release. The FBI didn't reveal names of his victims, but mentioned that they included both NBA and NFL players.

Kwamaine Jerell Ford, who was convicted of computer fraud and aggravated identity theft charges in March, tricked the celebrities into sending him their Apple logins by posing as a customer service representative for the company. After he gained access to the victims’ Apple accounts, he reset their logins and locked them out, prosecutors said.

Over the three-year period he operated the scheme, Ford stole credit card information found in the accounts to rack up hundreds of thousands of dollars in charges on travel, retail purchases, restaurants and cash transfers to his own accounts, prosecutors said. Ford will serve three years and one month in prison.

PWNED: Some anti-virus companies have touted artificial intelligence as a “silver bullet” for quickly spotting and blocking new hacking tools, but the system has some bugs of its own, Kim Zetter reports for Motherboard.

Researchers at Sydney-based Skylight Cyber were able to trick a major A.I.-based anti-virus tool built by BlackBerry Cylance into believing that malicious software was actually benign, Kim reports. They did it by inserting code from software the tool had already deemed “white-listed” into malicious code. The machine-learning algorithm was trained to prioritize ignoring white-listed code, so it never noticed the malicious code that came along with it. Researchers were even able to use the trick to get WannaCry, a notorious ransomware that locked up more than 230,000 computers around the globe in just a day in 2017, past the anti-virus software.

The new research shows that even if A.I. anti-virus software can help identify emerging new malware, its algorithms could also be exploited by hackers who can figure out how to dupe them. "After around four years of super hype [about AI], I think this is a humbling example,” Adi Ashkenazy, CEO of Skylight Cyber, told Kim.


— Cybersecurity news from the public sector:

A former National Security Agency contractor awaits sentencing in Baltimore’s federal court for storing two decades’ worth of classified documents at his Maryland home
Associated Press
Numerous security deficiencies in the agency’s IT ecosystem could leave data on millions of taxpayers at risk, according to the Government Accountability Office.
A Department of Defense cybersecurity contractor has been charged with threatening to kill a member of Congress over a bill that would require children in public schools to receive vaccinations, according to a criminal complaint filed in federal court earlier this month.
The president said on July 18 that he had received numerous complaints about a not-yet-awarded Pentagon cloud computing contract that could go to Amazon Web Services.
Aaron Gregg and Jay Greene
A bipartisan group of senators on Thursday introduced legislation to increase cybersecurity training for U.S.
The Hill

— Cybersecurity news from the private sector:

Consumer Tech
The app was having a viral moment until questions arose about privacy issues and its ownership.
Hannah Denham and Drew Harwell
CrowdStrike reports first earnings report since IPO.
Slack will reset the passwords of users it believes are affected by a historical data breach that affected the company more than four years ago. In 2015, the company said it was hit by hackers who gained access to its user profile database, including their scrambled passwords.
Tech Crunch
Consumer Tech
As many as 4 million people have Web browser extensions that sell their every click. And that’s just the tip of the iceberg.
Geoffrey Fowler
Cell phone carriers still have a long way to go before making your accounts truly secure.

— Cybersecurity news from abroad:

Britain's new prime minister must urgently make a decision on the role Chin...
European law enforcement agencies set to lose the ability to tap criminals'...