THE KEY

The Trump administration is blocking Congress from auditing a secret hacking policy it has already used for cyberattacks on Russia and Iran -- stonewalling that lawmakers say raises the risks of a dangerous misfire that could make cyberspace less secure.

The policy, which loosened the reins on military strikes against U.S. adversaries, has been withheld for more than a year from lawmakers -- even those who regularly review classified material. Lawmakers from both parties are concerned the Trump administration could plunge the country into a cyberwar without congressional approval or oversight, or at the very least, provoke retaliation that causes serious damage at home. 

“Congress needs to understand what that guidance is so we can ensure we are properly understanding how far this goes and what the parameters are,” Rep. Jim Langevin (D-R.I.), told me. “We need to...do our job and make sure the government is properly executing these authorities.” 

Langevin, who leads House Armed Services Committee's cybersecurity panel, is part of a bipartisan group of lawmakers that's been sending letters to the White House since February demanding the classified memo that outlines the muscular new hacking policy. 

Previous administrations routinely shared similar documents outlining when and how they'd hack back against adversaries, Langevin told me, but the Trump White House has not relented despite several months of negotiations. 

If the administration doesn’t share information about the policy soon, Langevin told me, the group plans to force the president’s hand, demanding the policy's release in an amendment to a must-pass defense policy bill that’s being negotiated now between the House and Senate. The White House declined to comment. 

Langevin generally supports the military striking back against government-backed hacking operations from Russia, China, Iran and North Korea, he said, but also warns that Congress must ensure those don’t undermine U.S. diplomatic priorities or prompt a wave of reprisals against U.S. businesses. 

Cyberspace is also a notoriously complicated and shadowy space where any attack the United States launches against an adversary could accidentally ricochet and damage an ally's computer networks — causing numerous complications. For example, Russia aimed the NotPetya worm at Ukraine, U.S. intelligence agencies concluded, but it ended up damaging computers in numerous other nations. 

“As we’re creating a more aggressive strategy in cyberspace, we need to make sure we’re doing it responsibly,” Langevin told me.

Trump's recently-departed National Security Adviser John Bolton, meanwhile, boasted in June that U.S. hacks had sucessfully deterred Russia from interfering in the 2018 midterm elections and promised to expand the scope of U.S. hacking operations. That same month, Trump approved a digital strike against an Iranian computer database used to attack oil tankers. 

The Trump administration has a long history of refusing congressional oversight on issues where lawmakers have accused the president of corruption or mismanagement, but it's comparatively rare for the administration to buck oversight in an area where lawmakers and experts have generally praised the administration’s efforts.

After House Speaker Nancy Pelosi’s (D-Calif.) decision to pursue an impeachment inquiry against Trump, though, the administration is unlikely to become more cooperative.

“It does seem a little bewildering that the doctrine hasn’t been shared,” Chris Painter, who was the State Department’s top cybersecurity diplomat during the Obama administration and the first months of the Trump administration, told me.

Painter also warned that with churn across much of the Trump administration — including a new national security adviser and defense secretary in recent months — it becomes more important that Congress monitor whether the hacking policy is doing what it’s supposed to.

“If you cut Congress out completely that takes away a valuable tool not just for oversight but for charting the way forward,” he said, “for seeing if other authorities are needed and seeing if we’re making the world a safer or less safe place.”

House Armed Services Chairman Adam Smith (D-Wash.) and ranking Republican Mac Thornberry (Tex.), who are leading negotiations with the Senate on the defense bill, have joined Langevin in pressing the administration for information about the policy, as has Rep. Elise Stefanik (N.Y.), the ranking Republican on the committee’s cybersecurity panel.

Smith and Thornberry both declined to comment on their efforts because negotiations with the Senate are ongoing.

PINGED, PATCHED, PWNED

PINGED: A bipartisan group of lawmakers wants to dedicate $1 billion to excising Huawei technology from U.S. telecommunications infrastructure by refunding small and rural companies that make the switch from the Chinese tech company that lawmakers say is complicit with Beijing’s spying. 

“America’s wireless future depends on our networks being secure from malicious foreign interference,” House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.), ranking Republican Greg Walden (R-Ore.), and Reps. Doris Matsui (D-Calif.) and Brett Guthrie (R-Ky.) wrote in a statement announcing the bill. Huawei and its affiliates can pose a significant threat to America’s commercial and security interests … We must get this done to protect our national security.”

The bill would also prohibit companies from using federal funds to purchase any equipment deemed a national security risk. It follows a May executive order that allows the U.S. government to block sales of Huawei equipment to U.S. companies and a presidential order banning Huawei from the United States' next-generation 5G wireless networks. The FCC, which would distribute the funding, has already moved to limit use of Huawei equipment in the United States.

PATCHED: Chinese hackers who targeted Uighur minorities in China also targeted Tibetan activists and government leaders, Reuters's Joseph Menn reports. Posing as journalists and human rights workers, the hackers sent the activists and officials malicious WhatsApp links that, if clicked, would have given them access to the target's location, contacts, call history, text messages and some app data.

Researchers at the University of Toronto's Citizen Lab linked the attacks to similar surveillance efforts against Uighurs identified by Google in the summer, which used the same exploits and spyware. Apple fixed the vulnerability after Google researchers flagged it, meaning that some of the potential victims in Tibet who had updated their software managed to avoid the attacks. Citizen Lab did not confirm how many phones were affected.

It's hard to say whether the Chinese government was behind the attacks, but the evidence points to a “very clear nexus with China,” Citizen Lab lead researcher Bill Marczak said.

PWNED: Add the nation's first Department of Homeland Security secretary to the list of former officials warning about the dangers of Huawei and other Chinese technology in America's telecommunications systems. There is an “undeclared digital war” between China and the United States and 5G is a battleground from which the United States can't retreat, former U.S. secretary of homeland security Tom Ridge told reporters yesterday.

“It’s one thing for them to try to secure as much information as they can about our country and everything related to it through the back door,” Ridge said. “But the notion that we would willingly, knowingly permit them to embed software into our telecommunications infrastructure for me is just a security risk that's not worth taking.”

Ridge also knocked arguments that Huawei gear is cheaper and possibly more advanced than competitors, saying that those advantages were not worth the risk of potentially giving foreign adversaries tens of billions of access points into U.S. critical infrastructure. Lawmakers and executive branch officials have recently called for the United States to invest in competing technologies to give consumers non-Huawei options.

PUBLIC KEY

— Cybersecurity news from the public sector:

Andrei Tyurin is the first person to be convicted in the case, in which prosecutors said cyberattacks targeted a dozen American companies, including JPMorgan Chase.
The New York Times
Two competing groups tied to the United Nations are trying to outmaneuver one another when it comes to establishing behavior norms in cyberspace.
CyberScoop
PRIVATE KEY

— Cybersecurity news from the private sector:

Exclusive: Another dating app fails to secure production server and puts users at risk.
ZDNet
The gang is thought to be behind ransomware attacks that have caused havoc in Texas.
BBC News
Apple is warning users of a bug in iOS 13 and iPadOS involving third-party keyboards. In a brief advisory posted Tuesday, the tech giant said the bug impacts third-party keyboards which have the ability to request “full access” permissions.
TechCrunch
THE NEW WILD WEST

— Cybersecurity news from abroad:

Carpet bombing - the DDoS technique that's just perfect for attacking ISPs, cloud services, and data centers.
ZDNet
ZERO DAYBOOK

— Today:

  • The House Committee on House Administration will host an oversight hearing for the Federal Election Commission at 9 a.m.
  • Michael Rogers, former US Navy Admiral, and previous chief of the National Security Agency, will join University of Virginia's Cyber Innovation and Society Initiative for its distinguished speaker series at 1 p.m. in Charlottesville (livestream here).

— Coming up:

  • Auburn University's Embassy of Estonia in partnership with the Embassy of Estonia and Center for Internet Security will host a forum on securing elections Thursday at 9:30 am in Washington, D.C. 
  • The House Energy and Commerce Committee will host a hearing to discuss securing America's wireless future and the deployment of 5G communications on Friday at 9:30 am.
  • The House Science Committe will host a hearing on "Online Imposters and Disinformation" Thursday at 2 p.m.
  • The House Judiciary Committee will host a hearing on securing America's elections at 9am on Friday.