The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: There's a fight brewing over Homeland Security's push for subpoena power

with Tonya Riley


The U.S. government is currently seeing warning signs of cyberattacks on industrial control systems that could cause massive financial damage or loss of life -- and there's nothing it can do to alert the companies that own them. 

That’s why the Homeland Security Department says it's appealing to Congress to grant it broad subpoena power to force Internet companies to share the names of vulnerable organizations. The agency's plan is to proactively alert companies that operate energy grids, oil and gas processing and chemical plants when it sees signs hackers might strike from Russia, Iran or other countries. 

But critics are already charging that this could result in vast government overreach. They argue this subpoena power would bypass individual companies' existing privacy rights -- and suggest DHS could use it to gather information about far more companies than just industrial control systems. 

“The [U.S. government’s] view of this appears to be... ‘Please trust us to not abuse any authority to demand identifying information,’” Stanford University cybersecurity policy scholar Herbert Lin told me. 

The concern is also that DHS could then use its inside view of companies' security to mandate they make digital protections that aren't in their best business interest. 

Jake Williams, a former NSA hacker and founder of Rendition Infosec, called the move a "huge power grab" and said the government might use it in a way lawmakers did not intend, per TechCrunch’s Zack Whittaker who first reported DHS’s interest in the subpoena power.

It will also be a tough sell in Congress where the pendulum is swinging toward privacy and many lawmakers will likely be wary of letting government demand even more information from industry.

"As proponents of [DHS’s Cybersecurity and Infrastructure Security agency]’s work, we are interested in ensuring CISA has the authorities it needs to do its work with the public and private sectors. We also need to be sure that proper privacy measures are in place,” an aide for the House Homeland Security committee, which is reviewing the DHS request, told me.

The Senate Homeland Security Committee has received a classified briefing on the proposal and is "reviewing potential legislative solutions," an aide told me. 

The problem is that DHS has Internet scanning tools that can find highly sensitive industrial systems that are vulnerable to attack, but it often doesn’t know where those systems are or who owns them. Internet service providers that have such information are legally barred right now from sharing it.

That means hackers from Russia, Iran or North Korea might figure out where those vulnerable facilities are before DHS or the company does and cause serious damage -- for example, by causing a leak at an energy plant or allowing contamination at a water treatment facility.

Those sorts of massively destructive attacks mostly haven't happened in the real world yet, but one terrifying scenario occurred in 2015 when Russia-linked hackers shut out the lights in large parts of Ukraine for hours — the most damaging known industrial cyberattack so far.

“We have multiple nation states, and in some cases criminals, who are actively seeking ways to get into our industrial control systems,” Jeanette Manfra, CISA’s second-in-command, told reporters during a briefing.

The agency only requested the subpoena power after years of trying other ways to identify and alert the companies but not finding a good fix, and is eager to work with Congress to make the subpoena authority as limited as possible so it won’t be misused, Manfra said,

“We are very aware of the concerns about overreach,” she said. “We have a long history of collecting similar types of data through voluntary programs and have demonstrated ways of protecting that as well as ensur[ing] that that information is only used for the purposes that it was collected for.”

Some experts thought the plan was reasonable. Robert Chesney, a former Justice Department official and University of Texas law professor, called the plan “quite modest” and said in an email it would be easy for Congress to “hedge this authority with all sorts of transparency, record keeping, and oversight provisions, in order to make sure it doesn’t get used for other purposes.”

Others questioned why DHS isn’t just asking Internet service providers to pass along cybersecurity concerns on its behalf and suggested the agency may want to bully companies into making specific fixes. 

“If the [government] wants trust, the [government] — all parts of it — have to behave in ways that engender trust from the business community,” Lin said. “In the absence of such behavior, it's not surprising that the business community would resist measures that could easily be abused.”


PINGED: The Trump administration will soon issue licenses allowing some U.S. companies to bypass a U.S. ban on selling software and other components to the Chinese telecom giant Huawei, Ana Swanson at the New York Times reports. Trump gave the greenlight in advance of sensitive trade negotiations with China this week, people familiar with the matter told Ana.  

The Commerce Department placed Huawei and dozens of its affiliates on a no-sell list in May citing national security concerns that the Chinese government could use Huawei equipment for espionage, an allegation that Huawei has adamantly denied. Trump promised to lift some of those restrictions after meeting with Chinese President Xi Jinping in June, but no licenses have been granted so far. And the pledge drew criticism from numerous lawmakwers who fretted Trump would damage national security as a bargaining chip in the trade dispute. 

The ban holds "as of the moment," a Commerce Department spokesman told the Times. 

PATCHED: A bipartisan group of senators wants to make sure that a new council tasked with preventing unsafe companies from working on government computer networks is also helping Congress and the judiciary keep their networks clean, according to a letter shared exclusively with The Cybersecurity 202.

Congress created the Federal Acquisition Security Council in 2018 as a fast track to bar dangerous companies from government networks after it took a massive effort to ban two companies suspected of foreign spying — Russia's Kaspersky Lab and China's Huawei.

But there’s no requirement for the council to share its expertise with Congress or the judiciary, leaving those branches vulnerable to cyberattacks, the letter from Senate Homeland Security Chairman Ron Johnson (R-Wis.), ranking Democrat Gary Peters (Mich.) and Sens. Tom Cotton (R-Ark.) and Ron Wyden (D-Ore.) to Office of Management and Budget Director Mick Mulvaney states.

The senators are asking Mulvaney to create a plan that specifically incorporates Congress and the judicial branch into the council’s work.

“Americans may accept the principle of the separation of branches of government, but our adversaries don’t abide by that principle,” the senators note.

PWNED: The European Union warned member states yesterday that the move to next-generation 5G telecommunication networks will substantially increase their risk of cyberattacks, but the long-awaited report stopped far short of endorsing a ban on Huawei that the United States has been pushing.  The U.S. has long urged E.U. allies to steer clear of Huawei, which is one of three main suppliers of 5G gear, over concerns the company is complicit in Chinese spying.

Instead, the E.U. report simply warns member states that an over reliance on one company could create risks — especially if that company has strong ties to a nation-state — and suggests members diversify their suppliers, Natasha Lomas at TechCrunch reports. The report doesn't mention which companies might pose risks.


-- Australia's cybersecurity agency is facing a whirlwind of criticism after it asked a lawyer to tone down his critiques of the country's encryption laws in a speech at a conference this week, The Guardian's Josh Taylor reports. Lawyer Ted Ringrose says conference organizers asked him to remove "biased" language from his speech saying that while Australia’s encryption laws look worse on the surface, in reality it is “just about as bad as China."

Officials eventually dropped the request, which comes as Australia is working with the U.S. to push Facebook to delay plans to expand encryption protections.

-- Trump is nominating Kirstjen Nielsen, a cybersecurity savvy former homeland security secretary who left her post in April amid controversy over immigration policy, for a new advisory role, the White House announced. If confirmed, Nielsen will serve as a member of the National Infrastructure Advisory Council.

More cybersecurity news from the public sector:

NSA director rebukes Beijing for 'weaponizing' disinformation in Hong Kong protests - CyberScoop (CyberScoop)

Counterterrorism Analyst Arrested for Leaking to Two Journalists (Wall Street Journal)

Mississippi audit finds ‘disregard’ for cybersecurity across state (StateScoop)

NIST is hunting for tech to secure the energy sector’s network (Nextgov)


Fewer than half of Americans can correctly identify when digital devices are protected with two-factor authentication, one of the most basic systems for keeping devices secure, according to a new study from the Pew Research Center. And only 30 percent know that "https://" means a site's data is encrypted.

Americans fared better when it came to phishing scams. Nearly 70 percent knew that phishing attacks target users with emails and text messages to steal their passwords.

But the wide-ranging study illustrates that there are significant gaps for most Americans when it comes to understanding their privacy online. Just 2 percent of the adults were able to answer all 10 digital-knowledge questions Pew posed correctly.

— More cybersecurity news from the private sector:

Apple Angers China by Approving Cop-Tracking Map App for Hong Kong (Wall Street Journal)

A controversial plan to encrypt more of the Internet (Wired)

Twitter transgression proves why its two-factor authentication is such a privacy trap (Ars Technica)


— Cybersecurity news from abroad:

Moroccan activist says NSO’s elite spy tools hacked his iPhone (Forbes)

Hong Kong protesters get pro bono cybersecurity help from Silicon Valley (MIT Technology Review)


— Coming up:

  • The House Committee on Homeland Security will host a Field hearing “Preparing for 2020: How Illinois is Securing Elections” on Oct. 15 at 10 a.m. in Gurnee, Ill.