THE KEY

A group of House Republicans could have created a field day for Russian and Chinese intelligence agencies when they stormed into a secure Capitol Hill room where their colleagues were taking impeachment testimony yesterday with their cellphones in tow.

The protest, which Republicans argued was intended to bring transparency into the probe into President Trump's Ukraine policy, violated the most basic cybersecurity protections technologists try to impose on the rooms where lawmakers receive and discuss classified information – basically giving insider access to any spy agency that had compromised a single lawmaker’s cellphone and could snoop through the camera or microphone.

“They may have brought in the Russians and the Chinese with their electronics … They violated our oath to protect national security by bringing electronics into that room,” said Rep. Eric Swalwell (D-Calif.), who was inside the Sensitive Compartmented Information Facility, or SCIF, at the time.

Mieke Eoyang, a former House Intelligence Committee staffer who managed meetings inside the same SCIF during the Obama administration, told me: “This is the kind of thing that, for people who work in national security, makes our hair stand on end.” 

The protest demonstrated how rank-and-file lawmakers can be one of government’s biggest cybersecurity vulnerabilities.

Members of Congress are high-value targets for Russian and Chinese hackers who routinely go after their personal devices and email accounts, but lawmakers don't get any special protection for those devices and often don’t have enough training or savvy to protect them themselves.

Google, for example, informed an unspecified number of senators that foreign hackers were targeting their Gmail accounts last year.

“The likelihood that there has been an active campaign by foreign actors to infiltrate their devices is highly probable,” Steven VanRoekel, who was the government’s top IT official during the Obama administration, told me.

Despite that danger, efforts to mandate cybersecurity training for lawmakers or to add protections for their personal devices, pressed by Sen. Ron Wyden (D-Ore.) and others, have largely languished.

“My experience with members of Congress is unless they’re affirmatively taught how to be security conscious it doesn’t occur to them,” said Eoyang, who leads the Third Way think tank’s national security program. “They don’t realize what a target they are [for hackers].”

The approximately two dozen conservative lawmakers seemingly stormed their way into the SCIF before a guard could collect their personal devices. Once inside, the interlopers boasted about the invasion, seeming to tweet from inside the secure room, though they later said they were sending messages to staff who were doing the actual tweeting.

Here’s Rep. Matt Gaetz (R-Fla.), who led the effort:

And Rep. Mark Walker (R-N.C.):

The Republicans mostly surrendered their devices once they were inside the SCIF, but some refused, Swalwell told reporters. That was contradicted, however, by Rep. Mark Meadows (R-N.C.), who was also in the room. The House Sergeant-at-Arms, who is responsible for the chamber’s cybersecurity and whose office collected the devices, declined to comment.

Swalwell serves on the House Intelligence Committee and Meadows is on the House Oversight Committee, two of three committees, along with Foreign Affairs, whose members were allowed into the closed-door session.

The Republican protesters, who don’t serve on any of those three committees, arrived at the SCIF right before testimony from Laura Cooper, a Pentagon official responsible for Ukraine policy, as my colleagues Elise Viebeck, Rachael Bade and Kayla Epstein reported. The fracas delayed Cooper’s testimony for five hours.

The dispute also shows how Trump-allied lawmakers are mimicking the president’s fast-and-loose approach to cybersecurity.

Trump has refused entreaties from cybersecurity staff to regularly swap out the cellphone he uses to tweet because he considers it too inconvenient, Politico has reported.

And his administration has devalued cybersecurity — even as intelligence agencies warn the digital threat is increasing from adversaries including Russia, China, Iran and North Korea.

The administration eliminated a White House cybersecurity coordinator position, which formerly led cross-government responses to major digital threats, and devalued a White House chief information security officer, or CISO, job.

At least a dozen top officials have fled from the CISO’s office, including highly talented career staff who date back to the Obama administration, Axios’s Alexi McCammond reported.

In many cases, those staff believe they’re being forced out, according to an exit memo from Dimitrios Vastakis, who resigned in October as branch chief of the White House computer network defense, and which Alexi obtained.

“The White House is posturing itself to be electronically compromised once again,” the memo warned.

Security experts were quick to slam the lawmakers who crashed the SCIF.

“If people in Congress who make the laws don’t follow the rules, why should anybody else?” Joel Brenner, former head of U.S. counterintelligence during the Obama administration, told me. “Foreign intelligence agencies make a living off people who think they’re too important to follow rules like this.”

Here’s John Schindler, a professor at the Naval War College and former NSA intelligence analyst:

Former U.S. solicitor general Neal Katyal:

And national security attorney Bradley P. Moss:

There was also quick condemnation from Democratic lawmakers on Twitter.

Here’s Rep. Robin Kelly (D-Ill.), who serves on the House Oversight Committee:

And Rep. Ted Lieu (D-Calif.):

PINGED, PATCHED, PWNED

PINGED: Lawmakers grilled Facebook CEO Mark Zuckerberg about the company's plan to adopt warrant-proof encryption across all its services yesterday, saying the protection will lead to more content exploiting children on the site.

“If you enact end-to-end encryption, what will become of the children who will be harmed as a result?” Rep. Ann Wagner (R-Mo.) asked, echoing concerns from Attorney General William P. Barr, who has pushed to make child exploitation the face of his crusade against encryption technology. Wagner cited statistics from the National Center for Missing and Exploited Children that end-to-end encryption could reduce Facebook reporting of sexually exploitative content involving children by 70 percent.

Democratic Rep. Ben McAdams (Utah) also raised concerns about the technology, pointing out that Facebook's encrypted messaging app WhatsApp reported just a fraction as much exploitative child content as Facebook did.

Zuckerberg cited tools the site is using to identify exploitative material even when it's encrypted but acknowledged that child exploitation is “one of the risks ... among others to safety” that encryption could pose. Technologists generally say the dangers of strong encryption are outweighed by its benefits, chiefly that it prevents hacking. 

The marathon six-hour hearing before the House Financial Services Committee was ostensibly about Facebook's planned digital currency Libra but frequently veered off topic.

PATCHED: The University of Southern California is launching a project to hold public election-security training conferences in all 50 states before the 2020 contest with $2.8 million in grant money from Google, The Cybersecurity 202 has learned. Some details of the program were shared in an email to school officials this week.

The project will be similar to an earlier series of trainings in six states that USC’s Annenberg Center on Communication Leadership and Policy did with the National Governors Association and will rely on faculty from across the six schools in the USC system as well as some outside experts.

The school’s goal is to tailor the workshops to each state’s needs and to fill in gaps left by other training programs offered by the Department of Homeland Security and state agencies. For example, the school may offer training in legal issues surrounding data protection or crisis communications after a digital attack, in addition to traditional cybersecurity training.

The workshops will all take place between January and October 2020 and the school may hold multiple workshops in some states if timing and funding allow.

PWNED: The House passed its third major election security bill yesterday in a 227-to-181 vote that basically broke along party lines. The White House has already condemned the bill, which would require campaigns to report foreign government contacts to the FBI and increase transparency guidelines for online political ads.

The bill will be particularly unpalatable for Trump, who has rejected traditional norms about not accepting campaign dirt from foreigners, saying he might look at information before deciding.

The Stopping Harmful Interference in Elections for a Lasting Democracy Act, or SHIELD Act, would lead to over-reporting and “fruitless inquiries,” the White House said in a statement to Bloomberg News’s Jennifer Jacobs.

The bill also is unlikely to see a future in the Senate, where Majority Leader Mitch McConnell (R-Ky.) has staunchly opposed any new election security mandates. Sen. Amy Klobuchar (D-Minn.) tried to introduce a Senate version of the bill yesterday but Sen. Marsha Blackburn (R-Tenn.) blocked the attempt.

Here's more from The Hill's Maggie Miller.

CHAT ROOM

Are you tired of cybersecurity news articles with stock images of glowing keyboards and shadowy guys in hoodies? So’s the William and Flora Hewlett Foundation, which ran a contest for new cybersecurity art that publications can run without any copyright restrictions. Here are a few images from the five winning designers announced this morning.

Here's one from Abraham Pena of Doral, Fla.:

Here's another from Claudio Rousselon of Cancún, Mexico:

This is from Afsal CMK of Karnataka, India:

And here's a final one from Ivana Troselj of Canberra, Australia. (Hey, that's not a very cozy bear):

PUBLIC KEY

— Cybersecurity news from the public sector:

  • The administration is split over restrictions on exporting sensitive technologies that are vital to protecting national security. (New York Times)
  • Democratic senators are asking the Federal Trade Commission to investigate Amazon over concerns the company ignored security warnings about a vulnerability that enabled the hack of Capital One customer data in one of the biggest-ever heists of such banking records. (Wall Street Journal)
  • DHS officials may soon issue an order that would require federal civilian agencies to establish vulnerability disclosure programs. (CyberScoop)
  • The U.S. is trailing China in numerous critical technologies, making the role of the private tech sector more important than ever to American national and economic security, a Defense Department official said. (Wall Street Journal)
  • Air Force Materiel Command's 96th Test Wing is modernizing the way the service tests weapons systems for cybersecurity vulnerabilities. (Federal Computer Week)
  • As state and local governments face rising cyber threats, the legislation would give them free access to the tools provided under the Continuous Diagnostics and Mitigation program. (Nextgov)

PRIVATE KEY

— Cybersecurity news from the private sector:

  • Motherboard has obtained a leaked presentation internet service providers are using to try and lobby lawmakers against a form of encrypted browsing data. (Vice)
  • It is Huawei's first 5G research centre in Europe. (ZDNet)
  • Researchers at Google say their latest quantum-computing experiment helps usher in a new era of next-generation computers. The business impact, however, is small. (Wall Street Journal)

THE NEW WILD WEST

— Cybersecurity news from abroad:

  • The Czech Republic is likely to follow the approach of Germany and other neighbo...
  • Spyware should be able to turn on device cameras and microphones, get encrypted chat logs. (ZDNet)

ZERO DAYBOOK

— Today:

  • The Cybersecurity Coalition, the Cyber Threat Alliance, and the National Security Institute at George Mason University’s Antonin Scalia School of Law will host the third annual CyberNextDC policy day in Washington on Thursday.