National security-focused lawmakers won the right yesterday to review the Trump administration’s muscular new offensive hacking policy after a nine-month battle, turning the tables on an administration that has resisted oversight of its cybersecurity policy.
The shift, which comes after the policy has already been used to justify hacking operations against Russia and Iran, marks a rare win for lawmakers who have pressed the administration to open up its cybersecurity work to broader oversight.
But it also comes amid concern in Congress that overeager Trump officials might stumble into a tit-for-tat digital conflict that harms U.S. businesses or even escalates into a conventional military fight. The administration has also eliminated top cybersecurity coordinator positions at the White House and State Department that might have acted as a check on operations that were poorly thought out.
“Given the sensitive nature of cyber operations and this administration’s dramatic shift in official cyber policy, this … was necessary to ensure proper congressional oversight,” Rep. Jim Langevin (D-R.I.), who helped lead the bipartisan charge to disclose the hacking policy, told me.
Langevin and other lawmakers inserted a provision allowing Congress to review the policy called National Security Presidential Memorandum 13, or NSPM 13, into a mammoth $738 billion defense policy bill that cleared Congress yesterday and that also establishes a Space Force and parental leave for federal workers. Trump has pledged to sign the bill quickly.
The secret policy had been withheld for more than a year from lawmakers — even those who regularly review classified material. In general, it loosens the reins on military hackers to engage enemies under a far simpler approval process for actions that fall beneath a level that would cause death, destruction or significant economic impacts, individuals familiar with the policy told The Post last year.
When former national security adviser John Bolton announced the policy in September 2018, he pledged the United States would no longer sit by while Russia, China and Iran pummeled it in cyberspace. “Our hands are not tied as they were in the Obama administration,” he declared.
Bolton later boasted that U.S. hacks had successfully deterred Russia from interfering in the 2018 midterms, and Trump himself approved a cyberstrike that disabled Iranian computer systems used to plan attacks on oil tankers in the Persian Gulf.
The Obama administration didn’t ban offensive hacking by the military, but decisions about operations went through a far more rigorous review. That policy was also regularly reviewed by congressional overseers.
The shift to a more aggressive posture was good news even for many Democratic lawmakers and cybersecurity hawks who feared the Obama administration’s cautious approach to punching back in cyberspace had emboldened adversaries and was out of step with an increasingly dangerous digital world.
But Democrats and some Republicans were also worried the administration could easily go too far — especially without congressional oversight. And an escalating hacking conflict might pose outsize dangers for the United States, which is more reliant on the Internet than many of its adversaries.
“Cyber is a rapidly evolving domain of warfare, and Congress has to understand how any president is approaching it,” a Republican aide on the House Armed Services Committee told me.
He compared it to the authority to capture and kill enemy fighters outside of active war zones — an area where Rep. Mac Thornberry (Tex.), the top Republican on the Armed Services panel, demanded more congressional oversight in 2016.
“[Thornberry] sees this spectrum of very dynamic domains of warfare, of which cyber is one, where they move so fast that Congress really has to stay very current on how operations are being executed,” the aide said.
Thornberry was among the lawmakers who pushed for the Trump administration to be more transparent about its hacking policy, along with committee Chairman Adam Smith (D-Wash.), Langevin, who leads the committee’s emerging threats panel, and that panel’s ranking Republican, Elise Stefanik (N.Y.).
PINGED, PATCHED, PWNED
PINGED: A secretive federal court charged with overseeing requests for surveillance warrants against foreign terrorists and spies slammed the FBI for misleading it in an application to monitor former Trump adviser Carter Page, my colleague Devlin Barrett reports. The court ordered the bureau to explain how it will avoid misleading it in the future.
It’s a rare public rebuke from the court that oversees the country's most sensitive national security cases and could cast doubt on other FBI investigations. The four-page order details 17 errors and omissions in the bureau's application to monitor the former Trump adviser.
The condemnation follows a report issued by the Justice Department inspector general last week that found an FBI lawyer manipulated evidence to back its case to monitor Page. The IG will now audit other FBI applications for abuse.
“The frequency with which representations made by FBI personnel turned out to be unsupported calls into question whether the information contained in other FBI applications is reliable,” Judge Rosemary M. Collyer wrote.
PATCHED: German lawmakers are delaying until next year a decision on whether to bar the Chinese firm Huawei from building portions of the country's next-generation 5G wireless networks, Reuters's Andreas Rinke and Holger Hansen report. The reprieve could agitate the White House, which has pushed European allies to ban Huawei, citing national security concerns.
The delay follows months of clashes between security-minded officials who worry Huawei could assist Beijing’s spying and pragmatists who fear barring the company could lead to years of delays and a far higher price tag for the 5G transition. All German phone and internet operators currently rely on Huawei gear.
PWNED: Government agencies that ask for public feedback on their policy changes may be highly vulnerable to phony comments generated by computer bots and artificial intelligence, according to a study by a Harvard University undergraduate shared with the Cybersecurity 202.
The student, Max Weiss, submitted over 1,000 phony comments to a Centers for Medicare and Medicaid Services online system seeking input on an Idaho Medicaid waiver, none of which were flagged as phony. One reason they got through is that CMS doesn’t require users to fill in a CAPTCHA phrase or use other techniques to prove they’re human, he said.
The loophole could allow malicious actors to outweigh authentic voices on a number of other serious policy debates.
Weiss’s comments were particularly difficult to spot as phony because he used artificial intelligence to make sure they didn’t repeat the same text. Ultimately, the faked comments comprised over half of the total public comments submitted to CMS about the proposal, though Weiss withdrew his comments after the experiment was over.
Fraudsters have flooded public comment systems before — most notably during the Federal Communications Commission's 2017 debate over net neutrality. Researchers eventually pressured the FCC into admitting it had been duped.
CMS said that it would look into the issue after Weiss alerted it to his findings last month. The agency did not respond by publication time to The Post’s request for comment.
— Cybersecurity news from the public sector:
— The Global Cyber Alliance launched a $750,000 initiative yesterday to provide free cybersecurity tool kits to election officials, news organizations and community groups among others. It was funded by Craigslist founder Craig Newmark.