with Tonya Riley
A bipartisan group of lawmakers is pushing to create a new White House czar to lead cybersecurity decision-making throughout the government.
Creating a new national cybersecurity director would mark the largest change in years to how the government manages cybersecurity. It would also leave the nation far better prepared to avert or respond to a digital calamity such as a major cyberattack against the electric grid or transportation systems, say sponsors of the new legislation.
“This is one of the glaring gaps in our national strategy,” Rep. Jim Langevin (D-R.I.), one of the bill’s lead sponsors, told me. “In a time of crisis, you want someone sitting at the top of the whole enterprise who can coordinate the response. You need a point person.”
But the effort faces opposition from the Trump administration, which eliminated a far weaker White House cybersecurity coordinator position in 2018 and has generally pushed back on Congress interfering in its cybersecurity operations.
If lawmakers can push it through, the bill will be a major victory for bipartisan cooperation on cybersecurity, which has faced several tough tests during the Trump administration.
“The bipartisan support makes creating a position like this a real possibility,” Michael Daniel, who held the White House cybersecurity coordinator post during the Obama administration, told me. “This reinforces that most of cybersecurity is a nonpartisan issue. It’s one of the few things that’s true of in Washington.”
The director would make cybersecurity recommendations directly to the president.
The official would also oversee cybersecurity plans, operations and budgets throughout the government, according to the bill.
Creating the new position was a top priority for the Cyberspace Solarium Commission, a congressionally-led group that released a report in March calling for a raft of changes to government cybersecurity operations.
The new position is a key part of those changes because it’s the best way of ensuring vital cybersecurity work across the government is actually completed, said Langevin, who was one of four members of Congress on the commission.
“How are we going to prevent the next OPM if we don’t have someone really coordinating?” he said, referring to a 2015 data breach at the Office of Personnel Management that has been tied to China and compromised highly sensitive security clearance information of 21 million current and former federal employees and their families.
“That’s an intelligence loss that we’ll be feeling for a generation,” Langevin said. “A national cyber director could have zeroed in and forced the department to close the vulnerability.”
The other congressional members of the commission were Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), who co-chaired the panel, and Sen. Ben Sasse (R-Neb.).
Gallagher is co-sponsoring the national cyber director bill along with House Oversight Chair Carolyn Maloney (D-N.Y.) and Reps. John Katko (R-N.Y.), Will Hurd (R-Tex.) and Dutch Ruppersberger (D-Md.).
Ruppersberger, a former top Democrat on the House Intelligence Committee, described the job on Twitter as a “cybersecurity quarterback” who could “call the shots when we’re attacked.”
Joining @JimLangevin in introducing #bipartisan bill to create Natl Cyber Director. We need a #cybersecurity quarterback. One central figure to coordinate budget, call the shots when we’re attacked and create partnerships with biz partners. More: https://t.co/EHk0wQvlk2 — Dutch Ruppersberger (@Call_Me_Dutch) June 25, 2020
A bipartisan Senate version of the bill is also in the works.
But senators are trying to get the White House on board before releasing it, King told me.
“The real issue is resistance from the White House,” he said. “We’re trying to satisfy their objections and convince them this is a favor to the president to have a single point of contact, someone who can be held accountable. I think it’s self-evident there needs to be some central authority for an issue that transcends so many parts of government.”
King said the White House has not described to him specific objections to the bill. The White House didn’t reply to a request for comment about the bill.
The Obama-era cybersecurity director did similar work but had far fewer authorities over budgets and policy.
The role also didn’t require Senate confirmation.
Former national security adviser John Bolton argued when he eliminated the role that it wasn’t necessary because the government tackles numerous other large problems without a White House coordinator.
Critics, however, said cybersecurity is too broad and multifaceted a challenge to be managed by different agencies overseeing disparate parts of it.
The issue of Chinese digital theft of intellectual property belonging to U.S. companies, for example, affects a broad range of interests and areas in the government, with various parts of the subject overseen by the State, Commerce and Homeland Security Departments as well as intelligence agencies and the FBI.
“There’s no one agency that can really take the lead on cybersecurity policy because it’s such a big issue,” said Daniel, president of the Cyber Threat Alliance, a coalition of companies that share cybersecurity data. “If you don’t have a strong entity in the White House driving that coordination, it’s not going to happen as well or as extensively as it should.”
Tech companies are slamming a bill that would require them to help law enforcement access their users’ encrypted data.
The “Lawful Access to Encrypted Data Act” would threaten the sensitive data of billions of tech users, the Reform Government Surveillance Coalition argues. The group's members include Apple, Facebook, Microsoft, Google, Twitter and Verizon.
“The global pandemic has forced everyone to rely on the Internet in critical ways, making digital security more important than ever before for our economy and national security,” the group writes. The bill was introduced this week by Senate Judiciary Chairman Lindsey O. Graham (R-S.C.) and other Republicans.
The Internet Society also blasted the bill, saying its passage would be “utterly devastating” for personal security.
“Preventing crime is important, but we can't achieve that goal by making everyone more at-risk to the criminal activity we're trying to address,” the group said. It has more than 100 tech company members including Amazon and the Swedish telecom Ericsson. (Amazon CEO Jeff Bezos owns The Washington Post.)
The lawmakers backing the bill argue that encryption shields terrorists, child predators and other criminals from law enforcement. Encryption proponents and tech companies say criminals could hack into any encryption back door for law enforcement, undermining everyone's cybersecurity.
The bill follows a months-long push against strong encryption by Attorney General William P. Barr that has ensnared both Apple and Facebook. A competing bill called the EARN IT Act would threaten tech companies with losing a prized liability shield for what users post on their services if they can’t reduce the spread of child pornography on encrypted networks.
Democrats will introduce legislation banning government from using facial recognition.
The legislation responds to growing concerns facial recognition tools may contribute to discriminatory policing. Privacy advocates have also criticized law enforcement’s use of the tools in recent protests against police violence.
The bill, which will be introduced in both the House and Senate, would prohibit the federal government from using facial recognition and voice recognition technologies. It would also require state and local governments to ban the technology if they want to receive federal funding. Any information collected in violation of the law would be blocked as evidence in any court cases.
“Facial recognition technology is fundamentally flawed, systemically biased, and has no place in our society,” said Rep. Ayanna Pressley (D-Mass.), who will introduce the bill alongside Rep. Pramila Jayapal (D-Wash.) in the House. Sens. Edward J. Markey (D-Mass.) and Jeff Merkley (D-Ore.) will introduce the legislation in the Senate.
More than a dozen groups, including the American Civil Liberties Union and the Electronic Frontier Foundation, are also backing the bill.
Social media should take political misinformation as seriously as it does coronavirus misinformation, the DNC says.
The Democratic National Committee listed a slew of ways it says social media companies could learn from their coronavirus response to better police political misinformation.
For instance, Twitter removed misleading coronavirus posts from leading conservatives it said could cause physical harm but isn't willing to do the same for misleading political posts, the DNC says. YouTube and Facebook have also proved more willing to remove misleading coronavirus content, the committee says.
"In reality, there’s no reason why social media companies couldn’t employ their ‘infodemic’ playbook against political misinformation," Timothy Durigan, DNC security data analyst, wrote. "Their failure to do so, so far, reflects a lack of will, not ability."
Twitter recently appended fact checks to a few of President Trump's misleading tweets, including baseless claims mail-in voting would produce widespread fraud. That prompted a wave of blowback from Trump and congressional Republicans.
The DNC is also ramping up pressure on social media platforms to establish policies against users sharing hacked materials. Hacked information shared by WikiLeaks and DC Leaks helped undermine Hillary Clinton’s candidacy in 2016, and 2020 Democratic presidential candidates all pledged not to use such information. President Trump, however, refused to make such a pledge.
The government’s cybersecurity standards body is looking at changing technical terms with racist connotations, Politico's Eric Geller reports:
Based on the new comments that were made at the board meeting right after I sent this initial tweet, I think it's safe to say that NIST *will* stop using these terms. Seems like the only question is what to replace them with. https://t.co/xOF8vph599 — Eric Geller (@ericgeller) June 25, 2020
More government news:
Former Democratic Senate Majority Leader Harry Reid (D-Nev.) took heat from reporters for claiming without evidence that Russian hackers altered the results of the 2016 election. U.S. intelligence agencies, the Mueller report and the Senate Intelligence Committee all concluded Russian hackers probed numerous election systems but found no evidence they manipulated any data or changed any votes.
NBC News's Kevin Collier:
To paraphrase @benhovland the other day, election fraud does sometimes happen — mostly in small races where a couple of changed votes can swing it. A national election where even on election night the candidates don't know which states might swing requires an enormous conspiracy. — Kevin Collier (@kevincollier) June 25, 2020
Vice's Lorenzo Franceschi-Bicchierai:
Dear Democrats, nobody needs this bullshit. Either you have evidence, or you don’t make these claims. https://t.co/DTWCQQbOX5 — Lorenzo Franceschi-Bicchierai (@lorenzofb) June 25, 2020
Sen. Elizabeth Warren (D-Mass.) is slamming a mobile data company for spying on protesters.
Mobilewalla publicized its surveillance in a report about protester demographics in four cities that analyzed more than 16,000 protesters' mobile phones, BuzzFeed News reports. It's unclear how accurate the analysis is, but advocacy groups say the practice could undermine freedom of assembly of protesters who weren't aware they were being tracked.
“This report shows that an enormous number of Americans — probably without even knowing it — are handing over their full location history to shady location data brokers with zero restrictions on what companies can do with it,” the senator from Massachusetts said of the report.
Warren recently joined with the House Oversight Committee to launch an investigation into another major data broker, Venntel, that works with government agencies.
- Carnegie's Partnership for Countering Influence Operations and Twitter will host an event on influence operations on Twitter on July 9 at 1 p.m.