The Washington Post: Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

IRS dodged a cyber minefield by ditching facial recognition


Welcome to The Cybersecurity 202! I was reacquainted with the neo-noir film “Night Moves” this weekend, which I highly recommend. Not to be confused with the Bob Seger song, which isn’t half bad either. 

Below: Lawmakers are taking another shot at mandatory cyber incident reporting, and there’s a new threat of data thefts from tech-savvy insider threats.

Cybersecurity advocates are relieved taxpayers won't have to show their faces

A wave of relief swept through the cybersecurity community yesterday as the Internal Revenue Service scrapped plans to make taxpayers share the most personal of personal information: the identifying features of their faces.

The now-scrapped system, run by a contractor, had prompted dire warnings from Democratic and Republican lawmakers and privacy and security advocates, who said it could make taxpayers even more vulnerable to damaging hacking and privacy violations, as Drew Harwell reports.

“Facial recognition technology is based on your face and that’s something you can’t change easily. Once you lose control of it, it’s extremely hard, if not impossible, to regain control of your identity,” Jeramie D. Scott, senior counsel with the Electronic Privacy Information Center, told me. 

The program, which was already being rolled out, would have required all taxpayers to submit a “video selfie” to access tax records and other services on the IRS website. The about-face came in a letter to Sen. Ron Wyden (D-Ore.), who had urged the IRS to jettison the system, calling it “simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online.”

Privacy worries

This is the big promise of facial recognition: it could improve cybersecurity. It could be more effective at keeping out fraudsters who’ve become adept at stealing other identifying information such as people’s names, birth dates, Social Security numbers and common passwords. 

But there’s no guarantee hackers won’t become similarly adept at stealing and deploying facial images to access websites, critics warn. And people can’t change their faces like they can their passwords once they’re compromised.

More concerningly, a huge cache of facial images, such as the one that would have been connected to tax documents, is guaranteed to be a prime target for hackers — both criminals looking to steal data that could turn a profit and hackers backed by foreign governments who want to collect as much information as possible about Americans.

That sparked a lot of concerns in Congress

“The government and private companies have an unfortunate history of data breaches. … There is ample evidence to be very concerned about an IRS contractor’s ability to safely manage, collect and store this unprecedented level of confidential, personal data,” a group of Republican senators wrote in a letter to IRS Commissioner Charles P. Rettig last week. 

A letter from House Democrats pointed to a 2019 breach of a U.S. Customs and Border Protection subcontractor which exposed a trove of facial and license plate images of U.S. travelers, warning that the fallout from a hack of the IRS database would be far greater. 

“Millions of Americans use the IRS website annually for a variety of vital functions, and, as a result, each of them will be forced to trust a private contractor with some of their most sensitive data,” the lawmakers wrote.

Lawmakers’ concerns were further exacerbated by a long history of facial recognition technology being less precise at recognizing people with darker skin — raising concerns that Black people could face more challenges and errors in accessing their tax documents than White people.

Details, details

Complicating matters further: There aren’t yet any federal regulations in place for how facial recognition companies should store and use their data. 

That raises the specter of data held by the companies being shared with business partners or ending up with successor companies after they go out of business — all of which would create a slew of additional hacking threats. 

Privacy advocates have also raised alarms about ways facial recognition data that’s collected for seemingly harmless purposes today might be used in the future for more controversial purposes — such as identifying people without their consent at protests or identifying criminals. 

“It’s never just about a particular implementation of facial recognition technology, it’s about the larger implications for our society if we continue to move forward with invasive and dangerous surveillance technology without stopping to consider the consequences,” Scott said. 

Even after the IRS shift, facial recognition issues will continue to roil the government

There are nine other federal agencies already using services — though none for systems as far reaching as the IRS proposal. 

It’s also not clear what will happen with video selfies that people have already submitted for IRS services. Here’s more from CyberScoop’s Tonya Riley.

The keys

Lawmakers are taking another shot at mandatory hacking reporting requirements

Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) and the committee's top Republican, Sen. Rob Portman (R-Ohio), will reintroduce the requirements today, which would require critical infrastructure firms — like pipelines, dams and water facilities — to alert the Department of Homeland Security when they're hacked. 

They'd have 72 hours to alert about regular cyber incidents and 24 hours to alert if they pay a ransom to hackers. 

The bill comes about two months after the Senate cut a similar reporting requirement from a must-pass defense bill. 

The new measure is part of a package that also includes bills to update the U.S. government's cloud security requirements and modernize cybersecurity requirements for federal agencies. 

Tech-savvy corporate insiders can pose major cybersecurity risks, MITRE and DTEX say

Governments and critical organizations are increasingly at risk from malicious employees who want to steal information and are tech-savvy enough to do it without detection, the U.S. government-backed research agency MITRE and Silicon Valley firm DTEX warn in a report out this morning. 

That danger has spiked as vastly more employees work from home during the pandemic, where managers are less likely to note anomalous or suspicious behavior, the firms write. 

The warning comes after roughly a decade of efforts by the U.S. government and top industries to root out malicious insiders who could steal secrets for sabotage or to sell them to competitors — partly spurred by Edward Snowden’s leak of a trove of NSA secrets in 2013. 

MITRE and DTEX based their findings on an extensive study on the tactics malicious insiders use to steal data from their organizations. They’re launching a program to provide insider threat detection services to government agencies and critical companies across the United States, United Kingdom, Australia, Canada and New Zealand. 

Israel’s former attorney general suspended police use of NSO Group’s Pegasus spyware on his way out of office

Former attorney general Avichai Mandelblit ordered Israel’s police to stop using Pegasus amid an internal probe into potential misuse of the powerful spyware, the Times of Israel reports. Mandelblit’s decision came after Israeli business newspaper Calcalist reported police repeatedly used spyware without court orders on high-value targets. Mandelblit retired at the end of January.

Per Calcalist, the Pegasus targets included:

  • Two advisers of former prime minister Benjamin Netanyahu and his son, Avner Netanyahu
  • The chief executives of Israel’s ministries of transportation, finance and justice
  • Disability rights group leaders who protested for higher stipends for disabled Israeli citizens
  • Protest leaders among Israelis of Ethiopian descent, “who ironically were protesting against the way they are treated by police”

Israel’s deputy attorney general is “looking quickly into” the claims about police misuse of Pegasus, Israeli Prime Minister Naftali Bennett said. Public security minister Omer Barlev said he would launch a state inquiry, the New York Times’s Patrick Kingsley reports.

Government scan

A Pentagon cybersecurity official resigned

Katie Arrington left her role as chief information security officer of the Pentagon’s acquisition and sustainment office after a months-long battle with the Pentagon, which she said removed her security clearance for political reasons, Bloomberg News’s Anthony Capaccio reports.

“Her resignation came almost nine months after she was informed in May that her security clearance for access to classified information was being suspended as ‘a result of a reported Unauthorized Disclosure of Classified Information,’ ” Capaccio writes. Arrington subsequently fought in court to get the Pentagon to restore her security clearance and detail the allegations against her.

Arrington and the Pentagon settled the lawsuit last month, and the Pentagon will pay for her attorney’s fees, Capaccio reports.

DHS wants to know how cyber hygiene contract clauses are affecting vendors (FedScoop)

Industry report

  • Google is launching a Campaign Security Project ahead of the midterm elections to ramp up cyber protections for campaign and election workers. The company will be working with groups including Veterans Campaign, Collective Future, Women’s Public Leadership Network, and LGBTQ Victory Institute.
  • Cybersecurity firm Recorded Future’s publication the Record is launching a new podcast called “Click Here” today. The podcast is hosted by the Record senior correspondent Dina Temple-Raston.

Global cyberspace

Russia arrests third hacking group, seizes carding forums (Bleeping Computer)

Vodafone Portugal hit by hackers, says no client data breach

Palestinian hacking group evolving with new malware, researchers say

Securing the ballot

This county wants right-wing ‘audit’ group knocking on doors (The Daily Beast)

Newsmax counter-sues Smartmatic in bid to block election defamation suit (Bloomberg)

Privacy patch

Secret DEA files sell for just $5 on Facebook—here’s how gangs (and cops) use social media (Forbes)

Cyber insecurity

Microsoft to block internet macros by default in five Office applications (The Record)


  • Yevheniya Kravchuk, the deputy chairwoman of the Ukrainian parliament’s humanitarian and information policy committee, discusses Russian disinformation at a Transatlantic Task Force on Ukraine event today at 10 a.m.
  • David Nalley, the president of the Apache Software Foundation, testifies at a Senate Homeland Security Committee hearing on a vulnerability in the Apache log4j library today at 10 a.m.
  • National Cyber Director Chris Inglis, CISA Chief of Staff Kiersten Todt and Principal Associate Deputy Attorney General John Carlin speak at the Cyber Initiatives Group’s first-quarter summit Wednesday.
  • The Securities and Exchange Commission is set to consider new cybersecurity rules for investment advisers and companies at a meeting Wednesday at 10 a.m.
  • The Senate Judiciary Committee is expected to discuss the EARN IT Act at a meeting Thursday at 9 a.m. The bill, which would remove social media sites’ liability protections when users share child pornography, has come under fire from encryption and privacy advocates.
  • INSF and WCAPS host an event on challenges and opportunities for Black women in the intelligence community Thursday at 11 a.m.
  • Cybersecurity firm Dragos hosts a webinar with NSA and CISA officials to discuss industrial control system cybersecurity on Monday at 1 p.m.

Secure log off

Thanks for reading. See you tomorrow.