Overnight Cybersecurity: Paris plotters used encryption

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry wrap their arms around cyberthreats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORIES:

–NOT LOOKING GOOD: Investigators of the Paris attacks have evidence they believe indicates that some of the terrorists used encrypted apps to plan the strikes, officials briefed on the inquiry say. This is the first time investigators have said definitively that the attackers communicated through encrypted technology, the focal point of a fierce debate between Silicon Valley and officials in Washington. The attackers used the popular apps Telegram and WhatsApp to communicate, according to officials. Both services use end-to-end encryption, giving only the sender and the receiver access to the communication. The contents of those messages may never be known. Officials declined to reveal how investigators know that the attackers used the apps to cloak their plot from law enforcement surveillance. In the wake of the attacks, which left 130 people dead, authorities revived warnings that terrorists are able to communicate beyond the reach of law enforcement by using encrypted technology. “If they communicate in darkness and you can’t shine a light on it, quite honestly you just can’t stop it,” House Homeland Security Committee Chairman Michael McCaul (R-Texas) said at a Christian Science Monitor panel last week. “People say why didn’t you see Paris? It was under the radar because they were using an app called Telegram and they were communicating through an encrypted application.” To read our full piece, click here.

{mosads}–DO WE HAVE A PROBLEM HERE?: More than 100 House members are demanding changes to a set of draft Obama administration regulations designed to keep hacking tools out of the hands of repressive regimes. The bipartisan coalition, spurred on by industry groups, warns the proposed rule — which has also led to a stalemate between a trio of federal agencies — could keep U.S. companies from adequately protecting their networks. At issue is the implementation of a little-known international agreement governing export regulations for so-called “intrusion software” — digital hacking and surveillance tools that the agreement’s crafters were concerned could be used to crack down on journalists and dissidents. Security experts have long argued that the arrangement defines “intrusion software” too broadly, effectively outlawing the export of legitimate tools that companies use to test and fortify their own defenses. Now, a formal push on Capitol Hill has given new force to their concerns. At least 125 lawmakers, led by House Cybersecurity Caucus co-chairs Michael McCaul (R-Texas) and Jim Langevin (D-R.I.), this week urged the White House to step in and help rework the proposed rule. “It seems like this relatively obscure issue, but we sent out this ‘Dear Colleague,’ and within two days — I’ve never seen a Dear Colleague catch that much steam that fast,” McCaul told The Hill, referring to the letters lawmakers circulate to drum up support for an issue. To read our full piece, check back tomorrow.

AN UPDATE ON CYBER POLICY:

–BETTER LUCK NEXT TIME. A group of conservatives led by Rep. Jim Jordan (R-Ohio) were stopped in a last-gasp attempt to strip major cybersecurity legislation out of the sweeping omnibus spending package.

The cyber bill, which would make it easier for businesses to share information on hacking threats with the government without the fear of lawsuits, was inserted into the $1.15 trillion spending bill at the last minute.

The decision spurred anger from the privacy- and civil-liberties-minded wing of the House, as well as the conservative Freedom Caucus.

Jordan, who chairs the Freedom Caucus, filed an amendment to the omnibus Wednesday that would have axed the legislation, known as the Cybersecurity Act of 2015.

The powerful Rules Committee, which decides what amendments will receive votes on the full House floor, voted down the edit, 9 to 2, late Wednesday.

To read our full piece, click here.

LIGHTER CLICK:

–ADULTING IS HARD. Kevin McCallister (YOU remember Macaulay Culkin from “Home Alone”) is not doing so well as an adult.

Watch, here.

WHO’S IN THE SPOTLIGHT:

–BLACKBERRY. The mobile phone manufacturer breaks with the standard Silicon Valley stance with encryption, arguing in a corporate blog that “corporations have a responsibility to do what they can, within legal and ethical boundaries, to help law enforcement in its mission to protect us.”

“We reject the notion that tech companies should refuse reasonable, lawful access requests,” the blog reads.

Read on, here.

A FEATURE IN FOCUS:

–HACKABLE BARBIE IS BACK. As reporters on the receiving end of a veritable barrage of P.R. emails lauding the indescribable glories/cybersecurity risks of the Internet of Things, we appreciated this lengthy Q&A with the founder of a humorous Twitter account that illuminates the “bizarre and scary future with a steady stream of funny and smart (as in clever, not internet-connected) jokes.”

Read on, here.

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

The House this week unanimously approved a bill to boost cybersecurity at U.S. ports. (The Hill)

A Brazilian court dealt a legal victory Thursday to the popular app WhatsApp, hours after another judge suspended the messaging tool.  (The Hill)

Identity theft protection firm LifeLock agreed to pay a record $100 million fine to settle a government lawsuit that it deceived customers about how secure their data was. (The Hill)

Companies would have to disclose publicly whether they have anyone on their board who is a “cybersecurity expert” under legislation introduced in the Senate on Thursday. (Reuters)

Outlook “letterbomb” exploit could auto-open attacks in e-mail. (Ars Technica)

If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A