Overnight Cybersecurity: Senate encryption bill nears finish line

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you…

THE BIG STORIES:

–IN THE HOME STRETCH: Senate Intelligence Committee leaders could soon release a draft of a long-awaited bill that would give law enforcement access to encrypted data. The language may be circulated in the next few days, committee Chairman Richard Burr (R-N.C.) told The Hill on Thursday. The bill is undergoing final technical edits in response to Department of Justice (DOJ) comments that were received late Wednesday, Burr added. “It’s still our intent to get that out and to produce it as a draft so that the media can see it just like Silicon Valley can see it,” he said. The long-awaited bill — in the works since last fall’s terror attacks in Paris and San Bernardino, Calif. — is expected to force companies to comply with court orders seeking locked communications. The measure is intended to prevent terrorists and criminals from using encryption to hide their communications from law enforcement. Burr has been working on the bill with Sen. Dianne Feinstein (Calif.), the Intelligence panel’s top Democrat. Feinstein said she also received a “red-line” edit of the bill from the Obama administration on Thursday morning. She and her staff planned to digest the remarks starting Thursday afternoon. To read our full piece, click here.

{mosads}–AND SO IT BEGINS: The Homeland Security Department has begun sharing cyber threat data with federal agencies and private companies in accordance with a major cybersecurity bill passed last year. “This is the ‘if you see something, say something’ of cybersecurity,” Homeland Security Secretary Jeh Johnson said in remarks at the agency’s data-sharing hub, the National Cybersecurity and Communications Integration Center (NCCIC). NCCIC will receive data on possible cyber threats from program participants, scrub it for personal information and disseminate it. The new law, the Cybersecurity Act of 2015, is intended to help defend against cyberattacks by boosting information sharing between private companies and the government. The program is voluntary and how many companies will participate — and how useful the information will be — remains unclear. Around six organizations had signed up as of Thursday, with others expressing interest, according to assistant cybersecurity secretary Andy Ozment. “This is a big deal,” Ozment said. “We’re not going to launch out the gates … and have thousands of companies sharing all sorts of information. We want to make sure we’re providing value and growing.” To read our full piece, click here.

–I RUN THIS TOWN: Deputy federal chief information officer Lisa Schlosser will assume the interim chief information officer (CIO) position at the Office of Personnel Management (OPM), according to an internal email from interim director Beth Cobert. Schlosser will be a senior adviser as well as acting CIO, Cobert writes. She gave no details as to the expected length of the assignment. She replaces Donna Seymour, who resigned in February after months of calls from some members of Congress for her firing. Schlosser comes to the OPM from a role as Deputy Administrator for the Office of E-Government as well as Deputy Federal Chief Information Officer at the Office of Management and Budget. She has a 29-year military career serving as a United States Army officer on both active duty and the reserves. “As we work to navigate the National Background Investigations Bureau transition, build on our cybersecurity effort, and find the permanent CIO, Lisa will be a major asset for OPM during her detail with our team,” Cobert wrote. To read our full piece, click here.

 

UPDATE ON CYBER POLICY:

–PEACE TALKS. Rep. Randy Neugebauer (R-Texas) on Thursday said if discussions to combine two competing data breach bills are unsuccessful, he will look to push forward his own proposal before the House breaks in July for the presidential conventions.

“We’re operating on a pretty tight legislative schedule so I think we’re going to have to make a decision pretty soon if we’re going to be able to get some floor time,” Neugebauer said.

He added that if GOP leaders are able to advance a 2017 budget resolution and begin drafting spending bills, “floor time is going to begin to be pretty precious.”

The House Financial Services Committee in December advanced a bill put forward by Neugebauer that would set nationwide data security standards and require businesses to notify customers following a breach.

But a competing bill from the Energy and Commerce Committee has been bogged down by a partisan scuffle over whether the law would preempt existing state data security regulations.

The staffs of both committees have been in discussions over the future of the two bills, with an eye toward combining them into a single bill supported by both committees.

But although the issue is seen as the next likely target for Congressional action on cybersecurity, the two bills have garnered markedly different support amongst industry groups.

To read our full piece, click here.

 

 

LIGHTER CLICK:

–IT’S ALMOST FRIDAY. From The Onion…  

Topical: “Merrick Garland Kind Of Uncomfortable With Political Analysts Casually Pointing Out He’ll Die Relatively Soon After Nomination”

Wonderful: “Obama Receives Classified Briefing On Likelihood Of ‘Krull’ Reboot”

 

A REPORT IN FOCUS:

–A LOOK BACK. The Middle East Media Research Institute (MEMRI) on Thursday will release a report tracing the history of how the Islamic State in Iraq and Syria (ISIS) has used Apple products over the years.

Here’s a preview of the report:

“The current fight between the U.S. government and Apple, in which the FBI is seeking Apple’s assistance in unlocking the phone of San Bernardino shooter Syed Rizwan Farook is just the most recent example highlighting jihadis’ use of Apple devices and products. Among jihadi groups affiliated with the Islamic State (ISIS), Al-Qaeda, and other organizations, and their followers and sympathizers, Apple products — including iPhones — are widely popular, and the best ways of utilizing them is a topic of jihadi discussions. …

“The more secure iPhones, Apple products, and other companies’ products end up being, the more heavily jihadis will continue to rely on them, and the problem will not go away. The following report will give examples of how jihadis are using Apple products and how they are discussing and praising them on social media.”

Check out the MEMRI website tomorrow for the full report.

 

WHO’S IN THE SPOTLIGHT:

–APPLE (AGAIN). In a pair of op-eds in Time on Thursday, Apple CEO Tim Cook and Sen. Tom Cotton (R-Ark.) debated the validity of Apple’s claims that helping the FBI unlock one of the San Bernardino shooter’s iPhones would hurt Americans’ privacy.

Cotton argued that Apple has deliberately engineered its products to be impenetrable to law enforcement for marketing reasons, despite previously agreeing to assist the FBI in 70 prior cases involving older model phones.

“Apple is not fighting for privacy; it’s fighting for profit,” Cotton wrote.

The technology industry has broadly worked to regain consumer trust after ex-National Security Agency contractor Edward Snowden revealed the breadth of the government’s spying on U.S. citizens.

Cotton linked that effort with the rise of stiffer encryption algorithms that prevent even the manufacturer of a device from intercepting and decoding users’ messages.

“What’s changed? Apparently Apple’s marketing strategy did,” Cotton wrote. “In short, Apple says it can no longer cooperate with investigations because it’s now the business model of Apple to thwart these investigations.”

But Cook argued that the company has developed its encryption standards with no regard to Edward Snowden’s bombshell privacy disclosures in 2013.

“From the very start of Messages … we launched it with end-to-end encryption,” Cook said. “And so this didn’t just happen, we didn’t suddenly think of this after Snowden. I know everybody says that, but it’s not true.”

To read about Cotton’s op-ed, click here. To read about Cook’s interview, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

The House Budget Committee late Wednesday voted down an amendment that would have funded the White House’s proposal for a $3 billion technology modernization initiative. (The Hill)

The National Security Agency’s internal civil liberties watchdog insisted on Thursday that the agency has no interest in spying on Americans under its controversial spying tools. (The Hill)

The National Institute of Standards and Technology this week released draft guidelines to bolster cybersecurity in agencies that routinely allow teleworking. (FedScoop)

The OPM left an internal system vulnerable to a known attack for several weeks. (Motherboard)

Spammers are abusing trust in US .gov domains. (KrebsonSecurity)

Three privacy groups issued a public letter to the Obama administration urging it to side with Apple in its feud with the FBI.

If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A