Overnight Cybersecurity: Panama Papers leak stirs debate on encryption

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORIES:

–ENCRYPTION, THE MODERN PARKING GARAGE: Privacy advocates are touting the so-called Panama Papers as a key example of how encryption can protect courageous whistleblowers and other vulnerable individuals. According to reporters and editors involved in the project, dozens of researchers and writers relied on anonymous chatting platforms and encrypted email to protect the whistleblower and keep under wraps leaked documents from Mossack Fonseca, a prominent Panamanian law firm that allegedly helped wealthy people stash fortunes from domestic tax laws. To this day, the leaker is not known, even by the journalists themselves. “For many of these people who are coming forward, it’s a matter of life and death and they’re putting a lot on the line and putting themselves at risk essentially for the greater good,” said Neema Singh Guliani, a legislative counsel with the American Civil Liberties Union (ACLU). Several of the principals overseeing the mountain of documents — easily the largest cache ever leaked at 2.6 terabytes, which includes 4.8 million emails, 3 million database files and 2.1 million PDFs — told Wired that encryption was vital from start to finish. To read our full piece, check back in the morning.

{mosads}–NOT LONG NOW: A working group of Europe’s privacy regulators is expected next week to hand down an opinion that could potentially kill a recent U.S.-EU data flow agreement. The test comes after the European Commission and the Commerce Department reached a deal permitting Facebook, Google and thousands of other companies to continue legally handling Europeans’ personal data. The working group of the EU nations’ 28 data protection authorities (DPAs) — domestic entities separate from the Commission that will be in charge of enforcing the new agreement — has spent the last two months picking through the 128-page agreement. Now, it is poised to announce whether it believes the so-called Privacy Shield sufficiently protects European citizens’ rights. Its approval is considered key to the ultimate success of the agreement. “The discussions are not over yet,” Isabelle Falque-Pierrotin, chairwoman of the working party, told reporters on Tuesday. “We have expressed our points of possible concerns. We still are discussing with the American public authorities on these points. Then we’ll see what we’ll be able to say next week.” She declined to speculate on how the working group might finally come down. Falque-Pierrotin did acknowledge that key to the group’s approval of the Shield would be the independence of a privacy ombudsman created by the new agreement. If the deal proceeds, the State Department will create an office to address complaints over possible access of personal information by national intelligence authorities. “I think it’s a very interesting innovation. Independence is the key criteria of assessing the position of this person,” she said. To read our full piece, click here.

–CAN YOU HANDLE THE TRUTH?: A prominent privacy advocate in the Senate is questioning whether the FBI was totally honest throughout its spat with Apple over a terrorist’s locked iPhone. “There are real questions about whether they’ve been straight with the public on this,” Sen. Ron Wyden (D-Ore.) told The Hill. Apple in February rebuffed an FBI court order directing the tech giant to unlock an iPhone used by Syed Rizwan Farook, one of the shooters behind the San Bernardino, Calif., terrorist attack. The bureau wanted Apple to create software that would allow investigators to bypass security features and hack the phone. Officials said the request was narrowly tailored to Farook’s phone. But Apple insisted such software was a dangerous “backdoor” that could be used to access millions of other iPhones. “There’s a real truthfulness question,” said Wyden, a vocal defender of encryption. “The FBI contended for weeks that this was about one phone. I, and others, said, ‘Well, you’re asking the company to recreate code. That is not one phone.'” Wyden is also troubled by the FBI’s response to local law enforcement officials who openly said they would use any precedent set in the Apple-FBI case to force the tech company to unlock phones they had seized. Manhattan District Attorney Cyrus Vance said he has 175 phones in custody he is hoping to access. “Even more troubling is toward the end of it, Cyrus Vance and the whole New York people said, ‘Oh we got lots of cases, you bet we’re going to use it,'” Wyden said. “The FBI didn’t brush that back.” To read our full piece, click here.

 

UPDATE ON CYBER POLICY:

–I CAN HAS POLICY? Senators on Tuesday hammered the Obama administration over what they say is an incoherent cyber warfare policy.

“The administration’s cyber policy as a whole remains detached from reality,” Senate Armed Services Committee Chairman John McCain (R-Ariz.) said during a hearing.

“For years our enemies have been setting the norms in cyberspace while the White House sat idly by hoping the problem would fix itself,” he added.

And the lack of planning could have disastrous results, including muddled responses to cyberattacks and poorly structured Defense Department cyber teams, several senators told National Security Agency Director Adm. Michael Rogers, who was testifying.

“If we don’t have a policy, how are we going to develop plans?” Sen. Deb Fischer (R-Neb.) asked Rogers, who also heads the U.S. Cyber Command.

“Something terrible is going to happen and a lot of people are going say, ‘Why didn’t we have a policy?'” said Sen. Angus King (I-Maine).

Read up on Rogers’ response at our full piece here.

 

LIGHTER CLICK:

–THANKS A LOT, MAN. You can’t click on this, but we laughed. When he introduced FBI General Counsel James Baker at today’s Global Privacy Summit in Washington, D.C., Perkins & Coie partner Michael Sussman promised that Baker would be available in the hall afterwards — “to answer questions or unlock iPhones.”

 

A REPORT IN FOCUS:

–STATE YOUR PURPOSE. At Tuesday’s Senate Armed Services hearing, several senators, including James Inhofe (R-Okla.), brought up a Government Accountability Office (GAO) report released Monday that concluded the DOD has not clearly defined its own “roles and responsibilities for cyber incidents.”

The report fits into a broader narrative from Congress that the Obama administration has been dragging its feet on delineating everyone’s cyber responsibilities, and that it has yet to define the cyber rules of war.

The NSA’s Rogers agreed that greater clarification was needed, but said he had not yet read the report.

Check out the full report, here.

 

WHO’S IN THE SPOTLIGHT:

–WHATSAPP. The popular messaging app on Tuesday turned on full end-to-end for every single one of its billion users.

“WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp,” the Facebook-owned app explained.

It’s just the latest move by a prominent tech company to extend robust, default encryption to its users. While the decision will further ensure the privacy and security of Whatsapp chatters, it will also further frustrate lawmakers, who say they need visibility into these types of communications to catch criminals and terrorists.

Read on here, at Quartz.

 

WHAT’S IN THE SPOTLIGHT:

–THIS CRYPTIC EXCHANGE. We’re speculating here, but did NSA head Michael Rogers tip his hand about a cyberattack on a U.S. military base?

Check out this exchange during Tuesday’s Senate Armed Services Committee that seemed potentially revealing.

Sen. Deb Fischer (R-Neb.) asked Rogers, “Do you have any knowledge if our adversaries have targeted any infrastructure on our military bases?”

Rogers simply replied, “Yes,” generating a pregnant pause.

But after a beat, Fischer ceded the floor to the next senator.

We’ll see if anything comes of it.

 

THE WEEK AHEAD:

THURSDAY

–The House Homeland Security Committee’s cyber subcommittee will hold a hearing at Austin College in Sherman, Texas on cyber preparedness at the state and local level, at 12 p.m.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

The FBI’s top lawyer on Tuesday refused to disclose what the agency found on San Bernardino shooter Syed Rizwan Farook’s iPhone, which it broke into last week. (The Hill)

Chinese hackers were possibly behind what is considered the largest cyber heist in history, a Philippines senator said Tuesday. (The Hill)

The feds warned that “a group of malicious cyber actors have compromised and stolen sensitive information from various government networks” since at least 2011. (Motherboard)

The hackers who disrupted operations at a large hospital chain recently broke into a server left vulnerable despite urgent public warnings that it needed to be fixed with a simple update. (The Associated Press)

“Good, it wasn’t a law firm in the United States that got breached,” said Arlette Hart, FBI’s chief information security officer, when asked for initial thoughts on the Panama Papers leak. (Next Gov)

 

If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A