Overnight Cybersecurity: Tillerson proposes new cyber bureau at State | Senate bill would clarify cross-border data rules | Uber exec says ‘no justification’ for covering up breach

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

 

THE BIG STORIES:

— TILLERSON PROPOSES NEW CYBER OFFICE AT STATE: Secretary of State Rex Tillerson is proposing the unification of two separate offices at the State Department to form a single bureau that will focus on a wide range of cyber issues. A State Department spokesperson told The Hill that the two offices, the Office of the Cybersecurity Coordinator and the Bureau of Economic Affairs’ Office of International Communications and Information Policy, would be unified in order to form the proposed Bureau for Cyberspace and the Digital Economy. “The combination of these offices in a new Bureau for Cyberspace and the Digital Economy will align existing resources under a single Department of State official to formulate and coordinate a strategic approach necessary to address current and emerging cyber security and digital economic challenges,” Tillerson said in a Tuesday letter to House Foreign Affairs Committee Chairman Ed Royce (R-Calif.). “The Department of State must be organized to lead diplomatic efforts related to all aspects of cyberspace,” the secretary added. The decision comes after Tillerson faced scrutiny from both parties last year over his decision to fold the standalone Office of Cybersecurity Coordinator into an economic-focused bureau as part of his broad efforts to reorganize the agency.

— SPEAKING OF THE STATE DEPARTMENT… GOP PROBES PUT NEW FOCUS ON STATE: Republicans have former President Obama’s State Department in their crosshairs as they question whether FBI and Justice Department investigations into President Trump were tainted by political bias and influence from key figures in Hillary Clinton’s orbit. Congressional Republicans have signaled that they are looking at whether the State Department, then run by John Kerry, passed along information from Clinton’s allies that may have been used by the FBI to launch an investigation into whether the Trump campaign had improper contacts with Russia. A highly redacted criminal referral from Senate Judiciary Committee Chairman Chuck Grassley (R-Iowa) to FBI Director Christopher Wray and Deputy Attorney General Rod Rosenstein offers new clues about the GOP probes. In the referral, Grassley writes that former British intelligence official Christopher Steele crafted a memo in addition to the infamous dossier of opposition research on Trump that was funded by the Democratic National Committee and Hillary Clinton’s presidential campaign. The conservative website Washington Free Beacon used the same opposition research firm, Fusion GPS, for research on Trump before Clinton and the DNC got involved, but that work did not involve Steele.

— HOUSE INTEL POSTPONES BANNON INTERVIEW IN DISPUTE OVER QUESTIONING: Former White House chief strategist Stephen Bannon’s testimony before the House Intelligence Committee has been postponed for the third time amidst fierce wrangling over what lawmakers will be able to question him about. Bannon was scheduled to make a return trip to Capitol Hill at 10 a.m. on Tuesday, as lawmakers seek answers about Russian meddling in the 2016 presidential election and whether Trump campaign officials had improper contacts with Moscow. Bannon frustrated lawmakers in both parties at a previous interview in which he refused to answer questions about his time in the Trump transition or administration, prompting the committee to issue a subpoena that remains in force. Rep. Mike Conaway (R-Texas), who is leading the Intelligence Committee’s Russia probe, said talks are ongoing and in a statement confirmed that committee negotiators had called off this week’s appearance. A spokesman for Conaway said the interview has been postponed until next week.

A LEGISLATIVE UPDATE: 

HATCH INTRODUCES BILL TO CLARIFY CROSS-BORDER DATA POLICIES:  Sen. Orrin Hatch (R-Utah) on Monday introduced a bill aimed at creating a clearer framework for law enforcement to access data stored in cloud computing systems.

Hatch’s “Clarifying Lawful Overseas Use of Data” (CLOUD) Act would make it easier for U.S. officials to create bilateral data sharing agreements. That would allow them to access data stored overseas and allow foreign law enforcement access to data stored on U.S. firms’ servers.

The legislation is cosponsored by Sens. Chris Coons (D-Del.), Lindsey Graham (R-S.C.) and Sheldon Whitehouse (D-R.I.).

The law currently doesn’t specify whether or not the government can demand that U.S. companies give it data they have stored abroad. The CLOUD Act would amend this, likely impacting Microsoft’s pending Supreme Court case over data it has stored in Ireland. A lower court previously ruled that Microsoft doesn’t have to turn over data stored overseas, following a request for it to do so by the Department of Justice.

Microsoft CEO Brad Smith praised the legislation in a tweet, calling it an “important step toward enhancing & protecting privacy while reducing international legal conflicts.”

Tech trade associations, which lobby on behalf of Microsoft and other companies, signed onto a letter supporting the legislation.

A LIGHTER CLICK: 

A biotech CEO broadcasts himself self-injecting a herpes treatment on Facebook Live. Why? To market experimental gene treatments. (Technology Review)

 

A REPORT IN FOCUS:

DHS NEEDS TO BETTER ASSESS CYBER WORKFORCE: A government watchdog says there is an “urgent” need for the Department of Homeland Security (DHS) to identify critical positions in its cybersecurity workforce.

The Government Accountability Office (GAO) is out with a new report asserting that Homeland Security will not be able to best assess its cyber workforce and find critical gaps without addressing current shortcomings in the way that it identifies and reports critical posts.

The GAO says that the department has taken steps to identify critical cyber posts but that these actions have not been “timely and complete.” According to the report issued Tuesday, GAO found that Homeland Security had identified and assigned codes to 79 percent of its cybersecurity positions, even though officials told Congress in August of last year that it had accounted for and coded 95 percent of these positions.

“In addition, although DHS has taken steps to identify its workforce capability gaps, it has not identified or reported to the Congress on its department-wide cybersecurity critical needs that align with specialty areas,” the report states. “The department also has not reported annually its cybersecurity critical needs to the Office of Personnel Management (OPM), as required, and has not developed plans with clearly defined time frames for doing so.”

GAO is recommending Homeland Security take six actions to quantify these positions, “including ensuring that its cybersecurity workforce procedures identify position vacancies and responsibilities; reported workforce data are complete and accurate; and plans for reporting on critical needs are developed.”

WHAT’S IN THE SPOTLIGHT:

UBER: An Uber executive told Congress on Tuesday that there was “no justification” for the company covering up a massive 2016 data breach that exposed the information of 57 million people.

“I think we made a misstep in not reporting to consumers and I think we made a misstep in not reporting to law enforcement,” John Flynn, Uber’s chief information security officer, told a Senate panel.

Flynn confirmed reports that the company paid one of the hackers $100,000 to destroy the stolen data and to not disclose the breach publicly.

Uber made the payment through a “bug bounty” program, which generally offers financial rewards for cybersecurity researchers who identify vulnerabilities for companies. Flynn on Tuesday said paying off malicious hackers was an improper use of such a program.

“We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” he said in his written testimony. “The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed.”

Lawmakers on the Senate Commerce consumer protection subcommittee blasted the company’s handling of the breach.

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Judge rejects Assange’s plea to drop UK arrest warrant. (The Hill)

Two House Dems accuse Uber of concealing 2016 data breach from FTC. (The Hill)

Dem senator presses FTC to ramp up Equifax hack probe. (The Hill)

National Weather Service investigating false tsunami warning. (The Hill)

Trump likely to approve release of Dem memo: report. (The Hill)

OP-ED: Bitcoin is the future, and it’s time for regulators to act accordingly. (The Hill)

OP-ED: The case for hiring a federal cyber officer. (The Hill)

Drones emerge as ‘hack and track’ cyber warfare tools. (Cyberscoop)

Many cyber crimes remain unreported across U.S. (The New York Times)

British medical facilities are falling short on cybersecurity in the wake of ‘Wanna Cry.’ (Guardian)

This newsletter was updated at 7:47 p.m.