Overnight Cybersecurity: Trump budget includes $3.3B for DHS cyber office | US reportedly tried to recover stolen NSA tools | Experts identify malware targeting Olympics

by Morgan Chalfant and Olivia Beavers - 02/12/18 6:49 PM ET

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORIES:

–SECRET OPERATION TO RECOVER STOLEN NSA TOOLS? The Intercept and the New York Times were out with blockbuster reports late last week that U.S. intelligence officials had engaged in a top-secret operation to recover stolen NSA files from Russian operatives. The botched effort resulted in U.S. officials turning over $100,000 to a Russian intermediary last year in hopes for recovering cyber weapons stolen from the NSA, the loss of which has wreaked havoc on the spy agency. The operatives also offered damaging information on President Trump, which U.S. officials reportedly made clear they were not after. The efforts took place over the last year and have since been cut off. In a rare public statement to AFP published Saturday, the CIA denied the reports. “The fictional story that CIA was bilked out of $100,000 is patently false,” the CIA said.

To read our coverage of this, click here and here.

{mosads}

–NO. 3 AT JUSTICE RESIGNS: News emerged last week that Associate Attorney General Rachel Brand resigned from her position as the no. 3 official at the Department of Justice. According to NBC News, Brand expressed fears that she would be asked to oversee the investigation into Russian meddling in the 2016 election prior to her decision to resign. President Trump’s public criticism of Deputy Attorney General Rod Rosenstein — the No. 2 official at the Department of Justice (DOJ) who is overseeing special counsel Robert Mueller’s probe — made Brand worry Rosenstein might get fired, leaving her to take over the investigation, NBC News reported. Sources close to Brand said she did not want to be under the political spotlight that the role would likely bring, according to NBC News. She also reportedly told friends that she was overwhelmed and unsupported at the DOJ, especially due to a lack of Senate-confirmed officials. In a statement to The Hill, the DOJ pushed back on the NBC report. “It is clear that these anonymous sources have never met Rachel Brand let alone know her thinking. All of this is false and frankly ridiculous,” spokeswoman Sarah Flores said. The DOJ announced Brand’s resignation on Friday.

To read the rest of our coverage, click here.

–‘OLYMPIC DESTROYER’: Cybersecurity experts say they have identified a destructive malware campaign likely used in a cyberattack against the 2018 Olympic Winter Games during the opening ceremony on Friday. Experts at Cisco’s threat intelligence arm Talos have dubbed the malware “Olympic Destroyer,” saying that initial analysis indicates that the malware was designed to destroy data. Officials organizing the 2018 games in Pyeongchang, South Korea, said Sunday that a cyberattack impacted the games’ systems resulting in technical failures during the opening ceremony, according to Reuters. Organizers have not disclosed much publicly about the incident, which disrupted internet access and Wi-Fi during the opening ceremonies and also took the Olympics website offline. It remains unclear who was behind the attack. “We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure,” a spokesman for the International Olympic Committee told Reuters. In a blog post, Talos said it had identified malware samples used in the attack with “moderate confidence.” The experts explained that the unknown attackers likely aimed to disrupt the games, rather than steal data. “The infection vector is currently unknown as we continue to investigate,” Talos said in the blog post. “Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony.” Separately, an expert at CrowdStrike said the cybersecurity firm had identified a new family of malware targeting the Olympics, apparently designed to destroy data. It first emerged Friday on the day of the opening ceremony.

To read the rest of our coverage, click here.

A BUDGET UPDATE:

TRUMP BUDGET INCLUDES OVER $3 BILLION FOR DHS CYBER OFFICE: President Trump is asking Congress to allocate $3.3 billion for the Department of Homeland Security (DHS) unit that protects federal networks and critical infrastructure from cyber threats.

The administration’s new fiscal 2019 funding proposal for the National Protection and Programs Directorate (NPPD) includes over $700 million to operate and support the directorate’s cybersecurity branch, according to documents released by the administration on Monday. Roughly $225 million would go toward cyber readiness and response efforts and $460 million for federal cybersecurity.

The funding is largely consistent with the president’s 2018 request.

NPPD is responsible for guarding federal networks from threats and helping owners and operators protect critical infrastructure from cyber and physical attacks.

An administration official told reporters Monday that the budget allows Homeland Security to invest in the “most critical” cybersecurity needs in the current fiscal climate.

“We believe that it is adequate,” the official said.

Trump’s summary document emphasizes the “important role that DHS plays in combating cyberattacks and protecting the Nation’s critical infrastructure.”

“As these threats continue to evolve, DHS cybersecurity programs are more important than ever,” the blueprint states.

Under the new proposal, NPPD would see its research and development budget increase significantly from $11 million to over $47 million, with much of the new funds bolstering cybersecurity research.

Administration officials said that the funds are being reallocated from the department’s Science and Technology directorate. Science and Technology, which is separate from NPPD, would again see its funding slashed under the new budget proposal. Trump’s 2018 budget proposed a trimmed-down figure of $627 million for the directorate, and the 2019 proposal allocates $583 million for it.

To read more of our coverage of the budget, click here, here, and here.

A LIGHTER CLICK:

Want to childproof your phone? A phone algorithm may be able to keep little fingers from swiping across the screen. And yes, it has come to that. (Technology Review)

A REPORT IN FOCUS:

Most state election systems remain at risk of interference or exploitation by foreign governments or malicious actors with the 2018 midterms rapidly approaching, according to a new report from the liberal Center for American Progress (CAP).

Researchers at CAP reviewed current election systems and interviewed relevant election officials on a state-by-state basis to determine the extent they are prepared for the midterms that are nine months away.

CAP dispensed grades “based on adherence to best practices under seven categories, including adopting minimum cybersecurity measures for voter registration databases, using paper ballots, and conducting post-election audits.”

The study found that each state could make improvements and further boost its defense against an outside attack. Only a few received a B grade, the highest awarded mark.

“No state received an A and only 11 states received a B. Another 23 states received a C, 12 states received a D, and five states received failing grades,” the report says.

The left-leaning think tank conducted the study in light of the intelligence community’s assessment that Russia attempted to meddle in the 2016 presidential election by targeting certain state voting systems.

“This report should spur demand across the country for urgent steps needed to defend America’s election security against another attempt by a foreign nation to disrupt our elections,” Danielle Root, lead author of the report, said in a statement.

The study identified several key vulnerability points for states including the “continued use of paperless electronic voting machines,” which are considered more susceptible to hacks because they do not produce a voter-verified paper backup to audit in the event a result is called into question. These systems are currently in use in fourteen states, with five exclusively using paperless voting machines.

The report also pointed out that 10 states do not provide their election officials with cybersecurity training and that 33 states have “unsatisfactory” post-election audit procedures.

“Overall, states still lack the necessary funding and resources to adequately protect future elections from interference by hostile nations such as Russia. Despite bipartisan efforts in Congress to bolster election security and provide needed funding, legislation remains blocked,” the report found.

To read more from CAP’s report, click here.

WHAT’S IN THE SPOTLIGHT:

YEP — IT’S EQUIFAX AGAIN: The Capitol Hill outrage over the massive Equifax data breach has returned, with Democrats suspicious that Republicans are delaying efforts to crack down on the credit reporting industry and secure consumer data.

The fresh outcry kicked off last week, when Reuters reported that Mick Mulvaney, the acting director of the Consumer Financial Protection Bureau (CFPB), had slowed the agency’s investigation into Equifax.

The 2017 breach exposed sensitive information, including Social Security numbers, of 143 million Americans.

A group of 32 Senate Democrats responded to the Reuters report by demanding answers from the agency about the progress of its investigation.

The CFPB declined to comment on the letter, instead pointing to an earlier statement from Mulvaney senior adviser John Czwartacki.

“Acting Director Mulvaney takes data security issues very seriously,” Czwartacki said. “Under his direction, the CFPB is working with our partners across government on Equifax’s data breach and response. We are committed to enforcing the law. As policy, we do not confirm or deny enforcement or supervisory matters.”

Democrats have kept up the heat on Equifax and other credit reporting agencies since the hack, using the breach to call for reforms.

Sen. Elizabeth Warren (D-Mass.) also released a report recently on the breach, excoriating Equifax for a lack of safeguards and calling on Congress to crack down on credit reporting agencies.

Last month, Warren and Sen. Mark Warner (D-Va.) introduced legislation that would make it easier for the Federal Trade Commission to police credit bureaus’ data security practices.

And in November, Democrats on the Senate Commerce Committee renewed their push for a law requiring companies to notify consumers of data breaches within 30 days of discovering them.

“[The breach] showed how a lack of oversight and accountability from credit reporting companies played a key role in the largest credit consumer data breach in history,” Warner said in a statement to The Hill. “Congress has a responsibility to ensure these companies are collecting and maintaining this data in an appropriate and secure manner, including by adopting effective system and data security safeguards.”

The calls for data breach laws grew in 2017, the same year Uber revealed a data breach a year earlier that compromised information from 57 million users and Yahoo announced that all of its 3 billion user accounts had been compromised in a 2013 breach.

“We’ve gotta do something to require much more protection for data,” Rep. Jan Schakowsky (Ill.), the ranking Democrat on the House Energy and Commerce consumer protection subcommittee, who introduced her own data breach bill in October. “I just think all of this just spurs on demand for a long-term solution.”

Former Equifax CEO Richard Smith faced four congressional hearings in October, with members of both parties furious about a breach that had exposed sensitive personal data for nearly half the country.

Despite the outrage from lawmakers, though, there’s been little movement in Congress toward cracking down on the industry or improving data security practices.

To read the rest of our piece, click here.

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Homeland Security calls NBC report on election hacking ‘false’. (The Hill)

Equifax hires new chief information security officer. (The Hill)

Questions swirl about aide’s security clearance. (The Hill)

German court rules Facebook data use, privacy settings illegal. (The Hill)

Government websites ensnared in crypto-mining scheme. (CyberScoop)

General Dynamics is buying government IT giant CSRA. (Defense News)

The United States and France strengthen their cyber ties. (State Department)