With help from Eric Geller and Martin Matishak
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. To learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services, click here.
— The latest from the RSA Conference: the internet of things, international cyber coordination, protecting “critical functions” and much more.
— A Senate panel holds a hearing today on major cyber breaches. The subcommittee hearing comes in conjunction with a new report on the Equifax hack.
— Cybersecurity remains a big problem for the federal government, according to a new watchdog assessment. Besides again making the “high-risk” list, there are plenty of unfulfilled recommendations.
HAPPY THURSDAY and welcome to Morning Cybersecurity! The rain in San Francisco has to end one of these days. Send your thoughts, feedback and especially tips to [email protected], and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
TODAY (AND TOMORROW) AT RSA — The RSA Conference slows down today and Friday. The remaining highlights include some election security focus both days, with the Democratic National Committee’s Bob Lord keynoting Friday. Assorted high-level DHS and NSA officials also appear on panels both days, including together sometimes.
AS TOLD TO MC — The Global Cyber Alliance, which focuses a lot of attention on DMARC, is shifting some toward another acronym: DNS, or Domain Name System. Phil Reitinger, president and CEO of the alliance, said it was preparing an analysis of protective DNS services, “in terms of looking at actual incident data and judging how effective use of a protective DNS service is in impairing real attacks.” The alliance is also looking at ways to use DNS to block malicious attacks on internet of things devices on a large scale, Reitinger said.
Reitinger also had a gripe about the RSA Conference itself: While FBI Director Chris Wray and NSA/Cyber Command leader Army Gen. Paul Nakasone got keynote stages, the head of the DHS Cybersecurity and Infrastructure Security Agency, Chris Krebs, was placed in a smaller meeting room. “I thought that was a missed opportunity for the conference to put a new agency up and give it a more public face,” he said. “It’s in charge of civilian cybersecurity. I think they’re doing great work. Some of that ought to be showcased more.” The Alliance added a couple of new personnel this week, by the way.
OVERHEARD AT RSA — The U.N. Group of Governmental Experts wants to seek a broader consensus on cyber norms, Foggy Bottom’s top cyber official said at a panel Wednesday. “We want to go beyond the like-minded 20 or so countries that are very involved in these discussions,” said Rob Strayer, the State Department’s deputy assistant secretary for cyber and international communication and information policy. That might involve reaching out on a regional basis, such as communicating with the African Union, he said. At the same panel, Paul Rosenzweig, senior fellow at R Street Institute, said there’s just one kind of norm that truly works: “The only norms that are effective are the ones that are in their interest to do that.”
DHS is conducting a review of critical functions in U.S. infrastructure, but it’s going about it in a particular way when it approaches the private sector, said Jeanette Manfra, the department’s assistant director for cybersecurity. “We’re not trying to get way, way down in the weeds,” she said at a Wednesday panel. “There’s enough detail where we can orient ourselves around how to protect those.” She added: “The adversary potentially has a better understanding of some of these than we may.”
DATA BREACHES BACK IN VOGUE — The Senate Homeland Security Investigations subcommittee will gavel in this morning to hear from the chief executives of Equifax and Marriott International, companies that have come under congressional scrutiny after suffering historic data breaches in recent years. On Wednesday the subpanel unveiled a bipartisan report detailing how Equifax repeatedly failed to implement good cyber hygiene ahead of the 2017 data breach that impacted 145 million Americans. The report “shows that this breach could have been minimized, if not avoided,” Sen. Tom Carper, the subcommittee’s top Democrat, said. The subpanel will also hear from GAO and FTC officials and the head of the Center for Internet Security, a think tank.
STUCK IN THE MUD? — Hold on to your hats: Cybersecurity remains an area of high risk for the federal government, according to the Government Accountability Office, which said in a report published Wednesday that its findings in the cyber realm were unchanged from its previous report. President Donald Trump’s May 2017 executive order and a series of subsequent actions demonstrate the presence of “leadership commitment,” the report said, but concerns remain in other areas, including a workforce shortage, a lack of clear strategic guidance and failures of agencies’ security monitoring programs.
Nearly 700 of GAO’s 3,000 cybersecurity recommendations since 2010 remain unresolved, the report said, including 26 of 35 high-priority tasks. GAO reiterated its suggestion that Congress amend the 1974 Privacy Act and the 2002 E-Government Act, saying “they may not consistently protect [personally identifiable information] in all circumstances of its collection and use throughout the federal government, and may not fully adhere to key privacy principles.”
WITH GREAT POWER … — The Pentagon’s supply chain security program should accommodate businesses concerned about “opaque” decisions to ban their products from military networks, the software trade group BSA said Wednesday in a letter to the leaders of the House and Senate Armed Services committees. The most recent defense policy bill gave the Pentagon the authority to put companies on blacklists if their products are deemed insecure or risky, and BSA said that while it understood the need for these “potent tools,” there was “a risk that such opaque processes” would encourage foreign governments to make “non-risk management-based protectionist” decisions.
BSA recommended that this blacklist program be amended to require “processes to, absent exceptional circumstances, notify vendors excluded from a competition of their exclusion and the reasons for it and to ensure a viable means of protesting or appealing the exclusion decision.” The letter also made recommendations about supply chain research, vendor contract language, and relying on industry standards. And it encouraged Congress to direct the Pentagon to buy commercial off-the-shelf software wherever appropriate.
RECENTLY ON PRO CYBERSECURITY — The deputy director of the National Geospatial-Intelligence Agency was placed on leave over “personal misconduct.” … NSA and Cyber Command leader Army Gen. Paul Nakasone said he was skeptical Russia could disconnect from the global internet, but would be ready either way. … Huawei sued the U.S. over a federal agency ban.
The DHS inspector general said the department needs more election security staffers. … Reps. Jim Langevin and Gerry Connolly introduced a bill to create an election security grant program. … Georgia’s new election chief is mimicking the style of his controversial predecessor. … “A Georgia Senate committee today approved a bill to make barcode-based devices the new voting system for the state, despite the nearly unanimous objections of cybersecurity experts.” … China isn’t emulating Russia’s election interference attempts and is instead looking to use social media for other kinds of influence operations, according to Recorded Future.
Hill aides said there’s bipartisan interest in Congress on cybersecurity workforce and supply chain security legislation. … All levels of government should commit to coordinated vulnerability disclosure programs, the Cybersecurity Coalition advocated. … Research this week from Accenture shed additional light on a Chinese hacking group interested in maritime technology.
TWEET OF THE DAY — Catchy!
— Facebook CEO Mark Zuckerberg said his company is shifting more toward privacy. The New York Times
— An Iranian hacking campaign appears more extensive than previously known. The Wall Street Journal
— A trio of Democratic senators asked the director of national intelligence to declassify any China election interference info it has.
— “The Prototype iPhones That Hackers Use to Research Apple’s Most Sensitive Code.” Motherboard
— The NSA’s new reverse engineering tool got a good reception. Motherboard
— RunSafe and CyberScoop are launching a quarterly index that averages the price of cyber exploits targeting government agencies.
— Stalkers and debt collectors have impersonated cops to get phone location data. Motherboard
— A Russian spy agency “likely” hacked a U.K. agency that counters Russian fake news. Sky News
— The Thales-Gemalto merger got U.S. approval. Telecompaper
— The Cybersecurity Tech Accord added new signatories.
That’s all for today.
Stay in touch with the whole team: Mike Farrell ([email protected], @mikebfarrell); Eric Geller ([email protected], @ericgeller); Martin Matishak ([email protected], @martinmatishak) and Tim Starks ([email protected], @timstarks).