with Bastien Inzaurralde
Republican leaders of the House Oversight Committee released a scathing report about the Equifax data breach on Monday morning, detailing a series of security failures that preceded the 2017 compromise of 140 million Americans’ personal information.
A few hours later, committee Democrats released a competing report about the consumer credit reporting agency, lashing out at their Republican colleagues for not demanding new cybersecurity laws to prevent the next major data breach.
The competing reports highlight how cybersecurity, which was once considered a largely bipartisan topic, has been infected by partisan conflict.
The feud also underscores the supreme difficulty of reaching bipartisan consensus in cybersecurity: The fact that the parties can’t even agree on how to properly condemn Equifax makes it seem even less likely that they will be united on how to tackle more complex challenges that have serious political implications, such as election security or protecting the power grid.
Aspects of the cybersecurity debate “are more partisan than they ever were before,” Daniel Schuman, a former congressional staff member who is now the policy director at the liberal advocacy group Demand Progress, told me.
In other ways, though, cybersecurity has always been more partisan than it seemed, Schuman said. That’s especially true when cybersecurity intersects with other issues that can be more partisan — such as how much money the government should spend and how actively it should regulate private industry.
The dueling reports highlight these differences.
The Democrats’ Oversight report called for new laws that would raise financial penalties for data breaches, simplify how consumers are notified about breaches and boost federal regulators’ cybersecurity efforts. The Republican report hit many of the same issues — but urged government cooperation with the private sector rather than mandates.
The Democratic report proposed broadening the Federal Trade Commission’s regulatory power over credit ratings agencies, such as Equifax, for example, while the Republican report simply urged studying those regulatory powers.
“The sides have essentially come to different conclusions about the role of government in cybersecurity,” Jacob Olcott, a former cyber staffer in both the House and the Senate, told me. “The Republican members put out a very comprehensive analysis of the event. … and the Democratic version of the report is: ‘We sat through the same meetings and here’s what we think should be done.’ ”
The partisan cyber divide isn’t isolated in the Oversight Committee.
A staffer on the House Homeland Security Committee, which is among the most cyber-focused in Congress, told me the committee generally manages to stay nonpartisan when working on issues such as how the Department of Homeland Security helps protect other federal agencies’ computer networks.
When it comes to new regulations or raising budgets, however, the parties are far apart, the staffer told me.
The divisions aren’t new, either, Paul Rosenzweig, a former House investigations counsel and Bush administration cyber official, told me.
“My view is that the era of bipartisan agreement on cybersecurity is mostly myth,” said Rosenzweig, a senior fellow at the R Street Institute think tank.
“The Democrats have always had a more mandate-oriented, regulatory-based view of how to approach this,” Rosenzweig said.
Meanwhile, “you’d be hard-pressed to find any Republican who would vote for any security mandate as opposed to a security standard,” he said.
Those divisions could be overcome by a major catastrophe, such as a cyberattack against the energy grid or financial sector, Rosenzweig told me. Unfortunately, the highest-profile digital strike against the United States targeted the 2016 election, which automatically put it in a partisan frame, he said.
One difference that has emerged during the past two years is that cybersecurity has become a partisan football as Democrats criticize President Trump for allegedly making calls on an unsecured iPhone and other topics, Schuman told me.
That partisan acrimony can bleed into other topics and make the cyber divisions even worse, he said.
“The tech stuff gets all mushed together, so you do have some weird lines being drawn in a way that doesn’t make a lot of sense,” Schuman said.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
|Not a regular subscriber?
PINGED: Rep. Robin L. Kelly (D-Ill.) this week plans to introduce legislation aiming to improve the security of Internet of Things devices that the government purchases, according to a statement from her office. The bill would require that IoT devices that the government buys meet basic cybersecurity standards. “As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure,” Kelly said in a statement. “Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices.”
Kelly had released a discussion draft of the bill in August 2017 and said she refined it with input from government agencies, lawmakers, advocates and others. Sen. Mark R. Warner, (D-Va.), introduced a similar bill in the Senate. The lame duck introduction suggests Kelly and Warner may press for action on similar bills next Congress. Jeff Greene, vice president for global government affairs and policy at Symantec, applauded Kelly’s bill in a statement, calling “unsecured IoT devices are an enormous — and growing — risk” and saying the federal government “can set an example for the private sector” by demanding that vendors secure them.
PATCHED: An inspector general report found that U.S. Customs and Border Protection officers conducting searches on devices from travelers entering the United States often did not delete data that they had downloaded onto portable devices, Nextgov’s Aaron Boyd reported. The rules governing the conduct of an “advanced search” — during which CBP officers download data from a traveler’s electronic device to a thumb drive — were not clearly laid out, the report found.
“During such searches, officers are required to sever any external connections so they can only review data stored on the device and must immediately delete the information from the thumb drive after transfer,” Boyd reported. “The IG’s analysis showed neither procedure was being properly followed.” As part of an advanced search, officers connect the thumb drive containing data from the traveler’s device to a program called Automated Targeting System for analysis. “During the review, investigators found travelers’ information stored on portable drives at three of five ports of entry, creating a significant privacy and security issue,” according to Nextgov.
PWNED: A cyber espionage group has compromised 30 organizations since September in Pakistan, Turkey, Russia and other countries in operations that aim to collect intelligence, the cybersecurity company Symantec said in a report. The hacking group, which Symantec refers to as Seedworm, has carried out cyberattacks against a broad range of organizations such as telecommunications firms, government agencies and a Russian oil and gas company that operates in the Middle East.
“Seedworm’s motivations are much like many cyber espionage groups that we observe — they seek to acquire actionable information about the targeted organizations and individuals,” the Symantec researchers said in the report. “They accomplish this with a preference for speed and agility over operational security, which ultimately led to our identification of their key operational infrastructure.” Symantec said Seedworm has operated since at least 2017 and “remains highly active.” Other recent targets of the hacking group include two major nongovernmental organizations, universities in the Middle East and embassies “primarily based in Europe representing Middle East countries,” Symantec researchers said.
— Silicon Valley isn’t thrilled with Australia’s new encryption legislation. The Reform Government Surveillance coalition, which includes tech giants such as Apple, Google and Facebook, said Australia’s encryption law “is deeply flawed, overly broad, and lacking in adequate independent oversight over the new authorities,” as quoted by TechCrunch’s Zack Whittaker. TechCrunch noted that the law gives “Australian police and the intelligence agencies wide-reaching powers to issue ‘technical notices’ — essentially forcing companies and even websites operating in Australia to help the government undermine encryption or insert backdoors at the behest of the government.”
— The cybersecurity company Rapid7 said a trade agreement between the United States and the European Union should promote transparency of security features on IoT consumer devices. “The goal of this process should be to enable consumers to make informed purchasing decisions regarding data protection features of such devices,” the company said. The recommendation is part of a filing that Rapid7 submitted to the Office of the U.S. Trade Representative in response to a request for public comments on a potential trade deal. The company made eight recommendations in total.
Rapid7 said another objective of a trade negotiation with the European Union should be to prohibit requirements to weaken encryption. “Market access rules requiring weakened encryption would create technical barriers to trade and put products with weakened encryption at a competitive disadvantage with uncompromised products,” Rapid7 said. “Requirements to weaken encryption would impose significant security risks on US companies by creating diverse new attack surfaces for bad actors, including cybercriminals and unfriendly international governments.” You can read Rapid7’s filing here.
— Bots are becoming harder to track. “Security teams could once easily detect bot traffic by identifying visitors engaged in anomalous behavior, such as opening and closing windows millions of times,” CyberScoop’s Jeff Stone reported. “Now, ad-fraud scammers are using more advanced technology that more closely resembles actual human activity, making it far more difficult for digital crime-fighters to stop it. Gone are the days when scammers simply would only use networks of hacked computers to knock websites offline with distributed denial-of-service attacks.”
— More cybersecurity news from the private sector:
— Google will shut down Google+ five months sooner than initially scheduled following a new security bug. “Google revealed Monday that its soon-to-be shuttered social network suffered from another security lapse, a software bug that could have allowed third-party apps and developers to gain access to 52 million users’ personal information without their permission,” The Washington Post’s Tony Romm and Craig Timberg reported. “For six days in November, an update to the underlying code of Google+ meant that apps seeking to access users’ profile information — including their names, email addresses, occupations and ages — could view that data even if it was ‘set to not-public,’ Google said in a blog post.” However, as my colleagues noted, the company said its systems weren’t compromised.
- Google chief executive Sundar Pichai testifies before the House Judiciary Committee.
- House Armed Services subcommittee hearing on the Defense Department’s “artificial intelligence structure, investments, and applications.”
- 2018 Cloud Security Alliance Congress through tomorrow in ChampionsGate, Fla.
Three key moments from Jared Kushner’s interview with Fox News:
Who Trump wants in his inner circle:
Trump’s ever-shifting rhetoric on the Mueller probe: