Morning Cybersecurity
A NERD’S TOUR OF DUTY — Chris Lynch, head of the nearly one-year-old Defense Digital Service, sat down with Martin in the organization’s unconventional Pentagon office for a Q&A that’s out this morning. Lynch has already said he plans to stay on for the next administration, but other highlights include the state of recruiting for the elite IT office: “I think that it’s changed a lot. In the early days, I think that you had to tell the story of who we are. A lot of times now, we’ll show up and they’ve at least heard of either [the U.S. Digital Service], the HealthCare.gov story or they’ll have heard of Defense Digitial Service.”
He also talked about the thing that most surprised him at the Defense Department. “My biggest lesson learned is that there is simply no way that we can continue to function without having nerds in the room. I believe that to my core,” he said. That we live in a world where all of these things that we created are now run by, and eaten by, software. We make decisions that are so critically important to the safety of the American people and the men and women who are defending the country, all those systems have to work perfectly and we’re making decisions where there’s not a nerd in the room. And that is — it’s not OK.” The full interview — including Lynch’s favorite lightsaber color — is here for Pros.
HAPPY THURSDAY and welcome to Morning Cybersecurity! The next two days your regular MC host will again resume his semi-September-sabbatical. But then I’ll be back for the stretch run to the election. While I’m gone, you can still send thoughts, feedback and especially our tips to tstarks@politico.com, and be sure to follow @timstarks, @POLITICOPro and @MorningCybersec. But team info is below, and be generous with them, please!
COMEY ON DIY PHONE HACKING — FBI Director James Comey told a House panel Wednesday that the bureau might have to occasionally rely on others to help agents hack into locked phones at times, but that there’s some value in doing it in-house. Rep. Darrell Issa asked whether the FBI could also rely on the NSA. “That’s a reasonable question,” Comey replied. “It may be part of the solution. The real challenge is in using those techniques in the bulk of our work. Because it becomes public and exposed. But that has to be an important part of the conversation.” Likewise, while Comey said the FBI could again use contractors — as it did in breaking into the phone of a terrorist in San Bernardino — it’s also developing its own capabilities. “Whether that’s the best solution — it doesn’t strike me as the best solution — but we are, and I’ve asked for more money in the ’17 budget, trying to invest in building those capabilities, so when we really need to be able to get into a device, we can. It’s not scalable, and I’m not sure it would be thrilling to companies like Apple to know we’re investing money to try and figure out how to hack into their stuff.”
MINI Q&A WITH MCAFEE’S CHRIS YOUNG — This month, tech giant Intel agreed to sell a majority stake in its cybersecurity business to investment firm TPG and restore independence to veteran security company McAfee, a transition that’s expected to go into effect early next year. MC spoke with Chris Young, who will head up the newly independent McAfee. Below are some exchanges, edited for length.
What will be different under the new arrangement? The difference for us is, we’ll be 100 percent focused on cybersecurity. Intel has been great, but it does a lot of things, and cyber is one of them where Intel plays. This is going to allow us to continue to work closely, but as a standalone company, all we will do is cybersecurity.
What should the next president focus on? No. 1, the federal government needs to be investing in cybersecurity talent and training. The Obama administration has introduced some good programs in this space, and we think we can expand that. The next one is international cooperation. We’re pretty quiet around what we do across borders in cybersecurity. We’re probably going to see more standards, more ways to internationally cooperate around threat information sharing.
What threats are you thinking about most? The topic area I’m very interested in as I look forward is the convergence of new order types of attack categories with the penetration of security in our physical being. Ransomware converging with the Internet of Things creates a whole new set of attack scenarios that go beyond our traditional data breach view of the world. Physical safety threatened by a cyberattack is where I’m thinking.
LAWMAKER: MAKE IT EASIER TO GET A CYBER JOB — Rep. Derek Kilmer on Wednesday asked the Homeland Security Department to heed a recommendation from a think tank and industry report to reduce the minimum credentials needed for a cybersecurity gig. Most cyber jobs, according to the joint report from Intel Security and the Center for Strategic and International Studies, require a bachelor’s degree, but cyber skills aren’t always picked up via traditional education. “I encourage the department to examine whether it would be possible to develop a cybersecurity hiring approach which permits the federal government to access professionals with critically needed skill sets who otherwise might be excluded from consideration,” Kilmer wrote in a letter to Secretary Jeh Johnson.
NO THANKS, TOO RISKY — More than 15 million voters are so afraid of cyberattacks compromising November’s elections that they are considering not voting, according to a survey that cybersecurity firm Carbon Black will release today. The survey, released one month after an FBI flash alert about attacks on voter registration databases in Arizona and Illinois, found that 36 percent of voters thought their voter information was insecure. Carbon Black co-founder Ben Johnson told MC that his team was surprised how many people said they might not vote due to hacking fears. “We did the report really to drive awareness,” he said. “We are glad that people are waking up to the fact that there is a lot of risk.” The report urges states to implement paper audit trails for electronic voting machines, some models of which have been shown to be easily hackable. “We come from very intelligence community backgrounds,” said Johnson, a former NSA operator, “and we have had lots of experiences in the past where, if we had physical access to any kind of device, it was only a matter of time before we got in.”
CYBER IS DARK AND FULL OF TERRORS — Digital attacks are increasingly exploiting the Internet of Things as it grows, according to a new report from Darktrace. The cybersecurity firm’s 2016 threat report, out today, delves into six real-world threats and trends. “With the cyber black market reaching maturation, the barrier to entry for would-be attackers is lower than ever. All industries are now being targeted by non-traditional attacks, particularly by sophisticated software that blends into the background of day-to-day network activity. Artificial intelligence is now being deployed by attackers to emulate legitimate user behaviors, automatically. Cyber warfare has become an arms race,” the report states.
NOT TO BE CONFUSED WITH VENTURE BROS. — Two “enterprising” cyber criminals are outsourcing aspects of their illicit business to pilfer credit card information in the United States and Nordic countries, FireEye iSIGHT Intelligence reveal in a report out today. Nicknamed the “Vendetta Brothers,” the group partners with other cyber criminals to employ a variety of tactics — including “brick and mortar” methods like deploying physical skimmers — to capture payment card data. The outsourcing makes it harder for law enforcement to pin down who exactly is responsible, concluded FireEye’s report.
MORE JOURNALISTS TARGETED — Russian hackers have been discovered targeting the citizen-journalism website Bellingcat, which gained attention reporting on a Russian missile launcher used to shoot down Malaysian Airlines Flight 17. After running those stories, three Bellingcat researchers received spearphishing emails that tried to trick them into giving up their Gmail passwords. The security firm ThreatConnect analyzed the messages and determined they were consistent with the “tactics, techniques and procedures” of the hacking group “Fancy Bear,” which has been tied to Russia’s military intelligence service. Fancy Bear is also suspected in the hack of the Democratic National Committee. “As evidenced by these efforts and the attack on the World Anti-Doping Agency, organizations that negatively impact Russia’s image can expect Russian cyber operations intended to retaliate publicly or privately, influence, or otherwise maliciously affect them,” ThreatConnect’s team wrote in a blog post.
ENERGY’S CYBER RISKS: Per our friends at POLITICO Europe: Energy companies have seen a massive increase in successful cyberattacks over the past year, and they need to address the risks in order to maintain their security and keep their businesses resilient, according to a report the World Energy Council released today. As the energy industry grows more interconnected and digitized, thanks to smart grids and other devices, it also becomes a more attractive target for cyberattacks. The worst case scenario? Infrastructure shutdowns, economic and financial disruptions and even deaths and massive environmental damage, it says. On the plus side, awareness has grown over the past three years, with more than 30 countries putting “ambitious” cyber plans and strategies in place, Christoph Frei, the World Energy Council’s secretary general, said in a statement.
TWEET OF THE DAY — If this tweet were right, MC would be a very different newsletter.
RECENTLY ON PRO CYBERSECURITY — Comey said the FBI was investigating Russian tampering in U.S. elections. … He also said hackers have probed more states’ voter databases since it sent an alert about two states’ voter rolls being targeted. … Georgia Secretary of State Brian Kemp clashed with Rep. Gerry Connolly over the federal role in defending election infrastructure. … Computer science professor Andrew Appel told a House committee hackers could disrupt this election. … InfoArmor says the Yahoo breach doesn’t appear to be the work of state-sponsored hackers. … Rep. Ted Lieu wants the new federal chief information security officer to let him know how Congress can help. … The Marines Corps released a new operating procedure focused on high-tech threats. … Europol says ransomware has become the top cybercrime threat in Europe. … The European Commission has proposed tougher controls on the export of dual-use technology, including some cyber tools.
QUICK BYTES
— A Q&A with Overstock.com’s chief on blockchain. POLITICO.
— U.S. officials are growing more confident that self-proclaimed Democratic National Committee/Democratic Congressional Campaign Committee hacker Guccifer 2.0 is a front for Russia. The Wall Street Journal.
— CNN cites two law enforcement officials saying that hackers have probed a dozen states’ voter rolls.
— Rep. John Conyers says there’s a “clear consensus” that Russia hacked the DNC. Morning Consult.
— The House delayed a vote to hold a Hillary Clinton information technology aide in contempt of Congress. The Hill.
— “Defending against hackers took a back seat at Yahoo, insiders say.” New York Times.
— It took a lot of cameras for a record-breaking DDoS attack. Ars Technica.
— Rep. Robin Kelly says that the next president must win the cyber war on terror.
— “Apple logs your iMessage contacts and may share them with police.” The Intercept.
— The University of Texas at San Antonio has secured millions in government grants to boost its cybersecurity education. San Antonio Business Journal.
By: Tim Starks
Source: Politico