|
View in your browser |
|
|
|
|
Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you… |
|
|
|
|
THE BIG STORIES: |
|
–DAMAGE CONTROL: Hillary Clinton’s presidential campaign sought to minimize criticism Wednesday after a federal watchdog said she and her aides did not comply with State Department email policies, saying the record-keeping problems were longstanding. The department’s Office of the Inspector General reported that Clinton’s use of a private email address and server violated internal regulations. By exclusively using a personal email address routed through a private server, Clinton circumvented policies designed to follow federal records laws and might have jeopardized official secrets, the department’s Office of the Inspector General said in a report obtained by The Hill ahead of its official publication on Thursday. Clinton never requested permission to use the personal server, which was located at her New York home, and it “would not” have been approved, in part, because of “the security risks in doing so,” the watchdog agency wrote. Additionally, Clinton “never demonstrated” to State Department security officials that her personal server or BlackBerry device “met minimum information security requirements.” Clinton’s campaign pushed back on the report. The former secretary of State’s “use of personal email was not unique,” Clinton campaign spokesman Brian Fallon said in a statement, “and she took steps that went much further than others to appropriately preserve and release her records.”
To read about the IG report, click here. To read about the campaign response, click here. |
|
–NOT A GREAT SIGN: One of the last remaining means by which U.S. companies can handle European citizens’ data outside of the EU was thrown into further jeopardy on Wednesday. Ireland’s data privacy regulator revealed that it plans to ask Europe’s high court to review a certain kind of back-up contractual language Facebook — along with thousands of other companies — uses to transfer EU citizens’ data. The same court last year overturned a widely used arrangement between the U.S. and the EU that allowed companies to “self-certify” that they met Europe’s more stringent privacy requirements. Following the decision last fall, many companies who had previously relied on the agreement turned to so-called “model clauses” — snippets of pre-approved legal language — to make their transatlantic data transfers legal. If model clauses are also judged invalid, companies will be left with few choices but to house data on local servers. The decision touches thousands of firms that do business across the Atlantic, from the hospitality industry to social media. To read our full piece, click here. |
|
–ADMISSION: The Romanian hacker who claimed to have broken into Hillary Clinton’s personal email server on Wednesday pleaded guilty to charges of hacking and aggravated identity theft involving dozens of Americans’ email and social media accounts. Marcel Lehal Lazar, known by his online alias “Guccifer,” admitted in a statement as part of his plea deal that he intentionally gained access to about 100 Americans’ accounts between 2012 and 2014 without their consent. Victims included a family member of two former presidents, a former Cabinet member, former Joint Chiefs of Staff member and a former presidential advisor, according to prosecutors. Lazar was widely expected to plead guilty to the federal criminal charges. This month, Lazar claimed to have also broken into Clinton’s “completely unsecured” server, which he compared to “an open orchid on the internet.” Clinton’s campaign has dismissed the claim, and the State Department has said it has no reason to believe the hacker. Department of Justice officials said Lazar “admitted that in many instances, he publically released his victims’ private email correspondence, medical and financial information and personal photographs.” Lazar entered his guilty plea before U.S. District Judge James C. Cacheris in the Eastern District of Virginia. The judge set his sentencing for Sept. 1. To read our full piece, click here. |
|
|
|
|
UPDATE ON CYBER POLICY: |
|
–COME TOGETHER, RIGHT NOW. A bipartisan group of senators wants to bring the Senate version of a national defense bill in line with its House counterpart and give the U.S. military’s cyber unit more authority.An amendment to the National Defense Authorization Act (NDAA) would direct the president to elevate U.S. Cyber Command to a standalone warfighting entity, pulling it out from under the authority of Strategic Command.
The House version of the legislation, passed 277-147 last week, already includes a similar provision.
The move appears to have widespread support from lawmakers, as well as Adm. Michael Rogers, the unit’s head. He said last month that elevating the unit to a full combatant command would make it more nimble and “generate better mission outcomes.”
But the White House opposes Congress settling the issue, saying the Defense secretary and Joint Chiefs of Staff should make their recommendations to the president.
To read our full piece, click here. |
|
–MEANWHILE… Sen. Cory Gardner (R-Colo.) proposed an amendment that would require the Comptroller General of the United States to release a report on the Defense Department’s telecommunications equipment that was purchased from suppliers tied to leading cyber-threat actors, including Russia, China, Iran and North Korea.”It is simply commonsense to determine if leading cyber-threat actors may have access to sensitive government information,” Gardner said Wednesday. |
|
|
|
|
A LIGHTER CLICK: |
|
–LITERALLY, NO. We have never felt so justified in saying: I just can’t. |
|
|
|
|
A HEARING IN FOCUS: |
|
–WHOSE FAULT IS IT, REALLY? Rep. Elijah Cummings (D-Md.) on Wednesday accused Republicans of failing to provide adequate funding for federal cybersecruity, even as Oversight Chairman Jason Chaffetz (R-Utah) hammered agencies for using outdated technology.”The ticking time bomb here is that the Republicans keep slashing agency budgets year after year, and pretending that these actions have no negative repercussions,” Cummings said during a hearing.
The Maryland Democrat cited a proposed $236 million cut to the IRS in the House Appropriations Committee 2017 budget, which was released Tuesday.
The IRS has been dogged by a series of high-profile breaches that have put its IT infrastructure in Chaffetz’s crosshairs. Earlier in the hearing, Chaffetz hit IRS Commissioner John Koskinen for requiring the committee to subpoena the agency’s chief technology officer.
Koskinen had argued that “spending time preparing for a hearing would take [Terry Milholland] away from his important role in leading IT development and operation and we would be disruptive to the IRS.”
“That is wholly and totally unacceptable. This is part of the solution, not part of the problem,” Chaffetz said.
Cummings acknowledged the security risks of outdated technology, but placed the blame on budget cuts rather than agency recalcitrance, a common refrain from Koskinen.
To read our full piece, click here. |
|
–MEANWHILE… Elsewhere on Capitol Hill, healthcare security experts testifying at an House Energy and Commerce hearing stumped for the HHS Data Protection Act, which would establish an office of the Chief Information Security Officer (CISO) in the Department of Health and Human Services….except for the College of Healthcare Information Management Executives (CHIME), which warned that lawmakers should be cautious of “unintended consequences of complex reporting that instead may impede the coordination and flow of information necessary to thwart cyber threats.” |
|
|
|
|
WHO’S IN THE SPOTLIGHT: |
|
–THE STATE DEPARTMENT. A senior cyber official at the State Department on Wednesday refused to comment when asked if the State Department has ever denied a military request to conduct a retaliatory action in cyberspace.”I’m not really going to comment on the discussions. There are continuing discussions on any possible operation that we do,” Christopher Painter, coordinator for cyber issues, said during a Senate Foreign Relations Committee hearing on international cyber strategy.
“Are you in a position to say ‘no’ to a Department of Defense strategy?” Sen. Cory Gardner (R-Colo.) pressed.
“We have an intra-agency process,” Painter said. “This is not any one agency acting on their own.”
To read our full piece, click here. |
|
|
|
|
IN CASE YOU MISSED IT: |
Links from our blog, The Hill, and around the Web. |
|
The Defense Department’s system for sending emergency messages to nuclear forces is made up of aging technology that runs on a 1970s-era computer system and uses 8-inch floppy disks. (The Hill)
A Swedish district court on Wednesday upheld an arrest warrant for Julian Assange in a blow to the WikiLeaks founder’s hopes of ending his years-long stay at the Ecuadorian Embassy in London. (The Hill)
Hillary Clinton took steps to make sure her personal email account was not “accessible” while she was secretary of State, the State Department’s inspector general said. (The Hill)
The head of Austrian aerospace parts maker FACC has been fired after the company was hit by a cyber fraud that cost it 42 million euros ($47 million). (Reuters)
An Oregon firm on Wednesday announced it received a $10 million DARPA contract to shore up cybersecurity vulnerabilities in the code bases of legacy military and commercial communications systems. (Fierce Government IT) |
|
|