Cybersecurity and Cyberwarfare

The use of computers and the Internet in conducting warfare in cyberspace.

CBO Scores Cyber Vulnerability Disclosure Reporting Act

The Cyber Vulnerability Disclosure Reporting Act (HR 3202) would require the Department of Homeland Security (DHS), within 240 days of the bill’s enactment, to submit a report to the Congress describing the policies and procedures used to coordinate the sharing of information on cyber vulnerabilities with businesses and other relevant entities. The report also would describe how those policies and procedures were used to disclose such vulnerabilities over the past year and, if available, how recipients of those disclosures acted upon the information.

Based on an analysis of information from DHS, CBO estimates that implementing the bill would cost less than $500,000 over the 2018-2022 period; such spending would be subject to the availability of appropriated funds. Enacting H.R. 3202 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting H.R. 3202 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2028.

CBO Scores Cybersecurity and Infrastructure Security Agency Act of 2017

The Cybersecurity and Infrastructure Security Agency Act of 2017 (HR 3359) would rename the National Protection and Programs Directorate (NPPD) of the Department of Homeland Security (DHS) as the Cybersecurity and Infrastructure Security Agency. The bill also would consolidate certain missions of NPPD under two divisions: the Cybersecurity Division and the Infrastructure Security Division.

Based on information from DHS, CBO has concluded that the requirements in the bill would not impose any new operating requirements on the agency. On that basis, CBO estimates that implementing H.R. 3359 would have a negligible effect on the federal budget. Enacting HR 3359 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting H.R. 3359 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2028.

Lenovo Settles FTC Charges it Harmed Consumers With Preinstalled Software on its Laptops that Compromised Online Security

Lenovo Inc., one of the world’s largest computer manufacturers, has agreed to settle charges by the Federal Trade Commission and 32 State Attorneys General that the company harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver ads to consumers. In its complaint, the FTC charged that, beginning in August 2014, Lenovo sold consumer laptops in the United States that came with a preinstalled “man-in-the-middle” software program called VisualDiscovery, which sat between the user’s browser and the websites it visited, intercepting that traffic to inject advertising, and in doing so created serious security vulnerabilities.

As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ Internet browsing sessions or transmit sensitive consumer information to third parties. The company must also get consumers’ affirmative consent before pre-installing this type of software. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. The security program will also be subject to third-party audits.

The Nation issues editor’s note on story questioning whether the DNC was hacked

After an extensive review, the Nation has issued an editor’s note concerning an Aug 9 article that raised questions regarding a consensus finding of the U.S. intelligence community that the Democratic National Committee (DNC) was hacked by Russian actors seeking to tilt the playing field in the 2016 presidential election.

“Former NSA experts say it wasn’t a hack at all, but a leak—an inside job by someone with access to the DNC’s system,” reads the subhead on the story, which was written by Patrick Lawrence, a contributing writer for the magazine. In her note to readers, which now sits atop the Lawrence piece, Nation Editor and Publisher Katrina vanden Heuvel writes, “We believe it is important to challenge questionable conventional wisdom and to foster debate—not police it. Focusing on unreported or inadequately reported issues of major importance and raising questions that are not being asked have always been a central part of our work.”

Software Glitch or Russian Hackers? Election Problems Draw Little Scrutiny

After a presidential campaign scarred by Russian meddling, local, state and federal agencies have conducted little of the type of digital forensic investigation required to assess the impact, if any, on voting in at least 21 states whose election systems were targeted by Russian hackers, according to interviews with nearly two dozen national security and state officials and election technology specialists.

The assaults on the vast back-end election apparatus — voter-registration operations, state and local election databases, e-poll books and other equipment — have received far less attention than other aspects of the Russian interference, such as the hacking of Democratic e-mails and spreading of false or damaging information about Hillary Clinton. Yet the hacking of electoral systems was more extensive than previously disclosed. Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting, said current and former intelligence officials, speaking on condition of anonymity because the information is classified. The officials would not disclose the names of the companies.

Democratic Reps Question How to Best Protect Data Breach Victims in Letter to GAO

After a data breach exposes sensitive information, agencies usually offer victims credit monitoring as a catch-all solution to prevent fraud. But a group of lawmakers isn't convinced that strategy always gets the job done. “We are concerned that the popular response may reflect factors unrelated to the actual protection of breach victims,” House Energy and Commerce Committee Reps Frank Pallone, Jr., (D-NJ), Diana DeGette (D-CO), and Jan Schakowsky (D-IL) wrote in a letter to the Government Accountability Office. “Reliance on these products after the breach may result in consumers being lulled into a false sense of security.” They requested that GAO examine how effectively current strategies work for various types of breaches, the extent of the protection each one offers, and the factors agencies weigh in choosing a response to a breach. The lawmakers also would like GAO to determine whether there are better solutions not currently being offered.

Candidate Trump Criticized Obama's Cyber Doctrine. President Trump Continues It.

President Donald Trump promised big changes on cybersecurity after his election. During the Obama administration, the nation’s cybersecurity was “run by people that don’t know what they’re doing,” the president said during a post-election press conference. The Trump administration, he promised, would gather “some of the greatest computer minds anywhere in the world” and “put those minds together … to form a defense.” Seven months into the president’s administration, however, analysts are wondering what’s so different.

On most major cybersecurity issues, such as securing federal networks and critical infrastructure, Trump officials are in near lockstep with their Obama-era predecessors. Where they differ, there’s no clear Trump cybersecurity doctrine to explain the divergence. “It’s schizophrenic,” said Peter Singer, a cyber theorist and senior fellow at the New America Foundation. “That may be because of the absence of a strategy or it may be because the chaotic execution of that strategy undermines it.”

FCC “apology” shows anything can be posted to agency site using insecure API

The Federal Communications Commission's website already gets a lot of traffic—sometimes more than it can handle. But thanks to a weakness in the interface that the FCC published for citizens to file comments on proposed rule changes, there's a lot more interesting—and potentially malicious—content now flowing onto one FCC domain.

The system allows just about any file to be hosted on the FCC's site, potentially including malware. The application programming interface (API) for the FCC's Electronic Comment Filing System, which enables public comment on proposed rule changes, has already been the source of some controversy. It exposed the e-mail addresses of public commenters on network neutrality (intentionally, according to the FCC, to ensure the process's openness) and was the target of what the FCC claimed was a distributed denial of service (DDoS) attack. Now a security researcher has found that the API can be used to push just about any document to the FCC's website, where it is instantly published without screening. Because of the open nature of the API, an application key can be obtained with any e-mail address, so there is no meaningful check on who is uploading. While the content exposed via the site thus far is mostly harmless, the API could be used for malicious purposes as well: since it apparently accepts any file type, it could be used to host malicious documents and executable files on the FCC's Web server, where they would be served from a trusted government domain.
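The controls the passage says were missing (a content-verified allowlist of document types, a size limit, and serving accepted files as downloads under a server-chosen name rather than publishing whatever arrived) look like the following when written out. This is an added example, not the FCC's ECFS code; the size limit, the accepted types and the sample submissions are all assumptions constructed for illustration.

```python
"""Illustrative intake check for a public document-filing API.

Added example, not the FCC's ECFS code. It decides on the bytes of the
upload, not on the client's filename or Content-Type header, because both
of those are attacker-controlled.
"""
import re
import secrets

MAX_BYTES = 25 * 1024 * 1024  # assumed limit; the real ECFS limit is not on the page

# Accepted extensions -> (file signature the bytes must start with, served MIME type).
# A signature of None means the content is validated as UTF-8 text instead.
ALLOWED = {
    "pdf": (b"%PDF-", "application/pdf"),
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "txt": (None, "text/plain; charset=utf-8"),
}

# Signatures refused outright, whatever extension the client claims.
FORBIDDEN_MAGIC = {
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
    b"PK\x03\x04": "ZIP container (Office macro documents, JARs, APKs)",
}


def _is_plain_text(data: bytes) -> bool:
    """UTF-8 decodable and free of NUL bytes, so it is not a disguised binary."""
    try:
        return "\x00" not in data.decode("utf-8")
    except UnicodeDecodeError:
        return False


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason, content_type) for one submitted file."""
    if not data:
        return False, "empty file", None
    if len(data) > MAX_BYTES:
        return False, "file exceeds size limit", None
    for magic, what in FORBIDDEN_MAGIC.items():
        if data.startswith(magic):
            return False, f"rejected: {what}", None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, f"extension .{ext or '(none)'} not allowed", None
    magic, content_type = ALLOWED[ext]
    if magic is not None and not data.startswith(magic):
        return False, "content does not match declared type", None
    if magic is None and not _is_plain_text(data):
        return False, "not plain UTF-8 text", None
    return True, "ok", content_type


def storage_name(ext: str) -> str:
    """Server-chosen object name; the client's filename never reaches disk or a URL."""
    return f"{secrets.token_hex(16)}.{ext}"


def download_headers(original_name: str, content_type: str) -> dict:
    """Headers for serving an accepted file as a download, not as page content.

    nosniff stops the browser from second-guessing the type, attachment keeps
    it from rendering inline, and the sandbox CSP neuters anything that does.
    """
    safe = original_name.encode("ascii", "ignore").decode()
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", safe).lstrip(".")[:100] or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample submissions, not real ECFS traffic.
    samples = [
        ("comment.pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
        ("comment.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),      # EXE renamed to .pdf
        ("notes.txt", b"Comment on the proposed rule.\n"),
        ("page.html", b"<script>alert(1)</script>"),
    ]
    for name, blob in samples:
        ok, why, ctype = validate_upload(name, blob)
        print(f"{name:12} -> {'accept' if ok else 'reject'}: {why}")
```

The signature check runs before the extension check on purpose: an executable renamed to `.pdf` is refused for being an executable, and a browser never gets a chance to sniff it, because the accepted file is served with `nosniff` and as an attachment from a name the uploader did not choose. What this does not cover is the other half of the passage, key issuance: an allowlist is of limited use while anyone with an e-mail address can mint unlimited keys, so rate limits and verified identity on key issuance belong alongside it.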

Privacy Conversation at 2017 TPI Aspen Forum

Rep Darrell Issa (R-CA) wants us to get real about how much faith we should put in encryption. Rep Issa argued on an Internet of Things panel that it’s high time for a straight-talk discussion about how secure popular encryption protocols actually are. ‘The former FBI director [James] Comey came before Congress and swore under oath that he had no ability to get what he needed from the San Bernardino bomber [sic] except by forcing Apple to create an active remote backdoor into the problem,’ Issa said. ‘Now a matter of weeks later, an Israeli company for a million dollars gave him the data he wanted.’ And, Issa pointed out, a few weeks after that, a University of Cambridge professor appeared to crack it again. Said Issa, ‘We have to have a real debate about whether encryptions and protections are real and unbreakable.’

President Donald Trump on the Elevation of Cyber Command

I have directed that United States Cyber Command be elevated to the status of a Unified Combatant Command focused on cyberspace operations. This new Unified Combatant Command will strengthen our cyberspace operations and create more opportunities to improve our Nation’s defense. The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries. United States Cyber Command’s elevation will also help streamline command and control of time-sensitive cyberspace operations by consolidating them under a single commander with authorities commensurate with the importance of such operations. Elevation will also ensure that critical cyberspace operations are adequately funded. In connection with this elevation, the Secretary of Defense is examining the possibility of separating United States Cyber Command from the National Security Agency. He will announce recommendations on this matter at a later date.