IT WASN’T HACKERS … THIS TIME — The false incoming missile alert that sent Hawaiians scrambling on Saturday for 38 dramatic minutes illustrates the psychological harm that hackers can wreak by going after the country’s emergency systems, which cybersecurity experts warn are dangerously ill-equipped to fend off digital deviants. And while numerous cyber firms told MC there is no evidence that hackers were involved in Saturday’s mistaken alert — officials have blamed human error — researchers caution that these types of hacks are actually already on the rise. “Geopolitical tensions are manifesting in cyberspace and widespread panic can be digitally enabled,” said Tom Kellermann, CEO of Strategic Cyber Ventures.
Just last year, in fact, a teen hacker in Arizona released malware that blocked 911 calls across several states, including Texas and California. And as far back as 2013, overseas hackers took over the emergency broadcast systems in Montana, Michigan, California, New Mexico and Utah and sent out a message to TV viewers that “the bodies of the dead are rising from their graves and attacking the living.”
These are not isolated incidents. The Department of Homeland Security in 2015 said it had seen over 600 cyber attacks that took out “critical government phone systems,” warning that the problem was “limited, but persistent.” And experts say the perpetrators behind these attacks can include cyber criminals looking to extract ransom payments, as well as nation-state cyber warriors probing America’s critical networks to determine the weak points.
That’s why many cyber specialists are using Saturday’s incident in Hawaii to raise awareness of the poor digital defenses protecting America’s emergency systems. “We should take this as quite literally the clarion call that it was,” said Carl Herberger, vice president of security at Radware, a cyber firm that tracks attacks on emergency networks. Herberger said pulling off attacks against these systems is “extremely easy.” The country’s 911 networks are especially prone to digital assaults, he added, given the ability of hackers to bombard them with internet-based phone calls. And much of the infrastructure undergirding these systems is “from the 50s and 60s,” making it a prime target for President Donald Trump’s long-promised influx of infrastructure spending, Herberger said.
In D.C., some lawmakers and regulators are heeding these calls. “This incident exposed serious weaknesses in our state’s emergency alert system that must be fixed,” said Hawaii Sen. Brian Schatz, the top Democrat on the Senate’s communications, technology and internet subcommittee. And at the Federal Communications Commission, Chairman Ajit Pai said his agency’s investigation “is well underway” and has already discovered that the local government “did not have reasonable safeguards” in place.
But it’s hard to know whether these probes will lead to an upgrade in digital protections, in addition to better protocols. And if those bolstered fortifications aren’t put in place, Herberger predicted, “we’ll look back … [at] these attacks and say, ‘Weren’t we forewarned, wasn’t there enough evidence?’”
HAPPY TUESDAY and welcome to Morning Cybersecurity! This is doing it wrong. Send your thoughts, feedback and especially tips to tstarks@politico.com and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
SENATE TAKES UP SURVEILLANCE — The upper chamber will begin debating in earnest a House-approved measure to reauthorize powerful surveillance programs for another six years. Senate leaders are planning to send to President Donald Trump’s desk a bill, (S.139), renewing Section 702 of the Foreign Intelligence Surveillance Act before the electronic spying tools expire on Jan. 19. But they’ll have to endure bipartisan opposition from a group of privacy and civil liberty-minded lawmakers and at least one potential 2020 presidential contender.
“This legislation is a significant step backward and does nothing substantive to protect the Fourth Amendment rights of innocent Americans,” Democratic Sens. Patrick Leahy and Ron Wyden and Republicans Rand Paul and Mike Lee argued in a “Dear Colleague” letter late last week. Paul and Wyden introduced an alternative renewal bill, (S.1997), as did Leahy and Lee. The group predicted that “if Leadership does not allow any amendments to the FISA Amendments Reauthorization Act and it does not pass this coming week, then Section 702 authorities can be extended again on the next Continuing Resolution to allow the Senate to fully debate how to appropriately reform this powerful surveillance tool.”
Over the holiday weekend, Sen. Elizabeth Warren tied the upcoming debate and vote on the legislation to the legacy of civil rights icon Martin Luther King Jr., who himself was subject to various kinds of government surveillance. “The day after we honor MLK Jr., the Senate will vote on whether to re-authorize a program that would allow intelligence agencies to continue spying on Americans without meaningful oversight or critical protections for Americans’ privacy,” Warren tweeted.
THIS WEEK’S HILL HEARINGS — Today, Homeland Security Secretary Kirstjen Nielsen appears before the Senate Judiciary Committee, which is sure to be focused on immigration and the difference between a hole and a house. But given that a number of panel members are focused on a range of cybersecurity problems, expect questions about election defenses, what role DHS might have in continuing the work of the disbanded election fraud commission and more.
Wednesday, the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection will hold a hearing on DHS’s Continuous Diagnostics and Mitigation program for protecting federal agency networks. Also Wednesday, the Senate Intelligence Committee meets in an open session to consider the nominations of Michael Atkinson, who President Donald Trump selected to be the intelligence community's inspector general, and Jason Klitenic, who was picked to be general counsel for the Office of the Director of National Intelligence.
CYBER DIPLOMACY GETS MOMENT IN CONGRESSIONAL SPOTLIGHT — This could be a big week for both America’s cyber diplomacy agenda and tensions between the Trump administration and the Republican-led Congress. On Friday, the House will vote on the Cyber Diplomacy Act (H.R. 3776), which would reestablish an independent, high-level State Department cyber office and require new reports from the president on international cyber negotiations and agreements. The bill, sponsored by retiring House Foreign Affairs Committee Chairman Ed Royce and ranking member Elliot Engel, is a response to Secretary of State Rex Tillerson’s decision to close the Office of the Coordinator for Cyber Issues and move its functions into the bowels of the department’s bureaucracy. Cyber experts decried the move as signaling a decreased focus on global cooperation to solve pressing security problems.
The House bill, which the Foreign Affairs Committee approved by voice vote in November, has strong support from the diplomatic and cybersecurity communities. And it is one of the few examples of congressional Republicans seriously challenging Trump appointees’ approach to running their agencies. The bill’s fate on the House floor is unclear, though it is likely to garner strong support from Democrats, especially those who argue that Tillerson’s closure of the cyber office was a gift to Russia and America’s other cyber adversaries. There is currently no Senate companion measure.
The scheduled House floor action follows passage last week of two bills with cybersecurity components: One (H.R. 3202) requiring the Homeland Security Department to produce a report to Congress describing the policies and procedures used to disclose software vulnerabilities and a second (H.R. 4559), directing the Transportation Security Administration to conduct a global aviation security review that must include cybersecurity advice.
CONAWAY EYES CHINESE TELECOM FIRMS — Rep. Mike Conaway late last week introduced legislation that would bar the federal government from using equipment or services from firms that utilize equipment produced by Chinese telecommunications companies Huawei and ZTE. “Chinese commercial technology is a vehicle for the Chinese government to spy on United States federal agencies, posing a severe national security threat,” Conaway, a member of the House Intelligence Committee, said in a statement. Huawei ranks among the world’s largest telecom network providers and producers of electronics, including smartphones. The company has faced Washington scrutiny before. A House Intelligence investigation in 2012 concluded Huawei and ZTE had connections to the Chinese government that could make them a national security threat. The companies denied the findings. Conaway called the report “incriminating” and warned the threat posed by the telecom firms is “now reemerging as the Chinese government is reattempting to embed themselves into U.S. technology.”
DMARCATION — Sixty three percent of federal domains have adopted an anti-email spoofing standard, according to a blog post set to publish today from cybersecurity firm Agari. DHS ordered implementation of the standard — known as Domain-based Message Authentication, Reporting and Conformance, or DMARC — in October.
WORK WITH US ON THIS — President Donald Trump cited Iran’s hacker army in a statement late last week urging America’s allies to join with the United States to combat Tehran’s malign influence around the world. After outlining his desire for a new nuclear agreement with Iran, Trump asked other countries to “take stronger steps with us to confront Iran’s other malign activities.” The world, he said, “should join us in countering Iran’s cyber threats.” Around the same time that the White House issued the statement, the Treasury Department announced >sanctions against several Iranian entities, including two government agencies involved in social media censorship. The sanctions followed news that Iran had blocked the encrypted messaging app Telegram amid a new round of protests against the regime.
UBER BREACH HIGHLIGHTS PROBLEM WITH BUG BOUNTIES — The massive data breach that rocked Uber has led other tech firms to reconsider their bug bounty programs, because they’re worried that cooperating with hackers who expose bugs in their systems could put them in legal jeopardy. “Since the fallout from Uber’s disclosure, Silicon Valley companies have taken a harder look at their bounty programs,” the New York Times reported in a detailed examination of the Uber saga published late last week. According to the Times, at least three tech companies have paused their bug bounty programs, while others are concerned that “criminal prosecutions for not reporting [the person who found the Uber vulnerability] would deter ethical hackers who would otherwise come forward, causing even more security breaches.”
The Justice Department has not telegraphed a desire to prosecute companies that work with hackers, and last year its cyber unit even published guidance for setting up bug bounty programs. Thus, as the Times noted, the question of whether Uber executives committed a crime by paying a hacker $100,000 to keep quiet about a major security issue “is not legally clear cut.” But two law firms representing Uber warned the company that it should have disclosed the incident to state and federal regulators, a company employee told the Times. And Uber’s decision to fire its chief security officer and the lawyer who directly handled the payoff stemmed in large part from their decision to cover up the breach.
MICROSOFT SHARES ARGUMENT IN EMAIL CASE — Via our friends at Morning Tech: Microsoft late last week filed a brief detailing its arguments in a Supreme Court case examining whether U.S. authorities should be able to access data that’s stored overseas under current law. The company has long pushed for new legislation from Congress in the form of the International Communications Privacy Act that would set up a system offering more clarity regarding how legal warrants apply to data that’s stored abroad.
“U.S. companies are the world leaders in cloud storage. That lead is built on trust, which has already been shaken by Edward Snowden’s revelations about U.S. surveillance,” the company writes, in its brief. “It will evaporate entirely the moment this Court directs that U.S. companies must disclose emails stored in foreign nations even when doing so would violate the data-privacy laws of those nations.” The company has also argued that if U.S. authorities push for forceful access of data stored in foreign countries, that could lead other governments to do the same for data stored in the U.S. The 2nd Circuit Court of Appeals had previously ruled in favor of Microsoft, and said the company was not obliged to provide data stored in Ireland to comply with an American warrant. This Thursday marks the deadline for amicus brief submissions from other companies.
RECENTLY ON PRO CYBERSECURITY — Trend Micro concluded that Russian hackers were working to infiltrate the U.S. Senate. … In part inspired by that report, Sen. Ben Sasse asked the attorney general for an update on Russian attempts to target U.S. politicians and political organizations. … F-Secure spotlighted more security issues for Intel. … “A federal court has unsealed new details about how investigators tried to track down suspected sources for New York Times reporter David Sanger's book discussing how the U.S. and Israel used a computer virus known as ‘Stuxnet’ to sabotage Iran's nuclear program.” … Japan has joined the NATO Cooperative Cyber Defence Centre of Excellence.