Overnight Cybersecurity: EU dismayed by privacy bill changes

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you...

THE BIG STORIES:

--A SHOW OF STRENGTH?: The European Commission is dismayed by the final language of a key privacy bill that could influence already-tense negotiations over a new data flow agreement with the U.S., according to those familiar with the talks. The so-called Judicial Redress Act, passed out of a Senate committee on Thursday, includes a compromise offered in response to concerns from some Republicans that the bill was a "concession" to the EU. The amendment, circulated amid a flurry of eleventh-hour negotiations on Wednesday, would require the European countries covered by the bill to allow commercial data transfers with the U.S. In addition, it includes a provision stating that the bill cannot impede U.S. national security interests. Supporters have long hoped that passing the bill, which gives EU citizens the right to challenge misuse of their personal data in U.S. court, would help U.S. negotiators reach a deal on a new Safe Harbor agreement – with a deadline Sunday. Those familiar with the Safe Harbor talks say the European Commission, which is leading negotiations on the EU side, is weighing sending a letter to Congress expressing concerns over the last-minute addition to the legislation. But they say if the commission does take action, it will likely wait until after the Senate body votes on the bill. More realistically, the commission is expected to be pragmatic and accept the Senate compromise rather than derail the negotiations, several of those tracking the issue say. True pushback to the edit is more likely to come from Europe's more hard-line privacy regulators, set to meet in Brussels on Tuesday to set common guidelines on how U.S. companies can legally handle European citizens' data in the absence of Safe Harbor. To read about the committee vote, click here. To read about the European Commission's response, click here.

--THE BOY IS BACK IN TOWN: The first hacker arrested for allegedly helping the Islamic State in Iraq and Syria (ISIS) has been extradited to the U.S. Ardit Ferizi, a 20-year-old Kosovo citizen, made his initial appearance in court on Wednesday afternoon in the Eastern District of Virginia. Ferizi is accused of hacking an American company to steal sensitive data on over 1,300 U.S. military and government employees. Malaysian authorities arrested Ferizi in October on Justice Department charges of providing material support to ISIS. "This case is a first of its kind," assistant attorney general John Carlin said in a statement when Ferizi was arrested. According to the department, Ferizi waived extradition. If convicted, he could face up to 35 years in prison. Prosecutors say Ferizi is the source of one of the most high-profile ISIS hacking incidents of all time. To read our full piece, click here.

--THE OTHER NEIGHBOR TO THE NORTH: Top senators expect a quick path through the chamber for legislation cracking down on North Korea after the country said it tested a hydrogen bomb. The bill would also authorize sanctions for Pyongyang's increasingly aggressive cyber warfare efforts. Sens. Bob Corker (R-Tenn.) and Ben Cardin (D-Md.), who oversee the Foreign Relations Committee, suggested that new sanctions legislation, which passed out of the committee earlier Thursday, could be on the Senate floor in a matter of weeks. Corker said he expects the Senate will take up the legislation during the second week of February. Senators are expected to go back to their home states the week of Feb. 15, giving them two weeks to bring up the legislation. To read our full piece, click here.

 

UPDATE ON CYBER POLICY:

--PRIMUM NON NOCERE. Legislating encryption standards might "do more harm than good" in the fight against terrorism, Senate Homeland Security Committee Chairman Ron Johnson (R-Wis.) said on Thursday.

In the wake of the terrorist attacks in Paris and San Bernardino, Calif., lawmakers have been debating whether to move a bill that would force U.S. companies to decrypt data for law enforcement. Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) are currently working on such a bill.

Johnson's comments seemed to indicate he will oppose the upcoming measure.

"Is it really going to solve any problems if we force our companies to do something here in the U.S.?" Johnson asked at the American Enterprise Institute, a conservative think tank. "It's just going to move offshore. Determined actors, terrorists, are still going to be able to find a service provider that will be able to encrypt accounts."

To read our full piece, click here.

 

A LIGHTER CLICK:

--CHILDHOOD (READ: ADULT) DREAM REALIZED. The DeLorean is back.

 

A FEATURE IN FOCUS:

--15 MINUTES OR LESS...: U.S. utility companies are investigating whether they can get insurance to cover what could be multi-billion dollar losses if hackers are able to crash the grid.

The recent hack of a Ukrainian power company, which left roughly 80,000 homes without power, has exposed long-standing ambiguities over what insurers will cover under various cyberattack scenarios, Reuters reports.

"People in the insurance industry never did a great job clarifying the scope of coverage," said Paul Ferrillo, an attorney with Weil, Gotshal & Manges who advises utilities.

Read on, here.

 

WHO'S IN THE SPOTLIGHT:

--ISIS' ENCRYPTION APPS(?). A widely-reported app allowing encrypted communications allegedly built by the Islamic State in Iraq and Syria (ISIS) may not exist.

"Basically, [it's] a lot of bullshit over nothing," one security researcher told The Daily Dot. "I think it is just a bad media mock-up to try and get some attention. There is nothing even remotely professional or functional about both these apps."

The alleged app, known as Alrawi, was originally reported by the self-proclaimed digital counterterrorism group Ghost Security Group.

Read on, here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

A new fraud detection system that the Internal Revenue Service is developing needs to be refined to spot identity theft, a watchdog said in a report publicly released Thursday. (The Hill)

The head of the National Security Agency's elite hacking unit shed some light on how the nation's top cyber spies do their thing. (ABC News)

Are we crying wolf over non-existent critical infrastructure hackers? (Motherboard)

The Federal Trade Commission has upgraded a web site designed to guide victims of identity theft in their efforts to mitigate the damage, the agency said on Thursday. (Reuters)

 
