Overnight Cybersecurity: DOJ, IRS hacks worry Congress

Welcome to OVERNIGHT CYBERSECURITY, your daily run-down of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry wrap their arms around cyberthreats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you...


--MONET? HE DID LANDSCAPES: Lawmakers in both parties say breaches reported this week at the Department of Justice and the Internal Revenue Service are the latest indication of the government's weak defenses against cyber criminals.

While the administration has sought to downplay both incidents, some lawmakers are hitting the White House, arguing the intrusions offer further evidence that the government can't be trusted to protect its highly sensitive networks.

"[President Obama] has neglected to take tangible steps to address these persistent cyberinfrastructure challenges," Sen. Steve Daines (R-Mont.) said in a Wednesday statement that accused the administration of trying to sweep the IRS breach "under the rug."

But opinion is hardly unanimous. Unlike last spring's hack of the Office of Personnel Management, which provoked widespread criticism, some aren't sure what to make of the latest incidents. They say that the two breaches are unique cases that don't necessarily point to a systemic failure on the part of the government.

"Not that these aren't bad things that happened, I'm certainly concerned any time there's information that's compromised, but in these two situations, it doesn't appear to fit in the rubric of what we generally think of as a cyberattack," Rep. Jim Langevin (D-R.I.) told The Hill.

To read our full piece, check back in the morning.

--GOD HIMSELF COULD NOT SINK THIS SHIP: Homeland Security Secretary Jeh Johnson said on Thursday that improving the nation's cybersecurity and protecting against terrorism remain two of the department's "cornerstones" in the final year of the Obama administration.

"As I have said many times, we are in a new phase in the global terrorist threat, requiring a whole new type of response," Johnson said in a speech at the Woodrow Wilson Center. "We have moved from a world of terrorist directed attacks to a world that includes the threat of terrorist inspired attacks -- in which the terrorist may have never come face to face with a single member of a terrorist organization, lives among us in the homeland, and self-radicalizes, inspired by something on the internet."

On the cybersecurity side, Johnson said that he and President Obama are committed to making "tangible improvements" to the nation's defense before the end of the year. Much of that stems from a sweeping plan unveiled earlier this week, as part of the White House's budget proposal. It would double the number of advisors able to make "house calls," Johnson said, to help private companies with "in-person, customized cybersecurity assessments" and recommendations.

The department is also planning to make sure all non-military federal agencies employ a new cyber monitoring system by the end of the year, and roll out the third generation of its "Einstein" detection system. Earlier in the day, the agency's top cyber official defended the White House's proposal to expand the system despite criticism the program is already over-cost and outdated.

To read about Johnson's address, click here. To read about remarks from Phyllis Schneck, the DHS deputy undersecretary for cybersecurity, click here.



--I'M FLYING, JACK! A privacy bill considered integral to a pending transatlantic data transfer pact with the European Union is heading to President Obama's desk.

The House late Wednesday approved the Judicial Redress Act, which would give EU citizens the right to challenge the misuse of their personal data in a U.S. court. Americans already enjoy similar rights in most EU states.

The lower chamber passed the measure in October, but the Senate tacked on a heavily debated amendment before passing its companion version this week, necessitating either a second vote in the House or a conference committee between the chambers.

But the relatively noncontroversial bill, which passed the Senate by unanimous consent, was able to breeze through the House a second time by voice vote.

The measure now heads to the White House.

To read our full piece, click here.



--NEVER LET GO, JACK. Die-hard fans of the true Titanic experience will be disappointed to learn that a near-exact replica of the doomed ship will have lifeboats for all, according to New York.

Yes, gentlefolk, you read that right. You can now experience raptures of nostalgia by reliving one of the greatest disasters in human history. In full color. Er, scale.

But seriously y'all, the sheer breadth of the hubris here has just got to be tempting fate.

Read on, here.



--I'M THE KING OF THE WORLD! Well over half of the encryption products available today are developed outside of U.S. borders, according to a worldwide survey done by several Harvard researchers and released today.

The most common non-U.S. country for encryption products is Germany, with 112 products, according to the survey. The United Kingdom, Canada, France and Sweden follow, respectively.

Another key finding: There is no meaningful difference in quality between U.S.-developed encryption algorithms and non-U.S.-developed ones.

What this means, according to the researchers, is that any legislation mandating that Apple and other U.S. manufacturers make their encrypted products accessible to law enforcement with a warrant won't actually solve the "going dark" problem.

"For this to be effective, those people using encryption to evade law enforcement must use Apple products. If they are able to use alternative encryption products, especially products created and distributed in countries that are not subject to U.S. law, they will naturally switch to those products if Apple's security weaknesses become known," they write.

Read the full study, here.



--UKRAINE. The cyberattack that took out portions of Ukraine's power grid was actually part of a coordinated digital assault that also targeted a mining company and railway operator in the country, according to security firm TrendMicro.

The company cautioned that these findings mean the malware family suspected in the blackout, BlackEnergy, "has evolved from being just an energy sector problem."

"Now it is a threat that organizations in all sectors -- public and private -- should be aware of and be prepared to defend themselves from," the firm added. "While the motivation for the said attacks has been the subject of heavy speculation, these appear to be aimed at crippling Ukrainian public and critical infrastructure in what could only be a politically motivated strike."

Russia is widely believed to have orchestrated the digital hit on Ukraine. The two countries have clashed in recent years after Russia annexed Ukraine's Crimean peninsula and began supporting pro-Russian rebels in the east of the country.

Read the full TrendMicro blog post here.

Check out some of our past coverage of what's believed to be the first blackout caused by hackers:

"Ukraine blames Russia for cyberattack on grid" here.

"US assisting Ukraine in cyberattack investigation" here.



Links from our blog, The Hill, and around the Web.

British lawmakers on Thursday told the government it must retool a proposed bill that would give law enforcement greater access to online data and encrypted communications. (The Hill)

The State Department pledged to release more than 500 of Hillary Clinton's emails this weekend. (The Hill)

FireEye forecast a bigger-than-expected loss for the first quarter and said it expected growth in cyber security spending to slow this year. (Reuters)

The FBI is trying to scrub its employees' hacked information off of the internet. (Motherboard)

