Overnight Cybersecurity: Hackers breach voting machines | Kelly's move to White House leaves void at DHS | House panel presses agencies for info on Russian cyber firm


Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...

 

THE BIG STORIES:

--DEF CON HACKERS BREACH VOTING MACHINES: One of the nation's largest cybersecurity conferences invited attendees to get hands-on experience hacking a slew of voting machines, demonstrating to researchers how easy the process can be. "It took me only a few minutes to see how to hack it," said security consultant Thomas Richards, glancing at a Premier Election Solutions machine currently in use in Georgia. The DEF CON cybersecurity conference is held annually in Las Vegas. Concern over voting machine vulnerabilities has grown as a result of Russia's meddling in the U.S. presidential election, which involved targeting state and local election-related systems. While the systems targeted were not involved in vote tallying, the effort has nevertheless stirred fears of the possibility that hackers could use cyberattacks to change vote counts. This year, for the first time, the conference hosted a "Voting Machine Village," where attendees could try to hack a number of systems and help catch vulnerabilities. The conference acquired 30 machines for hackers to toy with. Every voting machine in the village was hacked. Though voting machines are technologically simple, they are difficult for researchers to obtain for independent research. The machine that Richards learned how to hack used beneath-the-surface software, known as firmware, designed in 2007. But a number of well-known vulnerabilities in that firmware have developed over the past decade.

To read the rest of our piece, click here.


--DHS LOSES CHIEF TO WHITE HOUSE: President Trump's decision to replace embattled White House chief of staff Reince Priebus with John Kelly has left a void atop a department with key cybersecurity functions. Kelly was officially sworn in on Monday after a brief six-month term leading the Department of Homeland Security (DHS), the agency responsible for securing civilian federal networks and guarding critical infrastructure from cyber and physical threats. While the Trump administration has not selected a permanent replacement for Kelly, his deputy Elaine Duke will take the helm of DHS as acting secretary. Duke is widely regarded as a seasoned government professional with the chops to lead the department. James Norton, a former DHS official under the George W. Bush administration, praised Duke for her experience across multiple administrations. "Elaine is a very humble leader and experienced manager with strong bipartisan credentials burnished over a long career as first a public servant and then as a political appointee for three Presidents, Bush, Obama, and now Trump," Norton said. Kelly's exit comes as there continue to be vacancies across DHS, including the leading position at the National Protection and Programs Directorate (NPPD), the division responsible for securing federal and critical infrastructure from cyber threats.

To read our coverage of Kelly's swearing in, click here.

--CONGRESS PRESSES AGENCIES FOR INFO ON KASPERSKY: A House panel has asked nearly two dozen government agencies for documents on Russian-origin cybersecurity firm Kaspersky Lab. The House Science, Space and Technology Committee made the request to 22 different government agencies in letters that were released by the committee on Friday. House Science Chairman Lamar Smith (R-Texas) wrote in the letters, sent Thursday, of concern that the cybersecurity firm's products could be used to conduct "espionage" or "nefarious activities against the United States." Kaspersky Lab, which has headquarters in Moscow but operates around the world, including in the United States, has fallen under increased scrutiny over alleged ties to Russian intelligence. While the U.S. government has produced no public evidence showing the company to be somehow compromised by the Russian government, intelligence officials have nevertheless expressed concerns over its products. The issue was pushed to the forefront during a Senate Intelligence Committee hearing in May, when six top U.S. intelligence officials testified that they would not be comfortable with Kaspersky Lab software on their computers. The committee has requested documents and communications about Kaspersky products dating back to the start of 2013. The letters also ask for lists of systems that use Kaspersky products or services and government contractors or subcontractors that use them.

To read the rest of our piece, click here.

 

A FEW LEGISLATIVE UPDATES:  

--Rep. Terri Sewell (D-Ala.), a member of the House Intelligence Committee, on Friday introduced two bills aimed at strengthening the cybersecurity of federal, state, and local election campaigns.

The first bill, called the Securing and Heightening the Integrity of our Elections and Lawful Democracy (SHIELD) Act, would prompt the Department of Homeland Security to coordinate with political campaign committees on cybersecurity. The second piece of legislation, named the E-Security Act, would instruct the Election Assistance Commission to create a program to train campaign staffers on cybersecurity.

In a statement, Sewell said that "growing cybersecurity threats from Russia and other foreign nations pose serious risks to the integrity of our elections."

"I have heard firsthand from intelligence officials who warn that unless we develop measures to defend our elections against cyberattacks, our election infrastructure will remain vulnerable," Sewell said. "Here in Congress, we have a responsibility to defend our democracy by strengthening cybersecurity in our elections."

--SENATE PANELS TO TAKE UP CYBER LEGISLATION: The House left town on Friday, but the Senate is still pressing forward on its agenda as a result of Majority Leader Mitch McConnell's (R-Ky.) decision weeks ago to delay the August recess amid a fight to repeal and replace ObamaCare.

On Wednesday, the Senate Committee on Small Business and Entrepreneurship is due to mark up legislation introduced by Chairman James Risch (R-Idaho) that would require that small business development center counselors be trained in cybersecurity.

The same day, the Senate Committee on Commerce, Science and Transportation is scheduled to mark up a bipartisan bill that would expand a cyber scholarship-for-service program run by the National Science Foundation. The legislation, titled the "Cyber Scholarship Opportunities Act of 2017," is sponsored by Sens. Roger Wicker (R-Miss.) and Tim Kaine (D-Va.).

 

A LIGHTER (ISH?) CLICK:

Internet-connected car washes are dangerous.

 

A HACKER CONFERENCE UPDATE:

The Hill's Joe Uchill rounded out a week at the annual B-Sides, Black Hat and DEF CON cybersecurity conferences in Las Vegas, Nevada. Here are a few updates from his coverage over the weekend:

--DEARTH OF AUTO CYBER EXPERTS: As the need for automotive cybersecurity researchers grows, the supply is not keeping up with demand.

Many of the sponsors of the "Car Hacking Village" sub-conference at the influential cybersecurity conference DEF CON have been the victims of automotive hacking -- Fiat Chrysler, Volkswagen and Delphi Automotive.

"This year it's definitely bigger in terms of industry support," said Casey Ellis, founder of Bugcrowd, one of the sponsors of the Car Hacking Village.

Bugcrowd runs programs to offer researchers rewards for submitting security flaws in products back to the manufacturers for repair. Its clients include Fiat Chrysler. Ellis said the fastest growing sector in programs like his, known as bug bounties, is automotive.

The interest, said Ellis, stems from automobile manufacturers recognizing the dangers of their products being breached -- "I like to say 'cars are two-ton, gas-powered mobile phones,'" he said -- while being unable to find qualified candidates for the work.

"Hacking cars is hard. It requires specialized equipment and knowledge, not to mention the car. That's part of the reason [manufacturers] jumped into this. It's a good way to access talent they would otherwise be unable to hire."

The gap between the number of needed and trained researchers will only grow, said Ellis, as car manufacturers move toward driverless cars.

To read the rest of our piece, click here.

--SECURITY PROS STRESS 'BORING' CYBER MEASURES: Cyber threats have never been more complicated, but professionals at the most prominent research event in the hacker calendar are arguing that it has never been a better time to be more boring about security.

"Especially in recent months NotPetya and WannaCry have emphasized how important the boring parts of security are," said Ryan Kazanciyan, chief security architect at Tanium and a consultant for the television show "Mr. Robot."

Kazanciyan and other experts spoke to The Hill during the back-to-back cybersecurity conferences, which are sometimes collectively referred to as "hacker summer camp."

The fundamental flaw exploited in WannaCry – ransomware that infected hundreds of thousands of machines in under a week in May – had already been patched by Microsoft at the time of the attack. The infected machines had all put off updating their systems. NotPetya, which spread about three weeks later, used the same flaw.

Most high-profile research is in novel attacks, previously unseen security flaws in software and large – sometimes nation-driven – political actors. But most attacks use well-worn techniques like phishing and other forms of fraud and security vulnerabilities that have long since been patched.

To read the rest of our piece, click here.

--HURD GETS SERIOUS ON DATA SECURITY: Rep. Will Hurd (R-Texas) said Sunday that Europe can't pretend to be more idealistic on privacy issues than the U.S. while many of its nations try to enact laws limiting encryption.

Hurd is one of a sturdy number of legislators -- including a bipartisan House Judiciary working group on encryption -- who oppose laws that would allow law enforcement agencies to access all encrypted data in the United States. Proponents believe such access would help prevent and solve crime, including terrorist-related activities.

"Europe likes to act like they take privacy more severely than we do. That is patently false," he told The Hill at the DEF CON cybersecurity conference. "This notion we don't take this seriously in the U.S. is wrong."

Current encryption methods make it impossible for law enforcement to access chat apps or files from criminals in a timely manner, even with a warrant. Various U.S. law enforcement agencies have waged periodic efforts to force manufacturers to provide some form of access.

European nations including Germany and the United Kingdom have either enacted or are poised to enact these types of rules.

To read the rest of our piece, click here.

 

WHAT'S IN THE SPOTLIGHT: 

DHS CYBER SHAKEUP: An effort in Congress to reorganize the Department of Homeland Security's cybersecurity efforts is finally gaining steam, but faces an uncertain fate as lawmakers leave for the August recess.

The prospect of reorganizing the National Protection and Programs Directorate (NPPD) took a big step forward this week. A key House committee advanced legislation that would rename the DHS office and spin it out into its own operational agency, giving lawmakers pushing for changes new optimism.

Former officials say that elevating the department's cyber wing will add more muscle to DHS's cybersecurity efforts, giving it more credibility to handle the security of civilian federal government networks and critical infrastructure.

But while they are encouraged by the action on the issue, some warn lawmakers need to act more quickly and worry about additional obstacles ahead.

"I think Congress needs to have a greater sense of urgency about this," said Suzanne Spaulding, who served as NPPD undersecretary during the Obama administration. "Our adversaries are not slowing down. If anything, the pace of innovation ... among the bad guys is increasing."

Focus on DHS's cyber duties has increased as a result of Russian interference in the 2016 presidential election, which involved the targeting of state and local election-related systems.

The issue of reorganizing NPPD has been a priority of House Homeland Security Chairman Michael McCaul (R-Texas) since the last Congress. His latest bill to establish the Cybersecurity and Infrastructure Security Agency in place of NPPD advanced through his committee with broad bipartisan support on Wednesday.

Officials at DHS called for reorganizing their cyber and infrastructure protection duties during the Obama administration. However, the issue was a source of tension between the executive branch and Congress last year, as lawmakers grew frustrated over an internal reorganization proposal leaked to the media that suggested DHS was moving forward without involving Congress.

This time around, McCaul and other committee members have been engaging with the Trump administration and senior officials at DHS to get feedback on the latest legislative effort, which has been underway since at least March.

Rep. John Ratcliffe (R-Texas), who leads the subcommittee with oversight of DHS's cybersecurity and infrastructure protection efforts, said that he recently met with White House officials, including President Trump's homeland security adviser Tom Bossert and cybersecurity coordinator Rob Joyce, to discuss cybersecurity. Ratcliffe said he received positive feedback on the legislation.

To read the rest of our piece, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

'Most dangerous' banking malware gets update. (The Hill)

ShadowBrokers leak probe said to be looking at NSA insiders. (The Hill)

Hackers claim 'breach' of cyber firm FireEye. (The Hill)

Hackers reportedly leak HBO episodes, 'Game of Thrones' script online. (The Hill)

RNC tells staff not to delete or alter any documents related to 2016 campaign. (The Hill)

House votes to authorize intelligence agencies. (The Hill)

Estonia becomes key destination for U.S. officials, including Vice President Mike Pence this week. (Politico)

Small and medium-sized businesses in Britain are not investing in cybersecurity. (The Independent)

Vladimir Putin bans the use of virtual private networks (VPNs) in Russia. (Reuters)

India pressed to upgrade defenses against cyber crime. (Times of India)

If you'd like to receive our newsletter in your inbox, please sign up here.