Overnight Cybersecurity: Equifax CEO faces outraged lawmakers | Dem presses voting machine makers on cyber defense | Yahoo says 3 billion accounts affected by 2013 breach
Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...
THE BIG STORIES:
--EQUIFAX CEO FACES FRUSTRATED LAWMAKERS: Lawmakers got their first crack at former Equifax CEO Richard Smith on Tuesday, hitting him with criticism for the massive data breach that occurred on his watch. The lawmakers could barely mask their anger as they pressed Smith on why the company's data security practices were inadequate, given the mass amounts of personal data the company handles. Smith opened his testimony with a public apology. "The criminal hack happened on my watch and as CEO I'm ultimately responsible," said Smith, who retired from the company last week. In one exchange with Rep. Ben Ray Luján (D-N.M.), Smith repeatedly dodged questions about whether Equifax's response will make consumers whole. Equifax revealed the breach last month, saying that hackers had stolen personal information for 143 million people. This week, the company said that 2.5 million more people were affected by the breach than had been initially estimated. The stolen data included Social Security numbers, names, birth dates and addresses. Smith said the breach could be attributed to a "combination of human error and technological error." The company neglected to patch key software, leaving consumer data vulnerable, and Equifax's security scanners did not detect the vulnerability, Smith said. Tuesday's House Energy and Commerce Committee hearing was the first in a slew of congressional hearings at which Smith will testify this week. Next up: The Senate Banking Committee.
--WYDEN PRESSES VOTING MACHINE MAKERS ON CYBER DEFENSES: A Democratic U.S. senator is pressing six leading voting machine companies for information on their cybersecurity efforts amid alarm over Russian interference in the 2016 U.S. presidential election. Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, sent letters to six manufacturers of voting systems as well as two voting system test laboratories accredited by the U.S. Election Assistance Commission, asking them for information on their cybersecurity practices and any breaches that have resulted in hackers accessing their data or systems. The requests come about a week after the Department of Homeland Security notified 21 states that their election systems were targeted by Russian actors ahead of the election. None of the systems targeted were involved in vote tallying. "I write to seek public answers about cybersecurity threats to our election infrastructure and whether the election technology industry has taken steps to defend against hackers, including those working for foreign governments," Wyden wrote in near-identical letters to the voting tech companies on Tuesday.
--10 MILLION FACEBOOK USERS SAW RUSSIAN ADS: Facebook revealed on Monday that roughly 10 million users saw political ads purchased by Russian actors around the time of the 2016 election. Some 44 percent of the ads were seen before the election, while 56 percent were seen after, according to the company's numbers. The company notes that a quarter of the 3,000 ads purchased were never seen by any Facebook users. Facebook's numbers come amid mounting pressure from some lawmakers who want to see the social media behemoth publicly release the 3,000 ads purchased by the Kremlin-linked "Internet Research Agency." The company turned over the ads to lawmakers on Monday. "The American people deserve to see the ways that the Russian intelligence services manipulated and took advantage of online platforms to stoke and amplify social and political tensions, which remains a tactic we see the Russian government rely on today," the House Intelligence Committee's top Democrat, Rep. Adam Schiff (Calif.), said in a statement on Monday.
--DRIP DRIP DRIP: Ivanka Trump and her husband, Jared Kushner, have reportedly sent hundreds of emails from a third private email account while serving in their White House roles, Politico reported Monday, citing three sources familiar with the matter. A nonprofit watchdog, the Project On Government Oversight, helped the news outlet coordinate the report. The account, which both the first daughter and Kushner had access to, reportedly received hundreds of emails from White House government accounts since January. Many of the emails are internal travel documents and schedules, but some also contained official White House materials, Politico reported. White House officials' use of private email has triggered scrutiny since Politico first revealed last week that Kushner used a private account for some official business. The development has also opened the GOP up to hypocrisy charges, most notably from Hillary Clinton, who was criticized throughout the presidential campaign for her use of a private email server at the State Department. On Tuesday, Sen. Ben Cardin (D-Md.) sent a letter to White House counsel Don McGahn and Secretary of State Rex Tillerson asking if any White House staffers have been using "unofficial" channels to communicate with foreign governments. Meanwhile, USA Today is reporting that Kushner and Ivanka Trump's emails have been moved to servers operated by the Trump Organization.
--YAHOO SAYS 3 BILLION AFFECTED BY 2013 BREACH: Yahoo's massive data breach revealed last year affected all of its 3 billion accounts, the company announced on Tuesday, triple the number that it had said were impacted when it revealed the breach last year. After Yahoo was purchased by Verizon this year, it was rebranded as Oath. Oath announced that it would be notifying all of the additional users impacted by the breach. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources," said Chandra McMahon, Verizon's head of information security.
A LEGISLATIVE UPDATE:
SENATE APPROVES CYBER CRIME BILL: The Senate on Monday evening passed a bill intended to help state and local officials fight cyber crime, paving the way for the legislation to be signed by President Trump.
The bill would authorize into law the National Computer Forensics Institute, a center in Hoover, Ala. that gets federal funds to train state and local officials in investigating digital crimes.
The bill was introduced by Rep. John Ratcliffe (R-Texas) and cleared the House back in May. The Senate approved an amended version of the House legislation in a voice vote on Monday.
Ratcliffe, who chairs the House subcommittee with oversight of the Department of Homeland Security's (DHS) cybersecurity and infrastructure protection missions, introduced the bill in the last Congress, when it passed the House but never came to the Senate floor for a vote.
Ratcliffe said back in May that the legislation would "give our officers a leg up on the criminals who are increasingly using digital means in cyber space to evade justice."
A LIGHTER CLICK: Need some personal space? There's a robot for that. (Motherboard)
A REPORT IN FOCUS: The company MediaPro is out with its second annual "State of Privacy and Security Awareness Report" just in time for National Cybersecurity Awareness Month. Among the more interesting findings, the survey found that 70 percent of U.S. employees lacked the awareness to stop preventable cyber incidents, down from 88 percent last year.
Twenty percent also demonstrated a lack of awareness when it comes to "safe social media posting, choosing risky actions such as posting on their personal social media accounts about a yet-to-be-released product of their employer."
The survey also found that 19 percent of employees did not report certain potential security or privacy incidents. The company surveyed 1,000 U.S. employees and members of the American public in August of this year to test their cyber knowledge.
WHAT'S IN THE SPOTLIGHT: HOMELAND SECURITY'S CYBER MISSION: Top officials at the Department of Homeland Security (DHS) testified before House lawmakers on Tuesday about the state of the department's cybersecurity mission. The House Homeland Security Committee hearing took place about a week after the department notified 21 states that Russian actors targeted their election systems ahead of the 2016 election, a development that has produced tensions between the department and state officials who say they were given misleading information. Tuesday's hearing covered a number of topics, including the recently disclosed Securities and Exchange Commission (SEC) breach and DHS's challenges in hiring new personnel to cybersecurity roles. Some key takeaways:
--OFFICIALS PUSH FOR CYBER SHAKEUP: Christopher Krebs and Jeanette Manfra, both of whom work in DHS's National Protection and Programs Directorate (NPPD), urged Congress to quickly act on legislation that would reorganize and elevate NPPD, the department's main cybersecurity and infrastructure protection wing, into its own operational agency. The legislation is spearheaded by Homeland Security Chairman Michael McCaul (R-Texas) and advanced out of the committee earlier this year, but has yet to make its way through other committees and to the House floor for a vote. Companion legislation also has not yet been introduced in the Senate. "That bill will give us three things. One, it will give us some operational efficiencies. ... Second, it will help with our branding and clarify roles and responsibilities. ... And finally, what that's going to do is give us the ability to attract talent," Krebs said Tuesday.
--DHS STILL HASN'T SUBMITTED CYBER STRATEGY TO CONGRESS: Much to the dismay of Rep. Cedric Richmond (D-La.), the subcommittee's ranking member, DHS still has not sent Congress its department-wide cybersecurity strategy, which was mandated by defense policy legislation passed last year. "The strategy is six months overdue, and that is unacceptable," Richmond said. Krebs told lawmakers that it's being held up by reports required by President Trump's executive order, and that the department will issue the strategy after conducting the assessments it is responsible for. "They are anticipated to have significant impacts on some of the priorities," Krebs said of the reports and assessments mandated by the EO. "When we have a broader understanding of where the department is going, that will then feed into the cybersecurity strategy."
--DHS IS 'ELEVATING' ITS ELECTION SECURITY MISSION: Krebs made a point to repeatedly emphasize that cybersecurity of election infrastructure--now categorized as "critical infrastructure"--is a top priority at the department. He said that DHS is "elevating" the mission and devoting more resources to fostering relationships with state and local officials who administer elections. "We're elevating it as a task force, bringing pieces from across the DHS components, including from the office of intelligence analysis, and resourcing it appropriately," Krebs said. "We're pulling the resources together in recognition that we don't have a lot of time, given that there are three elections this year."
--DHS RELIED ON 'OPEN SOURCE' INFORMATION FOR KASPERSKY DECISION: Krebs also disclosed that the department's decision to bar federal agencies and departments from using Kaspersky Lab software was primarily based on open-source information. "That determination was based on the totality of evidence, including on the most part open-source information," said Krebs during the hearing.
--SEC DIDN'T ASK FOR HELP AFTER BREACH: Manfra told lawmakers the SEC did not request help from DHS after its EDGAR financial database was breached last year. The SEC has come under scrutiny in Washington after disclosing the 2016 breach just last month, which it says may have allowed hackers to generate profits from stolen insider information. Manfra said the SEC notified the department of the breach on Nov. 4 of last year but that "at the time, the extent of the issue was not well understood." "We have very limited involvement in SEC," Manfra said when pressed about DHS's involvement in the breach. "They did not request our follow-on assistance for response."
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
IRS gives Equifax multimillion dollar contract to prevent fraud. (The Hill)
White House official calls for ending Social Security numbers as means of identification. (The Hill)
European Union courts to hear case that could hobble Facebook. (The Hill)
OPM brings on new IT chief. (The Hill)
Private data of more than 1,100 NFL players, agents exposed. (The Hill)
Havana attacks hit U.S. intelligence operatives in Cuba. (Associated Press)
More than 1,000 incidents reported in British cyber center's first year of operation. (BBC)
White House cyber czar calls foreign government source code reviews 'problematic.' (Reuters)