Overnight Cybersecurity

Overnight Cybersecurity: Equifax security employee left after breach | Lawmakers float bill to reform warrantless surveillance | Intel leaders keeping collusion probe open

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...

THE BIG STORY:

--EQUIFAX TRILOGY PART 1: Wednesday saw a trio of hearings on the Equifax breach on Capitol Hill. Senators ripped former Equifax CEO Richard Smith over executives unloading almost $2 million worth of stock after the credit reporting firm suffered a massive hack but before the public was notified. "I've got to tell you something and this is just a fact. It may have been done with the best of intentions and no intent for insider trading, but this really stinks. I mean it really smells, really bad," said Sen. Jon Tester (D-Mont.). Smith defended the executives in question: John Gamble, the chief financial officer; Joseph Loughran, president of U.S. information solutions; and Rodolfo Ploder, president of workforce solutions. He said they were not aware of the hack when they sold their stocks. At the time they unloaded their shares, Smith told lawmakers, Equifax only knew that "suspicious activity" had occurred but did not understand the extent of the breach. Smith said the company sees suspicious activity from attempted hacks millions of times a year and suggested this hack initially seemed no different. But lawmakers appeared skeptical. "The stock sales seem to suggest more information than we are getting here," said Sen. Tim Scott (R-S.C.).

--...PART 2: There may be a non-controversial explanation for a controversial no-bid contract the Internal Revenue Service granted Equifax amid the fallout of its recent cyberattack. Officials testified Wednesday it was a stopgap measure to prevent a taxpayer service from being shut off as the IRS attempts to move to a new vendor. On Tuesday night, reports emerged that the IRS had granted a $7 million fraud-prevention contract to Equifax on Sept. 29, well after the credit reporting firm announced a massive hack. Jeffrey Tribiano, IRS deputy commissioner for operations support, testified that the contract was to continue the electronic authentication service Equifax had already been providing as the agency attempted to move that contract to a new vendor. In July, after the IRS decided to replace Equifax with another company's successful bid, Equifax challenged the procurement. That challenge is currently under review at the Government Accountability Office (GAO). With the procurement still unresolved, the IRS entered into a temporary contract with Equifax to maintain services. "We had to either, one, stop the service, which means millions of taxpayers would not be able to get their transcripts, including those that are in need of it -- like in the hurricane disaster areas, they use those tools to get their transcripts -- or do a bridge contract with Equifax until GAO decides on the protest, and we move forward," Tribiano said.

--...PART 3: Former Equifax CEO Richard Smith testified Wednesday before a Senate Judiciary privacy subcommittee that the employee responsible for not updating the company's security software had stepped down in the weeks after the massive data breach was revealed. In a hearing on Tuesday, Smith had told lawmakers that the breach could be attributed to a "combination of human error and technological error." According to Smith's testimony, an employee had failed to patch software, leaving Equifax's consumer data vulnerable, and scanning software had failed to detect the vulnerability later on. That employee hasn't been identified and Equifax has stayed quiet until now about the person's employment status.

A LEGISLATIVE UPDATE:

--WARRANTLESS SURVEILLANCE: A powerful pair of House lawmakers is poised to introduce legislation this week that would place modest limits on the National Security Agency's warrantless surveillance program, likely reigniting debate on Capitol Hill and setting up a potential showdown with the Trump administration.

The bill, from the chairman and ranking member of the House Judiciary Committee, is set to be introduced as early as Thursday.

According to a draft version obtained by The Hill, the proposal would require criminal investigators to obtain a court order before viewing the content of any communications collected under that program - including those sent by Americans.

The standard for viewing metadata is set lower, requiring investigators only to seek higher-level approval. Metadata information includes things like call time and sender and receiver.

The Trump administration has been campaigning fiercely for a clean, permanent renewal of the surveillance program, which is set to expire at the end of this year. Intelligence officials, who briefed reporters on their use of the authority last week, believe it to be one of the most critical tools they have to combat terrorism.

But Judiciary Committee chairman Bob Goodlatte (R-Va.) has said that a wholesale permanent reauthorization of the law is a nonstarter in the House.

The proposal would extend the law until 2023, with a number of other tweaks aimed at boosting oversight and ensuring the agency is only spying on legal targets.

It would also prohibit the agency for six years from collecting communications that are about a foreign target but are neither sent nor received by that person. The NSA voluntarily halted such collection, known as "about" surveillance, earlier this year, but wants to retain the authority to resume it.

The Hill's Katie Bo Williams has more here.

A LIGHTER CLICK:

GREETINGS FROM AMAZON, GEORGIA.

THE MOSCOW MILE:

--SENATE INTEL SAYS COLLUSION INVESTIGATION ONGOING: The Senate Intelligence Committee is still investigating whether there was any collusion between the Trump campaign and Russia during the 2016 election, the panel's leaders said Wednesday. "The committee continues to look into all evidence to see if there was any hint of collusion," Chairman Richard Burr (R-N.C.) told a room packed with reporters. "I'm not even going to discuss initial findings because we haven't any." But, he added later, "The issue of collusion is still open." In one significant development, they said committee members and staff have reached "general consensus" that they trust the intelligence community's formal assessment that Russia launched a wide-scale disinformation campaign targeted at the 2016 election. That assessment was issued during the Obama administration. Burr stopped short, however, of giving a complete endorsement of the Obama-era report, which claimed that Russia had intervened on behalf of Trump. The committee has not come to a conclusion on Russia's preferences, he said, only that Moscow intended to sow "chaos on every level."

--...BUT DONE SOLICITING COMEY INFO, FOR THE TIME BEING: The leaders of the Senate Intelligence Committee announced Wednesday they will no longer pursue details surrounding the memos former FBI Director James Comey wrote as personal recollections of his conversations with President Trump about the Russia investigation. "This topic has been hotly debated and the committee is satisfied that our involvement with this issue has reached a logical end as it relates to the Russia investigation," Sen. Richard Burr (R-N.C.), the chairman of the panel, said during a press conference. The committee told reporters it was leaving any further probing of the Comey memos to Special Counsel Robert Mueller. "Now again, this is not something that we have closed, but we have exhausted every person we can talk to get information that is pertinent to us relative to the Russia investigation," he told a room of reporters.

WHAT'S IN THE SPOTLIGHT:

--A DHS BUG BOUNTY PROGRAM:

A Senate panel with oversight of the Department of Homeland Security (DHS) has approved legislation that would set up a "bug bounty" program to pay researchers for catching vulnerabilities in the department's information systems.

The "Hack DHS Act" would direct the Department of Homeland Security to set up a pilot bug bounty program that would offer cash to security researchers who identify and report vulnerabilities in DHS's information systems, giving DHS an opportunity to patch them.

The idea is common in the business world and now slowly emerging in government. The Act was modeled after a similar program established at the Pentagon to catch undiscovered vulnerabilities in the Defense Department's systems.

The bipartisan bill, introduced by Sens. Maggie Hassan (D-N.H.) and Rob Portman (R-Ohio) in May, advanced through the Senate Homeland Security and Governmental Affairs Committee during a meeting Wednesday. Sen. Claire McCaskill (D-Mo.), the committee's ranking member, is cosponsoring the legislation, along with Sen. Kamala Harris (D-Calif.).

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

The U.S. cleared major hurdles for the extradition of two accused Russian cybercriminals from E.U. nations - suspects whose extradition Russia fought to prevent. (The Hill)

Mr. Moneybags, of Monopoly fame, attended one of the Equifax hearings. (The Hill)

Headline of the day: "Here's the Leaked Anti-Leak Training Email Sent to DOE Staff." (Wired)

There was a coup at the internet's premier Donald Trump forum. (Motherboard)

The FBI issued a flash warning for companies to fix the security flaw that snagged Equifax. (Cyberscoop)
