Overnight Cybersecurity: Privacy Shield takes effect

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...



--MAKE IT OFFICIAL IF YA LIKE: European officials on Tuesday gave the final stamp of approval to a long-awaited data transfer deal between the U.S. and the European Union, allowing the agreement to go into effect after more than eight months of negotiations. The so-called Privacy Shield is intended to allow thousands of companies -- from social media to hospitality -- to continue freely transferring European citizens' data across the Atlantic. It replaces a widely used 2000 agreement that was struck down by the European high court over privacy concerns last fall. Businesses have long feared a chilling of transatlantic trade -- valued at $1 trillion in 2014 -- if officials were unable to reach a deal that satisfied Europe's stiffer privacy protections. "We know that individuals and industry alike have faced uncertainty, but I want to assure you that all of us are committed to a smooth transition to the Privacy Shield," Commerce Secretary Penny Pritzker said in remarks given early Tuesday morning. "With the approval of the EU-U.S. Privacy Shield, we send an important message to the world: The sharing of ideas and information across borders is not only good for our businesses but also for our communities and our people." Companies can begin signing up for the new program Aug. 1, officials said. The inking of the deal was immediately hailed as a victory by business and tech groups in the U.S., as well as lawmakers. "In addition to bolstering American businesses, the Privacy Shield strikes the right balance between personal privacy and public security while ensuring that cross-border data transfers between the two regions continue without interruption," said Sen. Orrin Hatch (R-Utah), who co-sponsored a bill giving Europeans judicial redress for privacy violations in the U.S., which was seen as a prerequisite of the deal. The U.S. Chamber of Commerce hailed the privacy shield as a "strong agreement." To read our full piece, click here.

--YOUR DAILY CLINTON EMAIL UPDATE: Any alleged violation of federal record keeping laws by Hillary Clinton was "not under the purview" of the federal investigation into her use of a private email server while secretary of State, Attorney General Loretta Lynch said Tuesday. "Do you agree with [FBI Director James Comey] that Mrs. Clinton violated the Federal Records Act?" Rep. Lamar Smith (R-Texas) asked Lynch during her testimony before the House Judiciary Committee. "I don't recall Director Comey speaking on that point. I'd have to go back and check, so I don't have a comment on that," Lynch said. "Do you feel that she violated the Federal Records Act?" Smith asked. "I don't know if that was under the purview of the investigation," Lynch said. "I don't recall a specific opinion on that." In its May report on Clinton's email practices, the State Department's inspector general found that her decision not to use an official department email address "is not an appropriate method" of preserving emails under the Federal Records Act. Beyond Lynch's bemused deferral, little other new information came out of Tuesday's hearing, during which she largely refused to address the content of the investigation. "While I understand that this investigation has generated significant public interest, as attorney general, it would be inappropriate for me to comment further on the underlying facts of the investigation or the legal basis for the team's recommendation," Lynch said. To read about her Federal Records Act comments, click here. To read a recap of the hearing, by Julian Hattem, click here.



--STILL WORKING. Sen. Angus King (I-Maine) continues to stump for a bill that would replace computer-connected operating systems that are vulnerable to cyberattack with analog and human-operated systems -- a so-called "retro" approach.

"This is a very straight-forward bill, and it does grow out of the experience in Ukraine where they found that they had analog and human intervention at certain key points," King said during a Senate Energy and Natural Resources' Subcommittee on Energy hearing on the bill Tuesday.

Late last year, during a massive blackout in the Ukraine caused by malware, grid operators switched their systems to manual control to mitigate the damage -- an approach security experts say is part of a toolbox of responses in the event of a cyberattack.

"I do not want to go home to Maine after a disastrous attack somewhere in the United States on our critical infrastructure and explain that we didn't try," King said.



A really good Pokemon idea. Really.



Targeted, sophisticated malware was recently found aimed at specific European power plants and is likely the result of a nation-state attack, a security company reported Tuesday.

In a blog post, SentinelOne claimed it had reverse-engineered malware known as a dropper, a kind of injection mechanism for a payload that contained more specific instructions.

The dropper was built to evade specific antivirus companies -- including expensive, industrial systems -- and avoid a bevy of secure testing environments known as sandboxes. It targeted specific systems in an Eastern European power company, terminating if it tried to infect highly-protected systems that ran plant security, like biometrics or radio-frequency identification. It also was designed not to install on two specific computers, identified by a code embedded in their network cards.

"We think it was a state actor because of the amount of resources it would have taken to build. Normally, in malware, we only see one or two checks for sandboxes," said Joseph Landry, the main author of the report. "And also because of the Windows expertise involved in designing the malware."

To read the rest of our piece, click here.




--The House Foreign Affairs Committee holds a hearing on countering the "virtual caliphate" at 10 a.m.

--The House Oversight Subcommittee on Information Technology will hold a hearing on "Digital Acts of War: Evolving the Cybersecurity Conversation" at 1 p.m.


--The Homeland Security Committee will receive testimony on worldwide threats from FBI Director James Comey and Homeland Security Secretary Jeh Johnson, at 10 a.m.

--The House Science Committee will hold a hearing evaluating the Federal Deposit Insurance Corporation's response to data breaches, at 10 a.m.

--Senate Intelligence receives a closed door briefing at 2 p.m.



--GOVERNMENT CYBER RECRUITS. The White House released its new cybersecurity workforce strategy on Tuesday, with measures intended to help agencies recruit and retain skilled information security employees.

Read the blog post, from Office of Management and Budget Director Shaun Donovan, Office of Personnel Management acting Director Beth Cobert, White House Cybersecurity Coordinator Michael Daniel and U.S. Chief Information Officer Tony Scott, here.

To read our piece on the challenges the government has in hiring talented security personnel, click here.  



Links from our blog, The Hill, and around the Web.

The Hill profiles the first-ever full-time chairman of the Privacy and Civil Liberties Oversight Board.

Google notifies customers of 4,000 state-sponsored cyber attacks a month, an executive said at a conference. (The Hill)

Google will soon reduce the amount of information that the widely popular Pokemon Go app can collect after reports that the game was requesting "full access" to users' Google accounts. (The Hill)

Microsoft says it has patched a "critical" security flaw that affected all versions of its Windows software dating back years. (The Hill)

A prominent marketplace for hacked servers is back online, after shutting down in June when it was outed by the software security firm Kaspersky Lab. (The Hill)

A trove of communications from ISIS plots and activity in Europe reveals a mix of direct control and improvisation and shows the crucial importance of encrypted messaging tools. (ProPublica)

Here's why hackers are targeting the GOP convention. (Yahoo)

Does decrypting encrypted data "fundamentally alter" it, therefore contaminating it as forensic evidence? (Motherboard)

