Overnight Cybersecurity: Lawmakers demand answers on Equifax breach | Virginia drops touchscreen voting machines | Best Buy removes Kaspersky from shelves

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …
THE BIG STORY:
–EQUIFAX FALLOUT INTENSIFIES: Outrage is building over the massive security breach revealed by credit reporting firm Equifax last week. The company has attracted significant scrutiny after disclosing that hackers may have gained access to personal information, including Social Security numbers, on as many as 143 million Americans. On Capitol Hill, lawmakers from both parties have expressed concern, with many calling for hearings on the matter. Multiple House committees have said that they will hold hearings. Meanwhile, the New York, Pennsylvania and Illinois attorneys general have announced formal investigations into the hack. On Monday, Democratic Sen. Brian Schatz (Hawaii) went after the company on Twitter, accusing Equifax of “ripping off” consumers by not covering costs for credit freezes.
–WHITE HOUSE SAYS BREACH COULD WARRANT NEW REGS: White House press secretary Sarah Huckabee Sanders said Monday that the massive Equifax breach could warrant more regulations to protect Americans’ personal data. Sanders said the White House would look into “the best ways to make sure that Americans are protected” from breaches, days after the credit reporting firm acknowledged that consumers had their personal data exposed to hackers. Sanders was responding to a reporter’s question about whether the breach warrants new regulations on the handling of Americans’ personal data at the White House briefing Monday afternoon. “I think this is something we have to look into extensively,” Sanders replied. “Certainly, something we have to explore — the best ways to make sure that Americans are protected in that sense.”
–HERE COME THE LAWSUITS: The data breach has already triggered class-action lawsuits. Two suits have been filed in federal courts in Georgia and Oregon, CyberScoop reports. In the Oregon case, the plaintiffs argue that Equifax “negligently failed to maintain adequate technological safeguards to protect” information from hackers. Similar accusations are being made in Georgia. According to the statement from Equifax Thursday evening, hackers had unauthorized access to sensitive consumer information for more than a month before the company discovered the breach at the end of July. Consumers only became aware of the breach when it became public on Thursday, more than a month after the initial detection.
–QUESTIONS REMAIN: The Equifax breach is potentially of a scale and scope the country has never seen, with a hacker pilfering personal information on up to 143 million people — close to half the U.S. population. The situation is still fluid, however, and many important questions — even some that seem to be answered — are not entirely resolved. These include the number of people actually affected, and whether the controversy surrounding the forced arbitration clause associated with the company’s free identity theft protection will scare people away from credit monitoring.
A LEGISLATIVE UPDATE:
SENATE POISED TO TAKE UP DEFENSE POLICY BILL: The full Senate is poised to begin consideration of annual defense policy legislation beginning Tuesday, following a procedural vote Monday evening to kick off debate.
The Senate is using the House version of the fiscal 2018 National Defense Authorization Act (NDAA), approved back in July, as a vehicle for its version. The bill includes provisions related to cybersecurity, and fully funds President Trump’s budget request for U.S. Cyber Command, which he officially elevated back in August.
The White House spelled out its objections to the upper chamber’s version of the bill approved by the Senate Armed Services Committee earlier this summer in a statement released by the Office of Management and Budget (OMB) on Friday. In particular, the Trump administration is not happy with a section of the bill establishing a policy for deterring and responding to cyberattacks, which it says “would enact certain foreign policy and military determinations that are traditionally within the purview of the president.”
“This would severely constrain the president’s decision space and undermine the ability of the armed forces to act rapidly and decisively, in accordance with applicable law, to neutralize threats and to defend United States national interests in cyberspace,” the White House said.
There are sure to be a number of cyber-focused amendments to the bill. Sen. Jeanne Shaheen (D-N.H.), for instance, has offered a measure that would bar any government agency or department from using security software produced by Kaspersky Lab, a Russian-origin cyber firm that has fallen under increased scrutiny for alleged ties to Russian intelligence. For more on Kaspersky, keep reading…
A DECISION IN FOCUS:
VIRGINIA SCRAPS VOTING MACHINES VULNERABLE TO HACKING: The Virginia State Board of Elections on Friday moved to do away with touchscreen voting machines in the state by November’s election, a move aimed at boosting security.
The board decided to phase out the machines this year after the Virginia Department of Elections recommended that the touchscreen voting machines be decertified. The recommendation came after security experts breached numerous types of voting machines with ease at the DEF CON cybersecurity conference in Las Vegas in July, according to The Richmond Times-Dispatch.
The move comes amid heightened concerns over foreign interference in future elections, in light of the U.S. intelligence community’s conclusion that Russia used cyberattacks and disinformation to interfere in the 2016 presidential election.
Virginia’s gubernatorial election will take place in November, meaning that the move to get rid of the machines would result in 22 localities having to replace their equipment less than two months before the vote.
The state has already passed a law mandating that the machines be phased out by 2020. According to the Times-Dispatch, 10 localities have already started purchasing new equipment. The remaining 12 would need to work quickly to phase out the old equipment by Nov. 7.
“The security of the election process is always of paramount importance. The Department is continually vigilant on matters related to security of voting equipment used in Virginia,” Edgardo Cortés, the state’s election commissioner, said in a news release Friday.
Cyber experts have raised alarm over the touchscreen devices, called direct-recording electronic, or DRE, voting machines, because they yield no paper records that can be checked with the electronic records to make sure votes are tallied accurately.
WHAT’S IN THE SPOTLIGHT?
KASPERSKY: Russian-origin Kaspersky Lab is again making headlines, a week after Democratic Sen. Jeanne Shaheen (N.H.) penned an op-ed pushing for a government-wide ban on the firm’s security software over concerns about alleged ties to Russian intelligence.
Best Buy has stopped selling anti-virus software produced by Kaspersky Lab, a spokesman for Best Buy confirmed to The Hill. Kaspersky also confirmed that it had parted ways with Best Buy in an emailed statement.
“Kaspersky Lab and Best Buy have suspended their relationship at this time; however, the relationship may be re-evaluated in the future,” the software firm said. “Kaspersky Lab has enjoyed an almost decade-long partnership with Best Buy and its customer base, and the company will continue to offer its industry-leading cybersecurity solutions to consumers through its website and other retailers.”
The development comes amid heightened scrutiny of Kaspersky in the wake of Russia’s interference in the U.S. presidential election. The company has fought allegations in recent years that it has ties to Russian intelligence.
Reports surfaced late last week that Best Buy was pulling the company’s anti-virus software from its shelves and online retail store. Reuters cited an unnamed source who said Best Buy believed there were “too many unanswered questions” about the company.
The Best Buy spokesman told The Hill the retailer does not “comment on contracts with specific vendors.”
Best Buy is the largest electronics retailer in the United States.
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
Top Obama IT official joins Squire Patton Boggs. (The Hill)
Five major revelations from Congress’s Russia probes. (The Hill)
Son of Russian lawmaker pleads guilty in credit card theft scheme. (The Hill)
Russian pol: US intel missed ‘Russian intelligence’ stealing ‘the president of the United States.’ (The Hill)
Lawmakers push credit report legislation after Equifax breach. (The Hill)
Senators press for answers on Equifax executives who sold stock after breach. (The Hill)
The DNC is working to bolster cybersecurity in preparation for the 2018 midterms. (BuzzFeed)
Putin signals that Russian tech companies should steer clear of foreign software. (Reuters)
FireEye subsidiary Mandiant is said to be aiding Equifax post-breach. (ZDNet)
Apparent leak reveals information about Apple’s new iPhone before release. (Washington Post)
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.