Overnight Cybersecurity: Equifax hit by earlier hack | What to know about Kaspersky controversy | Officials review EU-US privacy pact

Overnight Cybersecurity: Equifax hit by earlier hack | What to know about Kaspersky controversy | Officials review EU-US privacy pact
© Getty Images

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...



--EARLIER EQUIFAX HACK: The Equifax controversy continues to churn, more than a week after the credit reporting firm disclosed a breach that compromised personal information on as many as 143 million Americans. Credit reporting firm Equifax reportedly knew about a major hack of its computer systems in March, nearly five months before the hack disclosed to the public. A source told Bloomberg, which first reported the earlier hack, that same hackers are behind both breaches. But the company in a statement to The Hill denied the March breach was tied to the hack in which the personal and financial information of as many as 143 million U.S. consumers was exposed. The second hack, which has dominated headlines and crashed Equifax's stock since it was announced earlier this month, exposed Social Security numbers, birth dates and other personal information.

To read the rest of our piece, click here.


--MORE EQUIFAX FALLOUT: The company announced late Friday that two Equifax executives, its chief information officer and chief security officer, would resign from their positions effective immediately. Meanwhile, Bloomberg reported Monday that the Justice Department is investigating possible violations of insider trading laws by three top Equifax executives who sold stock in the company totaling nearly $2 million before the breach was publicly disclosed. The Equifax probe is reportedly being handled by the U.S. attorney's office in Atlanta, where the credit reporting firm is based. In a statement, a representative for the U.S. attorney's office for the Northern District of Georgia said that it is working with the FBI in its criminal investigation into the breach and the "resulting theft of personal information," but declined to comment further. The company has said the executives did not know about the breach at the time they made the sales. Nevertheless, the development has prompted scrutiny on Capitol Hill, with a bipartisan pair of lawmakers pressing the company for information on when top executives were notified of the breach.

To read the rest of our piece, click here.

--KASPERSKY CONTROVERSY: FIVE THINGS TO KNOW: Government scrutiny of Moscow-based cybersecurity firm Kaspersky Lab has grown after the Trump administration barred federal agencies and departments from using software produced by the company on Wednesday, citing potential risks to U.S. national security. The multinational firm, which boasts more than 400 million customers globally, has come under fire in Washington as lawmakers have grappled with Moscow's alleged interference in the 2016 presidential election. The U.S. government has never produced public evidence linking the company to the Kremlin. But the Department of Homeland Security (DHS) made waves this week by issuing a public directive ordering federal executive bodies to come up with "detailed plans" to discontinue their use of Kaspersky anti-virus software. In light of the latest development, here are five things you need to know about Kaspersky and the controversy around whether its anti-virus products can be trusted.

To read the rest of our piece, click here.

--FACEBOOK UNDER FIRE: Facebook is under fire after revealing that a Russian group tied to the Kremlin bought political ads on its platform during the 2016 elections. Lawmakers are demanding answers, and liberal groups, who say the company failed to crack down on fake news, are seizing on the new disclosure. Even Hillary ClintonHillary Diane Rodham ClintonRepublicans seem set to win the midterms — unless they defeat themselves Poll: Democracy is under attack, and more violence may be the future Popping the progressive bubble MORE, the 2016 Democratic presidential nominee, has cited the ads when discussing her loss during a book tour. Sen. Mark WarnerMark Robert WarnerFive Senate Democrats reportedly opposed to Biden banking nominee The Hill's Morning Report - Presented by ExxonMobil - House to vote on Biden social spending bill after McCarthy delay Overnight Defense & National Security — Presented by Boeing — US mulls Afghan evacuees' future MORE (Va.), the top Democrat on the Senate Intelligence Committee, has said the company needs to be more forthcoming about the full extent of the ad buys. Beyond revealing that Kremlin-linked Internet Research Group spent $100,000 buying ads on the social media platform in 2016, Facebook has said little else publicly. The company is sharing more privately with federal investigators. But lawmakers on intelligence committees in the House and Senate are complaining that Facebook still isn't providing enough details. "We need to get a lot more from the technology companies," Rep. Adam SchiffAdam Bennett SchiffJan. 6 panel may see leverage from Bannon prosecution An unquestioning press promotes Rep. Adam Schiff's book based on Russia fiction Stoltenberg says Jan. 6 siege was attack on 'core values of NATO' MORE (Calif.), the top Democrat on the House Intelligence Committee, said Friday on "Morning Joe." The Wall Street Journal reports that Facebook has turned over more information on the ad buys, including details on the accounts that purchased them, to special counsel Robert Mueller, as members of Congress have scrutinized the company for not coming clean on all the facts. Schiff suggested Friday that Facebook has been slow to release details because "it's against their economic interest to be advertising problems about how a foreign government was exploiting their technologies."

To read the rest of our piece, click here.



--SENATORS PUSH FOR 9/11-STYLE COMMISSION TO PROBE RUSSIAN HACKING: A bipartisan pair of senators is moving to create a 9/11-style commission to examine the cyberattacks that took place during the 2016 presidential election campaign. Sens. Kirsten GillibrandKirsten GillibrandThis Thanksgiving, skip the political food fights and talk UFOs instead Lobbying world Democrats optimistic as social spending bill heads to Senate MORE (D-N.Y.) and Lindsey GrahamLindsey Olin GrahamGraham emerges as go-to ally for Biden's judicial picks This Thanksgiving, skip the political food fights and talk UFOs instead Biden move to tap oil reserves draws GOP pushback MORE (R-S.C.) announced legislation on Friday to establish the National Commission on Cybersecurity of U.S. Election Systems to study the election-related cyberattacks, which the intelligence community has attributed to Russia, and make recommendations on how to guard against such activity going forward. The commission would be modeled after the 9/11 Commission tasked with investigating the Sept. 11, 2001, terrorist attacks against the United States. There have previously been calls from lawmakers, mostly Democrats, for a 9/11-style commission to examine Russia's interference campaign. The new legislation comes several months after Reps. Eric Swalwell (D-Calif.) and Elijah Cummings (D-Md.) introduced similar legislation in the House at the beginning of this year, which has accumulated support from all House Democrats and two Republicans. The commission would be required to report on its findings to federal, state and local governments. The panel would be comprised of experts selected by state election authorities and congressional leaders. "We need a public accounting of how [the Russians] were able to do it so effectively, and how we can protect our country when Russia or any other nation tries to attack us again," Gillibrand said in a statement, noting that "the clock is ticking before our next election."

To read the rest of our piece, click here.

--BREACH NOTIFICATION LEGISLATION BACK AFTER EQUIFAX: Rep. Jim Langevin (D-R.I.) reintroduced a bill establishing a national breach notification law on Monday, the latest piece of legislation positioned as a response to the Equifax data breach. "There is much still to learn about the Equifax breach and its ramifications, what is abundantly clear, however, is that consumers are still not sure whether they were affected and what information was stolen," Langevin said announcing the reintroduction of the Personal Data Notification and Protection Act, considered an Obama administration priority when it was introduced in 2015. "Equifax has done a terrible job communicating about the breach to date, and this legislation will ensure that any future such breach has a single standard and one federal regulator to help get actionable information to consumers quickly," Langevin continued. The laws designating how businesses must react after a data breach currently vary wildly from state to state. Langevin's bill will make all states abide by the same standard, giving companies 30 days to notify all victims of a breach and requiring companies to coordinate notifications with the Federal Trade Commission.

To read the rest of our piece, click here.

--DEFENSE BILL PASSES SENATE: The full Senate Monday evening passed the fiscal 2018 National Defense Authorization Act (NDAA) by an 89-8 vote after about a week of debate on the bill. The debate was hampered by delays over four of the more controversial amendments to the bill. The final defense policy bill, which passed the chamber Monday evening, includes a number of cyber-related provisions, including language that would bar the federal government from using software produced by Kaspersky Lab--essentially codifying into law the ban announced by Homeland Security last week.

To read more, click here.



President Trump has decided to nominate Walter Copan to lead the federal body responsible for producing cybersecurity guidance for the federal government and private sector entities. Trump late last week nominated Copan to serve as undersecretary of commerce for standards and technology, which would make him the leader of the non-regulatory National Institute of Standards and Technology (NIST). Copan is currently president and CEO of IP Engineering Group Corp. in Colorado, a company that helps clients "achieve the full technical and economic potential of their intellectual property." Copan will replace Kent Rochford, currently the acting undersecretary, if confirmed to the top Commerce post.

Copan's nomination generated praise from the top Republican on the House Science Committee. "I am pleased that President Trump has nominated Walter Copan to lead NIST," said Rep. Lamar Smith (R-Texas). "Because our federal systems are prime targets for cyber-attacks, it is crucial that we maintain and heighten cybersecurity. NIST has the expertise necessary to help protect our information systems and is the front line of defense against cyber-attacks on the federal government and private sector."  






PRIVACY SHIELD: U.S. and European Union officials are meeting this week to conduct the first annual review of the data transfer agreement known as the EU-U.S. Privacy Shield, a framework that helps companies transfer personal data across the Atlantic while complying with data protection requirements.

The agreement was designed by the U.S. Department of Commerce and the European Commission and approved last July, replacing the Safe Harbor agreement that was struck down by the European Court of Justice.

Now, officials are conducting the first joint review to assess U.S. compliance with the agreement. The review is being spearheaded by Commerce Secretary Wilbur RossWilbur Louis RossBannon's subpoena snub sets up big decision for Biden DOJ House panel, Commerce Department reach agreement on census documents China sanctions Wilbur Ross, others after US warns of doing business in Hong Kong MORE and European Commissioner for Justice Vera Jourová, who is in Washington this week meeting with American officials. "A robust Annual Review is crucial for continued success of #PrivacyShield. Happy to see all U.S. authorities involved participating today," Jourová tweeted on Monday.

In anticipation of the review, the White House put out a statement late last week expressing confidence that the review "will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic." The review is bringing together U.S. and EU officials, in addition to industry representatives.

While officials have billed the pact as one that bolsters data privacy protections for Europeans, it has become subject to scrutiny. The data transfer agreement is currently being challenged in European court on the grounds that it does not contain adequate privacy protections.

Roughly 2,400 U.S. companies have adopted the framework in order to transfer data out of the European Union to the United States.

"The number one thing that Commissioner Jourová and the EU delegation [are] concerned with is certainly the U.S. government obligations under the Privacy Shield framework and the enforcement of the company commitments," said Kendall Burman, a cybersecurity and data privacy attorney at Mayer Brown and former deputy general counsel for the Department of Commerce.

BSA The Software Alliance, a tech industry group, released a statement last week encouraging EU and U.S. officials to "hold fruitful and constructive discussions to further solidify the success" of the framework, casting the pact as one that balances privacy protections with the need for swift data flows.

The review is likely to wrap up in the next few days, after which Jourová is scheduled to travel to Silicon Valley to meet with tech company representatives, including Facebook's Sheryl Sandberg and executives at Apple and Google.

Following the review, the European Commission will produce a report spelling out its findings, expected to be completed in October, according to Reuters.



MOZILLA REIGNITES SECURITY DEBATE: Mozilla, the maker of the Firefox browser, is taking another stab at promoting reform of the Vulnerabilities Equities Process (VEP), a federal process used to grant permission to keep certain hacking techniques secret.

Intelligence agencies that research ways to break into computers are supposed to work with the presumption that they will notify computer equipment makers of any security flaw and allow them to patch it. When an agency feels it absolutely must keep a flaw secret to use for espionage, it is supposed to apply to do so in front of a third party board -- a system known as the VEP.

It is not without drawbacks. Every vulnerability the government keeps secret is a security flaw hackers can discover and use undetected. The NSA, for example, reportedly knew about the vulnerabilities used in "NotPetya" and "WannaCry" for years before both malware strains were used in massive malware outbreaks this year.

Mozilla wants to codify the VEP to include more input from consumer protection agencies, with more independence from the NSA. It is launching a six-hour workshop on the issue, "Cyber(in)security," that will be held on Tuesday, October 24th.

"User security is a priority and we believe it is necessary to have a conversation about the reforms needed to strengthen and improve the Vulnerabilities Equities Process to ensure that it is properly transparent and doesn't compromise our national security or our fellow citizens' privacy," said Denelle Dixon, Mozilla's chief business and legal officer. 



Links from our blog, The Hill, and around the Web.

NY Gov. Cuomo eyes expanding cyber regs to credit reporting agencies. (The Hill)

Google no longer contesting most cross border data warrants. (The Hill)

Bipartisan House bill would save State Department's cyber office. (The Hill)

Feds move to ramp up cyber hiring. (The Hill)

Alt-right Twitter rival may lose its web domain. (The Hill)

John Podesta speaks with Senate Intelligence Committee staffers. (The Hill)

Secretary of State Tillerson eliminated the State Department's delegation to the United Nations on cyber issues. (New York Times)

Music-streaming service Vevo got hacked. (Variety)

Probe into House IT worker produces no evidence of espionage. (Washington Post)

If you'd like to receive our newsletter in your inbox, please sign up here.