Overnight Cybersecurity: WH details rules for handling hacking tools | UK claims Russia behind widespread hacks | Bill to save cyber diplomacy office advances


Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...



--WHITE HOUSE LIFTS VEIL OVER VULNERABILITIES EQUITIES PROCESS: The White House released a charter Wednesday publicly describing the principles and goals of the secretive process it uses to decide which hacking tools to keep in its arsenal and which to report to tech companies so they can fix security flaws. It marked the first time cybersecurity and policy professionals had a chance to investigate what had been a shadowy system. For years, the cybersecurity community tried to piece together how that system -- known as the Vulnerabilities Equities Process (VEP) -- worked, through Freedom of Information Act requests, innuendo and complex modeling of what little information had been shared with the public. The Obama administration made clear the VEP existed and involved some sort of executive office panel to weigh whether the benefits of using a particular vulnerability for espionage would outweigh the potential damage that would occur if criminal hackers or foreign spies exploited the same vulnerability for their own gain.

To read the rest of our piece, click here.


--...CYBER CZAR WEIGHS IN: At an event in Washington, D.C., White House cyber czar Rob Joyce emphasized that more voices at the table favor disclosing vulnerabilities than had previously been assumed. "There was a proposal to add [the Department of] Commerce to the process. Commerce was already there," he said during an onstage interview at The Aspen Institute. "So much of the fabric of our society relies on the bedrock that is [information technology]," he said, later adding, "If there is a flaw in those systems, there's an imperative to make sure that flaw is not exploited." "Both sides have to come away from that table a little unhappy," he said.

To read the rest of our piece, click here.

--...THE BIG REVEAL: One big disclosure of the VEP charter was how many civilian agencies and interests are represented. There are so many agencies in the room that, at an early Wednesday event, White House Cybersecurity Czar Rob Joyce needed to read them from a list. In addition to the Office of the Director of National Intelligence, Department of Justice, FBI, NSA, Cyber Command, Department of Defense and CIA -- all of whom have interests in adding new tools to the arsenal -- the VEP includes representatives from the Office of Management and Budget (representing defensive security interests of government systems), Treasury (banks), Energy (the power grid), Commerce (private sector firms, including tech companies), State (foreign interests) and Homeland Security (critical infrastructure).

--...PROCESS DOESN'T CLOSE LOOPHOLE: After the San Bernardino terrorist attacks, the FBI purchased the use of a vulnerability from a contractor to break into a suspect's iPhone. That vulnerability never went through the VEP because it was purchased under a non-disclosure agreement (NDA). There were fears from some digital rights quarters that non-disclosure agreements could be used as a loophole to prevent agencies from needing to go through the VEP. The charter leaves in an exemption for vulnerabilities acquired under NDAs.

--...BUT MORE TRANSPARENCY GOING FORWARD: A new addition to the VEP will be an annual public report on how many vulnerabilities were discovered and how many were kept secret. Joyce said the rate of notifying tech firms has historically been above 90 percent.

To read the full story on the process behind the government's hack toolkit, click here.



CYBER DIPLOMACY ACT CLEARS COMMITTEE: A bill to save a standalone cybersecurity office in the State Department at risk from Secretary Rex Tillerson's axe passed the House Foreign Affairs Committee.

"The U.S. cannot lead on international cyber issues if we don't have anyone sitting at the negotiating table or a clearly-defined strategy to guide them," said Rep. Ted Lieu (D-Calif.), one of the lawmakers co-sponsoring the bill.

The Tillerson plan would place cybersecurity responsibilities within an office devoted to economics.

Critics note that not all cybersecurity problems relate to economics -- others touch on issues ranging from espionage to human rights -- and are fighting to save the office.


A LIGHTER CLICK: Simplifying nomenclature.



IT REPORT CARD TIME: The latest edition of a report card measuring the efficiency and speed of managing agencies' information technology showed modest declines in grades. Much of the decline could be attributed to a change in formula.

The FITARA report card, released Tuesday evening and discussed in a House Oversight Subcommittee Wednesday, grades adherence to policies and timelines to improve IT.

"[P]rogress is being made - just not as quick as it should be and needs to be - legacy IT is a continuing fiscal and cybersecurity risk to our nation," said subcommittee Chairman Will Hurd (R-Texas).

Since July's report card, which had agencies getting one A, seven Bs, ten Cs, five Ds and an F, grades slipped to one A, ten Bs, 14 Cs, three Ds and two Fs.

However, the latest report card took into account software licensing criteria that were not included in previous drafts.



IT'S STILL RUSSIA: The U.K.'s top cybersecurity official has confirmed for the first time that Russian hackers targeted British media, telecommunications and energy firms over the past year.

Ciaran Martin, head of the National Cyber Security Centre (NCSC), made the remarks during the Times Tech Summit on Wednesday. His comments are one of the strongest acknowledgments so far from a top official of the extent to which the British government has faced cyberattacks from Russia.

"That is clearly a cause for concern -- Russia is seeking to undermine the international system," Martin said.

To read the rest of our piece, click here.



Links from our blog, The Hill, and around the Web.

The National Counterterrorism chief will retire at year's end. (The Hill)

We might also lose CIA honcho Mike Pompeo, if he's tapped to replace Rex Tillerson. (The Hill)

Facebook added two new lobbyists to deal with scrutiny amid the Russia probe. (The Hill)

Sandia National lab will study the biology of hackers at work. (The Register)

How much does it cost to do what's on dark web markets? (Flashpoint)

If you'd like to receive our newsletter in your inbox, please sign up here.