Overnight Cybersecurity: Facebook says Cambridge Analytica had data on 87M users | Zuckerberg to face lawmakers next week | Trump mulling 'offensive' cyber strategy | White House email domains lack security tool

Overnight Cybersecurity: Facebook says Cambridge Analytica had data on 87M users | Zuckerberg to face lawmakers next week | Trump mulling 'offensive' cyber strategy | White House email domains lack security tool
© Hill Illustration

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...




--FACEBOOK SAYS UP TO 87M IMPACTED BY CAMBRIDGE ANALYTICA BREACH: Facebook said on Wednesday that as many as 87 million people have been affected in the Cambridge Analytica data breach. The company previously estimated that the British research firm hired by the Trump campaign had improperly harvested data from around 50 million Facebook users. Facebook's new estimate came in a post outlining new steps it is taking to restrict third-parties' access to user data on its platform. As a part of the data policy changes, Facebook said that it will now delete Android users' call and text logs that are older than a year following outcry over the practice. The social media platform has been scrambling to temper criticism it has received following its disclosure that Cambridge Analytica improperly took user data and then did not delete the information after telling Facebook that it would.

To read more from our piece, click here.


--ZUCKERBERG TO TESTIFY ON APRIL 11: Facebook chief executive Mark ZuckerbergMark ZuckerbergTwo lawyers who filed suit challenging election results ordered to pay nearly 7K Hillicon Valley — Presented by Ericsson — DOJ unveils new election hacking charges State attorneys general launch probe into Instagram's impact on children, teens MORE will testify before the House Energy and Commerce Committee later this month, lawmakers said on Wednesday. The Facebook CEO's testimony will address how the British research firm used by the Trump campaign, Cambridge Analytica, improperly harvested data from 50 million Facebook users. "This hearing will be an important opportunity to shed light on critical consumer data privacy issues and help all Americans better understand what happens to their personal information online," said Energy and Commerce Chairman Greg WaldenGregory (Greg) Paul WaldenEx-Sen. Cory Gardner joins lobbying firm Ex-Rep. John Shimkus joins lobbying firm Lobbying world MORE (R-Ore.) and the committee's top Democrat, Rep. Frank Pallone Jr.Frank Joseph PalloneLawmakers discussing potential compromise to revive drug pricing measure House Democrats announce bill to rein in tech algorithms House Democrats ramp up probe of FDA approval of Alzheimer's drug MORE (N.J.) in a statement. "We appreciate Mr. Zuckerberg's willingness to testify before the committee, and we look forward to him answering our questions on April 11th," they added. Facebook officials had previously briefed the Energy and Commerce Committee, as well as other congressional committees on the Cambridge Analytica breach, but Walden said that "many questions were unanswered."

To read more from our piece, click here.


--MORE FACEBOOK... NEW TERMS OF SERVICE: Facebook is rewriting its terms of service and data policy in an effort to make them more clear to users as the company faces scrutiny in the U.S. over its privacy practices and prepares for a new European Union law that will require more transparency with users. "These updates are about making things clearer," Facebook said Wednesday in a blog post. "We're not asking for new rights to collect, use or share your data on Facebook. We're also not changing any of the privacy choices you've made in the past." The revisions detail what information the company uses, what users consent to and how Facebook's advertising practices work. The updated policies also make clear how Facebook shares information across the brands it controls, like Instagram, WhatsApp and Messenger. "For example, we can suggest that you join a group on Facebook that includes people you follow on Instagram or communicate with using Messenger," reads the new data policy. Facebook and other internet companies are preparing themselves for a sweeping new data law in the EU that requires them to give users better control over their personal information. Under the new regulations, users will have the ability to easily adjust the permissions they grant to digital services.

To read more from our piece, click here.



TRUMP MULLS OFFENSIVE CYBER STRATEGY: Director of National Intelligence Dan CoatsDaniel (Dan) Ray CoatsAn independent commission should review our National Defense Strategy Overnight Hillicon Valley — Scrutiny over Instagram's impact on teens Former national security officials warn antitrust bills could help China in tech race MORE on Wednesday indicated that the U.S. government is seriously considering adopting an offensive cyber warfare strategy.

When asked during a media breakfast in Washington, D.C., whether U.S. intelligence agencies should go on the offensive in terms of information warfare, Coats said such an idea is under "serious consideration" because the U.S. cannot constantly be playing defensive in the cyber space.

"I'm publicly onboard with the idea that you can't just play defense, you have to play offense. How we play offense, what kind of offense is under serious consideration," the cyber chief told reporters.

"Cyber falls under that grey zone of is this warfare or not warfare?" he continued in part. "In that grey zone -- I use the word 'attack.' I wanted people's attention that we have a cyber problem, a cyber issue that we need to deal with. It is affecting a lot of elements of our society and our economy."

His remarks come as longstanding frustrations continue to simmer among a bipartisan group of senators who say the federal government lacks a clear policy on how to respond if the U.S. faces a cyberattack -- a concern legislators raised during both the Obama and Trump administrations.

Over a dozen lawmakers across the aisle wrote to the Trump administration last month expressing a sense of urgency and urging officials to develop a comprehensive strategy to deter as well as adequately respond to malicious cyber behavior.

Coats, who has previously acknowledged a lack of a comprehensive U.S. cyber strategy, said new laws, policies and presidential directives may all be possible if the federal government does decide to adopt such a strategy.

"It could be all of the above, depending on what we feel we need in order to protect our self -- not only defensively, but we are not going to tolerate somebody using this method to attack our systems," he said.

While Coats did not provide a specific timeline for such a decision, he emphasized that the entire government is engaged on this matter.

"There is more going relative to this issue than I think has been reported," he said, calling it "one of our major challenges."

To read more from our piece, click here.




WHITE HOUSE EMAIL DOMAINS LACK SECURITY TOOL: More than half of the email domains managed by the White House's Executive Office of the President (EOP) have not yet implemented an email security tool designed to protect users from phishing attacks, according to new research.

The Department of Homeland Security (DHS) has required that federal agencies and departments operating .gov domains implement the tool, known as the Domain-based Message Authentication, Reporting, and Conformance (DMARC).

DMARC enables organizations to flag potentially fraudulent emails that fail authentication tests or, when stronger settings are turned on, send the messages directly to a recipient's spam folder or block them entirely.

According to the Global Cyber Alliance, only one of the 26 email domains managed by the EOP -- Max.gov -- has implemented the highest DMARC setting.

Seven EOP domains, including WhiteHouse.gov and EOP.gov, have implemented the tool on its lowest security setting, while the remaining 18 have yet to deploy DMARC at all.


Homeland Security announced last year that it would require federal agencies to implement DMARC, setting a mid-January deadline for agencies to comply with the directive.

The binding operational directive issued in October applies to all federal and executive branch .gov domains, with the exception of those used for national security, military or intelligence purposes.

To read more from our piece, click here.


A LIGHTER, COMPLETELY NON-CYBER, CLICK: "Even monkeys need a spa day." (AFP)




CHINESE CYBER CAMPAIGNS: Chinese espionage activity is posing a challenge for the Trump administration as it seeks to crack down on China for allegedly unfair trade practices, including persistent cyber intrusions targeting U.S. businesses.

While China has largely stopped hacking into U.S. companies to steal intellectual property in accordance with a 2015 Obama-era pact, security experts say Beijing's spies have continued to break into U.S. networks to advance China's economic and national security ambitions--testing the limits of the deal.

Chinese hackers continue to steal information from U.S. defense contractors, likely to gain a strategic edge over the U.S. military. There has also been a surge of new activity of Chinese hackers targeting Western think tanks, U.S. law firms and the U.S. maritime industry.

Meanwhile, the security community is warning that some of President TrumpDonald TrumpJan. 6 panel faces double-edged sword with Alex Jones, Roger Stone Trump goes after Woodward, Costa over China Republicans seem set to win the midterms — unless they defeat themselves MORE's recent decisions regarding China, including moves to slap tariffs on Beijing and block Chinese acquisitions of U.S. firms, could trigger potential blowback in cyberspace.

"We're warning some of our high tech customers that this 'honeymoon' period they've had for the last couple years could be over if the trade conflict between Beijing and Washington intensifies and Chinese companies are no longer able to acquire their U.S. counterparts," said Christopher Porter, chief intelligence strategist at FireEye.

Chinese cyber activity has long posed a challenge for the U.S. government, which has sought to crack down on Chinese efforts to break into U.S. corporate networks for commercial gain. China is also widely suspected in the massive Office of Personnel Management (OPM) breach that exposed personal data on over 20 million federal workers, though Beijing's government has denied any involvement.

In September 2015, then-President Obama and Chinese President Xi Jinping reached a watershed agreement to stop supporting cyber-enabled intellectual property theft against businesses in their respective borders.

Since the agreement, security experts have observed a significant decline in Chinese cyber-enabled intellectual property theft from U.S. companies, and the pact has been largely cheered as a diplomatic accomplishment. Indeed, the Trump administration reaffirmed the cyber pact with Beijing in October.

But last month, Trump accused China of continuing to conduct and support "unauthorized intrusions into, and theft from" U.S. company networks when announcing new tariffs on China -- raising the specter that Beijing may have run afoul of the agreement. On Wednesday, Trump said intellectual property theft has cost the U.S. economy $300 billion annually.

Experts say that Chinese hackers, widely viewed as among the most sophisticated, have shifted their operations so as not to explicitly violate the agreement while still maintaining a presence in U.S. networks.

Porter said that FireEye, which monitors more than two-dozen groups linked to the Chinese government, has seen espionage activity continue against U.S. firms, including those producing sensitive military technology like satellite navigation systems and semiconductors.

"We do see these same Chinese groups aggressively going after the U.S. private sector," said Porter. "They are collecting confidential business information, it's just the intellectual property theft that has been stopped."

In March, FireEye revealed that Chinese hackers have stepped up attacks on the U.S. maritime and engineering targets. While the espionage group has not been definitively linked to the Chinese government, the hackers appeared to be after information on South China Sea issues, which would be valuable to the Chinese navy.

"In the end of 2016 and beginning of 2017, we saw an uptick in offensive operations against U.S. targets by China," said Adam Meyers, vice president of intelligence at CrowdStrike.

Meyers also told The Hill that the firm has seen a large increase in activity targeting U.S. law firms since June 2017.

To read more of our piece, click here.



Links from our blog, The Hill, and around the Web.

Google employees urge company to drop Pentagon A.I. work. (The Hill)

Tech rivalries spill into Washington. (The Hill)

Several White House domains lack anti-phishing tool: research. (The Hill)

OP-ED: When it comes to online data, the feds appear to believe in privacy for some, but not all. (The Hill)

OP-ED: A ransomware attack brought Atlanta to its knees -- and no one seems to care. (The Hill)

Hackers change display of multiple Israeli sites to read: 'Jerusalem is the capital of Palestine.' (The Times of Israel)

U.S. Air Force shifting towards outsourcing IT operations in effort to boost cybersecurity workforce. (Cyberscoop)

The ACLU has eight questions for Mark Zuckerberg. (ACLU)

Judge says Massachusetts can sue Equifax. (Reuters)

The mysterious hacking group behind major recent breaches. (Wired)

New survey says hiring gamers could fill cybersecurity workforce gap. (McAfee)

New report details latest global cyber trends like workforce skills gap, targeted organizations. (FireEye)

New America offers policymakers some election security advice. (New America)