Overnight Cybersecurity: Pompeo pressed on cyber plans at State | Equifax hit with new lawsuit over breach | Uber expands privacy settlement with FTC


Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ..



--POMPEO ON THE HOT SEAT: CIA Director Mike Pompeo appeared before the Senate Foreign Relations Committee on Thursday for his confirmation hearing to be President Trump's secretary of State. Cyber-related issues came up at a few points during the hearing.


--POMPEO PRESSED ON STATE CYBER OFFICE. In one exchange with Sen. Cory Gardner (R-Colo.), Pompeo would not say what his plans would be for the top cyber position at the State Department, though he said he would put "a great deal of resources" toward cybersecurity efforts if confirmed. Gardner asked Pompeo about his plans for the cybersecurity position at the State Department, an apparent reference to the now-defunct role of cybersecurity coordinator. Former Secretary of State Rex Tillerson, whom President Trump fired last month, eliminated the position as part of his broader reorganization plan for the department -- a move that irked both Republicans and Democrats. Tillerson told Congress last summer that he was closing the Office of Cybersecurity Coordinator and folding its responsibilities into a bureau focused on economic and business affairs.


"I have had the [organization] chart shown to me. I have seen the holes," Pompeo said Thursday. "Beyond that, I haven't given a great deal of consideration to people filling particular positions." "I can only say that, every element of government has a piece of its cyber duty. It's one of the challenges that it's so deeply divided, that we don't have a central place to do cyber work," Pompeo said. "At the CIA, we've spent a great deal of resources. I hope we have delivered value on our cyber efforts. I would hope we do the same thing at the State Department," he said.

Read more on that here.


--POMPEO ALSO WOULD NOT RESIGN if he were secretary of State and President Trump fired Deputy Attorney General Rod Rosenstein to stymie the investigation into Russian election interference. Pompeo was asked by Sen. Christopher Coons (D-Del.) if he would resign his position "in order to demonstrate that we are a nation of laws, not of men" if Rosenstein were fired. "My instincts tell me no," Pompeo said. "My instincts tell me that my obligation is to continue to serve as America's senior diplomat would be more important at increased times of political and domestic turmoil." "We've seen this in America before, right? This wouldn't be the first time that there's been enormous political turmoil. My recollection of history is that previous secretaries of State stayed the course," he continued.

Background: Trump has reportedly been mulling whether to fire Rosenstein, who is overseeing special counsel Robert Mueller's investigation into Russian interference. Earlier this week, the FBI raided the office, home and hotel room of Trump's personal lawyer, Michael Cohen, in connection with the Mueller investigation. Rosenstein is said to have personally approved the search. Trump assailed the Russia investigation following the events, calling it "fake and corrupt." "Mueller is most conflicted of all (except Rosenstein who signed FISA & Comey letter). No Collusion, so they go crazy!" the president tweeted Wednesday. Pompeo said Thursday he is "confident" he would not resign his post if Trump moved to fire the deputy attorney general.

Read more on that here.


--POMPEO ON WIKILEAKS: Pompeo reaffirmed his past characterization of WikiLeaks as a "non-state hostile intelligence service," as well as his agreement with the U.S. intelligence community's conclusions about Russian interference in the 2016 presidential election. And he stressed the need for the United States to push back against Moscow's efforts to undermine democracy worldwide--including using cyber means. "We need to push back in each place that we confront them, and by every vector--cyber, economic, each of those tools that Vladimir Putin is using, we need to do our best to make sure that he does not succeed in what we believe his ultimate goal is," Pompeo said.

Read more on that here.



EQUIFAX. The Attorney General of West Virginia on Thursday filed suit against Equifax, accusing the credit reporting agency of failing to secure its systems, resulting in the data breach that affected roughly 148 million people in the United States.

Attorney General Patrick Morrisey said that not only did the company fail to heed four separate warnings that its online dispute portal systems were vulnerable, but Equifax also stalled in alerting the affected consumers.

"Equifax's failure to secure consumers' personal information constitutes a shocking betrayal of public trust and an egregious violation of West Virginia consumer protection and data privacy laws," Morrisey said in a statement.

More than 730,000 West Virginians were impacted by the breach, putting the residents at risk of "identity theft, tax return scams, financial fraud and other harm," according to a press release detailing the lawsuit, which was filed in Boone County Circuit Court.

The lawsuit said Equifax did not detect the breach for roughly six weeks after hackers infiltrated its system in May 2017. The company then sat on that information until September before customers were notified.

During that time, Equifax's CIO reviewed his "available stock options and sold roughly 6,815 shares of Equifax stock by Aug. 28, 2017," Morrisey alleges in the court documents.

He also accuses Equifax of handling the crisis in a way that deceived its customers by offering a "complimentary" monitoring service that ultimately left them paying for a service that waived their right to a class-action lawsuit.

Morrisey wants Equifax to pay $150,000 for each security breach, $5,000 for each violation of West Virginia's Consumer Credit and Protection Act, and reimburse the state for all legal fees.



A former cyber official on Thursday laid out nine recommendations the federal government should consider in order to better secure U.S. systems from outside attacks carried out by foreign intelligence as well as other hacker groups.

Kate Charlet, director of the Carnegie Endowment's Tech and International Affairs Program and former acting deputy assistant secretary of defense for cyber policy, said Congress should prioritize appropriating meaningful funds to information technology (IT) modernization in the 2019 fiscal year.

"A larger-scale, up-front investment--one that can reinvest savings from use of modern approaches--would keep momentum going on much-needed modernization efforts," she wrote in a post.

The passage of the Modernizing Government Act was a good step toward "addressing the government's legacy information technology problem," she continued, but the $100 million appropriated for the 2018 fiscal year "is a drop in the bucket of what is needed."

Charlet said the Trump administration should shift its primary focus from protecting important assets and systems to protecting missions and functions.

"The National Security Council (NSC) and Office of Management and Budget (OMB) should direct each agency to first identify its core missions and functions, second identify the network infrastructure that supports those functions, and finally develop risk mitigation measures to ensure continuation of the core function even if that infrastructure were subject to cyber attack," she wrote.

Agencies should continue to work to strengthen initiatives, like their "capabilities to detect threats and vulnerabilities in agency networks," as well as "demand better risk-based decision-making tools," she advised.

In addition, Charlet proposed that certain agencies undertake measures to better protect U.S. systems in cyberspace. She suggested that the Department of Homeland Security (DHS) begin to strategize on how best to leverage its ability to issue Binding Operational Directives -- orders that direct executive branch agencies how to better safeguard federal information systems.

"The DHS and the Office of Science and Technology Policy should develop a strategy for automation in federal cybersecurity," Charlet added.

Her other steps for security included boosting the federal workforce.

"Agencies and Congress should expand special hiring authorities for cyberspace expertise, but should also focus on retention. Getting and keeping the right talent can have an outsized impact on protecting government networks," she wrote.



Think your card tricks are cool? A.I. can measure brain cells. (Wired)



Uber has agreed to expand a settlement it reached with the Federal Trade Commission (FTC) last year in light of a massive data breach that the company revealed months after the agreement with regulators to settle previous privacy violations.

Like the previous settlement, which was reached in August, the revised agreement does not include a monetary fine for the breach that compromised information for 57 million people.

"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach," Maureen Ohlhausen, the acting FTC chairwoman, said in a statement. "The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future."

Under the terms of the new agreement, Uber has to disclose any future data breaches to the FTC or risk fines.

Uber did not reveal the 2016 breach until November of last year, after Dara Khosrowshahi took over as CEO, replacing the embattled founder Travis Kalanick.

To read more from our piece, click here.



Links from our blog, The Hill, and around the Web.

EU privacy watchdogs: Facebook apology 'simply is not enough'. (The Hill)

Majority of Facebook users 'very concerned' about sale, use of personal data. (The Hill)

DOJ gives House Intel original document that prompted Russia investigation. (The Hill)

FCC chairman rejects senators' request to investigate Sinclair. (The Hill)

OP-ED: Russia's assault on Telegram the first salvo in its war against encryption. (The Hill)

OP-ED: Is critical infrastructure vulnerable to catastrophic attack? (The Hill)

UK's National Cyber Security Centre implementing new cyber threat prioritization framework. (Press Release)

UK carries out 'major offensive cyber-campaign' against Islamic State group. (BBC)

GOP plans to discredit Comey ahead of book tour. (CNN)

MySpace sold user data much like Facebook. (Motherboard)

Mueller's team prepares to move forward without Trump interview. (NBC)