Overnight Cybersecurity: Senators eye path forward on election security bill | Facebook isn't winning over privacy advocates | New hacks target health care


Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...



--SENATORS CHART PATH FORWARD ON ELECTION SECURITY BILL: Senators are working to again revise legislation designed to help guard digital voting infrastructure from cyberattacks after meeting with state officials. Sen. James Lankford (R-Okla.) told The Hill that he expects to work out the final details of the bill within "weeks," after state election officials expressed some remaining concerns with the current version. Lankford and a slate of bipartisan co-sponsors originally introduced the legislation, called the Secure Elections Act, last December, months after the Department of Homeland Security acknowledged that Russian hackers tried to break into voting systems in 21 states as part of a broader effort to interfere in the 2016 presidential election.



--CONGRESS HAS ALREADY sent $380 million to states to upgrade voting equipment and address security concerns. The proposal -- spearheaded by Sens. Lankford, Amy Klobuchar (D-Minn.) and others -- would go further. It would codify into law many of the actions already underway at the Department of Homeland Security, seeking to expedite security clearances to state officials and bolster information sharing between the federal government and the states on cybersecurity threats and breaches. It would also set up a grant program for states to take steps to secure their voting infrastructures. It would be guided by a federal advisory panel that would develop guidelines and recommendations for states to follow on election cybersecurity. "The biggest consideration is, 10 years from now, we don't want people to lose focus and to take their eye off the ball," Lankford told The Hill on Thursday.


The hold up: State officials have been wary of efforts to address election security at the federal level, given that states -- not the federal government -- have historically been responsible for administering elections. The senators brought the states to the table to hammer out the legislation. Last week, Klobuchar and Lankford met with secretaries of state from Indiana, Louisiana, Minnesota and Missouri to discuss the proposal.


--BY ALL ACCOUNTS, the meeting went smoothly. Lankford described it as "very productive," adding that the biggest concern was whether the advisory panel created by the bill would be redundant, given other groups already in place at the federal level to advise states. Minnesota Secretary of State Steve Simon (D) told The Hill he was encouraged that the lawmakers were open to changing the legislation based on states' input, describing himself as "supportive of the overall approach."


Not so fast... Still, the secretaries are not signing on to support the legislation -- at least not yet. "I'm not ready to support the legislation in its current form," said Missouri Secretary of State Jay Ashcroft (R). "I probably disagree a little bit with some of the senators on how important the bill is," he said, adding that he believes the extent of Russia's efforts has been "exaggerated" by federal officials. Ashcroft said that the revised version should do more to increase the flow of information from the federal side to the states, which was a source of concern ahead of the 2016 vote.


The bottom line: Senators are going to have to make some changes to get state officials to back the bill. We expect to see a new draft in coming weeks.



-- FACEBOOK ISN'T CONVINCING PRIVACY ADVOCATES. Facebook's response to a massive data scandal is doing little to appease privacy advocates. It's been a month since the news broke that Cambridge Analytica, a political consulting firm that did work for the Trump campaign, had obtained data on millions of Facebook users without their knowledge. The revelation spurred investigations from regulators in the U.S. and Europe and drove Facebook CEO Mark Zuckerberg to testify before Congress for the first time. And in the face of scrutiny from governments and consumers around the world, Facebook has mounted an apology tour, pledging to re-evaluate its responsibility to its users. As part of that effort, and as the company readies itself for a sweeping European Union (EU) privacy law, Facebook has announced a series of changes to its platform that it says will better protect user data and provide more transparency.


--PRIVACY ADVOCATES, many of whom have been criticizing Silicon Valley's data collection practices for years, are skeptical that the changes will have any real effect. "It doesn't look to me like they're sincere about that at all," said John Simpson of Consumer Watchdog. "I'm not particularly impressed yet about their so-called commitment to privacy." Facebook said that it would restrict third-party apps' data collection and announced that it would be severing ties with data brokers, which have helped advertisers link Facebook data with consumer information from other sources. Some watchdogs see the moves as promising first steps, but insist they fall short of alleviating their concerns about the way Facebook operates. Some of the reforms appear to be in preparation for the EU's General Data Protection Regulation (GDPR), a law going into effect next month that will require websites to offer users greater control over their own data and be more upfront about how they collect and use personal information.


The critics' argument: Facebook has been using the changes for GDPR as a way to deflect concerns that bubbled up following the Cambridge Analytica scandal, they say. And many who support the European data law worry that Facebook is only doing the bare minimum required by the law.


The bottom line: A month after the Cambridge Analytica bombshell, Facebook isn't out of the dog house.




IN THE SENATE, the Judiciary Committee is slated to vote on a bill Thursday that aims to block President Trump from firing special counsel Robert Mueller amid his federal investigation into Russian interference.

Judiciary Chairman Sen. Chuck Grassley (R-Iowa), who has raised some doubts about the legality of the legislation, said he will allow for a vote on the Special Counsel Independence and Integrity Act if lawmakers can reach a bipartisan agreement on the matter.

Sens. Cory Booker (D-N.J.), Lindsey Graham (R-S.C.), Christopher Coons (D-Del.) and Thom Tillis (R-N.C.) introduced the bipartisan bill that would let Mueller, or any other special counsel, receive an "expedited judicial review." The review would determine whether the firing was for a "good cause." If it was determined the firing was not for a good cause, then the special counsel would be reinstated.

The lawmakers introduced the legislation shortly after Trump became enraged over the FBI's recent raid on the offices, home and hotel room of his personal attorney, Michael Cohen. Mueller's team reportedly had given a referral to the New York bureau, prompting the raid.

Grassley's decision to plow forward with a vote on the matter comes after Senate Majority Leader Mitch McConnell (R-Ky.) said he will not bring the bill to the Senate floor for a vote. McConnell has repeatedly argued that he does not believe Trump will fire Mueller, therefore such legislation is unnecessary.

Grassley, however, said he'll allow a vote.


IN THE HOUSE, lawmakers are set to vote on a bill introduced last week that would reauthorize the Federal Aviation Administration through 2023. The bill contains a number of provisions related to cybersecurity.

The head of the agency, under the FAA Reauthorization Act of 2018, would need "to develop an integrated Cyber Testbed" that aims to develop, test and evaluate air traffic control modernization programs or technologies before they enter U.S. airspace.

Michael Huerta, who is presently serving as the acting FAA administrator, would have six months to establish a research and development program that focuses on improving the "cybersecurity of civil aircraft and the national airspace system." And after a year, the FAA would also need to present a program that "contains objectives, proposed tasks, milestones, and a 5-year budgetary profile."

The bill lists a series of areas for the Testbed to address in its search for cybersecurity vulnerabilities including the "cabin communications, entertainment, and information technology systems on civil passenger aircraft." The administrator would also need to determine how the agency can coordinate with the private sector as well as other organizations on the matter.

The bill would also require the FAA to consult the National Institute of Standards and Technology (NIST) about creating an internal cybersecurity threat-modeling program to identify and combat cybersecurity vulnerabilities, updating the model at least every 5 years.


Timeline: The Rules Committee is scheduled to mark up the legislation on Tuesday before the House votes on the bill on Wednesday.



NEW HACKER GROUP HITS HEALTH CARE: A new hacking group has been spying on health-care organizations in the United States and across the globe likely for commercial purposes, according to cybersecurity firm Symantec.

The group, which Symantec has named "Orangeworm," has been installing backdoors in large international corporations based in the U.S., Europe and Asia from the health-care sector.

Among its victims are health-care providers and pharmaceutical companies, as well as IT companies and equipment manufacturers that work for health organizations.

Health-care organizations have in recent years emerged as a prime target for cyber criminals, including those looking to deploy ransomware in order to generate a profit.

Symantec suspects that the Orangeworm hackers are breaching these organizations likely to carry out corporate espionage, such as the theft of trade secrets. The cyber firm found no evidence that the group is operating on behalf of a nation-state.

"Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking," Symantec said in a report published Monday. "Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack."

The hackers, who have been active since early 2015, infiltrate networks of their victims and install malware that allows them remote access to the compromised machine.




The new royal baby is here! (BBC)



THE G7: Cybersecurity was a topic of discussion at the "Group of Seven" meeting in Toronto, Canada, in recent days, according to U.S. officials.

Acting Secretary of State John Sullivan, attending with other foreign ministers, told reporters Monday that the U.S. is calling on its allies to hold Iran accountable for sponsoring cyberattacks in addition to other "destabilizing activities."

"The United States calls on all of our partners to continue working alongside us as we counter Iran's destabilizing activities in the region and hold the Iranian Government accountable for their actions: supporting terrorist organizations, launching cyber attacks, threatening international shipping interests, and committing unconscionable human rights abuses," Sullivan said.

In response to a question, Sullivan also stressed that the Trump administration is committed to "confronting Russian malign behavior," pointing to the expulsion of Russian intelligence agents and sanctions on Russian companies and oligarchs recently imposed under a law designed to punish Moscow for meddling in the 2016 presidential election.

"We have undertaken significant actions in response" to Russia's behavior, Sullivan said. "We stand with our G7 allies in confronting Russian malign behavior where – wherever we see it."

He added, however, that the U.S. still wants to work with Russia on some issues, including the New START agreement and counterterrorism.

Meanwhile, Homeland Security Secretary Kirstjen Nielsen met with her foreign counterparts at the G7 Security Ministerial, urging other nations to call out foreign nations for misbehavior "especially in cyberspace," according to a readout from her meeting provided by the department on Monday.

"The G7 participants also outlined their strong opposition to foreign efforts to undermine democracy and discussed Russian malign activity overseas, online, and within G7 nations. Secretary Nielsen pressed G7 nations to continue calling out foreign adversaries for misbehavior--especially in cyberspace--and to deliver consequences to deter it," the department said.



Links from our blog, The Hill, and around the Web.

Privacy group sues FTC for records on Facebook's privacy program. (The Hill)

Paul backs Pompeo, clearing path for confirmation. (The Hill)

White House stresses Trump has 'no intention' of firing Mueller. (The Hill)

OP-ED: Can Silicon Valley expect European-style regulation here at home? (The Hill)

The Trump administration is considering sanctioning Russia-based Kaspersky Lab. (CyberScoop)

Google has more of your personal data than Facebook. (Wall Street Journal)

DARPA looks to combine humans, computers to defend networks. (NextGov)

The Cambridge Analytica whistleblower says he will testify before Congress. (Mashable)

Portugal is joining a NATO-sponsored cyber center. (NATO Cooperative Cyber Defence Centre of Excellence)

Half of British manufacturers have been successfully targeted by cyberattacks. (The Telegraph)