Overnight Cybersecurity: Homeland Security official says Russia likely targeted more than 21 states | Senate approves Trump's NSA chief | Lawmakers unveil bipartisan internet privacy bill

Overnight Cybersecurity: Homeland Security official says Russia likely targeted more than 21 states | Senate approves Trump's NSA chief | Lawmakers unveil bipartisan internet privacy bill
© Getty Images

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...

 

THE BIG STORIES:

--DHS OFFICIAL SAYS RUSSIA LIKELY TARGETED MORE THAN 21 STATES: A top Department of Homeland Security official said Tuesday that Russian hackers likely targeted more than 21 states before the 2016 election as part of a broader effort to interfere in the vote. Jeanette Manfra, the official, acknowledged that the department only had enough "visibility" to confirm activity targeting 21 states because of sensors in place in the state systems and information provided by the intelligence community. "I think we can assume that the majority of the states were probably a target," Manfra said during a Senate Homeland Security Committee hearing in response to questioning from ranking member Sen. Claire McCaskillClaire Conner McCaskillLobbying world Dem candidate has Hawley served subpoena at CPAC Annual scorecard ranks GOP environmental efforts far below Dems in 2018 MORE (D-Mo.). But Manfra pushed back on McCaskill's assertion that states where activity was not detected were likely more vulnerable to Russian hackers because they didn't have tools in place to detect breach attempts. Manfra noted that most of the activity Homeland Security analyzed involved hackers scanning for vulnerabilities, rather than trying to break into systems. Manfra stressed that only a small number of state systems were actually breached.

 

ADVERTISEMENT

--HOMELAND SECURITY OFFICIALS said last year that Russian hackers targeted election-related digital systems in 21 states before the 2016 presidential election. Federal officials maintain that hackers did not target systems involved in vote-tallying, and that there is no evidence any vote tallies were changed. The disclosure has prompted broad concerns about future interference efforts by Russia or other foreign actors. On Tuesday, Manfra said the department has seen no activity of Russia or other actors targeting election systems ahead of the 2018 midterm elections. She also stressed that the agency has adopted an "aggressive posture" to election security. Manfra faced a broad slate of questions from lawmakers about Homeland Security's efforts to guard federal networks and critical infrastructure from cyber threats. Topics covered at the hearing included the department's decision to bar federal agencies from using software produced by Kaspersky Lab, recent Russian attacks on routers and other internet infrastructure, and the definition of "cyber warfare." The hearing focused broadly on mitigating America's cybersecurity risk and also featured testimony from Greg Wilshusen, an official at the Government Accountability Office, and Eric Rosenbach, a former Pentagon official and cyber expert at Harvard's Belfer Center. At the conclusion of the hearing, Chairman Ron JohnsonRonald (Ron) Harold JohnsonGOP moves to rein in president's emergency powers The Hill's 12:30 Report: O'Rourke jumps into 2020 fray Trump vows veto ahead of Senate vote on emergency declaration MORE (R-Wis.) said it was clear from testimony that the U.S. has "come a long way" in terms of cybersecurity, but that more needs to be done. "We're getting our act together, but it's difficult, it's complex," Johnson said.

To read more of our coverage, click here.

 

--CAMBRIDGE ANALYTICA WHISTLEBLOWER BRIEFS HOUSE DEMS: Christopher Wylie, the whistleblower behind revelations about Cambridge Analytica's handling of Facebook user data, on Tuesday briefed a group of House Democrats behind closed doors. Following the interview, Democrats from the House Judiciary and the Oversight and Government Reform committees warned about the prospect of election interference on social media and urged the panels' leaders to hold full hearings on the data scandal. "We must do more to learn how foreign actors collect and weaponize our data against us, and what impact social media has on our democratic processes," the members said in a joint statement. "Cambridge Analytica is not the first company to engage in these types of tactics, nor will they be last if we fail to conduct oversight and investigate this matter thoroughly." The Democrats said that Republicans had refused an invitation to participate in the interview. Members leaving the briefing said they were struck by how Cambridge Analytica, which is based in London, operated with the sophistication of a military unit and worried that the U.S. was vulnerable to such firms manipulating elections. "A very disturbing testimony in my view, because it really shows how there was a coordinated effort to mislead and to use propaganda to influence an American presidential election," Rep. David CicillineDavid Nicola CicillineHouse panel approves controversial changes to Violence Against Women Act Business groups urge Congress to combat LGBTQ discrimination in workplace Hillicon Valley: Google takes heat at privacy hearing | 2020 Dems to debate 'monopoly power' | GOP rips net neutrality bill | Warren throws down gauntlet over big tech | New scrutiny for Trump over AT&T merger MORE (D-R.I.) told reporters. Cambridge Analytica has denied using the improperly obtained data during its work for President TrumpDonald John TrumpWarren: 'White supremacists pose a threat to the United States like any other terrorist group' National Enquirer paid 0,000 for Bezos texts: report Santorum: Trump should 'send emails to a therapist' instead of tweeting MORE's 2016 campaign.

To read more of our coverage, click here.

 

A LEGISLATIVE UPDATE: 

IN THE SENATE: Sens. Amy KlobucharAmy Jean KlobucharPoll: Biden leads among millennial voters Sanders fundraises off O'Rourke's announcement that he pulled in .1M The Hill's 12:30 Report: Trump hits media over New Zealand coverage MORE (D-Minn.) and John KennedyJohn Neely KennedyMORE (R-La.) on Tuesday introduced a bipartisan internet privacy bill that would give users more control over what websites can do with their data.

The new bill, the Social Media Privacy Protection and Consumer Rights Act, comes just weeks after Congress threatened Facebook CEO Mark ZuckerbergMark Elliot ZuckerbergConservatives face a tough fight as Big Tech's censorship expands Actually, consumers love Big Tech, even if they say they don't Top Instagram communications staffer leaves for Michelle Obama's staff MORE with tougher regulations when he testified in back-to-back hearings earlier this month.

"I don't want to hurt Facebook, and I don't want to regulate them half to death, either," Kennedy said in a statement. "But I have a job to do, and that's protecting the rights and privacy of our citizens."

What it does: The bill would give users the right to opt out of having their data collected and require websites to make their terms of service easily understandable. Users would also have the ability to order websites to delete their data and request copies of what has been collected about them.

Timeline: Zuckerberg promised Congress that Facebook would take a broader view of its responsibility to consumers after it was revealed that Cambridge Analytica, a political firm that contracted with President Trump's 2016 campaign, obtained data on more than 87 million users without their knowledge.

Still, some lawmakers, such as Kennedy and Klobuchar, see the need for privacy legislation to rein in internet giants. Their bill would require websites to inform users of privacy violations within 72 hours of any breach.

To read more of our piece, click here.

 

A CONFIRMATION IN FOCUS: 

TRUMP'S NSA DIRECTOR: The Senate has approved President Trump's choice to lead the National Security Agency (NSA) and U.S. Cyber Command.

The upper chamber approved the nomination of Lt. Gen. Paul Nakasone in a voice vote Tuesday morning. Nakasone will replace outgoing NSA Director Mike RogersMichael (Mike) Dennis RogersWhy states should push forward with cyber laws Getting real about Huawei Ex-House Intel chair: Intel panel is wrong forum to investigate Trump's finances MORE.

Nakasone, who has most recently helmed the U.S. Army's cyber operations, is widely cheered by current and former officials as a qualified choice. He was commissioned as a military intelligence officer more than three decades ago, serving in key roles at the NSA and Cyber Command.

Nakasone sailed through confirmation hearings before the Senate Armed Services and Intelligence committees last month, earning broad praise from lawmakers in both parties.

At the helm of the NSA, Nakasone will oversee the U.S. government's foreign and counterintelligence collection, an operation that has increasingly drawn scrutiny since the 2013 disclosures by NSA contractor-turned-whistleblower Edward Snowden.

The bottom line: Nakasone will serve in the dual-hatted position of NSA director and commander of Cyber Command, the Pentagon's burgeoning cyber warfare unit, while the Trump administration continues to study whether to separate the two organizations.

To read more of our coverage, click here.

 

A LIGHTER TWITTER CLICK: 

You know that person who talks too loudly on their phone in a public space? That appears to be President Trump's attorney Ty Cobbs. (Tweet)

 

WHAT'S IN THE SPOTLIGHT: 

YAHOO PAYS FOR EMAIL BREACH: Yahoo has agreed to pay a $35 million penalty after failing to properly notify customers and investors that hackers had compromised hundreds of millions of user accounts, the Securities and Exchange Commission (SEC) announced Tuesday.

Yahoo, which was rebranded after being purchased by Verizon last year, first learned about the cyber intrusion in December of 2014, but did not alert the public until December 2016, according to the SEC's order.

The company's information security team first discovered that Russian hackers had obtained a trove of personal user information in their hack four days after the breach took place, the SEC order says. The cyber criminals gained access to internal data like usernames, email addresses, passwords, phone numbers and birthdates, as well as security questions and answers for hundreds of millions of user accounts.

Yahoo only disclosed the breach to the public when Verizon was in the process of acquiring Yahoo's operating business, which it ultimately did in June, the SEC said.

"Although information relating to the breach was reported to members of Yahoo's senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors," the SEC said.

After the hack, the company continued to file both quarterly and annual reports that failed to disclose how one of the world's largest data breaches could affect their potential business. In addition, the company did not seek an outside party to assess the impact of the hack, the SEC found.

To read more of our piece, click here.

Why this matters: This settlement marks the first time the SEC has pursued a company for failing to properly disclose a cyber breach. While Yahoo agreed to pay the charges without admitting or denying wrongdoing, they still agreed to pay a multi-million dollar settlement.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Facebook unveils standards on policing users. (The Hill)

Twitter announces updated privacy policy ahead of new EU laws. (The Hill)

Facebook to let users appeal censored content. (The Hill)

Trump's CIA pick facing brutal confirmation fight. (The Hill)

GOP chairmen say they have deal with Justice on documents. (The Hill)

Comey book sales top 600,000 in first week. (The Hill)

OP-ED: Congress is walking the online privacy tightrope with oversight. (The Hill)

OP-ED: To solve the Facebook problem, think big (data). (The Hill)

Coalition of tech companies add 'Importance of Strong Encryption' to policy principles. (Reform Government Surveillance)

Pentagon program wants to combine cyber experts with computer defenders to confront cyberattacks. (Defense One)

Amazon is now delivering to your trunk for free -- if you're a Prime member. (CNN Money)

The G7 Communique has a lot of cyber talk. (G7 Foreign Ministers' Communique)