Overnight Cybersecurity: Homeland Security official says Russia likely targeted more than 21 states | Senate approves Trump's NSA chief | Lawmakers unveil bipartisan internet privacy bill

Overnight Cybersecurity: Homeland Security official says Russia likely targeted more than 21 states | Senate approves Trump's NSA chief | Lawmakers unveil bipartisan internet privacy bill
© Getty Images

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...



--DHS OFFICIAL SAYS RUSSIA LIKELY TARGETED MORE THAN 21 STATES: A top Department of Homeland Security official said Tuesday that Russian hackers likely targeted more than 21 states before the 2016 election as part of a broader effort to interfere in the vote. Jeanette Manfra, the official, acknowledged that the department only had enough "visibility" to confirm activity targeting 21 states because of sensors in place in the state systems and information provided by the intelligence community. "I think we can assume that the majority of the states were probably a target," Manfra said during a Senate Homeland Security Committee hearing in response to questioning from ranking member Sen. Claire McCaskillClaire Conner McCaskillDemocratic-linked group runs ads in Kansas GOP Senate primary Trump mocked for low attendance at rally Missouri county issues travel advisory for Lake of the Ozarks after Memorial Day parties MORE (D-Mo.). But Manfra pushed back on McCaskill's assertion that states where activity was not detected were likely more vulnerable to Russian hackers because they didn't have tools in place to detect breach attempts. Manfra noted that most of the activity Homeland Security analyzed involved hackers scanning for vulnerabilities, rather than trying to break into systems. Manfra stressed that only a small number of state systems were actually breached.



--HOMELAND SECURITY OFFICIALS said last year that Russian hackers targeted election-related digital systems in 21 states before the 2016 presidential election. Federal officials maintain that hackers did not target systems involved in vote-tallying, and that there is no evidence any vote tallies were changed. The disclosure has prompted broad concerns about future interference efforts by Russia or other foreign actors. On Tuesday, Manfra said the department has seen no activity of Russia or other actors targeting election systems ahead of the 2018 midterm elections. She also stressed that the agency has adopted an "aggressive posture" to election security. Manfra faced a broad slate of questions from lawmakers about Homeland Security's efforts to guard federal networks and critical infrastructure from cyber threats. Topics covered at the hearing included the department's decision to bar federal agencies from using software produced by Kaspersky Lab, recent Russian attacks on routers and other internet infrastructure, and the definition of "cyber warfare." The hearing focused broadly on mitigating America's cybersecurity risk and also featured testimony from Greg Wilshusen, an official at the Government Accountability Office, and Eric Rosenbach, a former Pentagon official and cyber expert at Harvard's Belfer Center. At the conclusion of the hearing, Chairman Ron JohnsonRonald (Ron) Harold JohnsonHillicon Valley: Facebook removed over 22 million posts for hate speech in second quarter | Republicans introduce bill to defend universities against hackers targeting COVID-19 research | Facebook's Sandberg backs Harris as VP pick Republicans set sights on FBI chief as Russia probe investigations ramp up Davis: The Hall of Shame for GOP senators who remain silent on Donald Trump MORE (R-Wis.) said it was clear from testimony that the U.S. has "come a long way" in terms of cybersecurity, but that more needs to be done. "We're getting our act together, but it's difficult, it's complex," Johnson said.

To read more of our coverage, click here.


--CAMBRIDGE ANALYTICA WHISTLEBLOWER BRIEFS HOUSE DEMS: Christopher Wylie, the whistleblower behind revelations about Cambridge Analytica's handling of Facebook user data, on Tuesday briefed a group of House Democrats behind closed doors. Following the interview, Democrats from the House Judiciary and the Oversight and Government Reform committees warned about the prospect of election interference on social media and urged the panels' leaders to hold full hearings on the data scandal. "We must do more to learn how foreign actors collect and weaponize our data against us, and what impact social media has on our democratic processes," the members said in a joint statement. "Cambridge Analytica is not the first company to engage in these types of tactics, nor will they be last if we fail to conduct oversight and investigate this matter thoroughly." The Democrats said that Republicans had refused an invitation to participate in the interview. Members leaving the briefing said they were struck by how Cambridge Analytica, which is based in London, operated with the sophistication of a military unit and worried that the U.S. was vulnerable to such firms manipulating elections. "A very disturbing testimony in my view, because it really shows how there was a coordinated effort to mislead and to use propaganda to influence an American presidential election," Rep. David CicillineDavid Nicola CicillineNew report finds majority of Americans support merger moratorium Five takeaways from Big Tech's blowout earnings What factors will shape Big Tech regulation? MORE (D-R.I.) told reporters. Cambridge Analytica has denied using the improperly obtained data during its work for President TrumpDonald John TrumpDemocrat calls on White House to withdraw ambassador to Belarus nominee TikTok collected data from mobile devices to track Android users: report Peterson wins Minnesota House primary in crucial swing district MORE's 2016 campaign.

To read more of our coverage, click here.



IN THE SENATE: Sens. Amy KlobucharAmy KlobucharCalifornia Dems back Yang after he expresses disappointment over initial DNC lineup Senate Democrats demand answers on migrant child trafficking during pandemic Senate Democrats push to include free phone calls for incarcerated people in next relief package MORE (D-Minn.) and John KennedyJohn Neely KennedyMORE (R-La.) on Tuesday introduced a bipartisan internet privacy bill that would give users more control over what websites can do with their data.

The new bill, the Social Media Privacy Protection and Consumer Rights Act, comes just weeks after Congress threatened Facebook CEO Mark ZuckerbergMark Elliot ZuckerbergFacebook removed over 22 million posts for hate speech in the second quarter Hillicon Valley: Trump order targets TikTok, WeChat | TikTok fires back | Chinese firms hit hard in aftermath Female lawmakers pressure Facebook to crack down on disinformation targeting women leaders MORE with tougher regulations when he testified in back-to-back hearings earlier this month.

"I don't want to hurt Facebook, and I don't want to regulate them half to death, either," Kennedy said in a statement. "But I have a job to do, and that's protecting the rights and privacy of our citizens."

What it does: The bill would give users the right to opt out of having their data collected and require websites to make their terms of service easily understandable. Users would also have the ability to order websites to delete their data and request copies of what has been collected about them.

Timeline: Zuckerberg promised Congress that Facebook would take a broader view of its responsibility to consumers after it was revealed that Cambridge Analytica, a political firm that contracted with President Trump's 2016 campaign, obtained data on more than 87 million users without their knowledge.

Still, some lawmakers, such as Kennedy and Klobuchar, see the need for privacy legislation to rein in internet giants. Their bill would require websites to inform users of privacy violations within 72 hours of any breach.

To read more of our piece, click here.



TRUMP'S NSA DIRECTOR: The Senate has approved President Trump's choice to lead the National Security Agency (NSA) and U.S. Cyber Command.

The upper chamber approved the nomination of Lt. Gen. Paul Nakasone in a voice vote Tuesday morning. Nakasone will replace outgoing NSA Director Mike RogersMichael (Mike) Dennis RogersHillicon Valley: Tech CEOs brace for House grilling | Senate GOP faces backlash over election funds | Twitter limits Trump Jr.'s account The Hill's Coronavirus Report: INOVIO R&D Chief Kate Broderick 'completely confident' world will develop a safe and effective COVID-19 vaccine; GOP boxed in on virus negotiations The Hill's 12:30 Report - Presented by Facebook - Barr's showdown with House Democrats MORE.

Nakasone, who has most recently helmed the U.S. Army's cyber operations, is widely cheered by current and former officials as a qualified choice. He was commissioned as a military intelligence officer more than three decades ago, serving in key roles at the NSA and Cyber Command.

Nakasone sailed through confirmation hearings before the Senate Armed Services and Intelligence committees last month, earning broad praise from lawmakers in both parties.

At the helm of the NSA, Nakasone will oversee the U.S. government's foreign and counterintelligence collection, an operation that has increasingly drawn scrutiny since the 2013 disclosures by NSA contractor-turned-whistleblower Edward Snowden.

The bottom line: Nakasone will serve in the dual-hatted position of NSA director and commander of Cyber Command, the Pentagon's burgeoning cyber warfare unit, while the Trump administration continues to study whether to separate the two organizations.

To read more of our coverage, click here.



You know that person who talks too loudly on their phone in a public space? That appears to be President Trump's attorney Ty Cobbs. (Tweet)



YAHOO PAYS FOR EMAIL BREACH: Yahoo has agreed to pay a $35 million penalty after failing to properly notify customers and investors that hackers had compromised hundreds of millions of user accounts, the Securities and Exchange Commission (SEC) announced Tuesday.

Yahoo, which was rebranded after being purchased by Verizon last year, first learned about the cyber intrusion in December of 2014, but did not alert the public until December 2016, according to the SEC's order.

The company's information security team first discovered that Russian hackers had obtained a trove of personal user information in their hack four days after the breach took place, the SEC order says. The cyber criminals gained access to internal data like usernames, email addresses, passwords, phone numbers and birthdates, as well as security questions and answers for hundreds of millions of user accounts.

Yahoo only disclosed the breach to the public when Verizon was in the process of acquiring Yahoo's operating business, which it ultimately did in June, the SEC said.

"Although information relating to the breach was reported to members of Yahoo's senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors," the SEC said.

After the hack, the company continued to file both quarterly and annual reports that failed to disclose how one of the world's largest data breaches could affect their potential business. In addition, the company did not seek an outside party to assess the impact of the hack, the SEC found.

To read more of our piece, click here.

Why this matters: This settlement marks the first time the SEC has pursued a company for failing to properly disclose a cyber breach. While Yahoo agreed to pay the charges without admitting or denying wrongdoing, they still agreed to pay a multi-million dollar settlement.



Links from our blog, The Hill, and around the Web.

Facebook unveils standards on policing users. (The Hill)

Twitter announces updated privacy policy ahead of new EU laws. (The Hill)

Facebook to let users appeal censored content. (The Hill)

Trump's CIA pick facing brutal confirmation fight. (The Hill)

GOP chairmen say they have deal with Justice on documents. (The Hill)

Comey book sales top 600,000 in first week. (The Hill)

OP-ED: Congress is walking the online privacy tightrope with oversight. (The Hill)

OP-ED: To solve the Facebook problem, think big (data). (The Hill)

Coalition of tech companies add 'Importance of Strong Encryption' to policy principles. (Reform Government Surveillance)

Pentagon program wants to combine cyber experts with computer defenders to confront cyberattacks. (Defense One)

Amazon is now delivering to your trunk for free -- if you're a Prime member. (CNN Money)

The G7 Communique has a lot of cyber talk. (G7 Foreign Ministers' Communique)