3 May 2016

What OMB is doing on federal cybersecurity, and what it should be doing

04/27/16

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball — he is from Indiana, after all — and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk. 

With help from Darren Goode 

NEXT UP FOR FEDERAL COMPUTER SYSTEMS — U.S. Chief Information Officer Tony Scott is thinking two steps ahead about how to modernize federal information technology, whose aging systems are often at the root of cybersecurity vulnerabilities. He again pushed the Information Technology Modernization Fund at a conference Tuesday, cautioning that lawmakers and the executive branch shouldn’t encumber it with other proposals that could make it confusing or hard to implement. But he’s got something in the works next that he says would complement the fund.

The Office of Management and Budget is in the process of figuring out how to apply the "bimodal IT" management model (the term is Gartner's) in the federal government, he said at the FedScoop-hosted conference. What that involves is maintaining the old, legacy systems while simultaneously building on a newer stack. “You always have this set of things that’s the old stuff — the legacy stuff, the bread-and-butter stuff that runs your agency — and you have to have some way of managing the old stack and the new stack,” Scott said. “It’s time to say goodbye to the ‘wait until it breaks’ mentality, and get on to a continuous upgrade, continuous refresh kind of motion.” (Of note: The bimodal IT model is far from universally embraced.)

— ALSO IN THE WORKS AT OMB: Leaders of the Senate Homeland Security Committee want OMB to hurry up in revising a policy document that they say serves as an impediment to automated monitoring of the cybersecurity of federal computer systems. Sens. Ron Johnson and Tom Carper sent a letter to OMB Director Shaun Donovan on Tuesday requesting a deadline for when his office will complete planned changes to Circular A-130, which requires security reviews of systems every three years that the pair said generate a large volume of paperwork. Because of that, it “remains an obstacle to the full adoption of this modern, automated approach to cybersecurity across government.” Johnson and Carper also want a series of briefings on the status of the update. Carper had mandated changes to A-130 under legislation he wrote that became law in 2014.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! At long last, “Robocop” is real. Send thoughts, feedback and especially your tips to tstarks@politico.com and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.

TODAY: HOUSE VOTES ON EMAIL PRIVACY, TRADE SECRETS — The House is set to take up the Email Privacy Act (which would require cops to get a warrant before accessing a person’s emails) and Defend Trade Secrets Act (which would let companies go after trade secrets thieves in federal court). Our friends at Morning Tech observe that it’s worth watching how big a vote the Email Privacy Act gets because it could influence a skeptical Senate.

ROGERS OFFERS NO DETAIL IN CYBER WAR AGAINST ISIL — U.S. Cyber Command chief Adm. Mike Rogers confirmed that the U.S. is using cyber tools to go after ISIL but wouldn’t offer details at a public cyber forum hosted by Georgetown University. “We are working against an adaptive, agile opponent. I’m not interested in giving them any advantage,” Rogers said. But it is important that ISIL and other terrorists know that “we are committed in this fight against you,” Rogers said. “Cyber is one tool of many that we will use.” He added that while the U.S. can probably deter nation-states from using cyber weapons, it’s unclear if it can find a way to deter groups like ISIL. “They have zero interest in the status quo, their mission is the destruction of the status quo,” Rogers said. But he said that “every entity, every individual has something ultimately that they value, in my experience,” and the trick is finding how that can lead to cyber deterrence. 

COMEY SAYS CHINA CYBER SYNDROME IMPROVING — FBI Director James Comey said China is becoming a better cybersecurity partner, seven months after President Barack Obama and Chinese leader Xi Jinping announced an agreement to limit cyber thefts of economically valuable intellectual property. “There’s been some positive conversations,” leading him to be “reasonably optimistic,” he said at the Georgetown cyber event. “And we seem to have agreed upon a framework for what is nation-state appropriate … and what is theft.” He said that is “less so in Russia,” while cyber relations are “working really well as you would expect throughout the EU, especially in the former Soviet states” because of the high amount of highly trained talent there.

APPLE VULNERABILITY DISCLOSURE? NOT SO FAST — Comey indicated at the same event that the FBI was still deciding whether to disclose the vulnerability it exploited to break into an iPhone used by San Bernardino shooter Syed Farook, but the FBI chief was swiftly contradicted by anonymous officials quoted by The Wall Street Journal. "We are in the midst of trying to sort that out," Comey said, adding that “I think we're close to a resolution." Shortly after his remarks, though, the WSJ reported that the FBI is going to recommend against a review to the White House that could result in the vulnerability’s disclosure, on the grounds that the bureau knew so little about the exploit. (Reuters also reported the same in the early evening.)

Kiran Raj, senior counsel to Deputy Attorney General Sally Yates, said at the Georgetown event later in the afternoon that he wasn’t aware of the Wall Street Journal report and declined to confirm, opting to defer to Comey’s earlier comments there. “The FBI is close to working out that question but they have not announced that to my knowledge,” Raj said. Then there’s this.

COMEY DEPRESSED ABOUT ENCRYPTION DEFENSE — Comey also said it is “depressing” that software companies and others who have pushed against letting law enforcement tap into encrypted data aren’t talking about the costs tied to blocking that access. “Because it meant either these very, very smart people didn’t understand the costs as well as they understood the tremendous benefits or they weren’t being fair minded,” Comey said. “Either one of those things was depressing to me.”

FOREIGN CYBER INSURANCE LANGUAGE — Cyber insurance remains in a period of “slow growth,” according to the latest survey data from the Council of Insurance Agents & Brokers out Tuesday. For the past six-month period, agents and brokers reported 24 percent of their clients purchased some form of cyber insurance; for the most recent, the number was 25 percent. One of the biggest challenges in the market is that there’s no uniform lexicon, respondents agreed. “Cyber insurance presents a unique challenge for brokers, because the technical language is foreign to most buyers and there are no common, agreed-upon terms across the industry,” said Ken A. Crerar, president and CEO of the council. Here’s the executive summary.

A PRECAUTIONARY ATTACK ON A DATA BREACH BILL — Data breach notification and standards legislation is on hold in the House, although one sponsor of two rival bills, Rep. Randy Neugebauer, has said he hoped GOP leaders would bring his measure to the floor this spring. Retailers, who dislike Neugebauer’s bill intensely because it models its broader standards on existing regulations in the financial sector, prefer a bill written by Rep. Marsha Blackburn, and they’re applying pressure to House leadership just in case there’s movement. “This legislation would not only have a detrimental effect on the retail community but would also negatively impact businesses of all sizes across the country,” the Retail Industry Leaders Association wrote of Neugebauer’s legislation in a letter Tuesday to House Speaker Paul Ryan, House Minority Leader Nancy Pelosi and others. “It makes no sense to take one industry’s regulations and apply it to a large segment of the economy without understanding the consequences.”

Meanwhile, the National Association of Federal Credit Unions issued a counterstrike, writing to Ryan and Pelosi in favor of the Neugebauer legislation. “Many large retailers who handle financial data have become the vulnerable targets of choice for cybercriminals,” thanks to not subscribing to the standards for the financial services sector, the organization wrote. “Credit unions suffer steep losses in re-establishing member safety after a data breach occurs. They are often forced to absorb fraud-related losses, many of which stem from a negligent entity’s failure to protect sensitive financial and personal information in their systems.”

SMALL BIZ TEAM-UP — New bipartisan legislation aims to help small businesses better secure their computer systems. Reps. Richard Hanna and Derek Kilmer introduced the bill Tuesday with the support of the leaders of the House Small Business Committee. Under the legislation, Small Business Development Centers — which are hosted by universities and state agencies and receive funding from the Small Business Administration — would assist businesses under a strategy developed jointly by SBA and the Homeland Security Department. They would help small businesses develop cybersecurity plans and take other steps to enhance security.

House Homeland Security Committee Chairman Mike McCaul has a stake in the bill, too, with a committee aide saying McCaul supports ways to help small companies. “Today, these businesses are being attacked by nation states, transnational criminal organizations, terrorists, and other hacker groups,” the aide said. “To combat these growing threats, we must improve coordination across government to more effectively support these small companies.”

THEORY, PRACTICE — Now that information sharing legislation is the law of the land, it’s time to put it into practice, and PwC has some recommendations out today on how. One focus should be on Information Sharing and Analysis Organizations, a construct that the Obama administration has been trying to foster. The bottom line: “This means government agencies declassifying as much cyber threat information as possible and sharing it with the private sector. This means the private sector actively seeking ways to share their knowledge with each other, committing the time and resources to do so. And this means helping ISAOs fulfill their promise.”


QUICK BYTES

— Reps. Billy Long and Doris Matsui introduced legislation that would elevate the chief information security officer within Health and Human Services.

— A second judge, this one in the U.S. District Court for the Northern District of Oklahoma, has ruled that the warrant behind the government’s mass hacking in the “Playpen” sting was invalid.

— Leaders of the House Energy and Commerce Committee have questions for telecom carriers about a vulnerability in the global mobile signaling network (Signalling System No. 7, or SS7) that could let attackers intercept phone conversations. POLITICO Pro.

— Spotify says its users haven’t been hacked. Fox News.

— A security researcher says a “Minecraft” community has been. Softpedia.

— Krebs on Security explains how criminals get the CVV off payment cards.

— A timeline on Crypto Wars 2.0, going all the way back to 2003, from Daily Dot.

— The trial of two former PwC employees in the LuxLeaks case has begun. Accountancy Age.

— Financial Times features Iran’s surging cyber capability.

— Canada’s solution to cyberbullying might raise other concerns. Motherboard.

That’s all for today. I’d buy that for a dollar!
