Overnight Cybersecurity: US, China start cyber talks on Tuesday

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORIES:

–GATHER ROUND NOW: The U.S. and China on Tuesday will come to the table for their first official cybersecurity talks since the Asian power pulled out of a joint working group over a year ago. The high-level discussions in Washington, D.C., which will include Homeland Security Secretary Jeh Johnson and China’s Public Security Minister Guo Shengkun, aren’t expected to produce any major outcomes. But the mere fact that the meeting is taking place is seen as a positive step in rebuilding the fractured cyber relations between the two digital adversaries. The focus of the meetings will be the recent U.S.-China agreement to end commercial espionage. The deal was struck during Chinese President Xi Jinping’s state visit in September. In the agreement, both countries pledged to neither engage in, nor knowingly support, the digital theft of business secrets. But before either side can assess compliance, there are a number of questions that must be hammered out. What exactly is commercial espionage? What does “knowingly support” mean? What evidence is required to prove a country has broken the agreement? How will the two countries coordinate on cyber investigations? To read our full piece, click here.

{mosads}–ENCRYPTION BACKLASH: Privacy advocates are pushing back at arguments from the intelligence community that more surveillance powers would have prevented the Paris terrorist attacks that left 130 dead. They’re offended at what they see as naked opportunism from supporters of tough surveillance powers, and they argue the rhetoric — including suggestions that National Security Agency leaker Edward Snowden has blood on his hands — has gone too far. “Unfortunately, it’s somewhat par for the course,” said Evan Greer, campaign director for the digital rights activist group Fight For The Future. “Anytime these types of attacks happen, it’s a disturbing but expected moment that politicians will seize that opportunity to push for policies they’ve wanted for ages, regardless of whether they think it would actually have helped in that situation,” she said. The fight over whether Americans must trade security for privacy is playing out in two debates, one over encrypted data and one over the National Security Agency’s surveillance programs. In the wake of the attacks, law enforcement and intelligence officials as well as lawmakers revived arguments that tech companies stonewalled needed investigations by refusing to provide some form of guaranteed access or “back door” to encrypted devices. Some suggested that such access could have prevented the attacks, which were planned virtually under the noses of Belgian and French authorities — yet no evidence has been made public demonstrating the use of encryption by the attackers and preliminary reports show that at least some of the terrorists weren’t communicating through encrypted channels. To read our full piece, check back tomorrow.

–AS ETTA JAMES WOULD SAY: At last, an email privacy bill with more than 300 cosponsors will get a hearing in the lower chamber on Tuesday, but plans for a markup or vote on the legislation are still unclear. The House Judiciary Committee appears poised to cover much of the same ground as its Senate counterpart did during a hearing in September, when many of the same witnesses testified. The Email Privacy Act — led by Reps. Kevin Yoder (R-Kan.) and Jared Polis (D-Colo.) — has failed to move in the past two and a half years despite having support from a supermajority of the chamber. Supporters have opted against attempting to force a vote through a discharge petition. The legislation would close a loophole in the 1986 Electronic Communications Privacy Act (ECPA) that lets the government use a subpoena, rather than a warrant, to force companies such as Google and other service providers to hand over customers’ electronic communications if they are more than 180 days old. To read our full piece, click here.

 

UPDATE ON CYBER POLICY:

–I’M JUST A BILL. The House passed legislation on Monday to authorize a program to help train local law enforcement on preventing cyber crimes. The bill, approved easily by voice vote, would formally establish a National Computer Forensics Institute within the Secret Service for educating state and local law enforcement officers, prosecutors and judges on methods for investigating cyber threats and forensic examinations of mobile devices. In addition to training, the institute would provide local law enforcement agencies with computer equipment and software for investigating cyber and electronic crimes. The measure now heads to the Senate for approval. Check out our story, here.

–DON’T YOU, FORGET ABOUT ME … OR MY CLAUSE: A bipartisan group of senators wants to ensure that the major cybersecurity legislation headed for President Obama’s desk includes a provision they believe would help defend the nation’s critical infrastructure against a cyberattack. The clause would require the Department of Homeland Security (DHS) to assess the cybersecurity readiness at roughly 65 companies behind the nation’s infrastructure, and develop a plan for preventing a “catastrophic” cyberattack. Eight senators wrote the House and Senate co-sponsors of the companion cyber bills, encouraging them to include the line in the final bill, which will be hammered out in conference in the coming months. The cyber measures are intended to voluntarily encourage the private sector to share more information on hacking threats with the government. The House passed its two complementary measures in April, and the Senate followed by approving its companion bill in October. Read more about the provision and controversy surrounding it, here.

 

LIGHTER CLICK:

–IN A BARBIE WORLD. If you went shopping for a “smart” Barbie over cyber Monday, maybe think twice. Turns out Barbie is the latest on the list of unexpectedly hackable items. Read on, here.

 

A REPORT IN FOCUS:

–BALL, BALL, BALL, BALL! Sen. James Lankford (R-Okla.) on Monday issued his “Federal Fumbles” report, which details “100 ways the government dropped the ball.” Topping the list? This summer’s data breach at the Office of Personnel Management (OPM), which exposed over 20 million federal workers’ sensitive data.

From the report: “The federal government still does not know — and may not know for years to come — the extent of the damage done by the massive OPM breach. The monetary damage alone could be astronomical. But perhaps even more troubling has been OPM’s failure to heed multiple warnings to fortify its security systems that house federal workers’ personal information.”

Read the full thing, here.

 

WHO’S IN THE SPOTLIGHT:

–THE ARGENTINES. The New York Times details the skilled hackers and security researchers in Argentina, not often thought of as a hotbed of cyberspace talent. We’ll turn it over to The Times: “Want to learn how to break into the computerized heart of a medical device or an electronic voting machine? Maybe a smartphone or even a car? Thanks to the legacy of military rule and a culture of breaking rules of all sorts, Argentina has become one of the best places on earth to find people who could show you how.”

Read on, here.

 

A LOOK AHEAD:

TUESDAY

–The House Subcommittee on Commerce, Manufacturing and Trade will hold a hearing at 10:15 a.m. on mobile payments.

–The House Judiciary Committee will hold a hearing at 10 a.m. on the Electronic Communications Privacy Act (ECPA).

–Intel will host an event titled “Paying Down the Cybersecurity Debt” at 5 p.m. Former White House senior director for cybersecurity Ari Schwartz will speak as part of a panel discussion.

WEDNESDAY

–The Senate Judiciary Committee will hold a hearing at 10 a.m. on trade secret theft.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

The educational toy maker VTech confirmed on Friday that it has been the victim of a cyberattack, potentially exposing the personal details of hundreds of thousands of children. (The Hill)

The European Union is pushing to give its national privacy regulators more power under a new U.S.-EU data transfer agreement currently under negotiations. (The Hill)

Target’s website was downed by a flood of shoppers seeking deep discounts on Cyber Monday. (The Hill)

Donald Trump is aligning himself with GOP presidential rivals Sen. Marco Rubio (Fla.) and former Florida Gov. Jeb Bush in the Republican Party’s divide over federal surveillance powers. (The Hill)

The Chinese military significantly reduced its cyber theft of American corporate secrets following the Justice Department’s May 2014 indictment of five Chinese officers, U.S. officials say. (The Hill)

The Hewlett Foundation has awarded $400,000 in grant money to the Center for Democracy and Technology to study “obstacles to cybersecurity research and identify policy options to overcome them.” (Hewlett Foundation)

The Office of Personnel Management has put together an inventory of its servers, months after the agency breach was revealed. (The Atlantic)

Hong Kong is battling an influx of increasingly-sophisticated cyberattacks conducted by Chinese hackers. (Reuters)

 

If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A