Overnight Cybersecurity: House weighs export rules for cyber weapons

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry wrap their arms around cyberthreats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you…

THE BIG STORIES:

–SOUND AND VISION: The House on Tuesday will discuss concerns over a set of proposed Obama administration regulations designed to keep hacking tools out of the hands of repressive regimes. Lawmakers will try to break a stalemate on how the administration will rewrite the regulations, which have been bashed by the cybersecurity industry, researchers and a large bipartisan coalition of lawmakers. These opponents have warned the current proposal would stunt growth in a burgeoning industry and actually weaken cybersecurity worldwide. “It’s an important issue,” said Rep. Will Hurd (R-Texas), who chairs the House Oversight subcommittee on Information Technology, one of two subpanels holding Tuesday’s hearing. “We just want to make sure we get this right.” Lawmakers will hear testimony from the federal agencies currently locked in discussions over the regulations, as well as a number of industry representatives. The rules are part of the effort to implement the Wassenaar Agreement, a little-known pact with 40 other nations that governs the export of weapons and so-called “dual-use” technologies that can be corrupted. To read our full piece, click here.

{mosads}–WATCH THAT MAN: Police departments are using a software program to calculate a suspect’s potential threat level, similar to running a credit score. Although many departments are reluctant to discuss whether they use such tools, one version used in Fresno, Calif., creates color-coded scores based on billions of data points, including arrest reports, commercial databases, Web searches and social media postings. It’s not clear how widespread the use of the software is. Police officials say such software can help ensure the safety of officers, find suspects and even prevent terrorist attacks or mass shootings. But privacy advocates warn that these tools have been implemented with little to no public oversight and open up the possibility for abuse or error. Exactly how the Beware software used in Fresno calculates its scores is something that the maker, Intrado, considers a trade secret — leaving some civil rights advocates concerned that police could be relying on faulty information. Beware might misinterpret harmless postings on social media, for example, and influence an officer’s response. Fresno Police Chief Jerry Dyer dismissed such concerns, saying that officers on the street never see the scores and that they are instead used by operators to guide deeper investigation into a suspect. “Our officers are expected to know the unknown and see the unseen,” Dyer told the Washington Post. “They are making split-second decisions based on limited facts. The more you can provide in terms of intelligence and video, the more safely you can respond to calls.” To read our full piece, click here.

–IT’S GONNA BE ME: Fiat Chrysler cars were the only ones vulnerable to the cybersecurity defects that prompted the recall of 1.4 million vehicles, according to federal regulators. The conclusion ends a five-month investigation into whether other automakers had also left their vehicles exposed to the same security shortcomings that allowed hackers to remotely hijack a Jeep last year. The National Highway Traffic Safety Administration (NHTSA) explained its findings in documents posted to its website over the weekend. The Jeep hack in July demonstrated that researchers could take control of a car on the highway while stationed in a house 10 miles away. The two researchers manipulated the air-conditioning, toggled on the windshield wipers and then cut the car’s transmission. The bug was apparently in the vehicle’s radio system. The event, profiled in a Wired article, caused Chrysler’s recall and spurred the NHTSA to launch an investigation to see whether other automakers had received similarly defective parts from radio manufacturers. The agency said that similar radios made by Harman International had been installed in cars made by Volkswagen, Audi and Bentley, but that those vehicles included security systems that would block hackers. To read our full piece, click here.

AN HONORARY CLICK:

–GOLDEN YEARS. David Bowie, who died late Sunday, gave the world too many artistic achievements to document here.

But, in chronological order, here are a few albums to spin this week: “Hunky Dory,” “Aladdin Sane,” “Young Americans,” “Low,” “Heroes,” “Scary Monsters,” “1. Outside,” “The Next Day” and, of course, his beautiful and directly poignant new album, “Blackstar,” released just two days before his death.

Also, this wonderfully bizarre BBC special from the 70s captures Bowie at the end of early-70s Bowie, just before the Thin White Duke was born. Watch it here.

A REPORT IN FOCUS:

–SPACE ODDITY. The recent cyberattack on a Ukrainian power company was a coordinated effort consisting of several distinct elements, according to a group of researchers focused on industrial control systems.

The Dec. 23 incident, which left roughly 700,000 homes without power, has drawn widespread attention as what is thought to be the first major blackout caused by hackers.

The attack was comprised of “multiple elements,” SANS ICS director Michael Assante wrote in a blog post published Saturday.

“The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping… servers after they caused the outage,” Assante wrote.

Assante’s analysis shows that while malware enabled the attackers to carry out certain elements of their plan, it was not the direct cause of the outage.

Instead, malware was likely used to prevent system operators from detecting the attack while a remote attacker opened “breakers,” disconnecting parts of the network.

The attackers also a launched a DDoS attack on the power company’s customer service center, flooding it with phony calls to prevent customers from reporting the outages.

To read our full piece, click here.

WHO’S IN THE SPOTLIGHT:

–PRESIDENT OBAMA. Onlookers are waiting to see whether President Obama will address cybersecurity in his eighth and final State of the Union address on Tuesday. The White House has yet to tip its hand in its various previews of the upcoming speech.

The issue has come up in several of his previous addresses, most notably last year when he made an urgent plea for action.

“If we don’t act, we’ll leave our nation and our economy vulnerable,” Obama said. “If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”

Since then, Congress has passed a significant piece of cybersecurity legislation, the Cybersecurity Information Sharing Act.

Now, Washington is grappling with a debate over the extent to which law enforcement should be allowed guaranteed access to encrypted devices.

The White House is expected soon to hand down a highly-anticipated statement detailing its policy.

A LOOK AHEAD:

TUESDAY

–The House Homeland Security and House Oversight Committees will host a joint hearing on the impact of the recently-amended Wassenaar Arrangement at 2 p.m.

–President Obama will deliver the State of the Union address at 9 p.m.

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Hundreds of technologists, privacy advocates and industry groups on Monday called on governments worldwide to reject any policy that could infringe on people’s ability to use robust encryption. (The Hill)

GM has become the first major automaker, aside from Tesla, to issue guidelines promising not to sue “white hat” security researchers. (ArsTechnica)

Should the cyberattack on a dam in New York be considered an armed attack? (Just Security)

A dental software provider has agreed to settle with the Federal Trade Commission over charges it misled customers on the level of encryption its software provided to protect sensitive patient data. (Infosecurity Magazine)

Renewed tension between longtime regional rivals Saudi Arabia and Iran appears to be spilling online, signaling a sectarian-motivated cyber conflict in the Middle East. (CSM Passcode)

A look inside cyber criminal call centers. (KrebsonSecurity)

A car breathalyzer maker got hacked. (Motherboard)

Israel is bringing its tech expertise to protecting connected cars. (Reuters)

Tor wants to be less reliant on the U.S. government for funding. (ArsTechnica)

If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A