Overnight Cybersecurity: Obama encryption policy could shift global debate

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry wrap their arms around cyberthreats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you…

THE BIG STORIES:

–STATE YOUR PURPOSE: The Obama administration is poised to unveil its long-term policy vision on encryption amid a global debate sparked by the recent terror attacks in Paris and San Bernardino, Calif. Privacy advocates are urging the White House to take a strong stand in favor of encryption technologies, which prevent anyone — including law enforcement — from accessing private data. The FBI and other law enforcement agencies have called for guaranteed access to encrypted communications. Without access, terrorists might freely be able to communicate, they have argued. It’s not clear where the administration will come down on the issue when it releases its policy statement on encryption, which is expected to explain what role the government should — or shouldn’t — play in regulating encryption. Publicly, the White House says it supports the use of strong encryption, but understands the concerns raised by law enforcement. For the time being, officials have backed away from endorsing any legislative effort or mandate on tech companies. Whatever the administration decides in the coming weeks is likely to have a major effect on decisions by other governments. “I think it’s enormously important because America does often set the standard in many areas,” said Rep. Ted Lieu (D-Calif.), one of Congress’s most prominent voices on encryption. “I hope the White House will continue to push back against efforts for government to mandate backdoors into encryption systems.” To read our full piece, check back tomorrow morning.

{mosads}–A MAN WITH A PLAN: The House Homeland Security Chairman expects President Obama to address the nation’s cybersecurity policy during his annual State of the Union address on Tuesday evening. “I do think he is going to reference it and come up with a national strategy for cybersecurity that we’ve been calling for for many years,” Rep. Michael McCaul (R-Texas) told The Hill on Tuesday. Many lawmakers are clamoring for the codification of a more holistic national cybersecurity strategy. Critics say the administration hasn’t drawn a clear distinction between different kinds of cyberattacks — what constitutes an act of cyber warfare versus a cybercrime, for example. Reps. Lynn Westmoreland (R-Ga.) and Jim Himes (D-Conn), the chair and ranking member of the House Subcommittee on the National Security Agency, recently sent a letter to the State Department calling for “a Geneva Convention” in cyberspace. They say the agency must create a “plan of action” for how Secretary of State John Kerry will work to develop international cyberspace norms. McCaul has warned before that a lack of global cyberspace rules poses serious dangers, noting in December that “there are no rules of the game.” “My side of the aisle, we’re very critical of the president, but that’s one area where we’ll applaud him and commend him for doing that,” he said Tuesday. To read our full piece, click here.

–HOW CAN WE HELP?: The Department of Homeland Security said Tuesday that it is helping Ukraine investigate a recent cyberattack on its power grid that left roughly 700,000 people without power for several hours. The notice, which was published by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, is the Obama administration’s first public comment about the Dec. 23 incident. The outage has drawn attention as the first known blackout caused by hackers, reportedly through the implantation of malware. DHS identified a specific piece of malicious code known as “BlackEnergy.” The department stopped short of confirming that the malware was the principle culprit behind the blackout. ICS-CERT “can confirm that a BlackEnergy 3 variant was present in the system,” but “based on the technical artifacts, we cannot confirm a causal link between the power outage with the presence of the malware,” the agency said. A report issued this weekend found that while malware enabled the attackers to carry out certain elements of their plan, it was not the direct cause of the outage. To read our full piece, click here.

 

A POLICY UPDATE:

–THE UPDATE IS NO UPDATE. The Obama administration has not yet decided how to move forward on controversial regulations designed to keep hacking tools out of the hands of repressive regimes, officials told lawmakers on Tuesday.

At a House hearing, lawmakers expressed concerns about the proposed set of rules that many argue could impede security research, curtail cyber threat information sharing and actually weaken digital defenses worldwide.

The rules are part of the implementation of the little-known Wassenaar Arrangement, which governs the export of weapons and so-called “dual-use” technologies that have both civilian and military uses.

Officials on Tuesday acknowledged that these concerns have sent them back to the drawing board.

But the government hasn’t decided exactly what the next step is. Some believe the State Department should first renegotiate the 2013 extension of the Wassenaar pact, which extended the agreement to cover surveillance and hacking tools.

Rep. John Ratcliffe (R-Texas) — who chairs one of the two subpanels holding the hearing, the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies — pressed a State Department official on the issue.

Ann Ganzer, who heads the Wassenaar delegation at the department, said it would be “premature” to say whether the government should return to the negotiating table.

“This is something that we need to fix, and we are working interagency, analyzing the comments, following up with them to determine what our next step forward will be,” she said.

Check out our full piece, here.

 

A LIGHTER CLICK:

–WELCOME TO HOGWARTS. We can’t stop reading this incredible Q&A with a witch who claims to cast viruses out of computers with magic.

Some highlights:

“I literally feel [the virus] in my body. I can feel the smoothness where the energy’s running, and then I feel a snag. That’s where the virus got in.”

“When I go into the room where somebody’s computer is, I go in fresh, I step in like a fresh sheet, and I’m open to feel what’s going on with the computer.

Read on, here.

 

A REPORT IN FOCUS:

–BETTER SAFE THAN SORRY. Pentagon officials have reportedly completed a classified assessment of the effectiveness of different defense agencies’ cybersecurity.

“We’re looking at the existing tools… and we look at those different tools, and we say, ‘What is the threat that they’re defeating, and what is the value of that threat?'” John Hickey, a cybersecurity risk management executive at the Defense Information Systems Agency, told FCW.

The agency wants to ensure that defense officials aren’t getting a “stale” picture of their networks’ defenses, part of a broader federal push to shore up vulnerable networks after the massive hack on the Office of Personnel Management revealed last spring.

Read on, here.

 

WHO’S IN THE SPOTLIGHT:

–SQUIRRELS. The attention of both the security community and critical infrastructure providers is fixed on Ukraine, where investigators are still tracing the origins of the first known blackout to be caused by hackers.

The threat to the grid has drawn increasing concern from cyber-conscious lawmakers, but at least one security industry professional is fed up with the hysteria and has taken to the Internet (as you do) to document a far more prolific perpetrator of blackouts: The squirrel.

Cybersquirrel1.com tracks “all unclassified Cyber Squirrel Operations that have been released to the public that we have been able to confirm.”

“[T]here is tons of hype about how we are at so much risk from a devastating cyber attack and yet we can’t even protect our infrastructure from squirrels, or birds or snakes,” the site’s anonymous creator told The Washington Post.

Read on, here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Ande Smith, who owns a cybersecurity consulting firm, is seeking the Republican nomination for Maine’s 1st Congressional District, according to local reports. (The Hill)

Rep. Matt Salmon (R-Ariz.) has joined a group of lawmakers expressing concerns that China is continuing to misrepresent its behavior in cyberspace. (The Hill)

A hacker appears to have broken into personal accounts of the nation’s top spy chief. (The Hill)

A U.K. privacy watchdog has heavily criticized the draft Investigatory Powers bill for attacking individuals’ privacy. (The Guardian)

A cyberespionage group has been discovered using a new remote access malware whose detection rate was very low among antivirus products. (CSO Online)

Police believe they have nabbed a key figure behind a series of online extortion attacks that have taken place around the world over the last 18 months. (CSO Online)

The French government is considering a legislative provision that would ban strong encryption. (The Daily Dot)

A look at how the little-known National Institute of Standards and Technology is reshaping the government’s approach to privacy. (The Daily Dot)

 

If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A