Overnight Cybersecurity: Negotiators say data deal close at hand
Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you…
THE BIG STORIES:
–SIX O’CLOCK NEWS: The government may have used compromised software for up to three years, exposing national security secrets to foreign spies, according to lawmakers and security experts. Observers increasingly believe the software defect derived from an encryption “backdoor” created by the National Security Agency. Foreign hackers likely repurposed it for their own snooping purposes. The House Oversight Committee has launched an investigation into the matter, but specialists and former government officials say confidentiality concerns might prevent the public from ever knowing if a breach occurred. “There’s a lot of very sketchy stuff here,” said Matthew Green, a cryptology expert from Johns Hopkins University who has been reverse-engineering the compromised code. The software vulnerability was spotted in December, when Juniper Networks, which makes a variety of IT products widely used in government, said it had found unauthorized code in its ScreenOS product. Security experts said the code had been intentionally altered, and Juniper acknowledged that the alteration could let hackers infiltrate networks and decrypt traffic. One U.S. official compared the alteration to “stealing a master key to get into any government building,” according to CNN. “It’s a very serious problem,” said Sen. Ron Johnson (R-Wis.), who heads the Senate Homeland Security and Governmental Affairs Committee. “It affects everybody’s IT systems.” To read our full piece, check back tomorrow.
–ILLEGAL SMILE: The U.S. and the European Union have missed the deadline for a critical transatlantic data flow agreement — but negotiators are close to reaching a deal, EU Justice Commissioner Vera Jourova told European lawmakers on Monday. She declined to offer many details on the negotiations, citing the ongoing nature of the talks, but indicated that substantial progress had been made. “I will not hide that these talks have not been easy. It is not an easy task to build a strong bridge between two legal systems which have some major differences,” she told lawmakers. “We are close, but an additional effort is needed.” But despite her assurances, European Parliament members expressed deep skepticism that a new Safe Harbor arrangement with the U.S. would stand up to legal scrutiny. “We have to be absolutely sure that this stands in court. I want to be reassured, but I am not reassured yet,” said Dutch member Sophie in ‘t Veld, who led criticism of Jourova’s presentation. Europe’s data privacy regulators gave the two governments until Jan. 31 to come up with a satisfactory replacement when the original Safe Harbor framework was struck down in October. They vowed to take no collective action until that deadline, now come and gone — but industry sources tracking the talks say that negotiators have treated Tuesday as the true drop-dead date for a deal. A working group of each EU country’s regulators is set to meet on Feb. 2 to discuss how firms can legally handle data in the absence of a Safe Harbor. Jourova said she is set to speak with Pritzker tonight to hammer out the remaining discrepancies in the deal. To read about the missed deadline, click here. To read about European Parliament members’ reactions, click here.
AN UPDATE ON CYBER POLICY:
–BRUISED ORANGE. House Majority Leader Kevin McCarthy (R-Calif.) on Monday said a House panel had overstepped its jurisdiction with its probe into the security of former Secretary of State Hillary Clinton’s private email server.
In mid-January, House Science, Space and Technology Committee Chairman Lamar Smith (R-Texas) sent letters to four companies that played roles in maintaining and protecting Clinton’s personal server.
The letters have caught the attention of McCarthy, who told reporters he believed those inquiries should have been the purview of the House Select Committee on Benghazi, chaired by Rep. Trey Gowdy (R-S.C.).
“I have the same impression as you, that it would be Gowdy’s jurisdiction,” McCarthy said Monday afternoon, when asked whether Gowdy’s panel should be overseeing the investigation.
McCarthy then repeated his answer verbatim when pressed on whether Smith had given the Republican leader a heads up before sending the letters.
After Clinton’s email practices at the State Department were revealed, former Speaker John Boehner (R-Ohio) pushed for Gowdy’s committee to handle any future probes.
To read our full piece, click here.
A LIGHTER CLICK:
–ANGEL FROM MONTGOMERY. The Dutch police are experimenting with training eagles to attack drones in the sky. This is almost as great as The Rescuers Down Under, minus Joanna the Goanna.
Read on at The Hacker News, here.
A REPORT IN FOCUS:
–IN SPITE OF OURSELVES. There is an “overwhelming” amount of illicit content on the dark Web, according to a new research project from two King’s College London authors.
Of 5,205 live websites, over 50 percent hosted illicit material, the study revealed.
“The results suggest that the most common uses for websites on Tor hidden services are criminal, including drugs, illicit finances and pornography involving violence, children and animals,” Daniel Moore and Thomas Rid write.
Read on at Motherboard, here. You can find the full study here.
WHO’S IN THE SPOTLIGHT:
–EINSTEIN. Homeland Security Secretary Jeh Johnson over the weekend defended the government’s main cyber defense system after a government audit knocked the $6 billion technology as falling far short of its expectations.
Johnson said the so-called “Einstein” program has considerably improved the government’s ability to detect hackers.
“Einstein has in fact proven invaluable to identify significant incidents,” he said in a statement.
But the Department of Homeland Security (DHS) head also cautioned that Einstein is still in its final stages of implementation, and even then is not meant to be “a silver bullet.”
“It does not stop all attacks, nor is it intended to do so,” he said. “It is part of a broader array of defenses.”
Johnson was responding to a recent audit from the Government Accountability Office (GAO) that concluded Einstein was largely ineffective at thwarting hackers. The report echoed long-standing criticism from security experts who describe the program as a much-delayed boondoggle that is already outdated.
“While [Einstein’s] ability to detect and prevent intrusions, analyze network data, and share information is useful, its capabilities are limited,” the report said.
To read our full piece, click here.
A LOOK AHEAD:
TUESDAY:
–The House Judiciary Committee will hold a closed hearing on the FISA Amendments Act at 10 a.m.
–The House Oversight Committee will hold a hearing to review the security of the Education Department’s IT systems and the conduct of its CIO, Danny Harris, at 10 a.m.
THURSDAY:
–The Senate Homeland Security and Governmental Affairs Committee at 10 a.m. will hold a hearing to vet the nomination of Office of Personnel Management acting director Beth Cobert to hold the position permanently.
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
The FBI and other officials are overstating their case when they warn that criminals are using encryption to “go dark,” according to a new study. (The Hill)
Hillary Clinton did not know how to use a computer to read and send emails when she entered office as the nation’s top diplomat in 2009. (The Hill)
Veterans, first responders and teachers are urging lawmakers to reject legislation that would require asbestos victims to share personal information when seeking compensation in court. (The Hill)
The federal workforce, already shaken by a massive cyber theft of personal data, now confronts another reality — ISIS has some of that same information. (Associated Press)
Fifteen years ago, hackers attacked a database belonging to an attendee of the World Economic Forum’s annual meeting in Davos — one of the first acts of hacktivism. (Motherboard)
The UK government must clarify its stance on end-to-end encryption, a parliamentary committee said. (TechCrunch)
If you’d like to receive our newsletter in your inbox, please sign up here: http://goo.gl/KZ0b4A