Overnight Cybersecurity: FBI won’t tell Apple how it hacked iPhone

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORIES:

–NOT HAPPENING: The FBI will not be able to disclose how it broke into an iPhone used by one of the San Bernardino shooters. Top FBI cyber official Amy Hess on Wednesday said the FBI does not “have enough technical information” about the software vulnerability that allowed it to hack the phone. Without this information, the FBI said it cannot participate in a White House review that would determine whether it should share the technique with Apple. “The FBI purchased the method from an outside party so that we could unlock the San Bernardino device,” said Hess, the FBI’s executive assistant director for science and technology. “We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate.” The so-called Vulnerabilities Equities Process, used to determine whether a government-discovered hacking method should be disclosed to the manufacturer to be patched, has been in the spotlight since the agency revealed that it has purchased the hacking tool from a third party during the standoff with Apple over cracking into shooter Syed Rizwan Farook’s iPhone 5c. Although the White House says that the process is weighted toward disclosing vulnerabilities, critics argue that an exception for national security concerns allows the government to hoard hacking techniques at the expense of public cybersecurity. By failing to disclose flaws, onlookers say, the government is undermining online security and alienating tech companies. The FBI reportedly told Apple about a security vulnerability in its Mac and iPhone software earlier this month, the first time the agency has disclosed such a flaw under the Vulnerabilities Equities Process — but the security hole impacted only older devices and had already been patched by the company. 
The move may have been intended to demonstrate that the agency can and does use the review process to disclose software flaws it finds, but Apple was unimpressed: A company executive told Reuters that the disclosure did nothing to change its perception that the Vulnerabilities Equities Process isn’t as effective as the White House claims.

–MINE! The House on Wednesday easily passed a measure that would provide a federal remedy for U.S. companies seeking relief from the theft of trade secrets. The vote of 410-2 clears the measure for President Obama’s signature. The vote wraps up about two years of work to craft the measure aimed at harmonizing federal law and giving businesses more consistent legal protections when their trade secrets are stolen. The Senate passed the measure on an 87-0 vote on April 4. House Judiciary Committee Chairman Bob Goodlatte (R-Va.), whose committee approved the measure by voice vote last week, said that trade secrets include everything from Kentucky Fried Chicken’s secret spices to Coke’s soda formula and algorithms for search engines like Google. Goodlatte and one of the bill’s authors, Rep. Jerrold Nadler (D-N.Y.), expressed concern that technology has made it even easier for thieves to steal intellectual property, driving up theft to an all-time high. Nadler called the bill a long overdue remedy to protect businesses across the country from “the growing threat of trade secret theft by creating a uniform federal civil cause of action for theft of trade secrets.”

UPDATE ON CYBER POLICY:

–MOVING ON’ UP. The House on Wednesday unanimously passed an email privacy bill that the technology industry and advocates pushed for years.

The Email Privacy Act had the most public backers of any bill in Congress, and it passed 419-0. Attention now turns to the Senate.

The bill closes off a loophole in the 1986 Electronic Communications Privacy Act to ensure that law enforcement gets a warrant before forcing technology companies to hand over customers’ emails or other electronic communications, no matter how old they are.

Though the outdated provision is no longer used by most agencies, the law technically allows law enforcement to use a subpoena — rather than a warrant — to get emails if they are more than 180 days old. When the law was enacted, there were large technical limits to storing data online.

“We know the ways that Americans communicate today is in a way in which they expect that those transmissions are private, and they expect that the government will honor that and not search those emails and not capture them for other purposes,” said Rep. Kevin Yoder (R-Kan.), who was the lead sponsor of the bill along with Democratic Rep. Jared Polis (Colo.).


A LIGHTER CLICK:

–EDWARD SNOWDEN. The trailer for Oliver Stone’s film about the National Security Agency leaker was released today — months before the movie’s premiere date in September.

Our thoughts: Nicolas Cage at his most Nicolas Cage-y and not enough of Timothy Olyphant’s face. (Well, one of us thinks there’s not enough Timothy Olyphant, anyway.)


A REPORT IN FOCUS:

–BE HELPFUL. In order for threat-sharing facilitated under last year’s cybersecurity information-sharing bill to function effectively, both industry and government are going to have to play ball, according to a report out from PwC today.

“This means government agencies declassifying as much cyber threat information as possible and sharing it with the private sector,” the report reads. “This means the private sector actively seeking ways to share their knowledge with each other, committing the time and resources to do so.”


WHO’S IN THE SPOTLIGHT:

–CHINA. (AGAIN.) The government is still investigating last summer’s massive hacks at the Office of Personnel Management (OPM) to determine the “exact source,” a top State Department official told lawmakers on Wednesday.

The digital intrusions, which exposed over 20 million federal workers’ personal data, have been widely attributed to China. Administration officials have even hinted at this publicly, while admitting it privately.

But in response to a question from Sen. David Perdue (R-Ga.), Deputy Secretary of State Antony Blinken said the government is still working to pin down the culprit.

“Trying to attribute the exact source of that intrusion is an ongoing effort,” he said during a Senate Foreign Relations Committee hearing on U.S.-China relations.

Perdue wanted to know whether acknowledgement of the OPM hacks was a part of a cyber deal struck last September between President Obama and Chinese President Xi Jinping.

The agreement mainly served as a pact to eradicate digital espionage for commercial gain, but also included a number of other commitments to better cooperate on cyber issues, which have been a major irritant between the U.S. and China in recent years.

“I’m not recalling [anything], except other than to say we’ve made it clear to the Chinese that there are some actions in the cyber realm … that are too big to ignore, and certainly what happened with OPM would fall into that category,” Blinken said.


A LOOK AHEAD:

THURSDAY:

–The House Homeland Security Committee will mark up the National Cybersecurity Preparedness Consortium Act of 2016 at 2 p.m.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

Leaders of the Senate Homeland Security Committee pressed the Obama administration to speed the update of a 15-year-old guidance they say is hampering agencies from catching hackers. (The Hill)

The House of Representatives late Tuesday overwhelmingly passed a bill intended to counter the online recruitment efforts of the Islamic State in Iraq and Syria (ISIS).

Edward Snowden’s bombshell disclosures of the government’s massive digital surveillance programs dramatically curtailed people’s web browsing habits, according to new research. (The Hill)

Two House Energy and Commerce Committee members are backing a bill that would create a new cybersecurity official at the Department of Health and Human Services (HHS). (The Hill)

Hackers can track your whereabouts with a Waze vulnerability. (CSO Online)

Qatar’s largest bank is investigating a security breach that appears to have exposed sensitive personal data for what could be hundreds of customers, including government officials. (The Associated Press)

The Electronic Payments Coalition pushed back against retailers’ criticism of a controversial data breach notification bill.

Toronto is getting its own free encrypted network. (Motherboard)

A Philadelphia man suspected of possessing child pornography has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives. (ArsTechnica)
