Overnight Cybersecurity

Overnight Cybersecurity: Homeland Security, Justice offer threat sharing guidelines

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORIES:

–JUST SO YOU KNOW…: The departments of Homeland Security and Justice on Wednesday released final guidance, issued Tuesday night, clarifying the Cybersecurity Information Sharing Act (CISA). The measure, which passed in the 2015 omnibus, was designed to allow companies to share threat information with the federal government and other industry members while limiting potential civil liabilities for doing so. But since its passage, businesses have questioned whether the wording of the bill limited the information-sharing to just government. The Tuesday release was a revision of a privacy report required under the law, released in preliminary form in February, and included a new section clarifying the liability protections extended to business-to-business communications. It explicitly states: “CISA authorizes private entities to share cyber threat indicators and defensive measures with other private entities. … It also provides private entities with liability protection for conducting such sharing in accordance with CISA.”

–IT WAS ME: A Kosovo man has pleaded guilty to stealing the personal information of over 1,000 U.S. servicemen and federal employees and sending it to the Islamic State in Iraq and Syria (ISIS) “with the understanding that they would incite terrorist attacks against those individuals,” the Justice Department said Wednesday. The 20-year-old man, Ardit Ferizi, last summer hacked the servers of a U.S. company that held personally identifiable information on tens of thousands of customers, according to the DOJ. He then passed that information along to ISIS’s former lead hacker, Junaid Hussain. In August, an ISIS hacking group tweeted a “kill list” of 1,300 U.S. military and government personnel, using the data stolen by Ferizi. Ferizi admitted that he provided the data to Hussain with the understanding that ISIS would use it to “hit them hard.” Hussain was killed in a drone strike shortly thereafter. Malaysian authorities arrested Ferizi in October on Justice Department charges of providing material support to ISIS. He was extradited to the U.S. in January. Assistant Attorney General John P. Carlin called the case “the first of its kind, representing the nexus of the terror and cyber threats.”


A POLICY UPDATE:

–SIX MONTHS IN. At a Wednesday hearing, lawmakers and industry representatives lamented how difficult small businesses find it to take part in recent cybersecurity threat information sharing initiatives.

Although the hearing was ostensibly about the entirety of the Cybersecurity Act of 2015, the House Homeland Security Committee’s cybersecurity subcommittee, as well as witnesses from the Chamber of Commerce, the United States Telecom Association and the security industry, quickly narrowed the focus to problems facing small- to medium-sized businesses.

“In the law itself, there are only two references to small businesses,” said witness Ola Sage, founder and chief executive of the small business e-Management. That “highlights that the law isn’t directly focused on small businesses,” she said.

The law is intended to clear the way for businesses to share threat information with each other and the federal government without fear of lawsuits.

That makes perfect sense for large businesses, said Sage, but small businesses are largely unaware of information sharing opportunities. Those that are aware don’t know what benefits participating would bring.

CISA is not the only federal information sharing initiative and, in Sage’s experience, navigating such a vast field is confusing. Worse yet, she said, the initial outlay of capital to buy the equipment necessary to participate can be cost prohibitive.

Lawmakers were receptive to her message.

“I don’t see [small businesses] get from point A to point B,” said Rep. Scott Perry (R-Pa.).

Sage referenced a cybersecurity adage Rep. John Ratcliffe (R-Texas) raised during his opening statement: “There are two kinds of companies, those that are hacked and those that do not know they have been hacked.”

“Small businesses ask, ‘If that’s the case, why do we need to spend any more money?’”


A LIGHTER CLICK: 

–“I’M GONNA HAVE TO GO WITH ‘NO’ ON THAT. I AM NOT A LIZARD.” This Mark Zuckerberg Q&A gets whatever the opposite of personal is.


A LOOK AHEAD:

THURSDAY

–The House Homeland Security Subcommittee on Emergency Preparedness will mark up the Cyber Preparedness Act of 2016, at 10 a.m.


WHO’S IN THE SPOTLIGHT:

–DONALD TRUMP. (AGAIN.) (SORRY.) More than 200 pages of what appears to be the Democratic National Committee’s (DNC) opposition research on Donald Trump was leaked to Gawker Wednesday, after Russian government hackers infiltrated the DNC’s computer networks.

The document, titled “Donald Trump Report,” includes an attack on the presumptive Republican presidential nominee’s character and record, and hundreds of pages describing instances of Trump changing his stance or saying something false or inflammatory.

Trump’s marriages are also covered extensively, according to Gawker.

The document was sent to Gawker by an individual calling himself “Guccifer 2.0,” a play on the name of the infamous Romanian hacker who first exposed the existence of former Secretary of State Hillary Clinton’s private email server.


A REPORT IN FOCUS:

–GETTING WORSE ALL THE TIME. Booz Allen Hamilton on Wednesday released a new report on cybersecurity for critical infrastructure that analyzed hundreds of cross-industry threats from the last 18 months.

Key findings: For the first time since ICS-CERT began tracking reported incidents in 2009, critical manufacturing experienced more incidents than the energy sector, according to the report.

Also, spearphishing attacks on industrial control systems increased 160 percent from FY 2014 to FY 2015, which should surprise no one but is still massive growth.


IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

The House is gearing up to take a new stab at reforming U.S. surveillance powers, after overwhelmingly passing similar measures in the past but failing to get them signed into law. (The Hill)

The Defense Department is seeking to cut back on the use of a “smart” ID card that has long been used by military personnel and contractors. (The Hill)

FireEye rebuffed takeover proposals from multiple parties earlier this year after hiring Morgan Stanley to field interest, according to people with knowledge of the matter. (Bloomberg)

Hackers are renting out 70,000 hijacked servers for as little as $6 apiece. (Reuters)

Is your smart microwave set to 0:07? (New York Times)

Researchers are still fascinated by the last totally secure computer. (Smithsonian)

Spam King Sanford Wallace has been sentenced to 30 months in prison. (The Register)

The Army is using “cyber cannons” to knock down drones. (Popular Science)

Regulators across Australia, Hong Kong and Singapore are moving to tighten personal data protection guidelines as cyberattacks grow more costly. (The Wall Street Journal)

Illinois is strengthening its data breach notification laws.
