Overnight Cybersecurity: Lawmakers pile on Yahoo | House delays contempt vote on Clinton IT aide

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

 

THE BIG STORIES:

–LET’S TALK ABOUT THIS: Senate Judiciary Committee Ranking Member Pat Leahy (D-Vt.) is seeking a hearing on the Yahoo data breach, an aide to the panel told The Hill Wednesday. The recently announced hack of 500 million Yahoo accounts is the largest of a single company to date. The ask comes as a New York Times report found that Yahoo failed to provide resources to its security team and implement steps to protect users’ data in recent years, adding to scrutiny of the tech giant’s practices. The Times reported that CEO Marissa Mayer, the former Google executive brought on to turn Yahoo around, opted not to pursue certain security solutions. That included a mandatory password reset for all users, according to the report, because that could have hurt Yahoo’s core email business. Yahoo said in a statement that it had invested heavily in security in recent years. “Today’s security landscape is complex and ever-evolving, but, at Yahoo, we have a deep understanding of the threats facing our users and continuously strive to stay ahead of these threats to keep our users and our platforms secure,” a spokesperson said in a statement. To read about Leahy, click here. To read about Yahoo’s security practices contributing to the problem, click here.

–BEHIND BARS: A 37-year-old Syrian national once affiliated with the Syrian Electronic Army (SEA) hacker group pleaded guilty in federal court in Virginia on Wednesday to conspiring to receive extortion proceeds and conspiring to unlawfully access computers. Beginning in 2011, Peter Romar defaced media and government websites belonging to those the SEA felt were overly critical of Syrian President Bashar al-Assad. By 2013, the SEA’s methods had evolved into extorting money from hacking victims under threat of the group destroying or leaking information from compromised systems. Romar, who was living in Germany, acted as a go-between for extortion payments when victims could not transfer money directly to Syria. His partner in the schemes is still at large. To read our full piece, click here.

–NO MATTER HOW MANY TIMES YOU ASK IT: The FBI found no evidence that either Hillary Clinton or her aides ordered an IT technician to delete an email archive that was under congressional subpoena, Director James Comey testified Wednesday. “We did not have evidence to disbelieve [the technician’s account] and establish someone told him to do that. No email, no phone call, nothing,” Comey told the House Judiciary Committee during an oversight hearing that was largely taken up with questioning about Clinton’s server. The technician, Paul Combetta, has become a focus in the latest congressional investigation into the private server Clinton used while secretary of State. Earlier this month, Combetta invoked his Fifth Amendment right against self-incrimination before the House Oversight Committee. To read our full piece, click here.

 

A POLICY UPDATE:

–CYBER EXPORT CONTROLS. A new proposal in the European Union would address many of the controversies over an international export control agreement that includes the United States.

The European Council proposed updates to the European Union’s export controls of militarized spyware on Wednesday. Those controls were a widely derided result of the annual 41-nation Wassenaar Arrangement of which the United States is part.

Wassenaar covers dual-use technologies – those with military and civilian uses. In 2013, the list of controlled products expanded to include surveillance software that member nations wanted to keep out of the hands of authoritarian states.

The Arrangement tasks each country with developing its own implementation (the EU operates as a bloc). Many nations had already passed their own implementations, but when the U.S. announced its implementation plans, the potential for conflict was met with international concern.

The U.S. is home to the lion’s share of the cybersecurity industry and it became clear that any faithful implementation of the Wassenaar Arrangement terms would slow or even prevent the export of legitimate, critical network security testing products, stifle international presentations of research and, in general, hinder necessary cybersecurity practices worldwide. The U.S. is now trying to renegotiate the terms.

The new legislation creates stricter criteria for EU countries to issue licenses and would also carve out an exemption for exports made with “legitimate purposes, including law enforcement and internet security research.”

To read the rest of our piece, click here.

 

A LIGHTER CLICK: YOU AREN’T SPECIAL. Computer science skill isn’t genetic. You were smart enough to subscribe to this through your own hard work.

 

A DEBATE IN FOCUS:

–RULE 41 ALERT. Rep. Zoe Lofgren (D-Calif.) on Wednesday briefly pressed FBI Director James B. Comey on pending changes to what’s known as Rule 41.

The changes — which would allow investigators to seek a single warrant to search computers in multiple different jurisdictions — will go into effect at the end of the year unless Congress steps in.

“One of the challenges we face especially in dealing with these huge criminal botnets is how do we execute a search warrant to try and figure out where the bad guys are and get them away from innocent people,” Comey said, during a House Judiciary hearing on bureau oversight.

“The challenge that we’ve been facing is to go to every single jurisdiction and get a warrant [which] would take literally years,” he said.

“I’d like to [express the hope] that the FBI might seek the guidance of some of the computer experts at our national labs on this question of [whether the change will] trigger malware attacks,” Lofgren said.

 

WHO’S IN THE SPOTLIGHT:

–BRYAN PAGLIANO. (AGAIN.) (SORRY.) The House’s vote on holding the former State Department staffer responsible for setting up Hillary Clinton’s private email server in contempt of Congress will wait until after the elections.

Aides said Wednesday that a vote to hold Pagliano in contempt of Congress is no longer expected before the House leaves Capitol Hill for the pre-election recess.

The House is expected to adjourn as soon as Wednesday night to let members return to their districts to campaign for reelection. Neither the House nor the Senate is scheduled to return until the week after Election Day.

Lawmakers were originally slated to vote Thursday on a resolution to hold Pagliano in contempt for declining to appear at a House Oversight Committee hearing on Clinton’s server earlier this month despite a subpoena demanding his presence.

To read our full piece, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

A Kickstarter device will make mesh networks far easier. (Motherboard)

It’s the first annual “International Day for Access to Information,” which the UN promises us is a real thing. (EPIC)

Meet the Russian citizen who owns the web-hosting firm used to hack into elections boards in Arizona and Illinois. (New York Times)

Rep. Ted Lieu (D-Calif.) is asking the new federal chief information security officer why agencies keep putting off making necessary upgrades recommended by the GAO. (Ted Lieu)

Fancy Bear appears to have hacked a citizen journalism organization looking into the Malaysia Airlines flight 17 incident over the Ukraine. (ThreatConnect)

Europol says ransomware is the top cyber threat, echoing a number of other reports saying the same thing. (ABC News)

Buy a dinner for two at one of London’s swankiest restaurants from dark net thieves. (Motherboard)


Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
