March is encryption bill month

With help from Joseph Marks, David Perera, Alex Byers and Kate Tummarello

BEWARE THE IDES — Two rival legislative proposals to tackle encryption now have general due dates: the month of March. Whenever they finally land, it’ll be against a backdrop of open warfare between Apple and the federal government over the iPhone used by one of the San Bernardino, Calif., terrorists.


— Burr and Feinstein: The Senate Intelligence Committee’s chairman and ranking Democrat met Monday to discuss their legislation, which would guarantee law enforcement and spy agencies access to encrypted tech products with a search warrant. Chairman Richard Burr (R-N.C.) said Tuesday that he’s targeting March for introducing his bill, though he still isn’t sure how it will work. He did say that it won’t be confined to just encryption. “We’re talking about an emergence of technology that’s going to last for decades and how we deal with this,” he said, which means the bill might be open-ended enough to account for future developments. “Tell me where technology’s going to go that would provide the inability for law enforcement to make their case in court,” he added.

California’s Dianne Feinstein, the panel’s top Democrat, said the bill is “coming along,” but obstacles remain. “It’s not easy, and some people are making it a lot harder than we think it needs to be,” she said, declining to elaborate.

— McCaul and Warner: An alternative proposal from Rep. Mike McCaul (R-Texas) and Sen. Mark Warner (D-Va.) would create a commission that “would bring together experts who understand the complexity and the stakes to develop viable recommendations on how to balance competing digital security priorities.” The goal is to introduce the commission legislation next week, a congressional aide with knowledge of the situation told MC. At a Bipartisan Policy Center event today, McCaul and Warner will tout the idea’s importance and provide a few specifics about the commission, the aide said.

The commission legislation enjoys some built-in momentum: Apple this week endorsed the idea, and the conservative editorial page of The Wall Street Journal last week gave it a boost, too. “Blue-ribbon commissions are usually a form of Beltway escapism,” the Journal wrote, “but in this case a detailed report and recommendations from leading minds in technology, law, computer science, police and intelligence could help shape a rough consensus — or at least establish a common set of facts.”

— On the case itself: A pair of privacy stalwarts jumped into the Apple vs. FBI dispute on Tuesday. Rep. Ted Lieu (D-Calif.) wrote to FBI boss James Comey asking him to withdraw the bureau’s demand that Apple help crack a terrorist’s iPhone and instead let Congress settle the matter. “The difficult and challenging issues of balancing privacy, liberty, safety, and national security should not be decided by unelected entities, such as private sector companies, governmental investigatory bodies, or magistrate judges,” Lieu wrote. Rep. Jared Polis (D-Colo.) offered similar counsel: “Creating any type of a backdoor will impact users and businesses, ultimately making our data less secure and more vulnerable. The courts should overturn this misguided decision and leave the debate over encryption to the proper venue in Congress.”

— Off the fence: Many key lawmakers remain undecided about both this case and the overall subject of encryption. On Tuesday, the House Intelligence Committee announced its worldwide threat briefing would happen Thursday, and FBI Director James Comey is expected to appear. Panel chairman Devin Nunes (R-Calif.) said he plans to probe Comey with questions that might help him come to a conclusion of his own. (Attorney General Loretta Lynch could face questioning from the House Appropriations Committee sooner: today.) Meanwhile, our friends from Morning Tech heard from the chairmen of the Senate Homeland Security and Commerce panels that they’re considering weighing in with their own legislation.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Your regular MC host is back in the saddle — thanks to Joe for filling in a few days lately. Send thoughts, feedback and especially your tips to [email protected] and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.


FBI WARNS ON ISIL HACKERS — The FBI is sounding the alarm about ISIL-linked cyberattackers while acknowledging they tend to be unsophisticated, according to a document obtained by Motherboard. “Over the past 18-24 months, an unknown number of online extremists have conducted ‘hacktivist’ cyber operations — primarily website defacements, denial-of-service attacks, and release of personally identifiable information (PII) in an effort to spread pro-Islamic State of Iraq and the Levant (ISIL) propaganda and to incite violence against the United States and the West,” the document reads. It also notes a Daily Mail report that ISIL is trying to recruit Indian hackers at up to $10,000 per operation, though it can’t confirm the reports. The FBI did not immediately respond to MC’s request for the document. But Joe was way ahead on this issue for Pros.

BETTER LATE THAN NEVER — Private email servers are now banned for State Department employees, Secretary John Kerry told a Senate panel Tuesday. “In today’s world, given all that we’ve learned and what we understand about the vulnerability of our system, we don’t do that, no,” Kerry told Sen. Ron Johnson (R-Wis.) at a Foreign Relations Committee hearing. The Republican National Committee distributed the video, which potentially stood to embarrass a certain Democratic presidential candidate over her use of a private server while working at State. But Kerry’s carefully phrased statement — “in today’s world” — provides just a smidge of cover for his predecessor.

CLEARING THE DUST — Since 2010, a sophisticated hacking ring that’s likely backed by a foreign government has been stealing data from Japanese utilities, oil and gas producers, and transportation and finance companies, according to a report out Tuesday from the cybersecurity firm Cylance. The hackers, dubbed Operation Dust Storm, earlier targeted key facilities in South Korea, Southeast Asia, Europe and the United States, but recently have focused exclusively on Japan, the report says. No word on which country is backing the hackers, though China is notably absent on the target list. Cylance expects to have more to say about this in coming months.

BRING THE 707 OUT — The number of records compromised in 2015 reached 707 million, via 1,673 data breaches, digital security company Gemalto said Tuesday. If that sounds like bad news, it is. The number of data breaches rose compared with the previous year, when the total was just above 1,500. On the bright side, the number of affected records dipped from 2014, when it reached 1 billion.

RECENTLY ON PRO CYBERSECURITY — “The National Institute of Standards and Technology this year plans to update its catalog of security controls that federal agencies use in constructing their cybersecurity programs.” … Taiwan-based ASUS has settled with the FTC over agency charges that its routers put personal data at risk.

There are a dozen pending Apple unlocking cases beyond San Bernardino … Former NSA Director Michael Hayden is siding with Apple, mostly … Microsoft founder Bill Gates has explained and re-explained his allegiance.

REPORT WATCH

— The framework of mutual legal assistance treaties by which nations request law enforcement data from each other is unprepared for the cloud computing age and the U.S. ought to lead updating efforts, says Vivek Krishnamurthy, a clinical instructor at Harvard Law School's Cyberlaw Clinic, in a paper for the university’s Berkman Center for Internet and Society.

— A survey by cybersecurity company Venafi found that 85 percent of chief information officers are worried about hackers hiding via encryption and one-third had already encountered scenarios where attackers used encrypted traffic to disguise their activity.

QUICK BYTES

— In an op-ed for POLITICO, Reps. Will Hurd and John Ratcliffe urge the State Department to renegotiate an international agreement establishing export controls for cybersecurity products.

— Sean Penn will speak at RSA, Boston Business Journal reports. Yes, that Sean Penn.

— The Broadcasting Board of Governors, the government’s foreign media wing, has canceled a contracting notice for an insider threat detection program, saying it doesn’t need the capability.

— Bastille found that “seven different companies’ wireless keyboards and mice are vulnerable to an exploit they’ve dubbed ‘mousejacking.’” Wired.

— Encrypted mobile messaging app Telegram has hit 100 million monthly users. VentureBeat.

— Hackers took aim at human error in 2015. Infosecurity Magazine.

— The latest investors in Israeli cybersecurity startup Team8 include AT&T. Fortune.

— How much is funding drying up for cybersecurity firms? Reuters.

— “A rogue IT manager has been sentenced to 30 months in prison after he changed jobs and decided to take revenge on his former employer.” The Register.

— A court ruling requiring Hillary Clinton’s aides to talk about her private server could be trouble for her. The Washington Post.

That’s all for today. I’d like to know, so I can be all that and more.

Stay in touch with the whole team: David J. Lynch ([email protected], @davidjlynch); Joseph Marks ([email protected], @Joseph_Marks_); David Perera ([email protected], @daveperera); and Tim Starks ([email protected], @timstarks).
