Sizing up the FBI’s new cyber leadership

With help from Eric Geller and Martin Matishak

FBI CYBER PICKS WIN PRAISE — The FBI made an excellent choice in tapping Amy Hess to lead the Criminal, Cyber, Response and Services Branch, which oversees the bureau’s Cyber Division, according to former FBI officials and agents who spoke to MC on Tuesday after the bureau filled two of its key vacant cyber positions. “She’ll do a fantastic job,” said a former senior cyber official. “She’s been on the seventh floor before. She knows what she’s getting into.” Prior to her most recent role leading the Louisville Field Office, Hess oversaw the Science and Technology Branch, and before that its Operational Technology Division, putting her at the vanguard of the bureau’s “going dark” campaign against end-to-end encryption. The former senior official said he was “impressed with her intellect and her willingness to ask tough questions.” He noted that as head of STB, Hess had “a lot of experience with cybersecurity in general and issues that are adjacent to cyber.”
Former officials also generally praised the selection of the new head of the Cyber Division: Matt Gorham, who most recently led the counterterrorism division of the Washington Field Office. Gorham also led the FBI’s key National Cyber Joint Investigative Task Force. “Matt’s experience running NCIJTF gives him the interagency credibility to reach across the aisle and work with other agencies in the cyber arena,” said Andre McGregor, a former supervisory special agent handling cyber cases in New York. Another former FBI cyber official said that while Gorham was “not a cyber, technical person,” he had “a good grasp of the high-level realities around cyber and politics between agencies and sense of the mission. … He’s well respected in the bureau as a good agent and leader.”

“I think both are great selections and I wish them all the success,” said James Trainor, who led the Cyber Division from 2015 to 2016. “I’ve worked with both and know them to be highly capable agents and executives.” McGregor, now the global head of security at TLDR Capital, said the two picks “show that the FBI is becoming a serious player against the ever looming cyber threat.” Sean Farrell, the former head of the cyber law unit in the FBI general counsel’s office, tweeted that both Gorham and Hess “are proven leaders who have shown their ability to manage those on the front lines of some of the most technically complex issues facing the FBI.”

Gorham replaces Scott Smith, who left the bureau last month along with several other FBI cyber officials, including Howard Marshall, the No. 2 official in the Cyber Division. Marshall previously led the Louisville Field Office; Hess replaced him when he moved to Washington. The former senior FBI cyber official said Hess “had a chance to see significant cyber investigations up close” in Louisville, where the cyber program “was absolutely growing and a high performer for such a small field office.” Louisville was the lead field office for “a particular threat, which they wrestled away from another [office] because of talents they have there,” said the former senior official, who declined to identify that threat. “She has dealt with folks that are very knowledgeable in that line of work.”

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Yeah, this makes no sense. Send your thoughts, feedback and especially tips to [email protected], and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

MODERNIZING THE FEDS — The U.S. Digital Service is trying to get government agencies to move away from “checklists” and toward industry practices like red teams and bug bounties, the executive director of the service’s implant at Health and Human Services, Shannon Sartin, told MC. But she said it hasn’t always been easy. “People in government are motivated by fear,” she said. “They’re afraid of something bad happening and being called in front of Congress. People don’t want to change.” Too much of what the government does in IT is informed by habit, Sartin said, but officials might be relying on, say, Office of Management and Budget guidance from 1994 that isn’t applicable anymore. She highlighted some Digital Service initiatives at HHS like moving to the cloud and baking security into procurement instead of making it an “afterthought.”

Sartin will be part of a panel discussion on cybersecurity and technology at the opening of Okta’s Washington office today. At the event, Okta CEO Todd McKinnon will have a “fireside chat” with former Deputy Assistant Secretary of Defense for Russia Evelyn Farkas on foreign cyber threats. On Tuesday, the company released research describing a weakness in Microsoft's Active Directory Federation Services that would allow attackers to bypass multifactor authentication safeguards.

WE’RE LIKE COMMUNISTS, SORT OF — The federal government’s ban on Russian cyber firm Kaspersky Lab’s software is an unconstitutional “bill of attainder,” a legislative act declaring Kaspersky to be guilty of facilitating Russian cyber espionage, the software company’s lawyers said in a brief filed late Monday with the federal appeals court in Washington. The brief dismisses the government’s argument that the ban, which was contained in last year’s defense policy bill, does not prevent Kaspersky from continuing to sell its software. That claim “evokes the argument that banning confederates or communists from working as lawyers, priests, trade unionists, or government employees does not prevent them from working altogether,” the lawyers wrote. “That argument has not prevented the Supreme Court from repeatedly striking down such bans as bills of attainder.”

Kaspersky, which unsuccessfully tried to get the appeals court to temporarily pause the ban while the case proceeded, also argued that the ban was based on a flimsy premise: supposed intelligence showing that the Kremlin piggybacked on its software to steal classified documents. “Congress cannot invoke the specter of ‘national security’ and expect the courts to relent without further inquiry,” the company said. In arguing that the appeals court should overturn a district court’s ruling upholding the ban, Kaspersky said that Congress ignored less burdensome options for addressing security risks, such as passing a general ban on companies with servers in Russia. Oral arguments in the case are scheduled for Sept. 14.

CYBER BILL BECOMES CYBER LAW — President Donald Trump on Tuesday signed a cybersecurity bill. The legislation, the NIST Small Business Cybersecurity Act (S. 770), directs the technical standards agency to devote resources to helping small businesses reduce their cybersecurity risk. Sen. Brian Schatz was the lead Senate sponsor, while Rep. Daniel Webster introduced the House version (H.R. 2105), which passed last October.

HACKER ACCOLADES — Rep. Jackie Speier on Tuesday praised the hackers who participated in last weekend’s DEF CON Voting Village for uncovering a host of vulnerabilities in an array of voting machines. “The examples from the Voting Village would be comical if they weren’t so terrifying,” Speier, a member of the House Intelligence Committee, said in a statement. Fallout from the event has pitted the hacker community against election vendors and officials, who feel the challenge didn’t accurately duplicate the digital and physical protections that would be employed on Election Day. Speier called for paper ballots and risk-limiting audits in all state elections. “Too many voters — in part or all of 36 states in this year’s midterm election — will still use direct record electronic machines from the 2000s that prevent voters and election officials from keeping a paper trail to audit,” she said. “Now it is time for the Republican-led Congress to provide additional funding for states and for the president to admit our elections are vulnerable.”

Rep. Tulsi Gabbard also voiced concern. “Kids being able to hack into our election infrastructure in mere minutes highlights the severe vulnerabilities in our election infrastructure that threaten our American democracy,” she said. “These vulnerabilities erode voter confidence and expose our election outcomes to manipulation.” Gabbard is the sponsor of an election security bill (H.R. 5147).

ELECTION SECURITY GRAB BAG — Virginia Sen. Tim Kaine and fellow Virginia Democratic House candidate Elaine Luria discussed election security this week, with Kaine saying the Trump administration isn’t taking the subject seriously enough. The DNC’s chief security officer, Bob Lord, penned an op-ed in USA Today on election security, urging everyone to protect their own systems to make everyone else safer. Pennsylvania’s acting secretary of state, Robert Torres, outlined his plans for securing the election. Early voting kicked off in Florida amid Sen. Bill Nelson’s confusing comments about its election system being hacked. Also in Florida, Palm Beach County’s election supervisor, Susan Bucher, spent grant money on iPads to help voters to check in this fall.

UBER TRIES A SECURITY COMEBACK — Uber said Tuesday it hired Matt Olsen, former general counsel at the NSA and ex-director of the National Counterterrorism Center, as its chief security officer. The announcement cements a relationship between Uber and Olsen that began after Dara Khosrowshahi became the company's CEO last year. As part of Uber's efforts to make amends with customers for all sorts of wrongs (from poor service to treatment of drivers), Khosrowshahi began working with Olsen to recover from a serious cybersecurity lapse — failing to tell customers about a massive data breach. In fact, the company paid the hackers $100,000 so they wouldn't reveal the intrusion. Olsen told The New York Times that now Uber understands "the need to be transparent and ethical."

RECENTLY ON PRO CYBERSECURITY — Democrats on the House Energy and Commerce panel want FCC Chairman Ajit Pai to disclose when he first knew that there was no distributed denial of service attack on the agency’s website during the net neutrality debate. … The intelligence community is advancing to the second phase of its IT modernization effort.

PEOPLE ON THE MOVE

— Col. Jaak Tarien, the former commander of the Estonian Air Force, will take over the role of director of the NATO Cooperative Cyber Defence Centre of Excellence from outgoing director Merle Maigre.

— Stacey Dixon is the incoming director of the Intelligence Advanced Research Projects Activity, the intelligence community’s futuristic tech shop. She has held a number of science and technology positions across spy agencies, and most recently served as deputy director. She replaces Jason Matheny.

— Seema Gahlaut has joined the Stimson Center as a senior fellow with its trade, technology and security program. She comes over from the University of Georgia’s Center for International Trade and Security, where she directed the training and outreach program.

TWEET OF THE DAY — All we can say is “LOL.”

QUICK BYTES

— Intel’s latest security problem: Foreshadow. Wired

— Former NATO supreme allied commander James Stavridis wrote for Bloomberg about how the military needs a cyber force more than it needs a space force.

— “NASA Is Testing Hardware to Fend Off GPS Hackers.” Bloomberg

— Omarosa Manigault-Newman claimed that Trump knew about hacked Democratic emails before they became public, but offered no proof. Vox

— Documents obtained by George Washington University’s National Security Archive show that U.S. Cyber Command’s effort to combat ISIS online is getting some results.

— Location tracking on internet-connected cars can aid abusers tracking their victims. Motherboard

— A bank in India lost $13.5 million from a cyberattack. Reuters

— The FBI warned of a coordinated cybercrime campaign targeting ATMs. Computer Weekly

CORRECTION: The Aug. 14 edition of Morning Cybersecurity misidentified the Milwaukee election office.

That’s all for today. “Now the joy of my world is in Zion.”

Stay in touch with the whole team: Mike Farrell ([email protected], @mikebfarrell); Eric Geller ([email protected], @ericgeller); Martin Matishak ([email protected], @martinmatishak) and Tim Starks ([email protected], @timstarks).
