DoD won’t release e-voting penetration tests - Paper: De-identification possible - On the Hill this week

With help from David Perera, Erin Mershon and Joe Marks

DoD WON’T RELEASE E-VOTING PEN TESTS – Officials have yet to release the results of a 2011 set of penetration tests on Internet voting software conducted by the Department of Defense, prompting election watchdogs to ask what the Pentagon might be hiding. A few months after the 2011 tests, an official said the results would be publicly available, and a year later, another said the first release was slated by the end of 2012. A representative now says it will release results in 2015, as material is considered “pre-decisional.” Meanwhile, elections officials and lawmakers from across the country are joining watchdogs in demanding the results.


Interviews with organizations involved in the tests and reviews of federal officials’ presentations reveal that the tests targeted a 72-hour mock election, and attacks consisted of scanning, SQL injection, cookie management, attempts to gain admin rights and more. While the testers were ultimately unable to change or decrypt votes, some critics say they just weren’t trying hard enough. The story, from David Perera: http://politico.pro/UFdIKF

PAPER: DE-IDENTIFICATION ATTAINABLE – “Big data” analysis shouldn’t be held back by concerns that it is possible to re-identify individuals from anonymized data, argues a new paper out this morning. In fact, it is possible to collect data on individuals and analyze it without identifying them, argues the paper from the Information Technology and Innovation Foundation and the Ontario Privacy and Information Commission. The authors of the report take on commonly cited examples of re-identification, showing that if de-identification is done properly, the risk of ID’ing individuals is less than 1 percent in most cases.

The debate is important as the government and private sector are increasingly turning to “big data” analysis, using it both for commercial purposes and open government efforts. Meanwhile, advocates are increasingly worried about the privacy implications of data collection, and how the information is used and protected. More, from your host: http://politico.pro/1n3aaZ9

HAPPY MONDAY and welcome to Morning Cybersecurity, where Saturday was the official one month-aversary of POLITICO Pro Cybersecurity! In that time span, we produced nearly 100 full-length stories and more than 110 urgent Whiteboard alerts, not to mention delivering this newsletter to your inboxes at 6 a.m. every non-holiday weekday. It’s been a great month, and we’re excited for many to come. As always, send your thoughts, tips, and feedback to [email protected] and follow @talkopan, @POLITICOPro and @MorningCybersec. Full team info is below.

ON THE HILL THIS WEEK – Cyber-watchers should keep an eye on a few different hearings happening this week that have the potential to dive into our territory. The farthest away but potentially most impactful is a Friday subcommittee hearing on the soon-to-be-released Quadrennial Homeland Security Review, a once-every-four-years assessment described by officials as a “strategic framework.” This will be the second QHSR, and it’ll have “a stronger risk-based approach” than the first one, said DHS Assistant Secretary Alan Cohn this time last year. Cybersecurity is one of five homeland security missions identified in the first QHSR. The House Homeland Security’s Subcommittee on Oversight and Management Efficiency will hear from three well-known experts: former DHS Assistant Secretary Stewart Baker, George Washington University’s Frank J. Cilluffo and former DHS Undersecretary Elaine Duke. http://1.usa.gov/1lxx5i3.

Tomorrow, Senate and House subcommittees are slated to mark up FY15 appropriations bills for State and Foreign Operations. Among other items that touch cyber, those bills have historically funded circumvention tools that keep Voice of America, Alhurra and other broadcasting initiatives beaming into places where they’re blocked by national governments. Also Tuesday, the House Rules Committee will meet on the FY15 Defense Appropriations Act, which will pave the way for floor action and amendment proceedings. A spokesman told our friends at Morning Defense the spending measure will probably come to the House floor under a “modified open rule,” with time limits on amendment debates. Keep an eye out for NSA surveillance-related amendments.

Wednesday, the Senate Homeland Security and Governmental Affairs Committee takes on intelligence contractors, holding a previously postponed hearing on a January GAO report (http://1.usa.gov/1p6m7BB) that found an inadequate inventory of the contractor workforce in the intelligence community. While not strictly cyber-related, the insider threat and the shadow of Edward Snowden are likely to feature. ODNI’s Stephanie O’Sullivan and GAO’s Timothy DiNapoli will testify. Also on Wednesday, the Senate Appropriations Defense Subcommittee will hold a hearing on the Defense Department’s fiscal 2015 budget request. That request includes $5.1 billion for defensive and offensive cyber operations, including funds to continue construction on the Joint Operations Center for U.S. Cyber Command at Fort Meade, which is slated to open in FY18. Defense Secretary Chuck Hagel and Joint Chiefs of Staff Chairman Gen. Martin Dempsey will testify. Do we even need to say it? We’ll be tracking.

CHINA’S TAKE: SNOWDEN EQUALIZED U.S.-SINO CYBER-RELATIONS – The South China Morning Post takes a look at what the Snowden revelations last year meant for relations between the U.S. and China. “On the issue of cybersecurity negotiations, for instance, China had suddenly gained greater leverage. ‘In the past, cybersecurity talks [between China and the U.S.] were a one-way thing — the U.S. always made accusations about China's cyberattacks and internet thefts in a condescending tone,’ said Richard Hu Weixing, director of the University of Hong Kong's department of politics and public administration. ‘But now the cybersecurity dialogue has expanded a lot and the U.S. has lost its moral high ground, as the world now sees it as the most intrusive country on the internet.’ Washington's weakened position was evident last month, Hu said, when the Justice Department announced the prosecution of five Chinese military officers on hacking charges. ‘As you could see, no one clapped their hands,’ Hu said.” The story: http://bit.ly/U099Kr

DOMINO’S PIZZA HACKED, EXTORTED — Hackers who say they stole data on more than 600,000 Domino’s Pizza customers in France and Belgium from the company network are threatening to publish it all today unless a €30,000 ($40,573.50) ransom is paid. The company acknowledged the breach over the weekend on Twitter, but has said it won’t pay the ransom. Notorious Euro-hacker crew Rex Mundi said in a Web post Friday they had downloaded 592,000 customer records from French customers and over 58,000 records from Belgian ones. The data includes “customers' full names, addresses, phone numbers, email addresses, passwords and delivery instructions. (Oh, and their favorite pizza topping as well, because why not),” the group wrote. It posted a sample of the stolen data — records for six customers. Rex Mundi have made a series of similar, and unsuccessful, ransom demands in the past, according to the UK’s Register: http://bit.ly/1p7Au91

ICYMI: FRIDAY AFTERNOON R&D SOLICITATION DROP – DHS let loose on Friday afternoon three cybersecurity research solicitations, known as “broad agency announcements.” The solicitations stem from an earlier promise to periodically fund over the next five years practical R&D efforts for curing current technical problems. The three areas targeted in the solicitations are mobile tech security, defense against DDoS attacks, and cyber-physical system security. The dollar value of the research contracts is modest by federal standards, ranging from $500,000 to $3 million. The Science and Technology Directorate’s Cyber Security Division has plans for industry days in Washington for each solicitation — June 24 for mobile, and the remaining two on June 26. The solicitations: http://1.usa.gov/1kEwnv8

QUICK BYTES

-- Dominance by a single Bitcoin miner could mean trouble for the currency’s security. Ars Technica: http://bit.ly/1q29tTJ

-- A Social Security Administration inspector general report finds the SSA did not always revoke IT access in a timely fashion at the end of a contract. OIG: http://1.usa.gov/1neCr09

-- U.S. officials hoped Edward Snowden would make a misstep so they could bring him into custody. But he hasn’t, and they haven’t. Washington Post: http://wapo.st/1p5zMsB

-- Rep. Kevin McCarthy's potential ascent to majority leader could be good for the tech community in D.C. The Hill: http://bit.ly/1p5xD0b

-- The Information Systems Audit and Control Association appointed Debbie Lew, an executive director of Ernst & Young LLP's Advisory practice, as international director of ISACA. http://bit.ly/T0pgXx

That’s all for today. Have a great week.

Stay in touch with the whole team: Tal Kopan ( [email protected] , @TalKopan ); Shaun Waterman ( [email protected] , @WatermanReports ); Joseph Marks ( [email protected] , @Joseph_Marks_ ); and David Perera ( [email protected] , @daveperera).
