Rand Paul holds court

With help from Joseph Marks and David Perera

RAND PAUL, CYBER MAVERICK — Rand Paul on Thursday made the most extensive comments on cyber issues in the 2016 campaign so far. The Kentucky Republican spoke at length about a wide swath of cyber topics, hitting hardest on the desire by law enforcement and spy agencies for a “back door” into encrypted devices such as mobile phones. The problem? “The moment you build an opening,” bad guys can get in just as easily as good guys, Paul said at the Yahoo Digital Democracy conference in Des Moines. Plus, the U.S. push may set a dangerous precedent. “What’s China going to say? ‘Apple, you want to do business with us, you’ll have to give us an opening so we can watch,’” Paul said. “I don’t think we want that.”


Paul also took a moment to slag rival Chris Christie – with whom he clashed over encryption at the first GOP debate – while responding to a question about whether a President Paul would prevent any back doors. “Without question,” Paul answered. “And then some will respond and say: ‘What about terrorists? Does that mean you don't care about terrorists?’ And I've tried to explain this to the governor of New Jersey on the stage. ... You can use the Fourth Amendment and still get terrorists.” http://yhoo.it/1Qyw6xM

Among the GOP candidates, Paul stands virtually alone on cyber and related matters. He wouldn’t call Edward Snowden a “traitor,” although he suggested he would need to face trial. Yet he also proposed that Snowden share a jail cell with Director of National Intelligence James Clapper, who falsely told Congress before Snowden’s disclosures that spy agencies weren’t collecting mass data on U.S. citizens. Paul said the intel chief’s comments constituted perjury. (Clapper later apologized.) “So do I lack some trust when they tell me they’re not reading my phone conversations — or listening to my phone conversations or reading my email?” asked Paul. “Do I lack trust from the same people who told me they weren’t collecting any of my information at all? There’s a huge trust gap.” http://yhoo.it/1Qyw6xM

SNOWDEN AS DEAR ABBY — There’s little surprising in Ed Snowden’s tips for leading a more secure and private online life, which appeared in an interview with The Intercept published Thursday. But they bear repeating, since if there’s someone who knows of what he speaks, it’s clearly Snowden -- and because his recommendations mirror what other experts also urge, often in vain. So pay attention! First, download the open source iOS and Android app Signal to make encrypted voice calls and hold secure instant-messenger conversations. Encrypt your computer’s hard drive. Use a password manager to give every account a unique, hard-to-guess alphanumeric password.

Snowden also praised the anonymity network Tor as “the most important privacy-enhancing technology project being used today.” For advanced users, Snowden name-checked Qubes, a security-oriented open source operating system that relies heavily on virtualization. More: http://bit.ly/1PqhbpX

HAPPY FRIDAY and welcome to Morning Cybersecurity! In honor of the return of “Mr. Show” (aka “With Bob and David” on Netflix), here is one of its finest send-ups of reporters desperate for news. We’ve been there, although we don’t endorse the methods of Channel 6: http://bit.ly/1QyAblx So we don’t have to set anything on fire, send your thoughts, feedback and especially your tips to [email protected] and follow @timstarks , @POLITICOPro and @MorningCybersec. Full team info is below.

MAKING THE CHINA HACKING DEAL WORK — The Department of Homeland Security’s deputy secretary, Alejandro Mayorkas, is in China today for the first batch of talks over implementing September’s cyber agreement between Presidents Xi Jinping and Barack Obama. This is the prelude to another set of high-level talks in December, and there’s a lot at stake in these discussions, Joe reports. "I think China might well try to win in ministerial negotiations what they seem to have given away, to operationalize a definition [of commercial hacking] that allows them to continue what they want to do," said Paul Rosenzweig, a former deputy assistant secretary for policy at DHS. More for Pros: http://politico.pro/1lmjCgX

ALSO YESTERDAY ON PRO CYBER — U.S. and British officials were happy with the results of a joint cyber exercise involving the two countries’ top financial institutions: http://politico.pro/1lm8ZKT The company Zerodium vowed to pay anyone who could help unlock the Tor anonymity network: http://politico.pro/1MMwHWG The FBI, meanwhile, flatly denied paying Carnegie Mellon University to unmask Tor users: http://politico.pro/1WPJnH8 Securus Technologies says it wasn’t hacked, and that it didn’t violate anyone’s attorney-client privilege by recording prisoner phone calls, contrary to a story in The Intercept: http://politico.pro/1kQk1aI The Health Information Trust Alliance determined that only 5 percent of its members are sharing information through its private information sharing network: http://politico.pro/1ksmXuw

NTIA SCHEDULES VULNERABILITY DISCLOSURE WORKSHOPS — The National Telecommunications and Information Administration has settled on Dec. 2 as the next date for its ongoing process to bring all parties together on vulnerability disclosure. It’ll be inside the Beltway, in contrast to the September kickoff meeting that occurred in the Bay Area. On the agenda: “progress on the four areas identified by stakeholders in the first meeting: awareness and adoption, multi-party disclosure, economic incentives, and disclosure & safety,” said NTIA’s Allan Friedman, who’s spearheading the effort. The agency also plans to hold its third workshop in mid-January, again in D.C., and a fourth meeting in the Bay Area timed to the RSA conference, which is set for Feb. 29 to March 4. Background for Pros: http://politico.pro/1VmDnjc

CYBERWAR’S PRICE TAG — Military forces and defense contractors around the world will spend an estimated $10 billion on cyber in 2015, according to a report out Thursday from ABI Research. While much of that spending will be focused on security, “a designated portion will be allocated to cyber offensive investments: custom designed malware, military cyber command units, covert surveillance programs and the acquisition of zero-day vulnerabilities and exploits, among other measures.” Regionally, North America leads the way with $4.8 billion in spending, followed by $3.3 billion for Europe and $1.4 billion for the Asia-Pacific, according to research director Michela Menting. Private contractors account for most of that spending, with government agencies and militaries next. An asterisk: Because much cyberwar spending is classified or otherwise unavailable, the report doesn’t account for every dollar. More: http://bit.ly/1WULG6E

CLAPPER BACKS COBERT FOR OPM — Clapper gave an official thumbs-up to Office of Personnel Management Director-designate Beth Cobert on Thursday. It was a sign of the value the administration now puts on good PR for the post, which went from federal backwater to front page news with the agency’s massive employee data breach this summer. “Beth is a valued colleague … and supportive partner to the Intelligence Community,” Clapper said in a statement, adding that he “look[s] forward to working with her and the OPM staff to address mutual challenges.” Cobert has been acting OPM director since her predecessor Katherine Archuleta resigned under congressional pressure in July. The release: http://1.usa.gov/1PEeGPz

IG: OPM BROKE CONTRACTING RULES — The process OPM used to award a $20 million credit monitoring contract after the first OPM breach violated federal contracting rules, the agency’s inspector general said in a report out Thursday. The contract went to Winvale Group LLC and its subcontractor CSIdentity just days after the solicitation was issued. “While we are unable to determine whether the issues we uncovered are significant enough to have impacted the award of the contract … it is evident that significant deficiencies existed,” the IG said. The contract was roundly criticized, including by Sen. Mark Warner. The report: http://1.usa.gov/1O69XEz

COULD GROCERIES HACK A COMPUTER? — Here’s one more thing to worry about. Tencent's Xuanwu Lab has discovered a vulnerability in barcode scanners that can allow something like a fake boarding pass to take over a computer. The company’s founder, Yang Yu, demonstrated in a series of tweets this week how a fake boarding pass could be used to hack into a laptop. Yu will be giving a presentation at an upcoming conference on the subject entitled “BadBarcode: How to hack a starship with a piece of paper.” More: http://bit.ly/1iXOtyh
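The BadBarcode item rests on a general property of most point-of-sale and gate scanners: they present themselves as USB keyboards and "type" whatever the symbol decodes to, so the host treats scanned bytes as keystrokes rather than data. As an added example (not code from Tencent, the newsletter, or Yang Yu's talk), here is a host-side check that treats every scan as untrusted input: it rejects control and non-printable bytes, caps the length, and enforces an expected format before the payload reaches any UI. The boarding-pass pattern and the sample scans are constructed for illustration and only loosely resemble a real boarding pass string; the assumption is that the host reads the decoded bytes directly rather than letting the scanner type them.

```python
import re
import string
from dataclasses import dataclass
from typing import Optional

# Characters a legitimate symbol is allowed to contain: printable ASCII only.
# Anything else (ESC, CR, Ctrl-* bytes, bytes >= 0x80) is rejected outright.
PRINTABLE = frozenset(string.ascii_letters + string.digits + string.punctuation + " ")
MAX_LEN = 256  # assumption: no expected symbol is longer than this

# Loose, constructed approximation of a boarding-pass string (a leading "M",
# a leg count, then uppercase/digit/space/slash data). Not the IATA spec.
BCBP_LIKE = re.compile(r"M[1-4][A-Z0-9 /]{20,}")


@dataclass
class ScanResult:
    accepted: bool
    payload: str   # cleaned text when accepted, empty otherwise
    reason: str    # "ok" or why the scan was dropped


def validate_scan(raw: bytes,
                  expected: Optional[re.Pattern] = None,
                  max_len: int = MAX_LEN) -> ScanResult:
    """Validate one barcode read before anything keyboard-driven sees it.

    Assumes the host reads the decoded bytes from the scanner (serial/OPOS
    style) instead of letting the device type them as keystrokes.
    """
    if len(raw) > max_len:
        return ScanResult(False, "", f"payload too long ({len(raw)} > {max_len})")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ScanResult(False, "", "non-ASCII byte in payload")
    bad = [c for c in text if c not in PRINTABLE]
    if bad:
        hexes = ", ".join(f"0x{ord(c):02x}" for c in bad)
        return ScanResult(False, "", f"control/non-printable characters: {hexes}")
    if expected is not None and not expected.fullmatch(text):
        return ScanResult(False, "", "payload does not match the expected symbol format")
    return ScanResult(True, text, "ok")


# Constructed sample scans.
GOOD_SCAN = b"M1DOE/JOHN            EABC123 DSMORDUA 1234 319Y012A0001 100"
# Same prefix, but the symbol carries ESC, Ctrl-C and a carriage return:
# on a keyboard-wedge scanner these would be delivered as keystrokes.
BAD_SCAN = b"M1DOE/JOHN\x1b\x03\r"
# A byte outside ASCII entirely.
BINARY_SCAN = b"M1DOE\xff"


if __name__ == "__main__":
    for name, scan in [("good", GOOD_SCAN), ("bad", BAD_SCAN), ("binary", BINARY_SCAN)]:
        r = validate_scan(scan, BCBP_LIKE)
        print(f"{name:7s} accepted={r.accepted} reason={r.reason}")
```

The stronger fix is configuration rather than code: most scanners can be switched from HID keyboard emulation to a serial/COM or vendor API mode, so scanned bytes arrive as data that the application must parse, not as keystrokes that the operating system acts on. The validator above is the check to run once you are reading that data stream.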

QUICK BYTES

— “Several companies that worked on Hillary Clinton’s private email server are refusing interview and document requests from congressional investigators, even as they are cooperating with the FBI.” POLITICO: http://politi.co/1PFyVw1

— A majority of voters believe Hillary Clinton acted unethically with her private email server, while 40 percent thought it was the wrong thing to do but legal, according to a McClatchy-Marist Poll: http://bit.ly/1WOGvu1

— “Cybersecurity has become the No. 1 topic” in the financial industry, according to some conference-goers at a Charles Schwab-hosted event in Boston this week. CNBC: http://cnb.cx/1MZjf83

— Why China isn’t a cyber power on the scale of the United States, according to the Council on Foreign Relations’ Lincoln Davidson: http://on.cfr.org/1lmcocK

— The Government Accountability Office identified numerous deficiencies in IRS information security controls, including missed security updates and weak passwords. GAO: http://1.usa.gov/1MqRy2q

— The Rainbow PUSH Coalition took Wall Street to task over paycard security. The Huffington Post: http://huff.to/1iX5TeC

— Sen. Orrin Hatch bemoaned the state of government and private-sector cybersecurity and urged passage of both CISA and his Federal Computer Security Act, a version of which was rolled into the version of CISA that passed the Senate last month. Medium: http://bit.ly/1LcBH5F

That’s all for today. "Would you please get your own news? Curson, leave me alone!" http://bit.ly/1HEmKyy

Stay in touch with the whole team: David J. Lynch ( [email protected], @davidjlynch), Joseph Marks ( [email protected], @Joseph_Marks_); David Perera ( [email protected], @daveperera); and Tim Starks ( [email protected], @timstarks).
