Senate passes energy bill granting DOE secretary emergency cyber powers

With help from Darren Goode, Matthew Nussbaum, Kate Tummarello and Ben Weyl

GOOD AND PLENTY — A House Oversight subcommittee hearing on Wednesday was chock full of cyber goodies, some looking back, some looking forward:

— CHAFFETZ SKEPTICAL: Full committee Chairman Jason Chaffetz is key to whether the administration can push through a $3 billion legislative proposal to modernize federal government information technology, since those aging computer systems present vulnerabilities to hackers. Despite the fact that House Minority Whip Steny Hoyer is carrying the bill, Chaffetz sounds like he’ll be a tough sell; he had already sounded skeptical when the president first floated the plan in February. “The federal government has spent more than $525 billion on IT — and it doesn’t work. It doesn’t work,” he said at the hearing Wednesday. “And so I see that the president has a proposal, he needs another $3 billion — as if $525 billion wasn’t enough — he needs $528 billion in order to actually solve these problems. I have a hard time believing that we’re just three more billion away from actually solving this.”

— DHS TOUTS INFO SHARING EFFORT: Fourteen private entities are connected to a federal cybersecurity information sharing server, while another 82 have signed terms-of-use agreements and will become connected, Assistant Homeland Security Secretary Andy Ozment told the House Information Technology Subcommittee. “So there is clearly interest in doing this,” he said. The system will continue to grow incrementally, he said. “I am very happy with our rate of growth to date.” Since March 17, when Secretary Jeh Johnson certified the info-sharing network that Congress had created in a broader cyber bill in December, DHS has shared more than 2,000 threat indicators to the private sector and received additional indicators that were shared internally in the administration, Ozment said.

— HURD SAYS NASA, COMMERCE SLOW ON JUNIPER: Subcommittee Chairman Will Hurd slammed NASA and the Commerce Department for their slowness in responding to the software breach announced in December by federal contractor Juniper Networks, lumping them in with the Treasury Department as three agencies that took more than 50 days to fully install patches Juniper provided. Hurd highlighted Treasury’s response at Wednesday’s hearing, and said the nine other agencies affected by the software breach took between a few days and a little over a week to determine any risks to their networks. “In this day and age, it shouldn’t take you that long to even determine what’s on your network. You should already have the tools in place to do that,” the Texas Republican told reporters after the hearing.

— REMAINDERS: The Treasury witness told the subcommittee that the department could have patched the Juniper vulnerability more quickly. While Hurd suggested another country was probably responsible for the backdoor, Ozment said that was a question for the director of national intelligence to answer. Ozment also told the subcommittee that DHS will press wireless carriers to address a Signaling System No. 7 vulnerability that could allow hackers to access callers’ conversations.

HAPPY THURSDAY and welcome to Morning Cybersecurity! In light of Wednesday’s currency news, here’s “Drunk History” on Harriet Tubman. (Slight naughty language warning, though, since it was on Comedy Central.) Send thoughts, feedback and especially your tips to [email protected] and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.

SENATE PASSES ENERGY BILL WITH CYBER STUFF — The Senate on Wednesday passed legislation granting emergency authority to the Energy secretary to issue orders to the North American Electric Reliability Corp. when the bulk-power system is under dire cyber threat. The bill also requires the Energy Department to write regulations defining “critical electric infrastructure information” and preventing its unauthorized disclosure, although it would not include any mandatory information sharing. It’s the first broad energy bill passed in the Senate since 2007. Next, the Senate must reconcile its measure with House-passed legislation.

NO NEW IRS MONEY IN THE SENATE — While the IRS and Democrats have been warning that the agency is left more vulnerable to cyberattacks because of budget cuts, don’t expect the Senate Appropriations Committee to offer a spending hike. Sen. John Boozman, chairman of the Financial Services Subcommittee, said the agency probably won’t get a budget boost from his panel in fiscal 2017, and he’s not worried that it will leave the agency vulnerable online. “No, because we simply have to — we simply make them spend money on things they should be spending on,” he told our Budget and Appropriations Brief colleagues. “We have real concerns over cybersecurity, real concerns over identification loss. Sadly, that doesn't seem to be on the top of their radar, which it should be. … You give them more money, but it just doesn't seem to be going to the places where they need to go, or they're so inefficient with the dollars that they get, they simply don't do a very good job at all.”

SENATE COMMERCE TO MARK UP IOT BILL — The Senate Commerce Committee is preparing to mark up the DIGIT Act next Wednesday, Chairman John Thune told Morning Tech. That bill from Internet of Things enthusiasts Kelly Ayotte, Deb Fischer, Cory Booker and Brian Schatz would have the Commerce Department create an Internet of Things working group, made up of federal, industry and consumer group representatives and tasked with reporting to Congress within a year on recommendations to boost connected devices.

— ELSEWHERE IN THE IOT: Rep. Jim Langevin, one of Capitol Hill’s top cyber experts, is telling the FDA today that he supports the agency’s guidance on securing medical devices — but it needs to do more. The guidance is smart because it’s risk-based and voluntary, he said. But “[b]eyond promulgating this guidance, FDA has an important responsibility to ensure that manufacturers are properly complying with the proposed mitigation methods or are properly reporting cybersecurity risks” under existing regulations, Langevin wrote in a letter to the FDA.

JUDGE REBUFFS FBI IN HACKING CASE — A federal judge ruled Wednesday that the warrant the FBI used to hack thousands of computers in a child porn sting wasn’t issued properly. The reason: The court that issued it doesn’t have jurisdiction, wrote Judge William G. Young. The case sheds light on the Justice Department’s pursuit of changes to Rule 41 to allow law enforcement to seek warrants that apply outside a judge’s jurisdiction, since anonymized suspects might be hard to pinpoint by location. In this case, the FBI was going after users of Playpen, hosted on a hidden Tor service. The ruling came with a scolding from Young over the FBI continuing to keep Playpen operational during its case. “Unlike those undercover stings where the government buys contraband drugs to catch the dealers, here the government disseminated child obscenity to catch the purchasers — something akin to the government itself selling drugs to make the sting,” he wrote.

SPIES FIGHT THUMBPRINT HACKING — The intelligence community’s futuristic research wing took note of how the massive Office of Personnel Management breach exposed the thumbprints of current and former federal employees. Now the Intelligence Advanced Research Projects Activity wants to figure out how to keep anyone from using them, employing artificial intelligence. On Wednesday it launched a four-year program aiming to combat fraudsters who want to get around biometric methods of identity verification, be they iris scans or thumbprint readers. Although IARPA cited the OPM hack in an online notice, it plans to go beyond that with its Norse-themed program. “The intent of Odin is to not only work to find solutions for the current issues but also seek to identify solutions to those issues of the future,” the notice reads. Look for a solicitation soon, the Office of the Director of National Intelligence predicted.

AIR FORCE IN CYBERSPACE — The Air Force recently issued a new directive that spells out its cyber mission. “The AF will execute Cyberspace Operations to support joint warfighter requirements, increase effectiveness of its core missions, increase resiliency, survivability, and cybersecurity of its information and systems, and realize efficiencies through innovative IT solutions,” says the document, dated April 12 but highlighted Wednesday by Steven Aftergood of Secrecy News. The updated doctrine isn’t classified. Aftergood observed that “although the Obama administration generally neither claims nor receives credit for it, military cyberspace doctrine has become one of a number of significant policy areas in which this administration is demonstrably ‘more transparent’ than its predecessors.”

NO MORE PEN AND PAPER? In a notice set for publication in the Federal Register today, DHS is seeking public comment on a proposal to move away from paper records and toward electronic records for its storehouse of sensitive data on important physical and cyber infrastructure. The Protected Critical Infrastructure Information Program might use the same process created to share cyber threat data that it established last year in advance of Congress passing a new information sharing law. The lack of audits of the current PCII database has come under criticism from House Intelligence Chairman Devin Nunes.

CYBERVIZ — The Center for Strategic and International Studies this week launched a new competition under the name CyberViz. “The goal of the project is to enable a deeper understanding of vulnerability, crime, and conflict in cyberspace through interactive visualizations that include multiple layers of data related to cybersecurity,” according to the CSIS website. Learn more here.

QUICK BYTES

— “A public advocate appointed by the nation’s secretive surveillance court last year argued that a little-known provision of the PRISM program, which enables the FBI to query foreign intelligence information for evidence of domestic crime, violated the Constitution.” The Washington Post.

— Viber is going full encryption for its 700 million users. Wired.

— Sen. Dianne Feinstein told POLITICO that Ted Olson, the lawyer for Apple in the San Bernardino phone unlocking case, said her encryption legislation was a “good bill.”

— FireEye and iSIGHT Partners issued a report on a cybercrime gang that has potentially earned hundreds of millions of dollars.

— “Citing a recent and large increase in credit card fraud, Washington, D.C.-area grocer Giant Food says it will no longer allow customers to use credit cards when purchasing gift cards and reloadable or prepaid debit cards.” Krebs on Security.

— The creator of the malware program SpyEye, used to steal financial info, was sentenced to 15 years in prison. The Washington Post.

— The director of the Defense Information Systems Agency says new tools are needed to fight today’s cyber threats. Federal News Radio.

That’s all for today. She was also quite the athlete.

Stay in touch with the whole team: Darren Goode ([email protected], @DarrenGoode); Bob King ([email protected], @BKingDC); and Tim Starks ([email protected], @timstarks).

Follow us on Twitter: Heidi Vogt @HeidiVogt; Eric Geller @ericgeller; Martin Matishak @martinmatishak; Tim Starks @timstarks.