Equifax hack prompts regulatory chatter from both parties

With help from Eric Geller and Martin Matishak

SAY WHAT NOW? — Equifax’s massive data breach might reflect the need for new regulations on credit agencies and other companies that hold vast troves of Americans’ sensitive personal data, the White House said Monday. “I think it’s something we have to look into extensively,” press secretary Sarah Huckabee Sanders told reporters when asked if new regulations were on the table. “We have to explore all the best ways to make sure that Americans are protected in that sense.” Homeland security adviser Tom Bossert, whose portfolio includes cybersecurity, “will be one of the primary people taking the lead on that front,” Huckabee Sanders said. The Equifax hack has renewed a debate about oversight of the credit reporting industry, which is almost unique in its ability to collect detailed information about virtually all American adults without their permission. But so far, most of the people calling for new regulations have been Democrats.


… FOR INSTANCE — On Monday, five liberal senators reintroduced a bill that would impose new requirements on credit reporting agencies and give Americans who sue them under the Fair Credit Reporting Act more legal remedies. “Because these credit agencies operate in the dark, they are allowed to be terribly unfair and unaccountable,” said lead sponsor Brian Schatz, who has gone after Equifax on Twitter. “Millions of Americans have bad credit because of mistakes from credit agencies, and it can ruin lives, stopping people from getting a job or owning a home or car.” Sen. Dick Durbin, the second-ranking Democrat in the chamber, called the breach “exhibit A” in the need for stronger regulation to protect consumers. Other Democrats also continued to put pressure on Equifax.

In a letter set for release today, Sen. Gary Peters, a member of the Commerce Committee, asked the FTC to get involved. “The stated touchstone of the FTC’s approach to data security is reasonableness, which means a company’s data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities,” Peters wrote. “Based on Equifax’s disclosure of this breach and the potential volume of affected consumers, I respectfully urge the FTC to immediately initiate an investigation into whether Equifax failed to establish and maintain a comprehensive information security program to protect consumers’ sensitive personal information.”

— THE REST OF THE STORY: Meanwhile, the leaders of the Senate Finance Committee joined forces Monday on a letter asking extensive questions of Equifax. The company has faced numerous new security questions post-breach. It moved to shore up the security of personal identification numbers for consumers trying to freeze their credit reports. Some complained that its website was directing users to less secure links. And debates raged on over responsibility for the breach.

HAPPY TUESDAY and welcome to Morning Cybersecurity! Your regular MC host is going to hand off duties to his colleagues for a stretch. Please be good to them. You can still send your thoughts, feedback and especially tips to [email protected], and be sure to follow @timstarks, @POLITICOPro, and @MorningCybersec, but full team info below.

DEFENSE POLICY BILL MOVES FORWARD — The Senate on Monday cleared the first procedural hurdle to considering the annual defense policy measure, voting 89-3 to move forward with debate. Only 60 votes were needed to proceed to the chamber’s draft of the National Defense Authorization Act (H.R. 2810). Senators filed over 400 amendments to the sprawling policy roadmap, many of which will never see floor time. One of the cyber-focused proposals is an add-on that would prohibit the use of federal funds to establish or support a "joint cybersecurity initiative" with Russia — a widely condemned idea President Donald Trump briefly floated this summer. Another amendment would ban the use of software from Russia-based Kaspersky Lab, while yet another offering would block the Pentagon from doing business with telecommunications firms found to have assisted North Korean cyberattacks.

The White House last week issued a statement objecting to language in the authorization bill that would establish the U.S. government’s cyber warfare policy, with an emphasis on deterrence. On Monday, Senate Armed Services Committee Chairman John McCain brushed off the administration’s concerns. “What’s their policy? That’s my answer to that. What’s their policy? They have none,” McCain told reporters, reprising a criticism he frequently used against the Obama White House. The Arizona Republican said he hoped lawmakers would wrap up the measure this week. “We’ll see.”

PROGRESS ON CAMPAIGN THREAT INFORMATION SHARING INITIATIVE — Former Clinton Campaign Manager Robby Mook, via POLITICO's Lauren Dezenski: "A lot of companies, take the retail sector for example, they have set up systems to share information and warn each other when there’s trouble out there. But outside of security, they’re really tough competitors and they don’t like each other and they’re trying to get ahead of each other. We want to bring that same culture into the political space, where when it comes to security, it’s one team, one fight."

Former Mitt Romney Campaign Manager Matt Rhoades: “Our goal isn’t to make the DNC and RNC love each other. But at the end of the day, I’ve been pleased to understand and see campaign committees and campaigns as they’re starting to gear up, take the issue seriously.” They’ve had off-the-record conversations with campaigns but won’t say who. "Not everyone wants to talk about it, because if you’re talking about it you’re not talking about your campaign, your candidate, and you’re also putting a target on your back, I totally get that. A lot of the meetings that we have, the discussions we have, are completely off the record for those reasons."

SLOWLY BUT SURELY — New voting machine security guidelines moved one step closer to reality on Monday, after a federal advisory committee reviewed draft high-level principles for the development of updated standards. The Voluntary Voting System Guidelines, or VVSGs, are optional for states to adopt, but in states that do so, voting machine vendors must meet the VVSGs — as certified by federal testing labs — before selling their equipment to election officials. The Election Assistance Commission and the technical standards agency NIST have been working on version 2.0 of the VVSGs, and the voting security part of that work has taken on increased urgency in the wake of Russia’s 2016 digital meddling. On Monday, the Technical Guidelines Development Committee, which advises the EAC and NIST, received a briefing on a NIST-EAC working group’s blueprint for VVSG 2.0.

Cybersecurity appears in the VVSG blueprint in the form of five of its principles: auditability, access control, data protection, system integrity, and detection and monitoring. Auditability refers to a voting machine’s ability to produce tamper-proof records of what happened on the machine and to its ability to support “efficient audits.” The data protection principle covers the prevention of unauthorized access to machines’ data and the verifiability of vote tally records. Detection and monitoring covers the need for machines to have defenses against malware and error logging. And system integrity, a new component of the VVSGs, will cover the use of digital redundancies, the verification of software code and the reduction of unnecessary physical and digital design elements to reduce machines’ “attack surface.”

The technical committee is expected to approve the high-level guidelines at tomorrow’s meeting. The working group will then begin crafting the actual standards that voting machine vendors will have to meet in states that adopt the VVSGs. But that effort could generate criticism over how it balances security and accessibility. Diane Golden, who chairs the accessibility working group, pointed out this tension at Monday’s meeting. “Quite frankly, in order to be accessible, it has to be digital,” she said. “You can’t make paper accessible otherwise. It has to be digital at some point to be accessible.” But security experts favor paper-based systems to prevent vote hacking. “We just have this balancing act tug-of-war going back and forth,” Golden said.

The EAC expects to present the finished VVSG overhaul to its standards board and its board of advisers in October, after which the boards will deliberate and a 60-day public comment period will open. The EAC hopes to present the final VVSG 2.0 to its three commissioners for a vote sometime in May. But the new VVSGs won’t make a difference for the 2018 midterm elections, when Russian government hackers are expected to return with a vengeance. The first machines certified to VVSG 2.0 standards aren’t expected to appear until 2020 or 2021.

HELPING THE LABS OF DEMOCRACY — Democrats on the House Homeland Security Committee want Congress to do more to help states on cybersecurity. In a report released in conjunction with the anniversary of legislation passed to implement recommendations from the 9/11 Commission — which Congress set up to investigate the terrorist attacks — the panel members made a range of proposals on homeland security issues. Notably, the group urged DHS to “take a look at whether the resources provided through existing grant programs are sufficient to build robust cybersecurity capabilities at the state and local level.” If it believes those programs are lacking, the Democrats encouraged the agency to submit a proposal to lawmakers. The group also said Congress should enact a House-passed DHS authorization bill that contains provisions meant to aid states on cybersecurity.

CYBER MONEY THE ADMINISTRATION DOESN’T WANT — A Senate spending bill would continue sending money to the State Department’s Office of the Coordinator of Cyber Issues, despite the Trump administration’s plans to close it. The fiscal 2018 State and Foreign Operations funding measure, which the Senate Appropriations Committee approved last week, would direct $5.5 million to the office. The House version of the bill would do the same. Plans for closing the office have drawn widespread criticism, including from Christopher Painter, the last man to lead the office.

PEOPLE BIG ON SAFETY — Google’s Safe Browsing Tool — which turns a computer screen into a big, red warning sign when encountering a suspicious website — is at work on 3 billion devices, Gizmodo reports. The feature was originally designed in 2007 but has undergone a number of technical tweaks that seem to have boosted its popularity. “Over the last few years, we’ve rethought how Safe Browsing delivers data. We built new technologies to make its data as compact as possible: We only send the information that’s most protective to a given device, and we make sure this data is compressed as tightly as possible,” Stephan Somogyi and Allison Miller of Google’s Safe Browsing team wrote in a blog post.
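The compactness Google describes comes from the publicly documented Safe Browsing client design: the device keeps only short hash prefixes of known-bad URL expressions, checks every URL locally against that small list, and contacts the server for full hashes only when a prefix matches. The Python below is an added illustration written for this page, not code from Google or from the blog post quoted above; the threat list, the FakeServer class that stands in for the full-hash service, and the simplified URL-expression rules (host suffixes crossed with path prefixes, no percent-decoding or IP-literal handling) are constructed for the example.

```python
"""Hash-prefix lookup in the style of Safe Browsing (constructed illustration).

The client syncs a set of 4-byte SHA-256 prefixes. A URL is expanded into the
host-suffix x path-prefix expressions a list entry could have been written for,
each expression is hashed, and only a prefix hit triggers a server round-trip
for the full hashes behind that prefix. Clean URLs never leave the device.
"""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest kept on the device


def url_expressions(url):
    """Simplified Safe Browsing expression rules (assumption: no percent
    decoding, no IP hosts). Hosts: the exact host plus up to four suffixes
    drawn from its last five labels. Paths: exact path with and without the
    query, plus up to four leading directory prefixes from '/' downwards."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    path = parts.path or "/"
    labels = host.split(".")
    hosts = [host]
    last5 = labels[-5:]
    start = 0 if len(labels) > 5 else 1  # avoid duplicating the exact host
    for i in range(start, len(last5) - 1):
        hosts.append(".".join(last5[i:]))
    paths = []
    if parts.query:
        paths.append(path + "?" + parts.query)
    paths.append(path)
    prefix = "/"
    for seg in [s for s in path.split("/") if s][:4]:
        if prefix not in paths:
            paths.append(prefix)
        prefix += seg + "/"
    return [h + p for h in hosts for p in paths]


def sha256(expression):
    return hashlib.sha256(expression.encode("utf-8")).digest()


def build_local_list(bad_expressions):
    """What a client stores after a sync: prefixes only, not full hashes."""
    return {sha256(e)[:PREFIX_LEN] for e in bad_expressions}


class FakeServer:
    """Stand-in for the full-hash service (constructed). Counts lookups so the
    example can show that a clean URL never causes a network request."""

    def __init__(self, bad_expressions):
        self._full_hashes = {sha256(e) for e in bad_expressions}
        self.calls = 0

    def full_hashes(self, prefix):
        self.calls += 1
        return {h for h in self._full_hashes if h.startswith(prefix)}


def check_url(url, local_prefixes, full_hash_lookup):
    """Return ('unsafe', matched_expression) or ('safe', None).

    full_hash_lookup is called only on a local prefix hit, and a hit is
    confirmed only if the server returns the complete digest: a prefix
    collision with an unrelated bad entry still yields 'safe'."""
    for expression in url_expressions(url):
        digest = sha256(expression)
        prefix = digest[:PREFIX_LEN]
        if prefix in local_prefixes:
            if digest in full_hash_lookup(prefix):
                return "unsafe", expression
    return "safe", None


# Constructed threat list: one whole host, one directory on another host.
BAD_EXPRESSIONS = ["malware.example.net/", "phish.example.org/login/"]

if __name__ == "__main__":
    local = build_local_list(BAD_EXPRESSIONS)
    server = FakeServer(BAD_EXPRESSIONS)
    for u in ("https://example.net/",
              "http://www.malware.example.net/download/x.exe",
              "http://phish.example.org/login/index.php?u=1"):
        print(u, "->", check_url(u, local, server.full_hashes))
    print("server lookups:", server.calls)
```

The local list costs four bytes per entry, which is why the whole thing fits on phones and cheap laptops; the price is the occasional full-hash request on a prefix collision, which reveals only a prefix of the hashed expression, not the URL itself.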

TWEET OF THE DAY — Never click links.

PEOPLE ON THE MOVE

— Cheryl Davis, former director of cybersecurity policy at the National Security Council and former principal director of cyber policy at DHS, is joining FTI Consulting as a managing director in its technology segment.

QUICK BYTES

— Attorney General Jeff Sessions and Director of National Intelligence Dan Coats pressed Congress to make controversial spying powers permanent. POLITICO Pro.

— The Senate’s self-driving vehicle legislation encourages bug bounty programs. Nextgov.

— A Russian politician’s comments about Russia stealing the U.S. election are open to interpretation. The Hill.

— Twitter was asked to tell Reality Winner that the FBI had obtained her social media activity. Emptywheel.

— Spain hit Facebook with a $1.2 million fine over privacy. The Next Web.

— Microsoft has recommendations for Europe’s revised cybersecurity strategy.

— The English football association is beefing up its cybersecurity in anticipation of Russian hackers for the 2018 World Cup. Guardian.

— Routers and zero-day flaws. ZDNet.

That’s all for today. There they are. Right down there.

Stay in touch with the whole team: Cory Bennett ([email protected], @Cory_Bennett); Bryan Bender ([email protected], @BryanDBender); Eric Geller ([email protected], @ericgeller); Martin Matishak ([email protected], @martinmatishak) and Tim Starks ([email protected], @timstarks).
