CISA could come up soon

With help from Joseph Marks and David Perera

CISA COULD COME UP SOON, BUT NOT THIS WEEK — The Cybersecurity Information Sharing Act is still on the Senate’s short-term list of things to do, but neither of CISA’s lead sponsors expects any action this week, they told MC. “Not this week, I don’t think so,” said Senate Intelligence Chairman Richard Burr.


Sen. Dianne Feinstein said they’re still trying to chop down the number of amendments, possibly by adding some to a manager’s amendment. She didn’t sound excited about more being added – a possibility under the existing agreement. “I wouldn’t be for any more amendments. Twenty-two seems like enough,” she said. But Burr said he’s ready to go within five minutes of getting word that he’ll have floor time: “I can process 22 amendments in a couple days,” he said.

A whip notice from Tuesday that includes the word “cybersecurity” also suggests CISA is likely on deck: http://politico.pro/1Gfe0c2

Also Tuesday, the privacy group Fight for the Future released its scorecard on who is “team Internet” and who is “team surveillance,” ahead of potential votes on CISA. Check it out here: http://bit.ly/1QJT7Ly

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! On Tuesday, your MC host learned that Trent Lott’s nickname for Sen. Burr is “Burrito,” or at least that’s what he called Burr yesterday. As usual, send your thoughts, feedback and especially your tips to [email protected] and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.

NOW AVAILABLE: POLITICO PRO EUROPE BRIEF –POLITICO Pro, POLITICO’s premium subscription service, has launched a new product dedicated to making sense of European policy and politics through an American lens. Drawing on POLITICO resources in both Brussels and in DC, POLITICO Pro Europe Brief will track and analyze European policy from taxes to trade to mergers and acquisitions, energy and financial services as well as pull back the curtain on who’s influencing who when it comes to politics and regulatory issues. Contact us to learn more about POLITICO Pro Europe Brief.

CYBER DETERRENCE TODAY, CYBER DETERRENCE YESTERDAY — Tuesday was a DoD-focused, cyber-heavy day on the Hill, and there’s more on the way today. Both the House and Senate Armed Services committees dived into cyber Tuesday, with the Senate panel hearing from top intel and DoD officials and the House panel slated to inherit most of those same witnesses today. Since the House committee dipped its toes into the issue of deterrence a little with its panel of non-government cyber experts Tuesday, expect it to delve more into the topic today as well.

On the Senate side Tuesday, administration officials caught repeated hell from both sides of the aisle for not clearly signaling when the U.S. would retaliate for cyberattacks. Sen. Angus King cited “Dr. Strangelove,” saying the film “taught us that if you have a doomsday machine and no one knows about it, it’s useless. … The deal is they have to know how we’ll respond and therefore not attack in the first place.” More from Joe: http://politico.pro/1VlZc7V

Also Tuesday, the two committees came together on the fiscal 2016 defense authorization bill, which contains a number of cyber provisions, chief among them “automatic liability protection for certain defense contractors that share cyber threat information with the Defense Department.” For Pros: http://politico.pro/1PMmU6o

INTEL LEADERS WARN SHUTDOWN COULD HARM CYBER — Top spy agency officials have been sending the message in recent days and weeks that cybersecurity could suffer in a government shutdown. Director of National Intelligence James Clapper said during the Senate Armed Services hearing, “I’m rather struck by the irony here of, before I left my office to come to this hearing, I was reviewing the directions we’re putting out to our people for shutting down or furloughing people. What better time for a cyberattack by an adversary when much of our expertise might be furloughed.” (Essential security personnel are exempt from furloughs in a shutdown, but apparently Clapper is planning for losing at least some of them.) Deputy Defense Secretary Bob Work said at the same hearing that while DoD was on track to hit its personnel and team targets for its Cyber Mission Force by 2018, that’s only if there’s no shutdown. The last shutdown set back work on a Cyber Mission Force by six months, Work said.

Adm. Mike Rogers, head of the NSA and U.S. Cyber Command, warned last week at a Senate Intelligence hearing that even the possibility of a shutdown hurts. Elite cyber personnel can “easily get jobs on the outside and earn significantly more amounts of money,” Rogers said, but they are motivated to stay because of the importance of the mission. Instability makes their lives harder. A threatened government shutdown, Rogers said, sends a signal to employees that they are “a secondary consideration in a much larger game. It just drives the workforce to the point where today I literally was talking to the leadership, talking about how to keep these men and women.”

ARE WE HELPING IRAN WITHSTAND OUR CYBER SURVEILLANCE? — Sen. Mike Lee is concerned that a provision in the Iran nuclear agreement requires the U.S. to help strengthen Iran’s nuclear infrastructure against cyberattacks — from the likes of us. Lee questioned Director of National Intelligence James Clapper about the provision — which calls on the P5+1 nations that negotiated the agreement to “strengthen Iran’s ability to protect against and respond to nuclear security threats including sabotage” — during Tuesday’s Armed Services hearing. Lee wanted to know if the provision extended to cyberthreats and asked, “Why would we want to give Iran the ability to defend against cyber weapons we … might one day want to use against Iran?”

Clapper declined to discuss the issue in detail during an open session but said it would not impede the U.S. Intelligence Community’s ability to monitor Iranian compliance with the agreement. “I’m not aware of any strictures on our ability to collect on their behavior and their compliance,” he said. The U.S. and Israel are widely believed to have developed the Stuxnet worm, a cyber exploit that set back the Iranian nuclear program by a year or more.

** A message from Northrop Grumman: Today’s enemy threats have taken on forms like never before. That’s why our full-spectrum cyber capabilities enable our military to tackle challenges at the push of a button. See how at http://bit.ly/1IM0OAJ **

HOWSABOUT A FEDERAL CISO? A CYBER WARRIOR REVOLVING DOOR PROGRAM? — Some members of the House Armed Services Committee were intrigued by two ideas thrown out by Richard Bejtlich, chief security strategist at FireEye, during a hearing on cyber Tuesday. One was to create a federal Chief Information Security Officer; many companies get a CISO after a breach, Bejtlich said, but the federal government hasn’t. Rep. Jim Langevin asked what the CISO’s responsibilities would be, and Bejtlich answered: protect civilian government networks but stay away from DoD networks. Bejtlich’s other idea would allow military cyber experts to take two-year hiatuses into the private sector to get a sense of how things work there and for businesses to pick up some government techniques. It would serve as career enhancement for those personnel, some of whom find the current career path in government too limiting, he said.

TWITTER, OTHERS PETITION W.H. TO BACK STRONG ENCRYPTION — A bevy of activist groups and companies including Twitter and Dropbox are urging President Barack Obama to make a public declaration of support for strong encryption without backdoors. Led by human rights group Access, they’ve filed a “We the People” WhiteHouse.gov petition they will unveil today. It needs 100,000 signatures within 30 days to get an official response. “You simply cannot weaken encryption or create secret backdoors for law enforcement without making those same vulnerabilities available to bad actors,” said Nathan White, Access’ senior legislative manager. More: http://bit.ly/1OF6srd

NTIA VULNERABILITY DISCLOSURE PROCESS LIMPS ONWARD — The first in a series of planned meetings convened by the National Telecommunications and Information Administration on the subject of vulnerability disclosure ended Tuesday without a clear conclusion. But a plurality of participants appeared to agree to form working groups dedicated to specific disclosure-related issues such as economic incentives or disclosures affecting multiple parties. At least, that’s “my interpretation,” said Joseph Lorenzo Hall, chief technologist of the Center for Democracy and Technology, who flew in to attend the meeting in Berkeley, Calif.

It was a day punctuated by occasional attacks on the idea of an NTIA process at all, especially from cyber attorney Jennifer Granick, who noted the agency’s lack of power to change the things that really bedevil researchers, such as broad application of anti-hacking laws. “We have to start somewhere,” retorted NTIA deputy associate administrator Evelyn Remaley. The next meeting is likely to be held in Washington in November. Here’s background: http://politico.pro/1VmDnjc. And more from NTIA: http://1.usa.gov/1hs0Z8Q

DOD WATCHDOG TO CHECK ON CONTRACTORS’ REPORTING OF CYBER BREACHES — The Defense Department’s inspector general plans to launch an audit this month “to determine whether DoD contractors are reporting and investigating cyber incidents in accordance with DoD requirements,” according to a notice out Tuesday. The audit will begin at the offices of the Under Secretary of Defense for Acquisition, Technology, and Logistics and the DoD Chief Information Officer, then proceed to other offices “based on our sample of contracts reviewed,” the notice states. More details here: http://bit.ly/1YNm5A6

THE FIVE AREAS OF SUBSTANDARD FEDERAL CYBERSECURITY — Federal agencies are particularly bad at five areas of cybersecurity, says the Government Accountability Office. They are: access control; configuration management; segregation of duties; contingency planning; and agency-wide security management. GAO came to that conclusion after studying the last two years’ worth of inspector general reports on agency cybersecurity practices. Nevertheless, the GAO only had one, generalized recommendation: The federal government should “enhance reporting guidance … for all rating components of agency security programs.” More: http://1.usa.gov/1jvtzaN

QUICK BYTES

— The CIA pulled personnel from Beijing after the Office of Personnel Management breach, The Washington Post reports. http://wapo.st/1iJEugs

— A former top Chinese official blasted the United States for its “double standard” on cyber. The New York Times: http://nyti.ms/1LNAjfb

— Employers are increasingly relying on surveillance techniques, such as monitoring emails, to deal with insider espionage, reports The Wall Street Journal. http://on.wsj.com/1LiWBXs

— Apple has substantially revised its privacy policy. Washington Post: http://wapo.st/1FGsYwF

— Selfies as identification verification tools? That’s a thing now. NextGov: http://bit.ly/1Wx3LcD

— The U.K. turns to gamers for cyber help. Motherboard: http://bit.ly/1Lj3Kad

— A case that tests how much information the federal government can extract from your hard drive during investigations, via Ars Technica: http://bit.ly/1KQDf6E

— Non-targeted attacks are growing rapidly, and companies take an average of 100-120 days to remediate found vulnerabilities, according to a report from Kenna Security. http://bit.ly/1jwbM3p

That’s all for today. Here’s a tiny hamster scarfing down a bunch of tiny burritos: http://bit.ly/1iykz21

Stay in touch with the whole team: Joseph Marks ([email protected], @Joseph_Marks_); David Perera ([email protected], @daveperera); and Tim Starks ([email protected], @timstarks).

** A message from Northrop Grumman: To meet today’s most advanced enemy threats, our military needs to be able to eliminate them — without putting troops in harm’s way. That’s why we’re the leader in full-spectrum cyber. Learn more at http://bit.ly/1IM0OAJ **
