The encryption hot potato

With help from Joseph Marks and David Perera

CLINTON’S PRIVATE EMAIL SERVER SAFER? — The federal government has been hacked plenty. Clinton’s server? No proof of it. That’s the new tack the pro-Hillary Clinton camp is using to defend her use of a private email server.


The pro-Hillary group Correct the Record is going against the grain on how secure Hillary Clinton’s server was — many security experts have pointed out that government systems are, by and large, more secure than private email servers. Correct the Record details a slew of government hacks — many of which occurred during President Barack Obama’s time in office — compared to the lack of evidence that Clinton’s email system has been breached. (The FBI is looking deeper into whether the private system has been accessed by intruders.)

“The U.S. government has been hacked on numerous occasions, compromising even the most sensitive of information,” the report states. “Anyone who attempts to argue that the contents of Hillary Clinton’s email would have been more secure on a government server must contend with these facts.” More for Pros: http://politico.pro/1OFRD4m. The report: http://bit.ly/1UKb3GY

HAPPY FRIDAY and welcome to Morning Cybersecurity! Hopefully the weather’s as nice today as it was in Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch recently. http://bit.ly/1L339YC Send your thoughts, feedback and especially your tips to [email protected] and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.

DIANNE FEINSTEIN & CHRIS SOGHOIAN NAMED TO POLITICO 50: Feinstein, the former chair of the Senate Intelligence Committee, called Edward Snowden’s 2013 NSA leaks treason. But years beforehand, the ACLU’s Soghoian was already urging Web and telecommunication companies to encrypt their users’ data and thereby protect the Internet’s pedestrians from prying government eyes. Check out the POLITICO 50 issue of POLITICO Magazine to read more about Feinstein [http://politi.co/1KFYzRx] and Soghoian [http://politi.co/1UIK3aX].

ENCRYPTION IS A HOT POTATO — No one doubts the importance of resolving the tension between encrypted technology (like smartphones) and law enforcement/intelligence collection. “It really is the holy grail for the IC,” House Intelligence Chairman Devin Nunes said Thursday at a conference hosted by AFCEA and the Intelligence and National Security Alliance. But it looks like nobody wants to take the lead on it either.

Rep. Adam Schiff, the top Democrat on the Intelligence Committee, said at the conference that on a recent visit to Silicon Valley, companies surprisingly told him — in reference to the intelligence community — “Why don’t they give us a proposal and let us weigh in on it?” It’s understandable in retrospect why they’d punt, Schiff said, since it’s not in their economic interest to take the lead. And, he said, “It’s extraordinarily unlikely that Congress would try to come up with some kind of legislative mandate” because it’s probably neither politically feasible nor desirable.

Later in the morning, at an open House Intelligence hearing, FBI Director James Comey said, “You should not look to the government for innovation, right? We can do a lot of great things but technologically, innovation is not our thing.” Schiff believes the encryption debate will be more difficult to resolve than this year’s legislation in response to the telephone records disclosures of Edward Snowden: “This is a phenomenal challenge that makes the metadata debate we just had seem trivial by comparison.”

— OR MAYBE ENCRYPTION IS A NON-STARTER: Asked about Comey’s idea of an encryption “front door” during a question and answer session at the East West Institute’s Cyberspace Cooperation Summit, Paul Nicholas, Microsoft’s senior director of global security strategy and diplomacy, said finding a compromise is effectively off the table. “Is there hope in the tech community for building some sort of front door access? The answer I would have for that is no,” Nicholas said. “If you put this front door in for the FBI, No. 1, it’s probably not technically possible, two, it would have an undermining effect for security and, three, every other government is going to want that. That’s where you start to get into ‘but we want a different front door, because we can’t use the same one.’ I think there are a number of challenges that make that really not a possibility.”

A THIN LINE BETWEEN OFFENSE AND DEFENSE, WAR AND CRIMINALITY — A pair of top Democrats on the House Intelligence Committee, including Schiff, want clearer defining lines on what constitutes an act of cyberwar and what is mere criminality. “We don't know today what constitutes an act of war,” said Rep. Jim Himes at Thursday’s Intelligence Committee hearing, calling on the U.S. to lead a Geneva Accords-style effort for cyber. “We don't know what an appropriate response is. We don't know where the line is drawn between crime and warfare.”

Some Republicans want clearer definitions, too. Rep. Lynn Westmoreland asked NSA director and Cyber Command chief Adm. Mike Rogers when cyber defense becomes offense. “So for us, particularly, in the DoD side, I'm pretty comfortable that we've got a fairly well-understood characterization of what is defensive in nature, in terms of actions and response,” Rogers said. “The bigger challenge, in some ways, is there is still uncertainty about how would you characterize what is offensive and what is authorized. Again, that boils down, ultimately, to a policy decision. And to date we have tended to do that on a case-by-case basis.” Our other coverage of Thursday’s big hearing, on China: http://politico.pro/1XQh9Ks And on Iran and North Korea: http://politico.pro/1gd2Uxk

APOCALYPSE LATER, MAYBE — Little makes the public notice cybersecurity more than talk of wanton destruction of America’s electricity grid, water treatment plants and other bits of what’s known as critical infrastructure. But don’t get too worked up about the cyber apocalypse, cautioned White House Cybersecurity Coordinator Michael Daniel. “Although intruding upon someone somewhere on a random point and getting access to a random system is fairly easy, to intrude on a specific [critical infrastructure] system, to have a specific effect in the time and place of your choosing, and have that effect only be what you want and nothing else is actually really hard,” he told a Washington conference audience.

Critical infrastructure hacking remains a worry, Daniel said — and the likelihood of hackers doing something bad is going up as more critical infrastructure gear gets networked to the Internet. But that’s a far cry from the predictions of Armageddon emanating from alarmists.


FORMER DHS OFFICIAL GIVES A SPIRITED HUAWEI DEFENSE — Why does Andy Purdy, a former Homeland Security official and top CSC cyber strategist, now work for Huawei? Because he thinks Huawei is at the forefront of securing the global supply chain and “because I’m an American, frankly, and I want America to be safer,” he said. Purdy made the justification during a keynote address at the East West Institute’s Global Cyberspace Cooperation Summit after Fred Teng, president of the America China Public Affairs Institute, asked about reports that the company’s products may make it easier for the Chinese government to spy on Americans.

The House Intelligence Committee first leveled those charges in a 2012 report, which urged the U.S. government and major contractors to steer clear of partnering or contracting with the Chinese tech giant. Huawei USA hired Purdy that same year to be its chief security officer. Purdy argued Thursday that there are “countervailing forces that don’t want to raise the bar on cybersecurity, ... forces that do not want to have more secure products and services.” U.S. tech firms have also been accused of carrying NSA malware.

MORE EXCELLUS FALLOUT ON THE WAY? — We haven’t seen the full scope of the Excellus Blue Cross data breach that affected 10 million customers, predicts Arun Vishwanath, a University of Buffalo professor who studies online security and cyber behavior. “The average breach lasts for about a year before it is discovered,” he told MC. “My strong, strong guess is there is more here. In these kinds of cases, if you have access to the network, you won’t stop, you will hit as much as you can. That means it won’t just be BlueCross that is impacted, it will be their affiliates all over the country.” Some of that fits the usual pattern of a breach discovery, he said, where the original breach announcement is smaller at first and later multiplies in size.

The consequences are potentially grave, said Vishwanath: “It would be relatively simple for the hackers to go from BlueCross to physician’s offices, for example. What makes this breach so dangerous is the health care industry’s national push toward electronic medical records.”

LAW ENFORCEMENT PRESSURES LIBRARY OVER TOR SERVER — Police pressure has caused a public library to suspend its experiment in hosting a Tor server, ProPublica reported Thursday. Tor depends on volunteers to host servers used to hide the origin of Internet traffic routed through the anonymity network, and the Kilton Library in Lebanon, N.H., recently agreed to house one in its network. “Soon after, state authorities received an email about it from an agent at the Department of Homeland Security,” which led to a meeting between local police and city officials. Then the library unplugged the server, telling ProPublica the project is “on pause.”

Because Tor provides solid anonymity, its users apply it for a range of purposes from evading censorship to hiding criminality (and lots of banality between the two extreme poles). Area police department spokesman Lt. Matthew Isham told ProPublica that “for all the good that a Tor may allow as far as speech, there is also the criminal side that would take advantage of that as well.” http://bit.ly/1JZ1fGr

BIG IDEA: A GLOBAL TAKE ON CRITICAL INFRASTRUCTURE SECURITY — Individual countries are making progress in securing their critical infrastructure against cyberattacks, but they’re duplicating a lot of effort and not learning from each other’s successes and failures, Tom Patterson, Unisys vice president for global security solutions, told Joe on the sidelines of the East West conference Thursday. Patterson led a “breakthrough” discussion at the conference on critical infrastructure.

He proposes launching an international community to share critical infrastructure tips, plans and best practices. Most nations’ worst nightmare is an adversary looking through its energy systems or other infrastructure and charting the path for a future cyberattack. But the international group’s work can be done at a high enough level that systems won’t actually be put at risk, Patterson said. The group will also start in sectors where there’s already some cooperation, such as transportation and health care, he said. The next step is to set up an online forum where people can share ideas and concerns, he said. “By continuing on the path of looking at it nationalistically, maybe we’ll get there, but it will take longer and it will be less perfect,” he said.

QUICK BYTES

— The Chamber of Commerce weighed in on new draft federal contractor cybersecurity requirements. POLITICO Pro: http://politico.pro/1Nsyi9J

— The former boss of a Republican advertising company in Ohio has been sentenced to probation and a fine over hacking claims. The Columbus Dispatch: http://bit.ly/1QrSt5U

— John McAfee’s presidential campaign announcement video will surely go viral. http://bit.ly/1ihxg3x

That’s all for today. So many thin lines. http://bit.ly/1i1RtJZ

Stay in touch with the whole team: Joseph Marks ([email protected], @Joseph_Marks_); David Perera ([email protected], @daveperera); and Tim Starks ([email protected], @timstarks).

