THE KEY

Two former spooks are heading to Congress — and both say they’re ready to use their expertise to help push forward new cybersecurity policies.

Former Central Intelligence Agency officers Abigail Spanberger and Elissa Slotkin won their House races last week and will be representing Virginia and Michigan respectively. They’re coming to Washington at a time when Congress is expected to address a wide range of cybersecurity issues — including securing election systems and supply chains.

The Trump administration needs to do more to guard against cyberattacks on critical infrastructure, from electrical grids to election systems, Slotkin said in a statement. It’s Congress’s job “to put politics aside and make ensure that happens,” she said. “As a former CIA officer trained to identify and mitigate risks, it is clear to me there is far more work to do.”

Spanberger says she is positioning herself for a seat on a committee such as Foreign Affairs and wants to focus on national security. Securing elections from tampering by foreign adversaries is a big priority for her, she said. “Because of my work at the CIA, I have a very good perspective on what threats exist,” she said in an interview. “It will inform how I look at all aspects of cybersecurity.”

Both are poised to be key players in the debate even as freshmen. Very few lawmakers have experience in cybersecurity or even more broadly in the technology industry. As complex issues ranging from disinformation on social media to encryption are debated on Capitol Hill, Congress’s lack of tech knowledge has been a sore spot for Silicon Valley and strained an already tense relationship.

Some have suggested the relationship between the technology industry and policymakers would improve if there were more lawmakers with technology experience. And having more credible members in Congress could lead to more effective bills and more sophisticated discussion of technical issues.

“We need more basic tech knowledge and competence among policymakers,” Rep. Ro Khanna (D-Calif.), who represents Silicon Valley, said last week at a Technology 202 Live event.

Spanberger was an operations officer for the CIA for eight years with a focus on international counterterrorism. Before joining the CIA, Spanberger worked as a federal law enforcement officer, working on narcotics and money laundering cases with the U.S. Postal Inspection Service. The CIA recruited Slotkin after Sept. 11, 2001, to be a Middle East analyst. Slotkin, who is fluent in Arabic, did three tours in Iraq. She later became the director of Iraq policy at the National Security Council and then moved to the State Department and the Pentagon, rising to acting assistant secretary of defense for international security.

My colleague James Hohmann reported on the trend of CIA officers running for office last year, when tensions between the Trump administration and the intelligence community were high.

Yet techies from the private sector have struggled to win seats. Other congressional candidates with ties to the technology industry, such as former Groupon executive Suneel Gupta or Dataminr vice president Pat Ryan, lost their primaries. Gupta ran for Michigan’s 11th Congressional District, and Ryan ran for New York’s 19th District.

Other races have been very tight. California venture capitalist Josh Harder is locked in a race that’s too close to call against Republican Rep. Jeff Denham. The San Francisco Chronicle reported on Friday that Harder had a slight lead in the race.

And some who were elected have an uncertain future. Will Hurd (R-Tex.), who made the jump from the CIA to Congress, declared victory on election night after the Associated Press projected his victory. But the AP later said the race was too close to call, and his Democratic opponent Gina Ortiz Jones has refused to concede until every vote, including provisional and absentee ballots, is counted.

Hurd was an undercover officer in the CIA in the Middle East and Southeast Asia for nearly a decade, and he later worked as a senior adviser to cybersecurity firm FusionX. Hurd has demonstrated how a background in intelligence can shape a lawmaker’s approach to policymaking. He's seen as one of the most tech-savvy members of Congress: He rose to chair of the House subcommittee on information technology. He also sits on the House Permanent Select Intelligence Committee, and he has introduced legislation that would help the government update its IT systems. Last week, Hurd was part of a group of cybersecurity experts from the public and private sector who released a set of principles to secure the Internet of Things.

Spanberger said she envisions herself playing a role similar to Hurd's, but for the Democrats. “I hope to be able to bring my experience to the Democratic side of the aisle,” she said.

PINGED, PATCHED, PWNED

PINGED: Researchers from the federal government and the private sector took part in an exercise simulating a cyberattack on the power grid and explored ways to restore power, the Wall Street Journal's Adam Janofsky reported. “Drills played out over seven days, starting on Halloween,” according to the Journal. “The goal was to test how the grid could recover from catastrophic incidents including supply chain attacks, ransomware and misconfigurations of critical machinery. Participants also validated sensors, software and other security tools that could be used in an emergency by utility companies throughout the country.” The exercise took place on Plum Island in the Long Island Sound — the island is also the home of the federal government's Plum Island Animal Disease Center.

“Grid operators and government workers conduct frequent tabletop exercises to determine who would do what during a cyberattack, but those activities lack the depth and urgency of a real-world scenario and might not reveal problems in response plans, said Walter Weiss, the program manager for the Defense Department’s Defense Advanced Research Projects Agency, or DARPA, who led the exercises,” Janofsky wrote. Weiss also told the Journal that the drill helped identify ways to improve the response to an incident. “Some test findings will be published and already DARPA has discovered a few ways to tweak security tools to save time during a crisis, he said,” Janofsky reported. “For example, researchers lost about half of a day at one point because they misinterpreted normal grid behavior as a sign of a cyberattack. He wouldn’t provide details.”

PATCHED: Sue Gordon, principal deputy director of national intelligence, wants tech companies and the federal government to work together on artificial intelligence, according to Wired. “Artificial intelligence, she says, presents a huge opportunity for the government and the private sector, but the risks of its being abused, biased, or deployed by foreign adversaries is so real that the government and tech companies should . . . collaborate to secure it,” Wired's Emily Dreyfuss reported. Gordon was disappointed by Google's decision not to renew its contract with the Defense Department as part of an artificial intelligence initiative called Project Maven. “Gordon expressed dismay over the decision, emphasizing that pattern recognition work is vital to intelligence gathering, and that it’s in the country's best interests to develop the best systems to get it done,” Dreyfuss wrote. (You can read more about Google's withdrawal from Project Maven in The Cybersecurity 202.)

Additionally, Gordon supports increasing the movement of tech workers between the public and private sectors, according to Wired. “Beyond just private-public cooperation, Gordon envisions a new paradigm for sharing talented workers between the government and the private sector,” Dreyfuss wrote. “She disputes the idea that the best engineers don’t want to work for the government, saying that people who want to work on important matters they know have purpose are still drawn to federal jobs, like she was.”

PWNED: “Hackers siphoned off thousands of Healthcare.gov applications by breaking into the accounts of brokers and agents tasked with helping customers sign up for healthcare plans,” TechCrunch's Zack Whittaker reported. “The Centers for Medicare and Medicaid Services (CMS) said in a post buried on its website that the hackers obtained ‘inappropriate access’ to a number of broker and agent accounts, which ‘engaged in excessive searching’ of the government’s healthcare marketplace systems.” Those responsible for the breach accessed personal information on about 75,000 people, CMS announced last month.

As Gizmodo's Dell Cameron reported, CMS said in a letter to those affected by the breach that “the sensitive data exposed may have included Social Security numbers and a variety of other personal information, such as income, tax filing status, family relationships, and immigration status.” However, as TechCrunch noted, the letter said that bank account numbers, credit card numbers, diagnosis or treatment information were not part of the data that was accessible. Citing “a person familiar with the investigation,” Whittaker reported that the number of people affected by the data breach “is expected to change.”

PUBLIC KEY

— “Homeland Security Secretary Kirstjen Nielsen said use of the global positioning system, or GPS, will be one of the first ‘systemic risks’ to be addressed by DHS' new National Risk Management Center, in an effort to create a more strategic approach to defending against cybersecurity threats,” Inside Cybersecurity's Mariam Baksh reported.

— “On Friday, a local judge in New Hampshire ordered Amazon to hand over Echo recordings made the day a Farmington couple was murdered at its home,” Ars Technica's Cyrus Farivar reported. “According to local media accounts, Strafford County Superior Court Presiding Justice Steven M. Houran compelled Amazon to disclose not only the audio files but any associated data — such as what phones were paired to the smart speaker — that may be connected to the January 2017 murder of Christine Sullivan and Jenna Pellegrini.” (Amazon.com founder and chief executive Jeffrey P. Bezos owns The Washington Post.)

PRIVATE KEY

— “Insurer Aflac Inc. nearly three years ago began inserting into its corporate network digital tripwires to trick hackers into revealing their presence inside the company’s systems,” Jeff Stone reported in the Wall Street Journal. “Cybercriminals who click on links disguised as employee credentials or sensitive human resources data in fact are raising a red flag for the security team. Many thousands, perhaps millions, of so-called honeypots now exist in Aflac’s remote desktop software, in file-transfer tools, near sensitive databases and on employee machines, said DJ Goldsworthy, director of security operations and threat intelligence. Aflac uses this deceptive technology as a last line of defense against hackers and rogue insiders who sneak around the company’s other security protocols, said Mr. Goldsworthy.”

THE NEW WILD WEST

— “The United States and Russia are competing to steer a process to develop international cyber norms at the United Nations,” FCW's Derek B. Johnson reported. “On Nov. 8, the UN’s Committee on Disarmament and International Security approved dueling draft proposals by the U.S. and Russia to establish working groups that would be responsible for developing global rules of the road for behavior in cyberspace. The U.S. proposal endorses two previous reports on international cyber norms and calls for the UN Secretary General to establish a working group in 2019 staffed by experts with ‘equitable geographic distribution’ around the world.”
