With help from Eric Geller, Martin Matishak, Laurens Cerulus and Josh Gerstein
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m.
— Internet of things security is getting worse somehow, especially in the medical industry, according to research out today.
— Lawmakers appear closer to making a deal on expiring surveillance powers, but are getting very close to this weekend’s deadline.
— The case involving the accused CIA hacking tool leaker came to a surprise conclusion, and the spyware firm NSO Group sought an extension in its legal battle with WhatsApp.
HAPPY TUESDAY and welcome to Morning Cybersecurity! At long last. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
MORE LIKE THE INTERNET OF THREATS — Despite years of attention to the dangers of insecure internet-connected devices, internet of things security is declining, “leaving organizations vulnerable to new IoT-targeted malware as well as older attack techniques that IT teams have long forgotten,” Palo Alto Networks said in an IoT report out today. Among the report’s most alarming findings: 98 percent of data passing through IoT devices is unencrypted, and 57 percent of IoT devices are vulnerable to “medium- or high-severity attacks.” Of the IoT intrusions that Palo Alto Networks observed, 41 percent were attributable to exploits, 33 percent were due to malware and 26 percent were due to user mistakes.
The problem is especially severe in the medical field: 83 percent of medical imaging devices run on operating systems so old that support for them has expired, and 72 percent of health care providers’ virtual networks combine IoT and IT systems, which means malware on an IT system could spread to a critical medical device. Providers have improved their use of network segmentation, but for such sensitive work, Palo Alto Networks recommended a “device profile-based micro-segmentation approach that considers a multitude of factors, including device type, function, mission criticality, and threat level.”
YOU ALMOST SMELL THE RECESS — House leaders moved closer to a bipartisan agreement to reauthorize intelligence powers slated to expire in just five days. GOP lawmakers left a Monday night meeting with Attorney General William Barr in the office of House Minority Leader Kevin McCarthy (R-Calif.) and expressed optimism about reaching a solution before the March 15 deadline but cautioned that talks are ongoing. Senior aides in both parties say they’re hoping to pass a bill later this week — before Congress leaves for a weeklong recess and the provisions expire on March 15.
“I think we’re close,” according to Rep. Jim Jordan (R-Ohio), who was in the meeting and is poised to become the top Republican on the Judiciary Committee later this week. “We’re still trying to get the finals of the legislation. … We’re still negotiating.” However, some in the GOP would rather see the provisions from the 2015 USA Freedom Act expire than approve even a short-term extension. Rep. Warren Davidson (R-Ohio), a co-sponsor on an overhaul-heavy surveillance bill, H.R. 5675, said the Hill’s focus on coronavirus this week shouldn’t hamper its ability to push for changes. “I think Congress should be able to multitask,” he said.
CASE AGAINST SCHULTE FALLS INTO A PIT — The trial of the accused “Vault 7” leaker, Joshua Schulte, ended in a mistrial on Monday on the central charges regarding his involvement in passing CIA hacking tools to WikiLeaks. The jury deadlocked on those charges but found Schulte guilty of making false statements to the FBI and contempt of court. It’s rare for the government to fail in Espionage Act cases, which typically end with alleged leakers reaching plea deals or being convicted. (The government might retry the case, and Schulte faces other, unrelated charges as well.)
Still, the cases present certain pitfalls, as Zach Dorfman, a senior staff writer for the Aspen Institute’s Cyber and Technology program, noted. “Juries are unpredictable,” he tweeted. “Proving espionage cases in open court can require the disclosure of classified information. Intelligence agencies–particularly, historically CIA–are wary of having their employees or assets called to the witness stand.” It’s why DOJ tends to prefer “ironclad cases,” he said. “Nothing is more embarrassing… than taking an alleged spy to trial and losing the case.”
DERIVATIVE — The NSO Group sought an extension to reply to a lawsuit brought in U.S. court by WhatsApp and previewed its defense strategy on Monday. In documents filed last week and subsequently shared with reporters, the spyware firm justified the extension request by saying it had not been properly served. In its suit, WhatsApp accused NSO Group of being complicit in the infection of 1,400 cellphones for the purpose of surveilling its users.
NSO Group hinted at a defense that relies on the idea of “foreign sovereign immunity,” which nations sometimes claim to avoid civil damages in another country’s courts. “Defendants’ products are exclusively used by foreign sovereign nations and their intelligence and law enforcement agencies for the purpose of combating terrorism, child exploitation, and other serious crimes,” a filing reads. “Thus, Defendants are entitled to derivative foreign sovereign immunity.”
“NSO Group innovates cyber solutions that NSO Group does not itself use,” CEO Shalev Hulio said in a declaration to the court. “NSO Group’s only activities are to assist its customers with implementing the system (at the customer’s facility) and to provide basic technical support—activities in which NSO Group completely follows the directions and specifications of its customers. None of NSO Group’s activities involve any support to any operational activity by any NSO Group customer.”
DEER IN THE HEADLIGHTS — Federal authorities last week arrested a Russian man they said is a hacker who runs DEER.IO, a site that offers cybercriminals a forum to sell products and services. “DEER.IO virtual stores offer for sale a variety of hacked and/or compromised U.S. and international financial and corporate data, Personally Identifiable Information (PII), and compromised user accounts from many U.S. companies,” according to charges unsealed against Kirill Victorovich Firsov on Monday evening.
EARN IT ACT GETS REAL — This week’s Senate Judiciary hearing on the fiercely contested EARN IT Act (S. 3398) will start off on a poignant note, with lawmakers set to hear testimony from a member of the National Center for Missing & Exploited Children’s Team HOPE, our friends at Morning Tech report. The group is made up of individuals who have “experienced the trauma of having a missing or exploited child.”
The committee, which announced its lineup Monday, will then hear from a second panel that includes a top tech industry trade group official — the Internet Association’s Elizabeth Banker — and the chief legal officer at Match, which is facing a congressional investigation into whether it has failed to screen out underage users, leaving them at potential risk from predators.
U.K. TORY MPS TARGET TOUGHER HUAWEI LINE — From our friends at POLITICO Europe’s Cyber Insights: Conservative members of the U.K. House of Commons today will try to pressure Prime Minister Boris Johnson into taking a tougher approach to Chinese telecom giant Huawei. A group of senior Tory MPs including Owen Paterson, Iain Duncan Smith, David Davis and Damian Green tabled an amendment to the telecom infrastructure bill that would call on the government to phase out Huawei gear in telecom networks by 2022.
According to The Guardian, the amendment “is unlikely to be effective if passed because the proposed legislation only applies where leasehold property owners are unresponsive to phone companies” — but the move is a political signal, above all, to Johnson as he drafts the legislation needed to implement his Huawei decision from January.
‘TERSE’ IS RIGHT — An organization representing electricity transmission system operators across dozens of European nations said Monday that it was breached. “ENTSO-E has recently found evidence of a successful cyber intrusion into its office network,” the European Network of Transmission System Operators for Electricity said in a statement, reported by CyberScoop. “It is important to note that the ENTSO-E office network is not connected to any operational TSO system.”
TWEET OF THE DAY — Who sanitizes the SCIF?
RECENTLY ON PRO CYBERSECURITY — House members will get an election security briefing today from top Trump administration national security officials. … “The Trump administration on Monday unveiled its plan to make it easier for patients to download their own health and insurance records to their smartphones — an effort that’s triggered privacy concerns from some of the biggest health care trade groups and intense lobbying from the tech industry.”
— StateScoop: Washington, D.C., is revising its data breach law.
— Infosecurity Magazine: Former DHS inspector general personnel have “been indicted on charges of software and data theft and an alleged scheme to defraud the government.”
That’s all for today.
Stay in touch with the whole team: Mike Farrell ([email protected], @mikebfarrell); Eric Geller ([email protected], @ericgeller); Martin Matishak ([email protected], @martinmatishak); and Tim Starks ([email protected], @timstarks).