With help from Martin Matishak
Editor’s Note: This edition of Free Morning Cybersecurity is published weekdays at 10 a.m.
WE SEE YOU — The Trump administration wants to make it more painful for foreign hackers to continue their long-running streak of successful intrusions into corporate and government systems, NSA senior adviser Rob Joyce said Thursday.
A key part of the administration’s cybersecurity strategy is “engaging people who are seeking to come do things that are illegal or immoral on our networks,” he said at the Aspen Cyber Summit. He pointed to U.S. Cyber Command’s new Twitter account that publicly shares information about malware that the command discovers. “That is an engagement saying, ‘We’re going to take your tools. We’re going to put them out there. We’re going to show your tradecraft. We’re going to make it harder for you to do these kind of operations,’” Joyce said. “And by doing that, we’re imposing friction.”
The government has been tight-lipped about the practical implications of the military’s new “defend forward” strategy, and Joyce offered no details about how Cyber Command was hacking adversaries with the freer hand that Trump has given it. But he cited the Twitter account as an example of other, less aggressive ways that the government could pressure adversaries and make their activities less rewarding.
“It’s about making it harder for them to succeed,” he said. “Some of that will be taking away the infrastructure they’re using. Some of it [is] exposing their tools.” Overall, he added, pushing back on rivals like Russia and China in this way meant that the U.S. was no longer giving them “free shots on goal.”
HAPPY FRIDAY and welcome to Morning Cybersecurity! After this week, everyone could use a little bit of this. Send your thoughts, feedback and especially tips to email@example.com, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
KEMP RESIGNS — Georgia Secretary of State Brian Kemp resigned Thursday, declaring himself the winner of the heated gubernatorial race. His role as the state’s top elections supervisor and his oversight of the voting process have been riddled with controversy and lawsuits. Just days before the midterms, he accused the Georgia Democratic Party of trying to hack the state’s voter registration system — an allegation made without evidence.
His resignation leaves some election integrity advocates hopeful that Georgia may begin making substantial changes to safeguard voting. “It’s hard to imagine that whoever replaces him will do a worse job in terms of election integrity,” Wendy Weiser, director of the democracy program at Brennan Center for Justice, told MC. “At this point we can only go uphill.”
Voting integrity advocates have long criticized Kemp’s reluctance to end the use of electronic voting machines without auditable paper trails, relying on systems that cybersecurity experts and this federal judge say are bad for voters. The next secretary of state will have a chance to modernize that system. So far, however, it’s unknown who that person will be as the race enters a runoff scheduled for Dec. 4. One of the candidates, Republican Brad Raffensperger, has advocated for updating election machines to move away from the state’s paperless system.
But the damage Kemp did to the democratic process in Georgia will be hard to undo, said Jenny Flanagan, vice president of state operations for watchdog group Common Cause. “Kemp’s resignation, while welcome, has come too late. Kemp spent his tenure disenfranchising hundreds of thousands of Georgians.”
BOB LORD AT ASPEN — Computer and phone makers should configure their products to automatically install software updates by default, and browser makers should incorporate security features, like forcing HTTPS, that are currently only available as third-party add-ons, the DNC’s chief security officer said Thursday. “I’d love to see the operating system vendors start to figure out how to start patching so that it becomes harder and harder to not run a patched system,” Bob Lord said at the Aspen Cyber Summit, adding that the security community should also “start leaning on the browser manufacturers to adopt some additional controls.”
During the midterm campaign, the DNC distributed a one-page cybersecurity checklist to campaigns and party organizations, and Lord said he planned to “work with them a little bit more closely” on security. But he added that “there are some things where we should be pushing on the technology providers to do a much better job in getting to that next level and making these things secure by default.”
Lord also compared the voting technology industry of 2018 to the broader tech industry of 10 or 15 years ago. “We saw some of these companies, years ago, pushing back, trying to posture, trying to … sue or make trouble for the people who are responsible for making these issues known,” he said. Over time, the situation improved, but “that didn’t happen overnight, and it didn’t happen without some wailing and gnashing of teeth on occasion.” He said he hoped voting vendors would invite researchers to help them modernize their security programs. “I guarantee you there’d be people willing to raise their hands and step up and help usher them through that journey.”
ATMS UNDER ATTACK — Lazarus Group, the infamous North Korean hackers behind the Sony Pictures attack and WannaCry ransomware, is now draining ATMs of cash, according to research from Symantec. The firm linked malware discovered in compromised ATMs in 30 countries back to the cybercrime syndicate. US-CERT issued an alert about the ATM campaign back in October. While Symantec estimates that Lazarus has carried out the attacks to steal tens of millions of dollars since 2016, there are no reported attacks on banks in the U.S.
SO NOT ON THE SAME PAGE — The Federal Reserve System’s Board of Governors organizational structure is preventing it from doing a better job to protect its data, according to a watchdog report. The inspector general study found division heads “can make IT decisions without the CIO’s approval and are not required to align investments with the Board’s enterprisewide architecture” and that “various IT governance bodies lack a documented reporting hierarchy.”
HIGH FIVES ALL AROUND — European Union security agencies agreed on a roadmap for cybersecurity cooperation next year when they met in Belgium this week. “The initial focus will be on working closer in the areas of training and cyber exercises, building the cooperation capacity and the improved exchange of information on respective projects and events with a view to complementing the work of the four partners and avoiding the duplication of efforts,” the participating agencies — Europol, the European Defense Agency, CERT-EU, and the European Union Agency for Network and Information Security — said in a statement.
During the meeting at CERT-EU’s headquarters, the agencies reviewed recent developments in cybersecurity and discussed their cooperative activities under a May memorandum of understanding. Jorge Domecq, head of the EDA, said the agencies’ goal was to “promote civ/mil synergies in the cyber domain, considering also relevant EU initiatives,” to support member countries’ development of cyber capabilities.
SPEND IT WISELY — DHS on Thursday announced grants totaling $1.27 million to two universities working on ways to measure the value of cybersecurity spending. The University of California, San Diego, received $1.05 million to “develop threat intelligence tools and techniques for measuring the reliability and value of a threat intelligence source to an enterprise,” while the University of Illinois, Chicago, received slightly more than $227,000 to “develop a cyberattack economic impact model, and a tool to automate data collection and analysis in order to provide near real-time estimates of cyberattack outcomes.” The two research programs are part of the Cyber Risk Economics project in DHS’s Science and Technology Directorate.
VETS FOR HIRE — The firm Synack, which crowdsources vulnerability testing, launched a Veterans Cyber Program on Thursday to recruit former members of the military to its teams of freelance security researchers. The program will include networking events and training sessions, according to the firm. “Crowdsourcing their expertise helps employers, veterans and our national security,” said Jim Nicholson, the former secretary of Veterans Affairs and an adviser for the Synack effort.
LOOKS UP MEANING OF OXYMORON — Guests, and members of the media, at China’s Fifth World Internet Conference are reportedly finding themselves locked out of more and more panel discussions. Attendees, including diplomats, found themselves excluded at the last minute from what unexpectedly became closed-door chats about U.S.-China cyber relations, personal data privacy and “norms in cyberspace.” “You never know why they decided to close it,” according to one panelist.
RECENTLY ON PRO CYBERSECURITY — Britain’s home secretary says encryption back doors are unrealistic. … Rob Joyce of the NSA also says China is violating a 2015 deal prohibiting it from using hackers to steal U.S. intellectual property.
TWEET OF THE DAY — Remembering Aaron Swartz.
— What would a “category one” cyber attack look like? Forbes
— Do you work in critical infrastructure? DHS has something to tell you about cybersecurity. Nextgov
— Hackers went to great lengths to phish a Saudi critic, including impersonating slain Washington Post columnist Jamal Khashoggi. AP
— Trump critics battle attempt to dismiss lawsuit against the Trump campaign over the DNC hacking. POLITICO
— Big business is eager to hear about hackers from threat intelligence firms. The Wall Street Journal
— Six big ideas for making cyberspace more secure. GCSC
— Check Point discovers drone vulnerabilities that could let hackers eavesdrop on users and steal their info. CNET
That’s all for today. If you’re thinking of adopting a dog, lots of greyhounds in Florida need new homes.
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Martin Matishak (firstname.lastname@example.org, @martinmatishak) and Tim Starks (email@example.com, @timstarks).