By Joseph Marks
Rep. Jim Langevin (D-R.I.) prepares the dais after he was chosen as Speaker Pro Tempore for the opening day of the 116th Congress in Washington on Jan. 3. (Carolyn Kaster/AP)
“As the gloves come off, we want to make sure our policies are implemented the right way, that we’re not overstepping, that we’re acting consistent with our values,” Langevin (D-R.I.), incoming chair of the House Armed Services Committee panel responsible for cyber conflict, told me.
Now that Democrats are in charge of the House, Langevin plans to hold subcommittee hearings and conduct other oversight on Trump's August order loosening Obama-era rules that governed how and when U.S. troops could use cyber tools to disrupt or degrade adversaries’ computer networks.
If Trump administration rules are implemented well, those offensive strikes could raise the costs bad actors pay for violating norms of good behavior in cyberspace and convince them to clean up their acts, said Langevin, who co-founded the Congressional Cybersecurity Caucus.
But if the military flubs the implementation -- by striking too hard or simply vexing adversaries rather than cowing them -- Langevin warns there could be consequences. He worries the new policy could undermine the very norms of good behavior the United States is trying to promote in cyberspace and make Americans less safe in the process.
The Trump strategy could backfire especially if the United States ends up in an escalating tit-for-tat cyber conflict with a nation that’s less reliant on the Internet and so has less to lose.
There’s also a danger that if the United States acts too muscularly in cyberspace it could prompt other nations to do the same, ultimately creating more conflict in cyberspace rather than less, Langevin said.
“It’s enough of a wild West out there as it is now,” he told me.
The specific wording of Trump’s order isn’t public, but it generally devolved the authority for launching offensive hacking operations, which used to rest with the president, to the agency that manages the hacking, national security adviser John Bolton has said. That typically means the secretary of defense will make the call for military hacking operations but, in some cases, that authority rests lower down the chain of command, officials have said.
The order’s ultimate goal is to cause enough pain to U.S. cyber adversaries that they decide it’s not worth attacking the United States in cyberspace, Bolton told reporters during a September conference call. The change in strategy came after several years during which alternative responses, such as indictments, sanctions and naming and shaming hackers, generally failed to deter U.S. cyber adversaries.
Here are some other highlights from my interview with Langevin:
Another cyber czar?: Langevin plans to reintroduce a bill he sponsored with Rep. Ted Lieu (D-Calif.) in the last Congress that would require the Trump administration to reinstate the White House cybersecurity coordinator position and make it a Senate-confirmed job, he said.
Bolton eliminated the cyber coordinator role soon after taking office in May, a move Langevin said was a major step backward in addressing the nation’s cyber needs. “We’re trying, now more than ever, to have a coordinated strategy to protect our country in cyberspace, and how do you do that without a coordinator?” he asked.
Supply chain vulnerabilities: Langevin also plans to introduce legislation and do oversight focused on reducing cyber vulnerabilities in the Defense Department’s vast network of hardware and software contractors, he said.
That move comes after Congress successfully passed broad legislation to protect the civilian government’s cyber supply chain last Congress.
Espionage: Langevin applauded the Trump administration’s December indictment of two Chinese Ministry of State Security hackers for stealing hundreds of gigabytes of sensitive business information, but said he hopes the indictments will be followed with sanctions against the companies and organizations that benefited from that stolen data.
The Trump administration considered sanctions, but Treasury Secretary Steven Mnuchin blocked the proposal, my colleagues Ellen Nakashima and David J. Lynch reported.
Metro tests out its 7000-series subway cars on May 20, 2014 at the Shady Grove station in Maryland. (Bill O'Leary/The Washington Post)
The transit agency decided to amend the request for proposals after David Horner, a member of Metro's board representing the federal government, expressed worries. “My concern is that state-sponsored enterprises can serve as platforms for conducting cyberespionage against the United States,” Horner, a former U.S. deputy assistant secretary of transportation, told Robert and Faiz. “These risks are today not widely understood, but their significance is becoming apparent very quickly.”
Andrew Grotto, a former senior director for cybersecurity policy on the National Security Council, said Washington faces a particularly high risk of espionage as the U.S. capital. “Malware could divert data collected from the high definition security cameras. An adversary with that data could then use facial recognition algorithms to track riders, potentially right down to the commuting patterns of individual riders,” Grotto, now a fellow at Stanford University’s Center for International Security and Cooperation, told my colleagues.
Hands type on a computer keyboard in Los Angeles on Feb. 27, 2013. (Damian Dovarganes/AP)
“Make no mistake, American companies are squarely in the cross-hairs of well-financed nation-state actors, who are routinely breaching private sector networks, stealing proprietary data, and compromising supply chains,” NCSC Director William Evanina said in a statement. “The attacks are persistent, aggressive, and cost our nation jobs, economic advantage, and hundreds of billions of dollars.”
The campaign uses videos, posters and other materials that were previously distributed to federal employees. The campaign materials also aim to raise awareness among U.S. businesses about a broad range of risks including threats to the supply chain, spearphishing and deception via social media. “Adversaries may create fake profiles on social media, posing as a job recruiter or someone with a shared interest, to connect with and elicit information from business persons,” according to the news release.
German Chancellor Angela Merkel gives a speech at the Bundestag in Berlin on Sept. 5, 2017. (John MacDougall/AFP/Getty Images)
Most of the data that was spread on Twitter consisted of contact information such as email and phone numbers, but more sensitive information including bank account details or bills was also published online in 50 to 60 cases, according to the Wall Street Journal's Ruth Bender. “The arrest of a young German resident puts to rest concerns that a foreign intelligence service could have been behind the data theft after a string of cyberattacks in recent years authorities have blamed at times on Russian or Chinese cyber thieves,” Bender wrote.
The Supreme Court is seen in Washington on Jan. 7. (J. Scott Applewhite/AP)
— A study found that South Carolina state election officials miscounted hundreds of ballots because of “continued software deficiencies” in voting systems during last year’s primary and general elections, StateScoop’s Benjamin Freed reported. The analysis found that 148 ballots were counted twice in a precinct in Marlboro County in a June primary election. In another precinct, more than 400 votes were counted in the wrong county board race during the general election.
Duncan Buell, a computer science professor at the University of South Carolina, conducted the study for the League of Women Voters of South Carolina. “Neither case involved enough votes to swing the outcome of an election, but Buell told StateScoop the incidents demonstrate the state continues to use poorly designed software that poll workers, many of whom are volunteers working long shifts, struggle to operate correctly,” Freed wrote.
— More cybersecurity news from the public sector:
The WhatsApp logo on a smartphone in Taipei, Taiwan, on April 7, 2016. (Ritchie B. Tongo/European Pressphoto Agency)
“Announcement: We are increasing our bounties for almost every product. We're now paying $2,000,000 for remote iOS jailbreaks, $1,000,000 for WhatsApp/iMessage/SMS/MMS RCEs, and $500,000 for Chrome RCEs. More information at: https://t.co/0NBRnq4I4y pic.twitter.com/vXDyxC3Q4v” — Zerodium (@Zerodium) January 7, 2019
— More cybersecurity news from the private sector:
- The Brookings Institution hosts a discussion titled “How China and the U.S. are advancing artificial intelligence” on Jan. 14.
- The Center for Strategic and International Studies hosts a discussion on the Justice Department's responses to cyber threats on Jan. 15.
Source: The Washington Post