
Congress peels back secrecy to review Trump hacking policy

By Joseph Marks

PowerPost Analysis

President Donald Trump answers reporters' questions. (Photo by Calla Kessler/The Washington Post)
National security-focused lawmakers won the right yesterday to review the Trump administration’s muscular new offensive hacking policy after a nine-month battle, turning the tables on an administration that has resisted oversight of its cybersecurity policy.
The shift, which comes after the policy has already been used to justify hacking operations against Russia and Iran, marks a rare win for lawmakers who have pressed the administration to open up its cybersecurity work to broader oversight.
But it also comes amid concern in Congress that overeager Trump officials might stumble into a tit-for-tat digital conflict that harms U.S. businesses or even escalates into a conventional military fight. The administration has also eliminated top cybersecurity coordinator positions at the White House and State Department that might have acted as a check on operations that were poorly thought out.
“Given the sensitive nature of cyber operations and this administration’s dramatic shift in official cyber policy, this … was necessary to ensure proper congressional oversight,” Rep. Jim Langevin (D-R.I.), who helped lead the bipartisan charge to disclose the hacking policy, told me.
Langevin and other lawmakers inserted a provision allowing Congress to review the policy, called National Security Presidential Memorandum 13, or NSPM 13, into a mammoth $738 billion defense policy bill that cleared Congress yesterday and that also establishes a Space Force and parental leave for federal workers. Trump has pledged to sign the bill quickly.
The secret policy had been withheld for more than a year from lawmakers — even those who regularly review classified material. In general, it loosens the reins on military hackers to engage enemies under a far simpler approval process for actions that fall beneath a level that would cause death, destruction or significant economic impacts, individuals familiar with the policy told The Post last year.
When former national security adviser John Bolton announced the policy in September 2018, he pledged the United States would no longer sit by while Russia, China and Iran pummeled it in cyberspace. “Our hands are not tied as they were in the Obama administration,” he declared.
Bolton later boasted that U.S. hacks had successfully deterred Russia from interfering in the 2018 midterms and Trump himself approved a cyberstrike that disabled Iranian computer systems used to plan attacks on oil tankers in the Persian Gulf.
The Obama administration didn’t ban offensive hacking by the military, but decisions about operations went through a far more rigorous review. That policy was also regularly reviewed by congressional overseers.
The shift to a more aggressive posture was good news even for many Democratic lawmakers and cybersecurity hawks who feared the Obama administration’s cautious approach to punching back in cyberspace had emboldened adversaries and was out of step with an increasingly dangerous digital world.
But Democrats and some Republicans were also worried the administration could easily go too far — especially without congressional oversight. And an escalating hacking conflict might pose outsize dangers for the United States, which is more reliant on the Internet than many of its adversaries.
“Cyber is a rapidly evolving domain of warfare, and Congress has to understand how any president is approaching it,” a Republican aide on the House Armed Services Committee told me.
He compared it to the authority to capture and kill enemy fighters outside of active war zones — an area where Rep. Mac Thornberry (Tex.), the top Republican on the Armed Services panel, demanded more congressional oversight in 2016.
“[Thornberry] sees this spectrum of very dynamic domains of warfare, of which cyber is one, where they move so fast that Congress really has to stay very current on how operations are being executed,” the aide said.
Thornberry was among the lawmakers who pushed for the Trump administration to be more transparent about its hacking policy along with committee Chairman Adam Smith (D-Wash.), Langevin, who leads the committee’s emerging threats panel, and that panel’s ranking Republican Elise Stefanik (N.Y.).
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.


 Carter Page. (J. Scott Applewhite/AP)
PINGED: A secretive federal court charged with overseeing requests for surveillance warrants against foreign terrorists and spies slammed the FBI for misleading it in an application to monitor former Trump adviser Carter Page, my colleague Devlin Barrett reports. The court ordered the bureau to explain how it will avoid misleading it in the future.
It’s a rare public rebuke from the court that oversees the country's most sensitive national security cases and could cast doubt on other FBI investigations. The four-page order details 17 errors and omissions in the bureau's application to monitor the former Trump adviser.
The condemnation follows a report issued by the Justice Department inspector general last week that found an FBI lawyer manipulated evidence to back its case to monitor Page. The IG will now audit other FBI applications for abuse.
“The frequency with which representations made by FBI personnel turned out to be unsupported calls into question whether the information contained in other FBI applications is reliable,” Judge Rosemary M. Collyer wrote.

German Chancellor Angela Merkel. (Clemens Bilan/EPA-EFE)
PATCHED: German lawmakers are delaying until next year a decision on whether to bar the Chinese firm Huawei from building portions of the country's next-generation 5G wireless networks, Reuters's Andreas Rinke and Holger Hansen report. The reprieve could agitate the White House, which has pushed European allies to ban Huawei, citing national security concerns.
The delay follows months of clashes between security-minded officials who worry Huawei could assist Beijing spying and pragmatists who fear barring the company could lead to years of delays and a far higher price tag for the 5G transition. All German phone and internet operators currently rely on Huawei gear.

Centers for Medicare and Medicaid Services Administrator Seema Verma. (J. Scott Applewhite/AP)
PWNED: Government agencies that ask for public feedback on their policy changes may be highly vulnerable to phony comments generated by computer bots and artificial intelligence, according to a study by a Harvard University undergraduate shared with the Cybersecurity 202.
The student, Max Weiss, submitted over 1,000 phony comments to a Centers for Medicare and Medicaid Services online system seeking input on an Idaho Medicaid waiver, none of which was flagged as phony. One reason they got through is that CMS doesn’t require users to fill in a CAPTCHA phrase or use other techniques to prove they're human, he said.
The loophole could allow malicious actors to outweigh authentic voices on a number of other serious policy debates.
Weiss’s comments were particularly difficult to spot as phony because he used artificial intelligence to make sure they didn’t repeat the same text. Ultimately, the faked comments comprised over half of the total public comments submitted to CMS about the proposal, though Weiss withdrew his comments after the experiment was over.
Fraudsters have flooded public comment systems before — most notably during the Federal Communications Commission's 2017 debate over net neutrality. Researchers eventually pressured the FCC into admitting it had been duped.
CMS said that it would look into the issue after Weiss alerted it to his findings last month. The agency did not respond by publication time to the Post's request for comment.


— Cybersecurity news from the public sector:
Secretary Kirstjen Nielsen came in with the potential to be the most effective cyber leader in agency history—only to be sideswiped by the president’s fixation on the Mexican border.
Snowden, who leaked details of government surveillance programs, is charged with espionage but has remained exiled in Russia since 2013.
Rachel Weiner
Aides to New York City Mayor Bill de Blasio have exchanged messages via Signal, an encrypted-messaging app. Good-government advocates warn such apps can be used to hide records and communications from the public.
Wall Street Journal


— The Global Cyber Alliance launched a $750,000 initiative yesterday to provide free cybersecurity tool kits to election officials, news organizations and community groups among others. It was funded by Craigslist founder Craig Newmark.
— More cybersecurity news from the private sector:
Ring lacks basic security features, making it easy for hackers to turn the company's cameras against its customers.
This is only the latest controversy for the video doorbell company.
By exploiting flaws in popular video conferencing hardware from DTEN, attackers can monitor audio, capture slides—and take full control of devices.


— Cybersecurity news from abroad:
Rancor has tried to break into the network of an unnamed Cambodian government organization and deploy their custom malware, according to Palo Alto Networks.
Sacking of Dusan Navratil adds to European controversies over Chinese technology giant. 

