Showing posts with label The Washington Post. Show all posts
Showing posts with label The Washington Post. Show all posts

Apr 21, 2020

US Politics: Trump to suspend immigration to U.S. for 60 days, citing coronavirus crisis and jobs shortage, but will allow some workers

Nick Miroff



“I will be issuing a temporary suspension of immigration into the United States,” Trump said during a White House briefing Tuesday. “By pausing, we’ll help put unemployed Americans first in line for jobs. It would be wrong to be replacing them with new immigrant labor flown in from abroad.”
Senior White House officials and lawyers met Tuesday to sort out the logistics and legal implications of President Trump’s late-night Twitter proclamation that he would stop immigration to the United States, a move that came with little indication of whom the U.S. government would bar from entry amid the coronavirus outbreak. Trump said the executive order was still being written as of Tuesday night.
“It’s being written now,” Trump said, noting that lawyers were still working through the final details. “We’ll most likely sign it tomorrow.”
After 60 days, the need for modification will be evaluated “based on economic conditions” in the country, Trump said, conditions that he would personally assess.
“We want to protect U.S. workers as we move forward,” Trump said. He noted that “some people will be able to get in. There will be some people coming in. But it’s a strong order.”
The president also said that seasonal farm laborers would not be affected by the measures and that the suspension “will help to conserve vital medical resources.”
Trump said late Monday that he wanted to protect the country from the threat of foreigners bringing the virus into the country and to stem the economic damage the pandemic has triggered — and he retweeted the same post Tuesday, a sign of his enthusiasm for the plan. Yet senior officials at the Department of Homeland Security and other federal agencies could not respond to basic questions about the scope of the order.
Other aides said privately that the president had once more announced a sweeping policy that was not yet ready for implementation, and his administration was trying to piece together an executive order for him to sign that would catch up to his whim.
The president has broad authority to restrict entry into the United States — a point the U.S. Supreme Court affirmed in upholding his controversial entry ban in 2018 — and that power is perhaps no greater than during a public health emergency. State Department officials said they are still waiting for guidance from the White House regarding what types of immigrant visas will be suspended.
Immigrant visas are issued for those who have been approved to move permanently to the United States. The majority are family members of U.S. citizens or permanent residents.
Some immigrant visas also are granted to those who have jobs waiting for them, including nurses planning to work at hospitals. A smaller number of special immigrant visas are granted for a variety of foreigners, including religious ministers, and Iraqis and Afghans who worked for the U.S. government.
The United States already has suspended routine visa services overseas, so that very few would-be immigrants are likely to be stopped just before they board planes.
Though the policy move has been presented as a way to protect the United States from imported cases of the coronavirus, the outbreak is well-established across the country and has been for more than a month. The United States has more confirmed coronavirus cases, by far, than any other country, with nearly 800,000 as of Tuesday afternoon. The next highest national total is Spain’s, at 204,000 cases. The United States also has far more confirmed virus-related deaths — nearly 45,000 — than any other nation and about the same number as the next two countries — Spain and Italy — combined.
Intended immigrants from countries such as Britain, Ireland, Mexico, South Korea and Canada deluged their lawyers with panicked emails Tuesday, worrying that Trump’s tweet would upend their jobs, college studies or efforts to bring their loved ones to the United States. Some have paid tens of thousands of dollars in legal fees to secure their legal papers and have waited years for their approvals.
Juan Ramirez, 41, a restaurant cook in Virginia, said he was planning to visit the U.S. Consulate in his native Mexico soon for a final interview and background checks required to obtain a green card. His wife, a U.S. citizen, is sponsoring him. But now the consulates are closed and he is afraid that if he leaves the country, the United States will not let him back in.
He has a college degree in information technology from Mexico and dreamed of building a career, buying a house and starting a family this year.
“I’m scared of this,” Ramirez said. “I don’t know how it’s going to affect me.”
Greg Siskind, a Memphis immigration lawyer, said Trump’s plans could derail efforts to restart the economy by alienating foreign students, who often pay full tuition at colleges and universities, as well as foreign investors. But he said a 60-day pause “is not a lot” in the grand scheme of things for those seeking green cards and represents what some might experience as a normal delay in the process.
Siskind said he suspects that Trump’s Monday-night tweet spooked authorities in states such as Florida that rely on temporary workers for their tourism and farming industries.
“Can you imagine what would happen to the Florida economy if you turned off tourism for an extended period of time?” he said.
Harvard Business School professor William Kerr, whose research focuses on how high-skilled immigrant labor has reshaped the U.S. economy, said closing off the pipeline for foreign talent could create barriers to economic success.
Immigrants represent more than a quarter of U.S. entrepreneurs and a quarter of inventors, Kerr said. “These are contributions that are very valuable to economic growth,” he said. “We are going to need to restore large parts of our economy, and immigrants could be very helpful in that role.”
Kerr said that the argument that unemployed Americans should be ahead of foreign workers for job vacancies might sound good in principle but that in reality, the people looking for work might not match available jobs in terms of location or skills required.
“To think that shutting down all immigration into the country is the right strategy is quite foolish,” Kerr said. “It is not one that is economically sound and certainty is not motivated by containing the crisis itself. It’s more of an effort to cast suspicion and blame toward immigrant groups.”
Polls show that the president is facing a difficult reelection contest and that a growing number of Americans disapprove of his handling of the coronavirus crisis. Trump has defended his record by pointing to restrictions he ordered on travelers from China, and he has a well-known penchant for ordering closures, shutdowns and bans on international forces he regards as threats, though nothing as extreme as a total freeze on U.S. immigration.
There is no precedent for such a move by a U.S. leader, said Andrew Selee, president of the nonpartisan Migration Policy Institute in Washington.
“I can’t think of any parallels to this in any other democratic country in the modern era,” he said. “We’re essentially telling citizens, companies, innovators, educational institutions to put their plans on hold. Can a president do that? I guess they’re finding whether they have legal authority.”
A draft of the executive order was under review Tuesday at the Justice Department’s Office of Legal Counsel, because that office reviews all executive orders, a Justice Department spokeswoman said. It was unclear whether the office’s legal opinion on the matter would be released publicly.
Trump made his announcement in a tweet at 10:06­ p.m. Monday, saying the move to suspend immigration would shore up American employment and shield the country from the pandemic, calling coronavirus “the Invisible Enemy.”
Selee, of the Migration Policy Institute, said governments have good reasons for reducing immigration during times of economic crisis and high unemployment, or easing restrictions during boom times to extend periods of growth.
“Governments typically try to find nuanced solutions to limit or expand immigration,” he said. “What you don’t see is governments doing blanket stops.”
Much of the U.S. immigration system is driven by domestic demand, experts note: U.S. citizens and residents marry foreigners, or they seek to bring parents, children and other relatives into the country. Companies hire employees to staff hard-to-fill and high-skill jobs. Universities bring in students, professors and athletes.
All of those migration categories would be affected by the type of sweeping order the president has teased.
On Tuesday, the president’s reelection campaign sent out a snap poll to supporters asking whether they approved of his executive order, even suggesting that Trump would be influenced by their degree of support as the policy was being crafted. “Your input is crucial to the President’s next steps,” the message read.
Trump has remained focused on immigration, the border with Mexico and his push to build a border wall there, inserting, unprompted, updates on construction into the daily coronavirus task force briefings.
On Monday, as the head of the U.S. Army Corps of Engineers, Lt. Gen. Todd Semonite, finished briefing reporters on efforts to build temporary hospital facilities, Trump urged the military commander to tell reporters about his border wall project. When the general finished, reporters resumed asking questions about the pandemic.
The Trump administration is preparing in coming days to debut a “border wall cam,” an initiative of Jared Kushner’s, that will stream images of construction crews building the structure, according to two administration officials involved in the project.
The camera feed will be carried on the website of U.S. Customs and Border Protection, the officials said, and could include footage from multiple locations. One official involved in the planning said the feed will have a time delay to avoid tipping off smuggling organizations to the whereabouts of U.S. Border Patrol agents or their absence.
Josh Dawsey, Arelis R. Hernández, Carol Morello and Matt Zapotosky contributed to this report

Apr 13, 2020

Politics: Who’s getting these hundreds of billions in the government aid? For now, the public may be in the dark.

Peter Whoriskey



Chief among the omissions is the $349 billion expected to be doled out to small companies in chunks as large as $10 million. The rescue legislation does not compel the Small Business Administration to disclose the identity of the recipients. So far, the agency has said it received about 487,000 applications totaling $125 billion in requests.
A potentially even larger gap involves the trillions going out to businesses under the auspices of the Federal Reserve.
The Cares Act and other legislation generally requires the Fed to disclose the loan recipients and the amounts they receive, but there is a significant exemption: the Fed chairman, Jerome H. Powell, may request that the information be kept confidential, meaning only congressional leaders would be given access.
Proponents of withholding the information argue that identifying coronavirus aid recipients could make firms hesitant to apply out of concerns for privacy, especially if they are small. Other needy firms may fear that an aid application, once made public, could be construed as a sign of financial frailty. Restarting the economy requires getting money to businesses quickly, these proponents say, so programs should avoid requirements that discourage applications.
On the other hand, according to critics, if the names of the beneficiaries of the aid are withheld, it will be difficult to gauge how much of the relief money is being wasted, fraudulently obtained or reaching places it was intended to go, experts and watchdog groups say.
“You can only truly measure the success or failure of programs if you know where the money is going,” said Neil Barofsky, the former Inspector General of the bailout in the last financial crisis. “As a matter of basic governance, there should be disclosure of recipients of government bailout money.”
Though most of the $2.2 trillion in spending has yet to begin, disputes already have arisen about who will be responsible for making sure it is done ethically.
The Cares Act requires several layers of oversight: It calls for a special inspector general, a congressional review commission and a “Pandemic Response Accountability Committee,” a group that will be composed of inspectors general armed with enhanced powers to subpoena documents and testimony.
But President Trump already has taken steps that undermine these reviewers. In signing the Cares Act into law, Trump angered some Democrats, who had insisted on oversight measures, by declaring that the special inspector general cannot issue reports to Congress without “presidential supervision,” a constraint that could compromise the watchdog’s independence.
Then on Monday, Trump removed the chairman of the federal panel Congress created to oversee his administration’s handling of the Cares Act. Glenn Fine, who had been the acting Pentagon inspector general, was informed he was being replaced at the Defense Department by Sean W. O’Donnell, currently the inspector general at the Environmental Protection Agency.
Regardless of what happens to the oversight panels, the public disclosure of who receives the trillions in emergency money could play a critical role in the public debate over the programs.
Publishing the recipient information would enable outside groups — not just government-appointed bodies — to check into the spending, said Jordan Libowitz of Citizens for Responsibility and Ethics in Washington, a nonprofit watchdog group.
“We are always going to be in favor of as much transparency as possible in government spending,” he said.
But under the $2.2 trillion spending bill, the requirements for disclosure vary by the type of spending.
For example, one of the best known elements in the bill, which allows the Treasury Department to spend $46 billion to help airlines, air cargo companies and “businesses critical to national security,” requires the Treasury to promptly publish the name of the company getting money, the amount of the loan and the contract.
The Cares Act similarly sets out requirements for the Federal Reserve to disclose information about the loans it offers.
The Fed is required to turn over to Congress — and ultimately put up on the Fed’s website — the basic items of loans issued: the identity of the business, how much money was lent and the interest rate. Later it will disclose how much of the loan has been repaid.
Powell has stressed repeatedly in recent months that he believes the Fed must be transparent and accountable to the public in all its actions. In a speech Thursday, he also emphasized that the Fed is making loans that it expects will be repaid, not outright financial grants.
“I would stress that these are lending powers, not spending powers,” Powell said. The Fed’s expectation is “the loans will be fully repaid."
But the Fed only has to provide updates on the spending every 30 days, meaning the public might not know about a new loan for a month.
More significantly, the Fed chair has the discretion to keep the company name and amount borrowed confidential, sharing it only with certain congressional leaders who oversee Fed activities.
During the global financial crisis, the Federal Reserve refused to turn over to reporters the records of some of its emergency bank lending. Bloomberg, the media company, sued for their release and, in a case that went to the Supreme Court, won three years later.
Sarah Bloom Raskin, a lawyer and former Fed official, said the oversight appears “weak” at a time when the Fed has been given substantial new powers to lend money.
Critics also noted that while the central bank has to share some basic information about the loans, other details, such as how many employees the company has retained or the compensation for its chief executive, might never be shared publicly.
“We should ask for the actual deal documents. Why wouldn’t you make those public?” said Marcus Stanley, policy director at Americans for Financial Reform.
Finally, other significant portions of the Cares Act specify no disclosure requirements at all regarding the recipients of the aid.
There are no such requirements, for example, for the $100 billion destined for health care providers, or the $3.5 billion for companies developing diagnostics, medications and vaccines, or the $10 billion supposed to go to airports.
Those agencies could still release the information, however, and some are planning to do so.
The Federal Aviation Administration, which is doling out $10 billion in coronavirus aid to airports, said that the agency would provide a list of the recipients once the deals are arranged, said spokeswoman Marcia Alexander-Adams.
The Department of Health and Human Services, which is supposed to roll out the money to health care providers and companies providing medications, did not respond to a request for comment about whether it would release information on recipients of $100 billion the agency is doling out to healthcare providers.
The identities of the recipients of the money in the Cares Act might also become public if the information is requested under the Freedom of Information Act, and already, some newspapers and watchdog groups have indicated that will file requests. The names of borrowers who apply to the small business loan program could be released under the Freedom of Information Act, “subject to certain exceptions,” according to the fine print on the application form. But large requests under the Freedom of Information Act often can be hampered by months or years of bureaucratic delays and litigation.
One of the most divisive of the disclosure debates could arise over the $349 billion promised to small businesses, a figure that could rise to almost $600 billion if a follow up relief bill is approved. The Small Business Administration hasn’t yet said how much has been disbursed.
Advocates for small businesses said they believe that disclosing the identities of the recipients and the amount they received could raise privacy concerns, especially from small businesses. The size of the loan, they say, could give the public clues about how much a small business makes.
“There are inferences that can be made. … It’s similar to saying, ‘Hey, how much do you make every year?’” said Molly Day, a vice president of National Small Business Association, which counts 65,000 members. “It’s private information that you wouldn’t want to share.”
Moreover, she said, “Advertising to the world that you’re having a hard time — even if everyone else in the whole world is — is something a small business might not want to do.”
But Libowitz and others advocates of government transparency point out that ignorance of the identities of the recipients might make it hard to ask key questions.
“Did they have connections? Did they lobby? Knowing who’s getting the money allows outside parties to do their oversight — and that’s something you can’t do without this information,” Libowitz said.
Staff Writers Aaron Gregg and Renae Merle contributed to this report.

Mar 30, 2020

Analysis | The Cybersecurity 202: Cybersecurity experts slam child protection bill that risks rolling back encryption

By Joseph Marks



Senate Judiciary Committee Chairman Lindsey O. Graham (R-S.C.), a sponsor of the EARN IT Act. (J. Scott Applewhite/AP)
THE KEY
Congress should abandon a new bill that could be used to roll back encryption as part of an effort to combat the spread of online child pornography, according to an overwhelming majority of cybersecurity experts surveyed by The Cybersecurity 202.
About 85 percent of our standing panel of experts called the bill, dubbed the EARN IT Act, a bad idea.
“The EARN IT Act would cause great harm to the open Internet and put everyday Americans at greater risk creating problems rather than offering a solution,” said Heather West, head of policy for the Americas at the nonprofit Internet company Mozilla. 
The Cybersecurity 202 Network, first launched in 2018, comprises more than 100 cybersecurity experts who participate in our ongoing informal surveys. The panel includes current and former officials from the U.S. government, private sector and the security research community. (You can see the full list here.)

The EARN IT Act would strip tech companies of their prized liability protections for what users share on their platforms, unless they follow rules designed by a new government task force — which experts fear would require companies to give law enforcement special access to encrypted communications.
Network experts warned that such a move would make hundreds of millions of people more vulnerable to hacking — and probably wouldn’t even accomplish its main goal of preventing online child exploitation.
“The EARN IT bill not only will fail at its objectives, but will also destroy the protection encryption provides to everyday citizens’ medical, financial and personal data,” said Steve Grobman, chief technology officer of the cybersecurity firm McAfee.
The bill's sponsors, Sens. Lindsey Graham (R-S.C.) and Richard Blumenthal (D-Conn.) frequently point out that it doesn’t include the word “encryption” and there’s no guarantee the task force it envisions would focus on the protection. The bill, introduced earlier this month, appeared to be gaining steam on Capitol Hill before the urgent need to respond to the coronavirus pandemic effectively forced all other congressional work into the background.
Experts charged, however, that the bill was designed so that weakening encryption would be the inevitable result. 
"This bill… is clearly a ‘backdoor to a backdoor’ to encryption,” said Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford University’s Center for Internet and Society.
Whitney Merrill, a former Federal Trade Commission attorney, called it “encryption backdoor legislation in disguise” and warned that “while there's no mention of ‘encryption’ in the bill, there is no possible way to do what the bill requires without undermining end-to-end encryption,” a technical term for encrypted communications that can’t be viewed even by the company providing the messaging service.
“The bill is targeted at child exploitation only as a means of achieving the broader goal of government surveillance generally,” said Paul Rosenzweig, a top Department of Homeland Security official during the George W. Bush administration who now runs Red Branch Consulting.
Other experts lashed out at the idea of the U.S. attorney general leading the proposed task force. Attorney General William Barr has been among the most outspoken critics of encryption when it impedes law enforcement investigations, they noted.
“Making it easier to combat child exploitation is the right idea," said Scott Montgomery, vice president and chief technical strategist at McAfee. "However, giving Attorney General Barr (or any single AG) oversight of a committee weighing a nebulous ‘best practices' listis a singularly terrible idea.”
The fact the bill puts Barr at the head of the task force “says all you need to know” about how encryption will fare if it’s passed, said Mark Weatherford, a former DHS cybersecurity official.
“While you can’t argue that the issue of online child sexual exploitation should be addressed through legislation, it’s politically underhanded to use this sensitive public safety issue as subterfuge to advance an issue they’ve been otherwise unsuccessful in achieving,” said Weatherford, who’s now a global information security strategist at Booking Holdings.
Some experts also warned the bill could result in much broader access to encrypted communications for law enforcement even when child pornography is not the main concern.
“It pushes toward an Internet where the law require[s] every message sent to be read by government-approved scanning software,” said Cindy Cohn, executive director of the Electronic Frontier Foundation, a digital rights advocacy group.
Joe Hall, senior vice president for a strong Internet at the Internet Society, a global nonprofit group, called the bill “a bipartisan buzz-saw steamroller through digital rights and free speech.”
And if the government gains special access to encrypted communications with a warrant, there’s no guarantee hackers won’t steal that access and use it to swipe users' personal information, warned Jake Williams, a former National Security Agency hacker and founder of the cybersecurity company Rendition Infosec.
“The government has shown time and time again that they can't protect classified information from access (and even release) by unauthorized parties,” he said, pointing to two prominent leaks of secret hacking tools from the NSA and CIA that proved devastating for the agencies.
“To think the government can (or will) do any better with encryption backdoors given this context is laughable,” he said.
“Experts agree that backdoors could be exploited by bad actors and that no backdoor could guarantee only law-abiding officials have access,” said Jennifer Granick, surveillance and cybersecurity counsel with the American Civil Liberties Union’s Speech, Privacy, and Technology Project.
And even if the bill does result in weaker encryption in products from U.S. companies, criminals could still use products with stronger encryption produced in the European Union or elsewhere, some experts warned.
“Put simply, the EARN IT bill would mandate faulty encryption for Americans, while strong encryption would still be easily available to anyone intelligent enough to download their application from, for example, an E.U. server,” said Sascha Meinrath, a Penn State professor and founding director of X-Lab, a think tank focusing on the intersection of technologies and public policy.
That would also make it more difficult for U.S. tech companies to compete overseas, warned Katie Moussouris, founder and CEO of Luta Security.
“American tech with such mandated encryption backdoors will end up on other countries’ banned software lists, regarded much like Huawei is in the U.S.,” she said, referring to the Chinese telecom firm that officials have accused of aiding Chinese spying and banned from many U.S. networks.
A 15 percent minority of Network experts said the EARN IT bill was a good idea. 
Former NSA general counsel Stewart Baker argued that limiting encryption might be necessary to prevent the spread of child pornography and other criminal activity.
“If encryption is implemented in a way that recklessly and predictably fosters child abuse, why would we give the designer an immunity for the harm it has caused?” he asked. “Would we give an immunity to an electric scooter company whose product design recklessly burned down a few houses just because we thought the scooters were cool and had a positive environmental impact?”
Two experts — John Pescatore, director of emerging security trends at the SANS Institute cybersecurity training organization and Kiersten Todt, president and managing partner of Liberty Group Ventures — argued the bill was necessary so government could force tech companies to take more responsibility for criminal activity on their platforms. But they both said it should not be used to undermine encryption.
“Leaving [Internet service providers] and websites completely free of any responsibility for user content has resulted in vast swarms of malware, ransomware, phishing sites, deep fakes, etc.,” Pescatore said. “The situation today is as if on the Internet [it is] fine to shout ‘Fire!!!’ in a crowded theater, while we know that is NOT OK in the real world!”
Todt argued that tech firms can take numerous reasonable steps to combat the spread of child pornography without weakening encryption. WhatsApp, for example, says it removes about 250,000 accounts each month that it suspects are sharing explicit photos of children based on technical data — even though it can't see the photos themselves.
“The definition of reasonable will be critical to the effectiveness and success of this bill — and this bill should not be an excuse for killing end-to-end encryption,” she said.
Steve Weber, founder and director of the Center for Long Term Cybersecurity at the University of California at Berkeley, argued that encryption protections need to be addressed in the context of much broader concerns about technology and safety.
“Encryption is a critical issue, but allowing it to overshadow everything else is not good politics because it will make the technology community seem dangerously out of touch,” he said.

THE NETWORK

— More responses to The Cybersecurity 202 Network survey question on whether the EARN IT Act is a good idea:
  • NO: “There are better ways to combat child exploitation. The committee should focus on legislative reforms that hold companies accountable for not identifying and blocking child traffickers from their platforms based on currently available signals. That can be done without weakening privacy and security measures.” — Chris Finan, CEO and co-founder of Manifold Technology and a former top White House cybersecurity official during the Obama administration
  • NO: “High-tech security measures shouldn't be designed by political appointees We need to solve child exploitation online, and while I'm sure this bill has the right intent, it's the wrong approach.” — David Brumley, CEO of the cybersecurity company ForAllSecure and a professor at Carnegie Mellon University
  • NO: “Any legislated structure that carries the abilities to strip American citizens of their right to privacy is a mistake and a step towards the end of democracy.” — Tony Cole, chief technology officer at Attivo Networks
  • NO: “Preventing child exploitation is important, but attacking encryption is not the way to do that.” — Harri Hursti, an election security expert and founding partner of Nordic Innovation Labs
  • NO: “Protecting children from exploitation has long been a top priority for [the Internet Association] and its members, but federal policy regarding something as critical as encryption should be debated in the open with all relevant stakeholders.” — Jon Berroya, senior vice president and general counsel at the Internet Association trade group, which includes Google, Facebook and Microsoft among its members
  • NO: “I share concerns about the impact of harmful online content on the nation’s most vulnerable people, including our children. The EARN IT Act will not help to deter or prevent any of this criminal activity.” — Christian Dawson, executive director of i2Coalition, an industry group that includes Google, Amazon and Cloudflare among its members
PINGED, PATCHED, PWNED

A man walks past a banner showing Saudi King Salman, right, and Crown Prince Mohammed bin Salman outside a mall in Jiddah, Saudi Arabia, on March 7. (Amr Nabil/AP)
PINGED:  Saudi Arabia appears to be tracking its citizens inside the United States by exploiting vulnerabilities in a decades-old global messaging system that allows cellular customers to move from network to network while traveling, Stephanie Kirchgaessner at the Guardian reports. Privacy advocates say the apparent surveillance campaign highlights an urgent need for U.S. regulators to step in and fix vulnerabilities with the system that made the spying possible.
Saudi telecommunications companies requested location data on Saudi citizens in the United States millions of times over a four-month period starting in November, according to documents a whistleblower shared with the Guardian. The large volume of requests indicates a coordinated surveillance effort, multiple security experts told Stephanie. The Saudi government has a history of hacking its own citizens, particularly dissidents and journalists.
The system the Saudi companies used, known as SS7, is meant to allow foreign providers to track roaming charges, but can be easily misused. DHS has received reports that malicious actors are exploiting the system, the agency told the office of Sen. Ron Wyden (D-Ore.) in a 2018 letter.
T-Mobile and Verizon did not comment on requests from the Guardian asking whether they allowed SS7 requests from foreign providers that could be used for tracking locations. AT&T said it has “security controls to block location-tracking messages from roaming partners."

President Trump and Vice President Pence. (Jim Watson/AFP/Getty Images)
PATCHED: Federal, state and local officials are partnering with tech and marketing companies in the hopes they can harness cellphone location data to track the spread of the coronavirus in the United States, the Wall Street Journal's Byron Tau reports. Privacy experts, however, say the efforts could pose serious risks without the right safeguards.
Under a White House proposal, the officials are working with advertisers to pull widely available anonymized geolocation data into a national portal. It's a contrast with Europe and Asia, where government officials have urged telecommunications companies to share data with them directly.
The Centers for Disease Control and Prevention and the White House have partnered with a number of tech companies on the project, while some state and local governments have turned to data marketing companies such as Foursquare Labs.
Data marketing is largely unregulated on the federal level and even anonymized data could be tied to individuals, privacy experts caution. Privacy activist Wolfie Christl called for “strong legal safeguards” to minimize risk.

Few motorists drive on Pennsylvania Avenue NW in Washington on March 25. Officials have urged residents to stay home to contain the spread of the coronavirus. (Manuel Balce Ceneta/AP)
PWNED: House lawmakers failed to renew controversial FBI surveillance tools before leaving town on Friday, leaving the program paused for at least several more weeks, the Wall Street Journal's Dustin Volz reports. Efforts to renew the post-9/11 authorities got mired down as some lawmakers urged broader privacy protections and the bill effectively took a back seat as Congress pivoted to dealing with the coronavirus pandemic.
The Senate passed a short-term extension of the powers before the program expired.
Now, the Justice Department is urging the House to pass the same extension “as soon as possible to avoid any further gap in our national security capabilities,” Justice Department spokeswoman Kerri Kupec told Dustin.

PUBLIC KEY

Cybersecurity news from the public sector:

The Kremlin-backed Internet Research Agency, which interfered in the 2016 election, is using different methods to hide itself better.
The New York Times

Rep. Michael McCaul (R-Texas) is urging Secretary of State Mike Pompeo to take steps to limit the spread of online Chinese misinformation around the coronavirus pandemic.
The Hill

Officials say an updated rule for implementing the program will be open for comment later this spring.
Nextgov

PRIVATE KEY

Cybersecurity news from the private sector:

While hackers all over the world rely on emails and text messages to breach networks, one infamous criminal group appears to be turning to the mailman to deliver their malicious code.
CyberScoop

Kitboga has built a following by trolling telemarketers. Covid-19 opportunists have given him a whole new crop of targets.
Wired

Exclusive: TechCrunch obtained a copy of the database, which was breached in October 2019.
TechCrunch

THE NEW WILD WEST

Cybersecurity news from abroad:

Many European telecommunications companies are sharing mobile location data with governments to follow people’s movements after coronavirus lockdowns, focusing on compliance with privacy rules by anonymizing the data.
Wall Street Journal

A new spate of iOS and Android mobile malware attacks has been targeting Hong Kong residents, according to Kaspersky and Trend Micro.
CyberScoop

Feb 12, 2020

Analysis | The Cybersecurity 202: Nevada officials intend to use Google forms in upcoming caucuses

By Joseph Marks





The fountains of Bellagio erupt along the Las Vegas Strip. (John Locher/AP)
THE KEY
Election experts are warning about more tech and security red flags as Nevada Democrats race to develop a new game plan for their second-in-the-nation caucuses on Feb. 22.
Those warning signs include vital caucus functions conducted with iPads that probably will be connected to the Internet, a dwindling timeframe to test new tech procedures and a lack of transparency. They threaten a repeat of the Iowa’s caucuses debacle where results were delayed for days and online misinformation swirled.
“It’s terrifying that this is happening 11 days before the caucus,” Gregory Miller, chief operating officer of the OSET Institute, a nonprofit election technology organization, told me. “This all should have been baked in several months ago.”
Another blunder could be a disaster for the Democratic Party, which is reeling from the debacle in Iowa and is desperate to prove its tech and cybersecurity bona fides after Hillary Clinton’s 2016 campaign was upended by a Russian hacking and disinformation operation aimed at helping her opponent, Donald Trump.
Tech problems in Nevada will be slightly tempered by a smooth count in the New Hampshire Democratic primary last night, which used a far simpler process to tally votes and was run by election officials rather than the state party. News outlets declared Sen. Bernie Sanders (I-Vt.) the narrow winner of that contest shortly after 11 p.m. Eastern time.
Nevada Democrats have been frantically revamping their caucus operations since last week when they scrapped plans to use apps developed by Shadow Inc., the tech firm launched by veterans of Clinton’s 2016 campaign that also built the app that imploded in Iowa. The Iowa app wasn’t just shoddily built but also contained security vulnerabilities, according to experts who reviewed it after the fact.
The new Nevada procedures present tech and security problems of their own, however.
On Monday evening the state party outlined plans for volunteers to check in early voters using iPads with county-specific PDFs of voter rolls preloaded on the Books app and to record who has voted early using a Google form, according to a document sent to campaigns and detailed by my colleagues Holly Bailey and Isaac Stanley-Becker.
That creates a danger hackers could try to manipulate those forms or simply overwhelm wireless networks so it’s tougher to access them, Miller told me.
Nevada Democrats didn’t respond to questions I sent asking how long those tools would be connected to the Internet and what security testing is planned. The party also hasn’t answered detailed questions about a separate digital tool it intends to use to do the complex math integrating the candidate preferences of early voters with the preferences of people who show up on caucus night.
That lack of transparency could be dangerous because it prevents outside experts from pointing out pitfalls and gives fodder to rumors and misinformation.
“To set up a process for voting and early voting in a caucus on a tight time frame [is] a really big challenge. It would be a tall order for anybody,” David Levine, the elections integrity fellow at the Alliance for Securing Democracy, told me. “So, it’s incumbent on the Nevada Democratic Party to be as transparent and forthcoming as possible.”
If something does go wrong on caucus night, it’s also vital that Nevada officials explain what’s happening as quickly and clearly as possible to avoid the rumors that swirled in Iowa and damaged the contest’s credibility, Levine said.
“If there’s a vacuum, it’s going to be filled,” he said. “To avoid a situation where misinformation or disinformation can drown out accurate information, it’s really important the Nevada Democratic Party steps up and is clear about what they’re doing and how they’re doing it.” 
For some election experts, the Iowa failures and concerns about Nevada are enough to call into question the caucus system itself, in which citizens gather to hash out which candidates to support rather than voting individually and the process is run by state parties rather than election professionals.
“Caucuses are passing from being antiquated to being outright obsolete,” Miller told me. “Sure, there’s some romance to the caucus process of everyone getting together, but romance can be very messy.”
Some security experts, meanwhile, praised the decision to use Google Forms rather than any custom-built tools, saying its safer to rely on large commercial technology that's been rigorously tested — especially given the incredibly tight time frame before this month's Nevada contests.
“Google dedicates enormous resources to keep their core infrastructure secure,” Chad Loder, founder of the cybersecurity training company Habitu8, told me. “They have experience in protecting their systems and applications from nation states. Sometimes, simpler is better. "
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
Not a regular subscriber?

PINGED, PATCHED, PWNED

PINGED: The Chinese telecommunications company Huawei has covertly maintained access to mobile phone networks through backdoors meant exclusively for law enforcement, U.S. officials say, according to Bojan Pancevski at the Wall Street Journal. That’s the most serious and specific charge U.S. officials have yet leveled against the Chinese company, which they’re trying to restrict from the next generation of super-fast wireless networks known as 5G.
Officials declined to say whether the United States has observed Huawei using this access, but said classified intelligence shows it has had the capability to do so since at least 2009. The company also failed to disclose that access to customers or to intelligence services in nations where it operates, officials told Bojan.
“We have evidence that Huawei has the capability secretly to access sensitive and personal information in systems it maintains and sells around the world,” national security adviser Robert O’Brien said.
Huawei denied the story, saying that it “has never and will never do anything that would compromise or endanger the security of networks and data of its clients.” U.S. officials have long warned that Chinese leaders could compel Huawei to assist government spying, but have stopped short of making more specific charges.
Washington privately shopped the classified intelligence to allies for months as it ramped up efforts to convince other nations to ban Huawei from their 5G networks, Bojan reported.
The warnings didn't stop the United Kingdom from allowing Huawei a limited role in its 5G network build out last month, however. They could carry more weight in Germany, where lawmakers will vote in the coming weeks on whether to allow Huawei access to its 5G market. Diplomats there described a memo detailing the U.S. findings as “smoking gun” evidence that Huawei poses a spying risk, according to a confidential memo seen by the Journal, Bojan reports.
Some privacy advocates, meanwhile, pointed to the story as evidence that law enforcement backdoors into technology can be exploited far too easily by criminals or other nations a dig at the Justice Department, which is pushing for similar special access to encrypted communications.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation:
Gee, maybe back doors for law enforcement aren’t a good idea. https://t.co/jpEiMKCjLy
— Eva (@evacide) February 11, 2020

Senate Minority Leader Chuck Schumer (D-N.Y.) speaks as Sen. Mark Warner (D-Va.) and Sen. Richard Blumenthal (D-Conn.) look on. (Alex Wong/Getty Images)
PATCHED: Senators again tussled again over election security legislation yesterday, with Democrats slamming Republicans for blocking three bills requiring campaigns to report offers of foreign assistance and mandate additional cybersecurity measures to protect hacking. By refusing to pass the measures — even with primaries and caucuses in full swing — Republicans are putting American elections at serious risk of foreign interference, Democrats said.
“Despite all of the ways foreign hackers have already made it into our election infrastructure, Congress has refused to arm state and county elections officials with the knowledge and funding they need to secure their systems,” Sen. Ron Wyden (D-Ore.) said. “I fear the 2020 election will make 2016 look like small potatoes.”
Sen. Marsha Blackburn (R-Tenn.), meanwhile, not only blocked Democrats' efforts but also accused them of trying to “seize control over elections from the states.”
Blackburn countered with a bill seeking an investigation into what went wrong with the results of the Iowa Democratic caucuses called the “Determining Election Blunders And Correcting Logical Errors,” or DEBACLE, Act.
Senate Minority Leader Chuck Schumer (D-N.Y.) accused Republicans of being afraid of the wrath of President Trump and Senate Majority Leader Mitch McConnell (R-Ky.).
The current president of the United States, far from having the same fears about foreign interference as our founders, has been very public about his openness to foreign assistance and manipulation in support of his election, Schumer said.
— Chuck Schumer (@SenSchumer) February 11, 2020
PWNED: Tech entrepreneur Andrew Yang dropped out of the presidential race after a disappointing showing in New Hampshire last night, my colleagues David Weigel and Amy B Wang reported. Yang, a tech entrepreneur, was the only candidate to endorse mobile voting, an idea largely panned by election security experts.
He also advocated reviving the defunct Office of Technology Assessment that would be tasked with making Congress smarter about tech and cybersecurity issues.
Yang spoke out against election interference on the debate stage and praised congressional efforts to guard against it during a Post Live event in October — though he took a softer line than most of his Democratic challengers on directly criticizing Russia for interfering in the 2016 contest.
Sen. Michael F. Bennet (D-Colo.) also ended his campaign last night. Bennet was a co-sponsor of Democrats' major election security bills and had urged House and Senate appropriations committees to increase funding for election security grants and the Election Assistance Commission.

PUBLIC KEY

--Social media companies have ramped up efforts to take down phony and misleading posts by actors tied to Iran that attempt to sway public opinion in the United States and abroad. Now it's the U.S. government's turn to step up, says a new report out today from the Atlantic Council.
The report urges the Department of Homeland Security to create an intergovernmental agency that would attribute and publicize foreign influence operations, which they say could help demystify Iran's ongoing information warfare campaign against the United States.
“The U.S. government has struggled profoundly to come up with a coordinated response to these threats,” Emerson T. Brooking, resident fellow at the Atlantic Council's Digital Forensic Research Lab and co-author of the report with Suzanne Kianpour, told our researcher Tonya Riley. “The stakes are too high for these kinds of attributions to be left to the private sector alone."
— More cybersecurity news from the public sector:
Top federal and state officials pressed a Senate committee on Tuesday to provide more resources and authorities to fight cyberattacks, an issue of increasing concern in the wake of debilitating attacks on governments entities t
The Hill
James Wroten called the clerk of court in Vernon Parish, Louisiana last November with an urgent message.
Kartikay Mehrotra | Bloomberg
House lawmakers on Tuesday touted progress toward bipartisan legislation on self-driving cars, with plans to release draft language that includes cybersecurity measures soon.
The Hill
The resignations could plunge the department into political crisis over its independence.
Matt Zapotosky, Devlin Barrett, Ann Marimow and Spencer Hsu

PRIVATE KEY

--Malicious websites containing the word “valentine” increased by 200 percent in February over previous months in both 2018 and 2019, researchers at Checkpoint found. Fraudulent websites using the word “chocolate" also spiked those months but to a lesser degree, the researchers found. They urged internet users to be wary of special online offers containing the keywords. But who would click on a Valentine's Day offer in October?
— More cybersecurity news from the private sector:
Losses from cryptocurrency crime surged to $4.52 billion last year, as insider t...
Reuters
Motherboard obtained a video of a so-called relay attack from EvanConnect, who sells keyless repeaters that can be used to break into and steal luxury cars.
Vice

THE NEW WILD WEST

— Cybersecurity news from abroad:
Switzerland said on Tuesday it was probing reports that the U.S. Central Intelli...
Reuters

Feb 10, 2020

US Security: U.S. charges four members of Chinese military in connection with 2017 Equifax hack

Devlin Barrett


The Justice Department has charged four members of the Chinese military with the 2017 hack at the credit reporting agency Equifax, a massive data breach that compromised the personal information of nearly half of all Americans.
In a nine-count indictment filed in federal court in Atlanta, federal prosecutors alleged that four members of the People’s Liberation Army hacked into Equifax’s systems, stealing the personal data as well as company trade secrets. Attorney General William P. Barr called their efforts “a deliberate and sweeping intrusion into the private information of the American people.”
The 2017 breach gave hackers access to the personal information, including Social Security numbers and birth dates, of about 145 million people. Equifax last year agreed to a $700 million settlement with the Federal Trade Commission to compensate victims. Those affected can ask for free credit monitoring or, if they already have such a service, a cash payout of up to $125, though the FTC has warned a large volume of requesters could reduce that amount.
“This data has economic value, and these thefts can feed China’s development of artificial intelligence tools,” Barr said. The attorney general said the indictment would hold the Chinese military “accountable for their criminal actions.”
Barr and other U.S. law enforcement officials have in recent weeks taken a particularly aggressive posture toward China. Late last week, Barr warned of that country’s bid to dominate the burgeoning 5G wireless market and said the U.S. and its allies must “act collectively” or risk putting “their economic fate in China’s hands.”
Those charged with the Equifax hack are Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei. Officials said they were members of the PLA’s 54th Research Institute.
According to the indictment, in March 2017, a software firm announced a vulnerability in one of its products, but Equifax did not patch the vulnerability on their online dispute portal, which used that particular software. In the months that followed, the Chinese military hackers exploited that unrepaired software flaw to steal vast quantities of Equifax’s files, the indictment charges.
Officials said the hackers also took steps to cover their tracks, routing traffic through 34 servers in 20 countries to hide their location, using encrypted communication channels and wiping logs that might have given away what they were doing.
“American business cannot be complacent about protecting their data,” said FBI Deputy Director David Bowdich.
Barr said that while the Justice Department did not normally charge other countries’ military or intelligence officers outside of the United States, there were exceptions, and the indiscriminate theft of civilians’ personal information “cannot be countenanced.”
In the U.S., he said, “we collect information only for legitimate, national security purposes.”
None of the four is in custody, and officials acknowledged there is little prospect of them coming to the United States. for trial. But the indictment does serve as a sort-of public shaming, and officials said that if those charged attempt to travel someday, the U.S. could potentially arrest them.
“We can’t take them into custody, try them in a court of law, and lock them up — not today, anyway,” Bowdich said. “But one day, these criminals will slip up, and when they do, we’ll be there.”
U.S. officials said the stolen data could be used to help Chinese intelligence agents target American intelligence officials, but added they had seen no evidence yet of such activity.
The case marks the second time the U.S. Justice Department has unsealed a criminal indictment against PLA hackers for targeting U.S. commercial interests. In 2014, the Obama administration announced an indictment against five suspected PLA hackers for allegedly breaking into the computer systems of a host of American manufacturers.

Jan 21, 2020

Opinion | Don’t tell the partisans, but so far impeachment’s political fallout is negligible

Charles Lane



The Senate impeachment trial of President Trump begins in earnest Tuesday, almost precisely four months since House Speaker Nancy Pelosi announced the start of an inquiry into allegations that the president had committed “Treason, Bribery, or other high Crimes and Misdemeanors” by manipulating military aid to Ukraine for personal political advantage.
Little uncertainty surrounds the likely outcome: acquittal for Trump by a Republican-led Senate.
On the other big question, though — how impeachment might affect the 2020 election — there is more room for debate. What’s striking so far is how little difference this supposedly “historic” process seems to be making.
The main impact has been to reinforce what was already the central issue in U.S. politics: “Donald Trump, pro or con?” Now more than ever, opposition to Trump defines what it means to be a Democrat and support for him defines what it means to be a Republican.
Support for impeachment rose from 71.9 percent among Democrats the day before Pelosi’s Sept. 24 announcement to 86.3 percent today, whereas Republican support for it has hardly budged, according to the FiveThirtyEight average of polls.
Pelosi herself led the anti-impeachment forces in the party, warning progressive pro-impeachment Democrats after the party regained the House majority in 2018 that impeaching Trump would “divide the country,” unless evidence of presidential wrongdoing was so strong that Republicans also voted to impeach.
Pelosi and other old Democratic hands feared a voter backlash that could cost them seats in the House, just as the GOP House majority shrank by five seats in 1998 amid the impeachment of Democratic President Bill Clinton.
In the end, the Ukraine revelations forced Pelosi’s hand and, contrary to her initial fears, a party-line impeachment may help House Democrats, or at least not hurt them.
Yes, Democratic Rep. Jeff Van Drew of a deep-red New Jersey district switched parties in December rather than vote to impeach, but 30 other Democrats who represent swing districts (except for Collin C. Peterson of Minnesota and Jared Golden of Maine) backed both articles of impeachment, a pretty good indication that, for them, the political benefits — including a flow of campaign cash from progressive donors — outweigh the costs.
And there is little sign of major losses for Democrats next year, let alone that the House is at risk. The party holds a 5.8 percentage point edge in the “generic ballot” for House races in 2020, according to FiveThirty­Eight, down only modestly from the 8.6 point margin by which they beat Republicans in 2018.
At the presidential level, meanwhile, impeachment has done essentially nothing to Trump’s standing with the public. The day before Pelosi announced the inquiry, 43.3 percent of registered or likely voters approved of the job he was doing; 43.9 percent approve today, while the share disapproving, now 52.1 percent, represents a 1.2 point drop since the eve of her announcement.
Near-total Republican opposition to Trump’s removal from office, via a Senate conviction, cancels out near-total Democratic support for it, with the result that the public is essentially tied on that issue, though the most recent survey, by Gallup, shows the public opposing removal by 51 to 46 percent.
As for the Senate, Democrats have high hopes that impeachment can help them regain control of the body, which Republicans control 53 to 47, even if there is little or no chance of getting the requisite 67 votes to oust the president.
Hence they are using the impending trial to focus their supporters’ ire on a man Democrats love to hate: Majority Leader Mitch McConnell (just as Republicans turned the House impeachment into a fundraising campaign focused on the detested Pelosi).
They also hope to stage a series of votes on procedural issues — especially the key question of whether to call additional witnesses — that will put GOP senators facing difficult reelection campaigns on the spot.
So far, impeachment seems to be forcing swing-state Republicans Martha McSally (Ariz.), Thom Tillis (N.C.), Joni Ernst (Iowa) and Cory Gardner (Colo.) further into the arms of McConnell and the right-wing, pro-Trump forces that dominate the party.
All of the above were scheduled to join the majority leader and Sen. Rick Scott for three “keep the Senate red” fundraisers in Scott’s home state of Florida on Tuesday — but the events had to be postponed because of the start of the Senate trial. Significantly, moderate Republican Sen. Susan Collins of Maine, who has said she is open to calling witnesses after each side’s opening arguments, was slated to join.
Still angry at Democratic attacks over her support for Supreme Court Justice Brett M. Kavanaugh, Collins has sounded unusually partisan Republican notes of late, including her acidic response to pressure on the witness issue from Senate Minority Leader Charles E. Schumer (D-N.Y.).
“I don’t think he’s really very interested in doing anything but trying to defeat me by telling lies to the people of Maine,” Collins said.
The political middle ground upon which Collins built her career is vanishing. For both Democrats and Republicans, impeachment has mutated into the latest in a long series of base-rallying exercises, in preparation for a November 2020 election that will have almost nothing to do with persuading undecideds — and everything to do with mobilizing partisans.
Read more:

Jan 13, 2020

Analysis | The Cybersecurity 202: Get ready for serious cyberattacks from Iran, experts say

By Joseph Marks







President Trump speaks about the situation with Iran in the Grand Foyer of the White House. (Photo by Saul Loeb/AFP/Getty Images)
THE KEY
The United States should expect serious cyberattacks from Iran in the next few months, according to an overwhelming majority of experts surveyed by The Cybersecurity 202.
Those digital attacks are likely to hit oil refineries, financial institutions and other U.S. targets as retaliation for the U.S. killing of a top Iranian general, a whopping 85 percent of respondents to our Network survey said.

“Iran is dangerous because they have the intent, motivation and capabilities. While their cyber capabilities are not on par with Russia and China, they are innovative and can cause both physical and psychological disruption,” warned Kiersten Todt, president of Liberty Group Ventures, and who led an Obama-era cybersecurity commission.
“We should expect attacks of all stripes from Iran over the next few months,” said Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub and a former Department of Homeland Security cybersecurity official.
The Network is a panel of more than 100 leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)
One big reason Iran is likely to ramp up cyberattacks is because it’s easier to focus them at a low enough level that they don’t prompt U.S. retaliation compared with conventional military or terrorist attacks, many experts said. The United States and Iran backed away from further military hostilities after the killing of a Maj. Gen. Qasem Soleimani promoted an Iranian missile strike on two U.S. bases in Iraq.
“Iran will be looking for ways to cause pain in the United States without provoking a severe counterattack,” Stewart Baker, a Steptoe and Johnson attorney and former NSA general counsel, said.
Dmitri Alperovitch, co-founder of the cybersecurity company CrowdStrike, described Iranian leadership as “quite risk averse” and noted that “cyber … provides Iran with response options that are below the thresholds likely to trigger a U.S. retaliation.”
Cyberattacks "seem to be the most likely route where the Iranians can cause damage without casualties and hopefully stay under the thin red line for a major U.S. response,” said Tony Cole, chief technology officer at Attivo Networks.
Iran has a long track record of hacking U.S. targets, including pummeling U.S. banks with overwhelming network traffic to force them offline in 2012 and hacking control systems at a New York dam in 2013. The nation also destroyed sensitive data during a hack at the Sands Casino in 2014 after anti-Iran comments by owner Sheldon Adelson.
“Past performance is not always a perfect predictor of future results, but it is often the best that we have, [and] Iran has a long track record of using cyber means of retaliation,” said Peter Singer, a cyberwar expert and senior fellow at the New America think tank.
“They’ve demonstrated capability and intent for destructive cyberattacks inside the U.S. and I would expect to see that,” said Suzanne Spaulding, who led DHS cybersecurity efforts during the Obama administration.
“Iran is not new to this rodeo … What I expect is simply an escalation of what they've already been doing,” said Mark Weatherford, a former Department of Homeland Security cybersecurity official who’s now a global information security strategist at Booking Holdings.
Cyberattacks are also attractive because the United States is far more reliant on information technology than Iran, which makes it far more vulnerable.
“I remain concerned that the Administration did not fully anticipate the range of possible Iranian responses prior to carrying out the strike [Soleimani], particularly given the United States’ significant reliance on information and communications technology,” said Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus and chair of the House Armed Services Committee’s main cybersecurity panel.
Iranian cyberattacks could target “industrial control systems essential to the operation of power grids, water systems, and other critical infrastructures,” warned Melanie Teplinsky, a former White House and NSA official who’s now an adjunct professor at American University’s Washington College of Law.
“The reality is that Iran is likely in a position to cause grave damage across our energy grid, water plants, and other utilities,” said Jay Kaplan, co-founder of the cybersecurity company Synack, but he added that “I don’t believe they will play this card unless things escalate further.”
Iran could also look beyond those targets.
Lance Hoffman, director of the Cyber Security Policy and Research Institute at George Washington University, warned of “manipulation of social media to … sow distrust in U.S. government agencies.”
Or Iranian hackers may take a page from Russia and try to disrupt the 2020 election or Democratic primaries and caucuses, warned Maurice Turner, deputy director of the Internet Architecture Project at the Center for Democracy & Technology think tank.
“The 30-plus primary elections in March will be prime targets if ideological messaging becomes an attack objective,” he said.
Another danger is that Iranian hackers could miscalculate and end up damaging organizations they don’t intend to.
“Unfortunately, organizations that aren't typically targeted by the Iranian government may nevertheless experience collateral damage or be targeted by hacktivists during a conflict like this,” said Tom Cross, chief technology officer of network security provider OPAQ Networks.
Several experts also fretted that other nations might use escalating tensions between the United States and Iran to launch false flag cyberattacks against U.S. targets that look as if they’re launched by Iran but aren’t.
Camille Stewart, a former DHS cybersecurity official who works in Deloitte & Touche’s cyber risk practice, warned about “unaffiliated actors looking to capitalize off the tensions to execute a cyberattack and pass blame.”
Michael Daly, chief technology officer for cybersecurity and special missions for Raytheon Intelligence, noted that “North Korea and Russia may choose to create distractions and difficulty for the U.S. under the guise of the Iranian conflict.”
Among the 15 percent of experts who didn’t predict serious Iranian cyberattacks, most still expected Iran would punch back in cyberspace — they just didn’t think it would do much harm.
Megan Stifel, executive director for the Americas at the Global Cyber Alliance nonprofit and a former National Security Council cybersecurity official, said she expected “small-scale interruptions and nuisance activities with limited impact.”
Sam Visner, director of the National Cybersecurity Federally Funded Research and Development Center, managed by the Mitre Corporation, predicted “cyberattacks that will cause some difficulty, akin to vandalism, but Iran will move with caution and exercise some control, avoiding significant escalation.”
John Pescatore, director of emerging security trends at the SANS Institute cybersecurity training organization, meanwhile, predicted Iran couldn’t do enough damage in cyberspace to send the message it wants to.
“Pictures and stories of blood and deaths is … the goal, not stories of delays in plane takeoffs or deliveries of bicycles,” he said.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
Not a regular subscriber?

THE NETWORK

— More responses to The Network survey question about cyberattacks from Iran: 
  • YES: “Iranian-linked actors are already quite active against United States targets. Given the current tension, we should expect an increase in activity. The question is whether they will be strategic and state-directed or undertaken at the initiative of their numerous proxies.” — John Carlin, former assistant attorney general for the Justice Department’s National Security Division and a partner at the Morrison & Foerster law firm
  • YES: “Although the intensity of the operations have waxed and waned and the focus of the operations has shifted between regional targets and Western targets, Iran has made steady use of this tool.” — Michael Daniel, former White House cybersecurity coordinator during the Obama administration who now leads the Cyber Threat Alliance
  • YES: “It’s safe to assume that the gloves will come off and we can expect a more aggressive posture in cyberspace from Iran.” — Vikram Phatak, founder of the cybersecurity firm NSS Labs
  • YES: “It's always better to expect serious cyberattacks and prepare accordingly than to assume they won't occur. We don't have a very clear sense of Iran's capabilities beyond espionage and sabotage, but that doesn't mean we shouldn't be preparing for and expecting more extreme attacks.” — Josephine Wolff, assistant professor of cybersecurity policy at the Fletcher School of Law and Diplomacy at Tufts University
  • YES: “With kinetic attacks already underway, coming from Iran towards American troops still stationed in Iraqi bases, it stands to reason that cyberattacks will escalate as well.” — Katie Moussouris, founder and CEO of Luta Security
  • YES: “The Iranian government and its agents have proven themselves to possess a small yet potent cadre of cyber operators…I anticipate that they will…use tactics, techniques and procedures such as obfuscation and redirection, outsourcing, and other methods to attack without solid attribution.” — Greg Touhill, president of Cyxtera Federal Group who served as the U.S. government’s first chief information security officer under President Barack Obama
  • YES: “Although Iranian leadership has called for Iran’s responses to the Soleimani killing to be overt and direct, it is hard to imagine that Iran or its proxies will not resort to hostile cyber operations, whether against U.S. military or civilian targets.” — Ashley Deeks, a former State Department official and professor at the University of Virginia Law School
  • NO: “The Iranians do not have escalation dominance in cyberspace, and they know it.”  Dave Aitel, a former NSA hacker who is president and CEO of the cybersecurity firm Immunity Inc.

PINGED, PATCHED, PWNED


Hard-line protesters chant slogans while holding up a poster of Gen. Qasem Soleimani and Supreme Leader Ayatollah Ali Khamenei. (Ebrahim Noroozi/AP)
PINGED: The United States was prepared to launch a cyberattack to disable Iran's gas and oil sector if Iran hit back too hard after a U.S. drone attack killed a top Iranian general, Peter Baker, Ronen Bergman, David D. Kirkpatrick, Julian E. Barnes and Alissa J. Rubin at the New York Times report. The revelation highlights a shift under the Trump administration to be more aggressive in cyberspace. 
The planned response also included physical strikes against a command-in-control ship. But officials backed away from the plans after Iran signaled it would go no further than its missile attacks against U.S. targets in Iran, which were designed to not cause casualties. U.S. officials also sent secret messages through Swiss intermediaries, urging Iran to not go further, the Times reports. 

An attendee wears a badge strip with the logo of Huawei and a sign for 5G at the World 5G Exhibition in Beijing in November. (Jason Lee/Reuters)
PATCHED: U.S. officials are arriving in Britain today to urge leaders there to exclude Huawei equipment from the nation’s next-generation 5G telecommunications networks, two sources told Jack Stubbs, William James, and Alexandra Alper at Reuters. The delegation comes as British security officials close in on a decision about whether to use the controversial Chinese firm that U.S. officials say can’t be trusted not to assist Beijing spying.
The U.S. delegation will include deputy national security adviser Matt Pottinger, Reuters reports. Huawei has steadfastly denied it helps China spy. 
Last week Sen. Tom Cotton (R-Ark.) introduced a bill that would cut off Great Britain and other allies from U.S. intelligence sharing if they fail to ban Huawei from their 5G networks. 
Andrew Parker, head of Britain’s MI5 domestic security agency, meanwhile, said he has “no reason to think” that the U.S. intelligence-sharing relationship would be damaged if Britain adopted Huawei technology, Lionel Barber, Helen Warrell and George Parker at the Financial Times report.

A doctor looks at an x-ray of a woman's broken wrist. (AP Photo/Luca Bruno)
PWNED: Millions of medical images that include patients’ sensitive health information are being exposed online every day in ways that make it easy for hackers to scoop them up, Zack Whittaker at TechCrunch reports
The culprit is insecure servers that hospitals are using to store X rays, ultrasounds and CT scans and that hackers can crack into with easy-to-download software. The servers are now putting about 1 billion medical images across the world at risk -- about half of which belong to patients in the United States, Zack reports. 
In one case, it took a researcher “just a few minutes” to find tens of thousands of patients' scans from one of the largest hospitals in Los Angeles.
“The amount of data exposed is still rising, even considering the amount of data taken offline due to our disclosures,” said Dirk Schrader, lead researcher  at a German security firm that unearthed more than 720 million exposed medical images in September.
The exposures, which can lead to greater risk of insurance fraud and identity theft for patients, have sparked concern from U.S. health officials and lawmakers.
“As Health and Human Services aggressively pushes to permit a wider range of parties to have access to the sensitive health information of American patients without traditional privacy protections attached to that information, HHS’s inattention to this particular incident becomes even more troubling,” Sen. Mark Warner (D-Va.) told Zack.

PUBLIC KEY

— Former House Intelligence Committee chairman Rep. Mike Rogers (R-Mich.) is announcing a new nonprofit group today aimed at highlighting the economic and national security importance of next-generation 5G telecommunications networks. The group will work with members of Congress “to win the 5G race against China,” according to a news release.
— More cybersecurity news from the public sector:
The U.S. government is planning to permanently halt its civilian drone program due to the devices being made at least partly in China, the Financial Times reported on Sunday.
Reuters
The FBI has told U.S. companies that Iranian hackers have stepped up their probing and reconnaissance activity in the days since the U.S. military killed Iranian Maj. Gen. Qassem Soleimani.
CyberScoop
Former New York City Mayor Mike Bloomberg on Friday released a plan to boost voting rights and election security, becoming the latest 2020 presidential candidate to address how votes are counted.
Q Cyber Technologies has been sued by Facebook and WhatsApp and is accused of helping Saudi Arabia spy on murdered journalist Jamal Khashoggi.
Al-Monitor
Texas authorities and the FBI are investigating after the Manor Independent School District lost about $2.3 million in a phishing email scam, the school system said in a news release.
CNN

PRIVATE KEY

— Cybersecurity news from the private sector:
The company didn't specify how many employees or customers were affected by the incident.
CNBC
Travelex is restoring operations to process foreign exchange orders electronical...
SIM swappers have escalated from bribing employees to using remote desktop software to get direct access to internal T-Mobile, AT&T, and Sprint tools.
Vice

THE NEW WILD WEST

— Cybersecurity news from abroad:
Huawei security chief's claims come as a proposed new bill threatens 'consequences' for U.S. allies buying Huawei.
Forbes

Latest Post Published

Biggest Market Moves Premarket: Athene, Apollo Global, GE, AerCap & More.

cnbc.com Stocks making the biggest moves in the premarket: Athene, Apollo Global, GE, AerCap & more ...