Editor's Note: Weekly Cybersecurity is a weekly version of POLITICO Pro's daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day's biggest stories. Act on the news with POLITICO Pro.
MC has your first look at the Biden administration's new plan for protecting the government with zero-trust networking.
Two Senate committees will have to iron out their differences on cyber incident reporting soon if they want to hitch a ride on a must-pass bill.
The Biden administration and the European Union are making plans to tackle challenges posed by encryption.
HAPPY TUESDAY, and welcome back to Morning Cybersecurity! If you're reading this message, it means that we got through the long Labor Day weekend without any devastating cyberattacks. Maybe everyone really listened to Anne Neuberger after all. Sam will be back tomorrow, so send your thoughts, feedback and especially tips to [emailprotected]. Follow @POLITICOPro and @MorningCybersec. Full team contact info below.
FIRST IN MC: DON'T TRUST, VERIFY: The White House this morning is releasing for public comment a draft version of its strategy for implementing zero-trust principles across federal networks. The Biden administration sees zero-trust networking (in which a computer system is designed on the assumption that hackers have already gained access, so every user and device must be constantly challenged and impeded) as key to its security overhaul of decades-old networks. Its new strategy will require a raft of actions to lock down software applications, limit users' access to data and protect network traffic from prying eyes.
Among the 18 steps required by the end of fiscal 2024: Every agency will have to use one single sign-on service to let employees access all of its applications; ditch multi-factor authentication methods that are susceptible to phishing attacks, such as codes delivered by text message; and eliminate archaic password policies that require special characters and regular password changes. They'll also have to encrypt all internal traffic and develop plans to segment their networks so that hackers can't easily move from one application to another. And they'll have to make at least one internal system securely accessible from the internet, to reduce reliance on VPNs.
Along with the draft zero-trust strategy, CISA is also releasing a maturity model that provides a roadmap for agencies' implementation of zero-trust policies, as well as a guidance document to help agencies securely migrate their applications to the cloud.
The zero-trust plan is part of President Joe Biden's cyber executive order, which also launched several other initiatives with impending due dates. By Thursday, for example, agencies must submit progress reports on their rollout of multi-factor authentication and encryption. CISA has until Thursday to develop a cyber incident response playbook that every agency can use. And DHS and OMB have until Thursday to set up procedures to ensure that contractors report cyber incidents to the appropriate agencies.
SENATE SHOWDOWN: As Congress' summer recess nears its end, lawmakers face a big question: How will they reach agreement on the best way to require companies to report hacks? And more specifically, what will happen to the Senate Intelligence Committee's cyber incident reporting bill now that the Senate and House homeland security panels have teamed up on more industry-friendly legislation?
Senate Intelligence's bill differs widely from the Senate Homeland measure that yours truly scooped last week, especially in its minimum reporting timeframe, the types of companies covered and the penalties for noncompliant companies. In letters to Congress and at last week's hearing, industry groups criticized the Intelligence bill's provisions.
"There is strong industry support for the House and Senate Homeland bills' approach," said Ron Bushar, an executive at the cyber firm FireEye who testified on the House bill last week. And Senate Homeland has another advantage over Senate Intelligence: it has jurisdiction over any reporting bill, so it will play a significant role in shaping whatever legislation emerges. FireEye CEO Kevin Mandia will meet with Senate Homeland Security Chair Gary Peters (D-Mich.) on Wednesday, according to Stacy O'Mara, the company's director of government affairs.
But the Senate Intelligence bill has powerful sponsors, including perennial swing vote Susan Collins (R-Maine) and committee chair Mark Warner (D-Va.), an influential voice on national security. Warner and his colleagues are still revising their bill, and his office says it's having productive meetings with interested parties.
The homeland security panels are collaborating closely on their bills, according to an aide for the House panel. And Senate Homeland Security ranking member Rob Portman (R-Ohio) has been talking to the Senate Intelligence bill's sponsors, a Senate aide said. Both aides requested anonymity to discuss legislative negotiations.
"It's critical for Congress to listen to industry stakeholders and ensure what's written into law in Washington makes sense practically when implemented in the real world," House Homeland Security ranking member Andrew Garbarino (R-N.Y.) told MC.
Homeland and Intelligence face a tight deadline to resolve their differences. Multiple people tracking the process said the best hope for incident reporting legislation was to attach it to the fiscal 2022 defense policy bill, which is being marked up now. Senate Homeland's outreach to industry included a request for feedback by Sept. 14.
Another reason to hurry is that implementation will take a while. "You're looking at a minimum of half a year anyway between passage of a bill and standup of a reporting platform," Bushar said. "The longer you delay the bill, the more time it takes before you can have a regime in place that can actually start to have an impact."
BOTH FORMS OF CRYPTO: The Biden administration and the European Union have recommitted to collaboratively seeking a solution to the encryption debate, a top EU official told MC, suggesting that while this policy challenge has simmered under the surface for several years, it's still top of mind for policymakers behind closed doors.
"Encryption is important, but we have to always avoid a black-or-white discussion," EU Home Affairs Commissioner Ylva Johansson said in an interview after meetings in Washington with DHS Secretary Alejandro Mayorkas and Attorney General Merrick Garland. "It's not like we should protect privacy or protect vulnerable children. We need to do both."
Johansson, who discussed encryption with Garland, said that while the attorney general didn't reveal the Biden administration's agenda for resolving the long-running crypto wars, the EU and the U.S. are "very much close to each other on these issues." Both leaders, she said, agreed that tech companies "need to take their responsibility to develop proper technical solutions for this."
Apple has received withering criticism from security experts over a proposal to scan for child sexual abuse imagery on its customers' phones. On Friday, the company said it was pausing the rollout of that feature to collect input and make improvements. Speaking before that news broke, Johansson applauded the company's effort. Apple's solution might not be the perfect one, she said, "but I welcome a company that really tries to find a balanced approach protecting both privacy and children."
Johansson and her U.S. counterparts also agreed on the scope of a common working group on ransomware, she said. The new group will focus on investigative cooperation, tracing ransom payments (which Johansson identified as a particular priority) and building digital resilience against hackers. The group will present its initial report at the next EU-U.S. Ministerial Meeting on Justice and Home Affairs later this year.
STILL EVADING: The U.S. government continues to brush off suggestions that it was involved in firewall maker Juniper Networks' use of an encryption algorithm backdoored by the NSA, despite a Bloomberg story saying the Pentagon leaned on the company to adopt the code. Asked about Bloomberg's reporting during Thursday's White House press briefing, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, described the Juniper/NSA saga as "an old story that's been reported, and I think we've continuously noted that there isn't substantiation for it."
Security experts first proposed a link between the NSA and the backdoored Juniper code in 2015, several months after the company announced that sophisticated hackers had breached its systems by modifying that code. But until last week's Bloomberg story, it remained unclear why Juniper had used the widely criticized code in the first place. NIST told companies to stop using it in 2014, one year after leaked documents revealed that the NSA had secretly tampered with it and paid a leading vendor $10 million to use it.
During MC's break, yours truly conducted the first in-depth interview with inaugural National Cyber Director Chris Inglis. Pros can read the story about his priorities and the full Q&A. He also revealed that the Biden administration is pushing Microsoft to make full log data free for all customers.
University of California, Berkeley computer science professor Nicholas Weaver with some real talk: "The Ivermectin of Computer Science is Blockchain."
How Kuwait punished a security expert for revealing a major bank's embarrassing hack. (CyberScoop)
Nextgov interviewed Allan Friedman, the man behind the government's software bill of materials campaign, as he moves from NTIA to CISA to bring SBOMs to life.
The Justice Department launched a cyber fellowship program for prosecutors.
NIST wants feedback on its proposed criteria for an internet of things security labeling program.
Chat soon.
Stay in touch with the whole team: Eric Geller ([emailprotected]); Bob King ([emailprotected]); Sam Sabin ([emailprotected]); and Heidi Vogt ([emailprotected]).
Source: EXCLUSIVE: What's in the new zero-trust strategy - Politico