With help from Eric Geller and Martin Matishak
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. To learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services, click here.
EQUIFAX EXCLUSIVE: THE BOTTOM LINE ON BREACH FAILURES — The historic Equifax data breach last year that affected 148 million consumers was “entirely preventable” and the credit bureau botched its handling of the mammoth incident afterward, according to a final House Oversight Committee report out today. “Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the staff majority report concludes. “Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”
— The buildup: Two major factors allowed the breach to happen, the report states. First, the company’s structure created big gaps between IT policy development and IT operations, a situation that allowed 300 security certificates to expire, including one that had expired 19 months earlier and whose lapse prevented Equifax from monitoring encrypted network traffic. It also left a critical Apache Struts vulnerability unpatched, exposing systems for 145 days — and the company knew it had trouble with patch management, which operated on an “honor system.”
Second, the company grew too fast, vacuuming up increasingly massive amounts of data as it acquired other companies and assumed those companies’ IT systems. That created a complex web of legacy systems, and with them vulnerabilities, the report states. Equifax had begun a modernization initiative in response to the problem, but it came too late. In all, attackers were able to access 48 databases over a 76-day assault, successfully locating unencrypted personal data 265 times and transferring it out of Equifax’s systems, the committee report states.
— The response: Although Equifax hired more than 1,500 call center employees to answer calls from potential victims, they were still overwhelmed, and they weren’t properly trained, the report states. Some customers were inadvertently directed to a phishing website rather than the website meant to inform them whether they were victims. A coding issue limited the correct website’s ability to properly identify those victims, according to the report.
— The recommendations: Congress might need to boost the oversight powers of the Federal Trade Commission, and the Office of Management and Budget needs to use its acquisition powers to improve cybersecurity, the report states. The Securities and Exchange Commission should work with the private sector on disclosure of cybersecurity-related matters, the executive branch should work with industry on reducing use of Social Security numbers, and the Government Accountability Office should make recommendations to Congress on improving identity monitoring and protection services. And consumer reporting agencies should improve transparency while the private sector as a whole should modernize its IT, the report recommends.
— The Equifax fallout: After the incident, CEO Richard Smith left the company, the chief information officer and chief security officer took early retirements and the company fired a senior vice president for failing to forward an email about the Apache Struts vulnerability. Smith told the panel last year that “the breach occurred because of both human error and technology failures,” but the committee report deems that an oversimplification.
HAPPY MONDAY and welcome to Morning Cybersecurity! Your usual MC host’s health has been absolute garbage of late, but I’m working my way back. Thanks to my teammates for holding things down while I was away, and thanks to anyone who fed them stuff to write. Send your thoughts, feedback and especially tips to [email protected], and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
** A message from ManTech: With cyberattacks proliferating, organizations need real-time, dynamic cyber solutions to protect vital infrastructure and data from theft, compromise and destruction. Defense, Intelligence Community and federal civilian agencies look to ManTech for aggressive cyber solutions that stop criminal hackers, thwart nation-state attacks, and expose insider threats. Learn more at www.mantech.com **
HACKED OR NOT? — Former FBI Director James Comey reiterated to House Judiciary Committee lawmakers last week that investigators found no evidence that hackers had breached former Secretary of State Hillary Clinton’s private email server. “My recollection is that we did not find evidence that foreign actors had intruded into the server, but that our experts thought we wouldn’t see it, given the nature of the server and the nature of the adversary,” Comey told Rep. Trey Gowdy during a private Judiciary Committee hearing, the transcript of which the panel published late last week.
Republicans pressed Comey on the point because his original public statement on the Clinton email investigation said it was “reasonably likely” that hackers had penetrated the server. When Gowdy asked if Comey recalled originally writing something to that effect, he replied, “I don’t [recall that], sitting here. It wouldn’t surprise me, though, as part of the editing process.”
Gowdy asked Comey whether, if hackers had breached Clinton’s server, that would have met the legal definition of allowing non-cleared people to access classified information, since the State Department later flagged some of her emails as containing classified material. “Not necessarily,” Comey said. “The kind of evidence I understand that DOJ looks for is I intentionally shared information with you, who didn’t have a clearance. The carelessness involved in having a system that a bad guy could hack into is a different sort” of behavior.
WHEN THE STELLAR WIND BLOWS — Attorney General nominee William Barr, announced late last week, shares some of acting attorney general Matthew Whitaker’s views on special counsel Robert Mueller’s Russia probe (skeptical of the investigation) and on the inquiry into Hillary Clinton’s use of a private email server (critical of the FBI’s investigation). His prior government service came during the George H.W. Bush administration, when cybersecurity wasn’t really on the radar. But he did serve as Verizon’s general counsel from 2000 to 2008, overlapping with George W. Bush’s program collecting bulk U.S. citizen communications — including emails and internet activity. His current law firm, Kirkland & Ellis, has a data security and privacy practice.
HUAWEI HEAT — Canada’s arrest late last week of Meng Wanzhou, a top Huawei executive, has some cybersecurity implications even though the arrest, made at Washington’s behest, is on charges of violating sanctions against Iran. The New York Times offers details about how the arrest figures into the larger picture on security and trade with China. Some experts warn of a growing tech cold war with China and Russia over U.S. crackdowns on those nations’ companies, while others warn U.S. tech leaders to stay out of China for fear of retaliation. At nearly the same time, European Commission Vice President Andrus Ansip warned in unusually blunt terms about the cybersecurity risks posed by Huawei and others, and Bloomberg reported on a multibillion-dollar cybersecurity reboot at Huawei in response to international fears.
NO ROSETTA STONE NEEDED — The Senate unanimously passed a bill late last week to create a common language for all the threat data that DHS and its component agencies share, and Rep. Will Hurd, who introduced the bill in the House, cheered its passage. The bill, HR 2454, will let DHS “quickly and safely share sensitive information among law enforcement agencies without compromising our nation’s secrets,” Hurd said in a statement. The DHS Data Framework Act covers more than just cyber threat intelligence, including information about terrorism, weapons of mass destruction and other homeland security matters. A statement from Hurd’s office said his bill would replace “the current costly, cumbersome process of searching and vetting information against multiple databases with different log-ins, passwords, and legal restrictions.” The bill must pass the House again before heading to the president’s desk.
OFFICE 365 BACK IN THE SPOTLIGHT — The U.K.’s National Cyber Security Centre recently issued a warning about attacks on Microsoft’s Office 365, which has been in the news over the past several months because of security issues. “The NCSC is aware of several incidents involving the compromise of O365 accounts within the UK, including the use of such methods in targeted supply chain attacks,” the organization stated. “The ultimate objective of this type of targeting is not clear and the attacks appear not to be limited to any particular sector or attributed to any single threat actor.”
PLAN B — Russia’s Central Bank has reportedly warned financial institutions across the country that they could be cut off from some of the world’s financial systems next year. The bank suggested they find alternatives before they come under sanctions via the Countering America’s Adversaries Through Sanctions Act (CAATSA), which Congress overwhelmingly passed in 2017. The bill was approved to punish Moscow for destabilizing activities, including election interference.
RECENTLY ON PRO CYBERSECURITY — The Justice Department is preparing to charge Chinese government hackers for cyberattacks against major technology services firms. … Sen. Mark Warner called for the federal government to develop a comprehensive cyber doctrine. … Warner vowed lawmakers would ‘renew’ efforts to pass election security legislation next year. … Europe is almost finished writing a law that would give institutions the ability to set requirements for IoT devices.
PEOPLE ON THE MOVE
— Elizabeth Kimber will lead the CIA’s directorate of operations, the agency said in a statement Friday.
TWEET OF THE DAY — Yeah, probably.
— The FBI is investigating fake net neutrality comments to the FCC. BuzzFeed
— A firm identified Russian cyberattacks on Ukraine before the physical attack and seizure of the nation’s ships. Nextgov
— Russian social media accounts hyped the French street protests. London Times
— Sen. Ron Wyden says DHS should require federal agencies to block malware-delivering advertisements. The Washington Post
— Tonya Ugoretz will become deputy assistant director of the FBI’s cyber division, The Wall Street Journal reported.
— The Washington Post sheds more light on Saudi Arabia’s cyber operations.
— The NSA honored contributors to cryptology.
— German neo-Nazis bit on an online art project that outed them. Daily Beast
— Someone defaced an unofficial Linux community website with offensive material. Motherboard
— The U.K. is increasing its use of bulk hacking. Register
— A U.K. teen linked to a hacking group was sentenced for making fake bomb threats. BBC
— Hackers stole $800,000 from Cape Cod College. Boston Globe
— Simona Mangiante Papadopoulos, wife of George, had some weird Twitter business and said she was hacked. Splinter News
That’s all for today. Cough, cough.
Stay in touch with the whole team: Mike Farrell ([email protected], @mikebfarrell); Eric Geller ([email protected], @ericgeller); Martin Matishak ([email protected], @martinmatishak) and Tim Starks ([email protected], @timstarks).
** A message from ManTech:
These days, the biggest threat to our national cybersecurity may not be around the world. It could be across the hall. No organization can afford to be hacked.
That’s why ManTech’s insider threat program blends data collection, aggregation and analysis with contextual clues to identify anomalies. We use our experience with Continuous Diagnostics and Mitigation (CDM) and advanced analytics to look for anomalies that indicate potential threats inside the network—like trends and weaknesses, indicators and alerts. Our integrated solution applies pre-security screening to an employee’s lifestyle, counterintelligence factors and suitability. We also provide continuous evaluations, measured monitoring and rapid response. And, of course, we analyze data from physical security safeguards including alarms, CCTV and entry-and-exit checks.
The result is a full-spectrum Insider Threat program that seamlessly integrates data analytics with the human factor – personnel training and processes. Just another ManTech advantage.
Find out more at https://www.mantech.com/capabilities/cyber/insider-threat-program **