Big companies agree to cyber job recruiting steps


With help from Mike Farrell, Eric Geller, Mary Lee and Martin Matishak

Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.

More than a dozen major companies, ranging from Google to Johnson & Johnson, are committing to using cybersecurity job recruiting techniques intended to expand the world of would-be hires.

First in MC: A trio of bipartisan senators is introducing legislation intended to help state and local government switch to a more secure web domain.

The WhatsApp versus NSO Group legal battle threatens to spill out in several directions, potentially seeping into the encryption debate and other legal actions.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! If it was “Game of Thrones”-related, there was a good chance it got canceled on Tuesday. Send your thoughts, feedback and especially tips to tstarks@politico.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

A BIG STEP — Fifteen major organizations, including some of the world’s largest companies, today announced their commitment to help widen the pool of cybersecurity applicants as a way of filling a massive jobs gap. The idea, under the initiative led by the Aspen Cybersecurity Group, is to seek candidates outside traditional postings requiring a bachelor’s or more advanced degree, and to appeal to those with other backgrounds.

That involves “changing job qualifications to elevate the importance of real-world skills over degrees, rewriting job descriptions to appeal to more diverse job applicants, and drawing a transparent career path for cybersecurity workers,” wrote John Carlin, chair of the Aspen Institute’s cybersecurity and technology program and a former assistant attorney general for national security.

The companies and organizations that committed are AIG, Apple, Cloudflare, Cyber Threat Alliance, Duke Energy, Facebook, Google, IBM, IronNet, Johnson & Johnson, Northrop Grumman, PwC, Symantec, Unisys and Verizon. The companies agreed to expand their recruitment focus beyond applicants with four-year degrees and by “using non-gender biased job descriptions”; center job postings on core requirements and not “over-spec” them; and make career paths more accessible and understandable.

EXCLUSIVE: THE .GOV MIGRATION MOVEMENT — A bipartisan group of senators is introducing legislation today that would require DHS to help local governments make the switch to the .gov domain, reasoning that it would be a more secure home for their websites. While most federal agencies and many states use .gov for their websites, it’s not as common on the local level. The senators — top Homeland Security Democrat Gary Peters of Michigan, Minnesota Democratic presidential contender Amy Klobuchar and James Lankford (R-Okla.) — contend that it will help citizens and businesses differentiate between legitimate sites and ones set up by cybercriminals. The bill is sponsored by Homeland Security Chairman Ron Johnson (R-Wis.).

“Local governments are responsible for safeguarding citizens’ personal data, from Social Security numbers and credit card information to detailed medical records,” said Peters. “This important legislation will help protect the personal information of people in Michigan and across the country from hackers looking to take advantage of gaps in our cybersecurity defenses.” Under the bill, DHS would have to develop an outreach strategy to aid local governments in taking advantage of .gov security features and authorizing the transition as an expense under the DHS Homeland Security Grant Program.

CYBER GOES TO COURT — The WhatsApp and Facebook legal war against NSO Group over a May intrusion that targeted human rights activists, journalists and others promises to be a big one. And it could serve as a sideline battleground for other debates, too, like encryption and regulation of cyber weapons. WhatsApp head Will Cathcart announced the federal court action Tuesday, writing that “we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.”

“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” NSO Group replied. “Our technology is not designed or licensed for use against human rights activists and journalists.” The statement also answered another point Cathcart made about not weakening encryption. “The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity,” read the remarks, which echo a recent Trump administration push against warrant-proof encrypted tech. “Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles.”

Revelations in the WhatsApp court filing about the surveillance targets could feed into other legal actions, too, as human rights groups and others are separately fighting to have Israel revoke NSO Group’s export licence. “WhatsApp deserves credit for their tough stance against these malicious attacks, including their efforts to hold NSO to account in the courts,” said Danna Ingleton, deputy director of Amnesty Tech, in a statement that also referenced an upcoming legal case in Tel Aviv.

ABOUT THAT U.S., RUSSIA CYBER ‘RELATIONS’ THING — A brief item that Reuters published recently saying Moscow and Washington would begin cooperating on cyber seemed weird to us. It was based off the Russian TASS news agency report that quoted FSB chief Alexander Bortnikov saying, “we are restoring these (cyber security) relations.” We asked around to agencies and departments that might know, but no one seemed to have any idea or would give us anything on the record about the seemingly random remark.

But one person familiar with the U.S.-Russian relationship told our POLITICO colleague Daniel Lippman in an email that it all amounted to propaganda. “Unimaginable,” the person said about relations between Russia and the U.S. on cyber. “Resistance within the U.S. interagency is overwhelmingly opposed on legit grounds, i.e. not wanting to equate Russia’s malign use of cyber (election meddling) with routine rules of the road discussions.” Even so, the person said, the Russians have “pushed cyber cooperation consistently since 2016 to no avail so anything popping up in their media is propaganda.” We didn’t hear back from the Russian embassy in Washington before press time.

PATENT NO LONGER PENDING — A major voting technology vendor has won a patent for scanning software that it says will eliminate the need for barcodes on paper ballots, which many cybersecurity experts warn are dangerous. Hart InterCivic, the vendor with the third-largest U.S. market share, incorporated the system into its Verity Duo ballot-marking device, which uses a touchscreen to mark paper ballots. “The new scanning technology gives voters peace of mind that their marked ballots are tallied word-for-word, not converted into a barcode that cannot be checked by a human,” Hart said in a statement. The company applied for the patent in January and received federal approval in October.

Barcodes are one of the reasons why some voting security experts call BMDs inferior to hand-marked paper ballots, because they cannot be visually audited and rely on technology to assure accurate tabulation. Hart described barcodes as “controversial” and “unverifiable.” Its system will instead scan and record text that voters can check. Hart’s competitors, Election Systems & Software and Dominion Voting Systems, sell barcode-based devices.

PRETTY PLEASE — The centrist Blue Dog Coalition on Tuesday requested that appropriators provide $600 million in Election Assistance Commission-administered election security grants when their panels reconcile competing versions of the fiscal 2020 Financial Services appropriations bill. Currently, the House-passed measure (H.R. 3351) would provide $600 million for the EAC, while the Senate’s committee-approved bill (S. 2524) would provide $250 million. Funding for the federal government is currently operating on a stopgap spending bill (H.R. 4378) and runs out on Nov. 21.

In its letter, the coalition also asked for language requiring grantees to use the funding to swap out direct-recording electronic voting machines with voting systems that require the use of a voter-verified paper ballot; address cybersecurity vulnerabilities in elections systems; provide election officials with cybersecurity training; and implement election system best practices.

TWEET OF THE DAY — Everyone get your popcorn.

RECENTLY ON PRO CYBERSECURITY — House Homeland Security Chairman Bennie Thompson (D-Miss.) said he’ll be scrutinizing voting machine vendors more going forward. … The Pentagon’s chief information officer, Dana Deasy, defended how the department awarded a $10 billion cloud computing contract, at his nomination hearing. … Sen. Josh Hawley (R-Mo.) will hold a hearing next week on what tech companies are doing to protect consumer data from China. … The European Commission warned Google, Facebook and Twitter to do more on disinformation or face hard rules. … German ministers are considering tougher 5G rules that could exclude Huawei. … An Australian regulator began court action against Google, alleging it misled consumers about location data.

The U.S. contributed roughly $639,000 to the Organization of American States’ Cybercrime Program, the State Department announced.

An Indian nuclear power plant said it wasn’t the victim of a cyberattack. India Today

Credit card information for mostly Indian bank customers popped up on an online market, though. CyberScoop

Voting Village co-founder Jake Braun makes a curious cameo in this one by Bloomberg.

Cybersecurity spending is up, but so are breaches. ServiceNow

WhatsApp versus NSO Group isn’t the only cyber-related court battle being waged. Motherboard

European authorities issued a patch that “fixes two security flaws that could allow an attacker to pose as any EU citizen or business during official transactions.” ZDNet

That’s all for today.

Stay in touch with the whole team: Mike Farrell (mfarrell@politico.com, @mikebfarrell); Eric Geller (egeller@politico.com, @ericgeller); Mary Lee (mlee@politico.com, @maryjylee); Martin Matishak (mmatishak@politico.com, @martinmatishak) and Tim Starks (tstarks@politico.com, @timstarks).




