With help from Eric Geller and Martin Matishak
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. To learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services, click here.
Story Continued Below
— A Democratic presidential campaign that has advocated for building a “cyber wall” expanded on the term’s meaning to MC.
— President Donald Trump said Russia did help him get elected, before going back on it. He also talked about election security.
— A senior NSA official commented at length on The New York Times’ EternalBlue story for the first time. He suggested some of the story’s characterizations were off.
HAPPY FRIDAY and welcome to Morning Cybersecurity! And that’s the way our nation became “The Brady Bunch.” Send your thoughts, feedback and especially tips to tstarks@politico.com, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
WHAT IS A ‘CYBER WALL?’ — When Rep. Seth Moulton (D-Mass.) talks about his desire to build a “cyber wall” on the presidential trail, infosec Twitter often uses the occasion to crack wise, expressing befuddlement at what a “cyber wall” actually is. So MC asked his campaign. “Obviously, Rep. Moulton is referring to where we should be making security investments in contrast to Donald Trump’s call for a border wall,” spokesperson Matt Corridoni said. “The ‘cyber wall’ is a metaphor for the actions we should be taking to protect our networks and prevent the intrusions that plagued the 2016 election.”
What are some of those suggestions? Corridoni said Moulton favors giving agencies the money they need to buy “top of the line” software to protect .gov domains. Then there’s .com, where Moulton suggests a start that would include “requiring all contractors to implement rigorous password requirements and staff trainings about phishing and email best practices in order to generate a new industry standard.” The federal government should invest in tech and cyber startups, “so that Silicon Valley isn’t turning to the Chinese for startup funding.”
And Corridoni said Moulton wants to pump up deterrence by making sure hackers recognize the punishments outweigh the benefits of attacks. “Donald Trump has embraced Russia following their attack on the integrity of our election process, and we need to be doing exactly the opposite,” Corridoni said.
HOW AM I NOT MYSELF — Trump said on Thursday for the first time that Russia helped get him elected, but quickly reversed himself. “I had nothing to do with Russia helping me to get elected,” he tweeted. Shortly after, he told reporters something else. “No, Russia did not help me get elected,” he said. “I got me elected.” Trump also commented on election security efforts in his administration. “We are doing a lot, and we’re trying to do paper ballots as a backup system as much as possible, because going to good old-fashioned paper in this modern age is the best way to do it,” he said. While top administration officials have backed those policies, they also resisted legislation last year, S. 2593 (115), that would’ve encouraged those practices.
INTO THE ETERNALBLUE — A senior NSA official on Thursday weighed in publicly on the recent story that hackers used a stolen tool from the clandestine organization to facilitate cyberattacks on American cities, including San Antonio and Baltimore. “NSA shares the concerns of all law-abiding cities around the world about the threat posed by criminal malicious cyber activity,” according to prepared remarks by NSA senior adviser Rob Joyce for a CrowdStrike event in Washington. “The characterization that there is an indefensible nation-state tool propagating ransomware is simply untrue. That is not true.”
Joyce’s remarks noted that Microsoft issued patches in 2017 to address a flaw in its software, ostensibly against the cyber tool, dubbed EternalBlue. While the remarks don’t suggest that NSA told Microsoft about the vulnerability, Joyce said his agency, along with DHS and other federal organizations, issued and disseminated advisories about it. “Two years have gone by — network administrators are responsible for ensuring that system patches are up-to-date.” Joyce went on to say that “focusing on a single exploit, especially one that … has a solution through a patch is shortsighted.” Vulnerabilities “will continue to be found,” he said. In fact, Baltimore’s own IT office had warned about vulnerable computer systems.
CRYPTO CHECK-IN — Cybersecurity aficionados interested in encryption policy around the world can turn to a resource from the Carnegie Endowment for International Peace. The organization on Thursday published a series of expert briefs describing how the EU, Brazil, Australia, China, India and Germany have approached encryption. “Regulation on encryption is imminent in India,” writes the Observer Research Foundation’s Bedavyasa Mohanty. “Its exact nature remains undecided, but it will significantly affect India’s newly recognized fundamental right to privacy.” Germany, meanwhile, “takes a clear and unambiguous stance on strong encryption as a fundamental element” for protecting government, corporate and personal data, according to Sven Herpig and Stefan Heumann of the think tank Stiftung Neue Verantwortung.
The papers are the product of Carnegie’s Encryption Working Group, which described them as resources “designed to shine light on key drivers of the debates in these countries, how they have evolved in the last five years, and the divergent approaches taken by different governments.” The group said it would publish “further briefings on aspects of the [global] encryption policy debate” in the next few months.
YOU’VE GOT ANOTHER WEEK — The Election Assistance Commission on Thursday extended the deadline for commenting on an updated version of the guidelines many states use for their voting machine regulations. The original deadline for feedback on the principles and high-level guidelines for the Voluntary Voting System Guidelines 2.0 came and went this week, but it’s now been pushed to June 7. Some major groups got their comments in under the original time frame.
RECENTLY ON PRO CYBERSECURITY — House members introduced bipartisan legislation to safeguard American research from foreign espionage. … Attorney General William Barr said special counsel Robert Mueller “could’ve reached a decision” on obstruction of justice. … “Lawmakers negotiating a national privacy bill are clashing over whether to allow consumers to sue companies like Facebook and Google over privacy violations.”
TWEET OF THE DAY — An easy way to get attention.
— NIST physicists took another step closer to quantum computing.
— A Silk Road 2.0 administrator cooperated with authorities and might face lesser charges. Motherboard
— “U.S. grid regulators are calling for additional cybersecurity safeguards for vital, often foreign-made equipment installed in the bulk power system, according to a report filed [Tuesday] with the Federal Energy Regulatory Commission.” E&E News
— Next week Trump will threaten to cut off intel sharing with the U.K. over 5G. Financial Times
— National Security Adviser John Bolton doesn’t think the U.K. has made a final decision on Huawei yet. Reuters
— Health issues derailed a court session for WikiLeaks founder Julian Assange. NPR
— Cuba legalized private Wi-Fi. ABC News
— Palo Alto Networks got in on the week’s cyber company buy-up trend.
— TechCrunch profiled Dragos.
— A Pennsylvania county is reckoning with a cyberattack. Times-Leader
— Another unsecured database. ZDNet
— And another one. TechCrunch
— Checkers and Rally’s had a data breach.
That’s all for today.
Stay in touch with the whole team: Mike Farrell (mfarrell@politico.com, @mikebfarrell); Eric Geller (egeller@politico.com, @ericgeller); Martin Matishak (mmatishak@politico.com, @martinmatishak) and Tim Starks (tstarks@politico.com, @timstarks).
