
Where Iran is strong, weak in cyberspace


With help from Eric Geller, Mary Lee, Martin Matishak, Christian Vasquez, Stephanie Beasley and Cristiano Lima

Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.


The Pentagon’s intelligence arm assessed Iran’s capabilities in cyberspace, comparing them unfavorably to the U.S., China and Russia but saying they were improving.

It’s almost the holiday buying season, and a cybersecurity company assessed the current threat to retailers.

An election security expert issued a stark warning about election threats at a House committee hearing Tuesday.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Your MC host is off for a couple days to see his favorite musician out of town. Finally. Other tries, FKA twigs was sold out. She puts on what looks like an amazing show, from the live footage I’ve seen. Send your thoughts, feedback and especially tips to tstarks@politico.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

DoD INTEL ARM ON IRAN DIGITAL MIGHT — The Defense Intelligence Agency on Tuesday released “Iran Military Power,” an examination of Tehran’s defense goals and intentions, including in cyberspace. “Although still technologically inferior to most of its competitors, the Iranian military has progressed substantially over the past few decades,” DIA chief Lt. Gen. Robert Ashley said in the report’s introduction.

Iran “uses cyberspace operations as a tool of statecraft and internal security, and it continues to improve its capabilities,” the Pentagon’s intelligence arm found, adding Tehran “often masks its cyberoperations using proxies to maintain plausible deniability. However, there are often clear indications that link these operations to Iran’s security apparatus.”

Iran’s offensive digital capabilities “remain underdeveloped” compared to the U.S., China and Russia, according to DIA. The report notes that Tehran receives “technical assistance for cyberspace defense from Russia and China” and delves into the malicious online activities favored by the country, such as phishing, cyber espionage and information operations. Iran’s military modernization goal in terms of cyber is to expand its presence and maintain a hold over its adversaries’ infrastructure to keep it at risk.

A SCAMMER DARKLY — Domain-related attacks make up 92 percent of campaigns against the retail industry, according to a report released today by cybersecurity firm ZeroFOX. The firm looked at the types of attacks against retailers from the past year and found that each brand they monitored experienced six domain alerts per day. The report also found that retail scams increase significantly around the holiday season, with over half the scams targeting the technology retail sector from Nov. 9 to 28 in 2018. What’s more, ZeroFOX found that retailers encounter counterfeits of their products online two times a day, on average.

LET’S GET MOVING — The House Energy and Commerce Committee will take up a pair of postponed cyber-related bills today. The panel will consider one bill that would reauthorize a law on cross-border spyware through Sept. 30, 2027. The existing law, which gave authorities to the FTC to share information and cooperate on investigations with foreign governments, expires next September. Also on the agenda: a bill that would require the president to develop a strategy to ensure the security of 5G and future generation mobile telecommunications systems and infrastructure, as well as protect the competitiveness of American companies and consumer privacy.

If you missed it, the Senate Energy and Natural Resources Committee advanced a bill by voice vote on Tuesday that would authorize $250 million over five years to the Energy Department to create a grant and technical assistance program to protect against, detect and respond to cybersecurity threats. The program would seek to deploy advanced cybersecurity technologies for electric utility systems.

THIS DOESN’T SOUND GREAT — Computer scientist and voting machine vulnerability expert Matthew Blaze issued a warning about the worst-case election security misfire at a hearing of the House Homeland Security Committee on Tuesday. “We don’t know what we don’t know,” Georgetown University’s Blaze told the panel. “One thing we do know: If there has not been a large scale disruption or attack against our election infrastructure that is successful, it’s not because our systems are robust — but rather because nobody has tried to do it.”

KNOW BEFORE YOU BUILD — The European Union’s cybersecurity agency wants to help internet of things manufacturers design secure devices that won’t be roped into botnets and used to disrupt society. The European Union Agency for Cybersecurity, known as ENISA, on Tuesday released a report listing best practices for IoT product development.

The document, produced in collaboration with outside IoT experts, describes the Software Development Life Cycle, catalogs the assets (such as production data and APIs) necessary for development, and describes the cyber threats facing those assets (such as information manipulation and denial-of-service attacks on production infrastructure). It also offers recommendations for secure, resilient processes at every phase of the design and production process, from personnel training to access control to security metrics to code review.

DRONE EXCLUSIVE — A new DHS report that was published just months after the department issued a cybersecurity warning about Chinese-made drones shows that DHS determined two models of DJI drones were safe for federal use when equipped with a suite of cybersecurity upgrades called Government Edition. The department concluded the 40-page report with skepticism, however: “No data leakage was found during the limited-scope analysis, but that does not mean it cannot happen with the right conditions and circumstances.”

The findings appear to mostly confirm those included in a July report from the Interior Department, which authorized the use of certain DJI drones. DHS declined to comment on its report, obtained by Morning Transportation’s Stephanie Beasley, referring questions to Interior. DOI’s press office did not respond to a request for comment. Interior has remained relatively mum on its decision to ground its mostly Chinese fleet of more than 800 drones, including 121 manufactured by DJI, over cybersecurity concerns.

Worth flagging: In a discussion of supply chain issues, DHS noted the drone market was dominated by companies based in China “due in large part to the overhead for Chinese manufacturing costs as opposed to those based in the U.S.” It also said that many U.S. drone companies rely on Chinese components. As Stephanie reported earlier this week, some in the Trump administration are looking for ways to restore the U.S. drone market, though the White House has expressed concerns about banning Chinese-made drones.

HOUSE BILL WOULD TEST TECH’S RESPONSE TO TERRORIST CONTENT — From our friends at Morning Tech: A Democratic-led House bill slated to be introduced today would create a voluntary system to grade social media platforms’ efforts to crack down on terrorist and violent extremist content. Under the so-called Raising the Bar Act, proposed by Democratic Rep. Max Rose (N.Y.), DHS would select a civil society group to administer exercises that test how well tech companies enforce their counterterrorism policies. The group would then issue a report and brief Congress on its findings, which Rose, who chairs the House Homeland Security Subcommittee on Intelligence and Counterterrorism, hopes will lead to industry reform.

“This is exactly the type of public-private partnership that will get things done and keep people safe in this country,” Rose told Pro’s Cristiano Lima, who first reported on plans for the bill in September. And Rose, who has been critical of industry-led efforts to curb terrorist material, said he’s not worried about a lack of participation in the voluntary exercises. “I fully expect that these tech firms will take part in it,” he said, in a nod to Facebook, Google, Twitter, Microsoft and others. The lawmaker described the bill, co-sponsored by House Homeland Security Chairman Bennie Thompson (D-Miss.), as part of a “joint effort” to tackle online extremism by the committee, which earlier this year advanced a separate bill on the issue.

TWEET OF THE DAY — Wow, what are the odds?!

RECENTLY ON PRO CYBERSECURITY — It takes nearly a week for companies to detect and contain intrusions after suffering a cyberattack, according to CrowdStrike. … The Coalition Against Stalkerware launched Tuesday. … Bipartisan leadership of four Senate committees asked President Donald Trump to appoint a 5G coordinator. … German Chancellor Angela Merkel is resisting calls to be tougher on Huawei. … The European Union’s chief insurance regulator called for a common cybersecurity system. … Swedish prosecutors dropped their rape investigation into WikiLeaks founder Julian Assange.

“A grid security activist has sued the Federal Energy Regulatory Commission for shielding the names of hundreds of U.S. utilities found to have broken cybersecurity rules.” E&E News

The Foreign Policy Research Institute launched a project to track Kremlin-sponsored news outlets’ mentions of the 2020 elections.

U.K.’s Labour Party is sticking with basic, low-cost cyber defenses after attacks from hackers. Reuters

A pro-Brexit leader’s Twitter account got hacked. BBC

The Associated Press got the Montenegro side of the election security partnership with Cyber Command.

India says it can snoop on citizens’ devices for national security or for the purposes of friendly relations with other countries. TechCrunch

That’s all for today.

Stay in touch with the whole team: Mike Farrell (mfarrell@politico.com, @mikebfarrell); Eric Geller (egeller@politico.com, @ericgeller); Mary Lee (mlee@politico.com, @maryjylee); Martin Matishak (mmatishak@politico.com, @martinmatishak); and Tim Starks (tstarks@politico.com, @timstarks).




