Will Congress do anything about the Capital One hack?


With help from Eric Geller, Mary Lee and Martin Matishak

Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.

There’s interest on Capitol Hill in passing legislation in response to the Capital One breach, but most signs point to nothing happening.

State and local governments, as well as presidential candidates, aren’t doing enough to defend themselves against email spoofing, according to an update out today.

President Donald Trump may have dug a deeper hole for his pick for director of national intelligence with remarks Tuesday.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! We know what it really means: End times. Please send your thoughts, feedback and especially tips to tstarks@politico.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

SOUND AND FURY The Senate Banking Committee and the New York attorney general may be probing the massive Capital One data breach, but don’t expect a legislative response despite the clamor on the Hill, POLITICO’s Zachary Warmbrodt and Tim report. The reasons are many: disputes between industries and squabbles between committees over data security standards, questions about whether a federal data breach notification standard should replace a state-by-state patchwork and difficulty agreeing on consumer privacy legislation. Read more at the POLITICO Pro website.

Elsewhere, Bloomberg reported on the email tip that prompted Capital One to discover the breach. Alleged hacker Paige A. Thompson may have breached even more organizations, Forbes reported, including “one of the world’s biggest telecom providers, an Ohio government body and a major U.S. university.” Her arrest happened at a house where authorities also detained a man who had a cache of more than 20 guns. And who’s really to blame for what happened, anyhow?

DMARC IT (CLOSE TO) ZERO — Presidential candidates and state and local government domains aren’t fully protecting themselves against email spoofing, according to ValiMail. Only three of 23 candidates have properly implemented the Domain-based Message Authentication, Reporting and Conformance standard to quarantine or reject such emails, the company found. And a separate study out today found that while there’s been a 171 percent increase since October 2018 in state and local government domains fully protected by DMARC, still only 1.5 percent of overall domains are protected against impersonation.
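What “properly implemented” means in the ValiMail count is a DMARC policy that actually enforces, not one that merely monitors. The checker below is an added example (not ValiMail’s, POLITICO’s or any DMARC tool’s code) that classifies a domain’s DMARC TXT record by enforcement level using the tag rules in RFC 7489; the domains and records are constructed placeholders, not real lookups.

```python
# Added example (not ValiMail's or POLITICO's code): classify a DMARC TXT record by
# enforcement level per RFC 7489. "enforcing" = quarantine/reject on 100% of mail.

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_status(record):
    """Return one of: missing, invalid, monitor, partial, enforcing."""
    if not record:
        return "missing"
    # A DMARC record must begin with v=DMARC1; anything else is not DMARC.
    if not record.strip().lower().startswith("v=dmarc1"):
        return "invalid"
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        # RFC 7489 6.6.3: no valid p tag but a rua address -> treat as p=none.
        return "monitor" if tags.get("rua", "").startswith("mailto:") else "invalid"
    if policy == "none":
        return "monitor"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        return "invalid"
    # sp defaults to p; sampling below 100% or a weaker subdomain policy is a gap.
    if int(pct) < 100 or tags.get("sp", policy).lower() not in ENFORCING:
        return "partial"
    return "enforcing"

def count_enforcing(records):
    """Count domains whose record enforces, the way the '3 of 23' figure does."""
    return sum(dmarc_status(r) == "enforcing" for r in records.values())

# Constructed sample records (placeholder domains, not real DNS lookups).
SAMPLE = {
    "campaign-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example",
    "campaign-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@campaign-b.example",
    "campaign-c.example": "v=DMARC1; p=quarantine; pct=10",
    "county.example": "v=DMARC1; p=reject; sp=none",
    "city.example": None,
}
```

Of the five constructed domains only campaign-a enforces; p=none, a low pct, and sp=none each leave spoofed mail deliverable even though a record exists.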

STOP HELPING — After days of tepid reviews, Trump on Tuesday defended his pick to be the next director of national intelligence, calling him a “brilliant” man who could “rein in” U.S. agencies that have “run amok.” “I think we need somebody like that there,” Trump said of Rep. John Ratcliffe (R-Texas), whom the president tapped for the job on Sunday. “We need somebody strong that can really rein it in because, as I think you’ve all learned, the intelligence agencies have run amok.”

The remarks are sure to send shivers down the spines of Senate Democrats, and some Republicans, who worry Ratcliffe — who has chastised the various probes into the president’s connections to Russia as well as former special counsel Robert Mueller — is too political for what is meant to be a non-partisan job. Indeed, Sen. Joe Manchin (D-W.Va.), a former member of the Senate Intelligence Committee who represents a ruby red state, on Tuesday told CNN that he won’t support Ratcliffe’s nomination after his “toxic presentation” at last week’s Mueller hearing. “You have to get to the most non-political, non-partisan person you can find,” Manchin said. “Why bring in someone who is so toxic?”

Still, Intelligence Chairman Richard Burr (R-N.C.) indicated to reporters that he would move Ratcliffe’s nomination forward when the time comes. “I look forward to spending some time with him and getting him confirmed if I get an official nomination,” he said.

TURKMENISTAN TO U.S.: WE DIDN’T ORDER THESE PIZZAS — Fraudulent purchases are the bane of e-commerce companies, but a new guide might be just what businesses need to cut down on them. NIST and retail industry stakeholders have published a practice guide that walks organizations through using multifactor authentication and emphasizes its benefits for fraud prevention. “The guide documents a system in which risk determines when to trigger MFA challenges to existing customers,” the document’s executive summary reads. It is the product of the National Cybersecurity Center of Excellence, which facilitates collaboration between industry groups and NIST researchers on projects with broad applicability.

The practice guide comes in three parts: an executive summary, a detailed step-by-step walkthrough of the purpose and architecture of MFA and a series of fictional scenarios where MFA might be useful that are accompanied by setup instructions. RSA, Splunk, Yubico and other companies in the MFA space worked with NIST on its example implementations.

REFUND, PLEASE The Army and Air Force purchased at least $32.8 million of commercial IT products with known cybersecurity vulnerabilities in fiscal 2018, according to a DoD inspector general audit released Tuesday. The DoD purchased and used these items with “commonly known cybersecurity risks,” including Lenovo computers, Lexmark printers and GoPro cameras, because it had not established a strategy or acquisition policies addressing cybersecurity risks, the report explained.

The IG recommended the Defense secretary direct a group to establish a risk-based approach to prioritizing commercial products for evaluation. The auditors also recommended implementing administrative solutions, including expanding the department’s authority to block DoD components from buying items from certain manufacturers.

ISRAEL TAG TEAM — Sens. Mike Rounds (R-S.D.) and Jacky Rosen (D-Nev.) introduced legislation Tuesday that would direct the State Department to look into creating a joint U.S.-Israel cybersecurity center. “Israel is a world leader in cybersecurity,” Rounds said. “Partnering with this close ally on a cybersecurity center of excellence, where experts can share best practices and other critical information, can help us bolster the cyber capabilities of both nations.” Rep. David Cicilline (D-R.I.) introduced identical legislation in the House.

TWEET OF THE DAY — We’re cringing here.

RECENTLY ON PRO CYBERSECURITY — A judge dismissed a DNC lawsuit against Trump, WikiLeaks, Russia and others for their alleged involvement in hacking a Democratic Party email in 2016. … A freshly introduced Senate bill would order the intelligence community to increase its collection of information about adversaries’ supply chain attacks. … DHS issued an alert about hackers attaching devices to small planes to scramble flight data. … Mobile malware has grown more popular with hackers, CrowdStrike found. … “A former Senate staffer has pleaded guilty to aiding computer hacking and attempted evidence tampering for helping a fired co-worker enter a Senate office at night and wiping down computers so the colleague wouldn’t be caught.” … Huawei said a U.S. campaign against it hasn’t caused any “major disruptions.” … Cambridge Analytica worked with Brexit campaigners who had denied working with Cambridge Analytica, emails showed.

“The U.S.-led ‘Five Eyes’ intelligence alliance said on Tuesday that tech firms must allow law enforcement agencies access to encrypted material, warning that failing to do so put people at risk.” Reuters

The New York Times explores bank security.

“Google researchers disclose vulnerabilities for ‘interactionless’ iOS attacks.” ZDNet

What ever happened to Cyberstat? FCW

Telegram fixed the vulnerability used in the voicemail hack against Brazilian politicians. ZDNet

Rapid 7 looks into an aviation cybersecurity issue.

Palo Alto Networks released some adversary playbooks.

That’s all for today.

Stay in touch with the whole team: Mike Farrell (mfarrell@politico.com, @mikebfarrell); Eric Geller (egeller@politico.com, @ericgeller); Mary Lee (mlee@politico.com, @maryjylee); Martin Matishak (mmatishak@politico.com, @martinmatishak) and Tim Starks (tstarks@politico.com, @timstarks).