Overnight Cybersecurity: Congress faces pressure over election cybersecurity | Agencies race to bolster email security | FTC approves settlement over Lenovo privacy charges

View in your browser       Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...   THE BIG STORY: --PRESSURE BUILDS TO BOLSTER ELECTION CYBERSECURITY: Congressional efforts to secure election systems from cyberattacks are picking up steam with lawmakers under pressure to prevent hacks in the 2018 midterms. After the revelation that Russia tried to probe election systems in 21 states in the 2016 election, security experts, state officials and others demanded federal action to help states upgrade outdated voting machines and bolster security around voter registration databases. At the end of December, a bipartisan coalition of six senators introduced the Secure Elections Act, which includes a measure authorizing grants for states to upgrade outdated voting technology and shore up their digital security. --The issue of Russian interference has generated significant attention in Washington over the past year, but little successful legislative action. The bill introduced by Sens. James Lankford (R-Okla.), Amy Klobuchar (D-Minn.) and others, though, is evidence of a growing effort to pass legislation specifically addressing voting infrastructure cybersecurity. The bill comes as state officials are clamoring for swifter action ahead of the 2018 midterms. "When we had instances last year all over the country related to people trying to get into other peoples' data and voter files – why are we waiting for something bad to happen to start doing something about it?" said Arizona Secretary of State Michele Reagan (R). "Let's be honest, it's not going to happen if we all stay quiet about it," Reagan added. --Advocacy groups like Verified Voting are lining up in support of the bill. They hail it as a long-awaited, multifaceted approach that both incentivizes states to bolster voting system cybersecurity and provides resources to replace insecure election technology. The concerns surrounding election infrastructure cybersecurity are two-pronged. Officials maintain that Russia did not target voting machines, which are not connected to the internet. Many say the decentralized nature of the U.S. voting system makes it difficult for hackers to actually change a result. Still, some security experts say that voting technologies are vulnerable to hacking and have called for election officials to swap out paperless direct-recording electronic voting machines for systems that yield an auditable paper ballot, to increase confidence. To read the rest of our piece, click here.   A CASE UPDATE: FTC APPROVES SETTLEMENT WITH LENOVO OVER PRIVACY CHARGES: The Federal Trade Commission (FTC) on Tuesday approved a settlement with computer manufacturer Lenovo over charges that it had violated user privacy with software that came preloaded on its computers. The commission voted 2-0 to approve the settlement it reached in September with the company. "Lenovo compromised consumers' privacy when it preloaded software that could access consumers' sensitive information without adequate notice or consent to its use," acting FTC Chairwoman Maureen Ohlhausen said in a statement at the time. "This conduct is even more serious because the software compromised online security protections that consumers rely on." Between August 2014 and February 2015, Lenovo laptops came preloaded with software called VisualDiscovery, a program developed by the now-defunct advertising company Superfish. The FTC found that VisualDiscovery delivered pop-up ads from its retail partners to consumers while accessing their sensitive personal information, like Social Security numbers and financial data. Lenovo said in a statement that it's aware that the settlement was approved Tuesday. In September, the company pointed users toward a guide on how to remove the software. In a statement at the time, it said it stopped pre-installing the program on devices after questions were raised about privacy violations. "While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years," the company said in the statement. "To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user's communications." To read the rest of our piece, click here.   A LIGHTER CLICK: Sen. Ron Wyden (R-Ore.) announced Tuesday that he has hired Chris Soghoian as a senior technologist in his Senate office to help address tech and cyber issues. Soghoian previously worked with the Speech, Privacy, and Technology Project at the American Civil Liberties Union (ACLU) and also started as a TechCongress fellow in Wyden's office last February. "Between attacks on our election system, data breaches at Equifax and elsewhere, and warrantless searches of Americans' phones at the border, Congress is in desperate need of more expertise on tech and cybersecurity issues," Wyden said in a statement unveiling the new hire.   A REPORT IN FOCUS: AGENCIES RACE TO IMPLEMENT EMAIL SECURITY TOOL: The federal government's use of a security tool that cracks down on fake emails has surged in recent weeks as agencies with .gov domains rush to meet a deadline to implement the tool and bolster cybersecurity, according to new research. The tool, called the Domain-based Message Authentication, Reporting, and Conformance (DMARC), helps organizations that use it identify fraudulent messages purporting to come from their email domains. The Department of Homeland Security (DHS) announced in mid-October that it would mandate that organizations operating .gov domains use DMARC as well as HTTPS to encrypt web traffic. Homeland Security gave departments and agencies 90 days, or until mid-January, to comply with the directive. According to research released Tuesday by data security company Agari, the adoption of DMARC throughout the federal government increased by 38 percent in 30 days between mid-November and mid-December, indicating a "rapid adoption" of the tool ahead of the Jan. 15, 2018, deadline set by Homeland Security. As of mid-December, 47 percent of federal government domains were secured with DMARC, compared with 34 percent a month prior. According to Agari, 151 federal government domains are newly secured with DMARC, raising the total to more than 400. DMARC allows organizations to report emails that fail authentication tests or, if stronger settings are enabled, send the messages to a recipient's spam folder or block them from reaching the recipient altogether. Federal agencies are required to move to the strongest "reject" setting of DMARC within a year. In a statement, Jeanette Manfra, a top cybersecurity official at DHS, underscored the need for remaining agencies to act quickly to implement the tool before the "imminent" deadline. "DMARC has proven to be an effective solution to secure our federal domains, but more work is needed to protect all federal domains," Manfra said. "Cybersecurity is a critical component of our homeland security policy, but it is also a shared responsibility. It is crucial for U.S. citizens to trust that an email from a government agency is legitimate." To read the rest of our piece, click here.    WHAT'S IN THE SPOTLIGHT: ONE HACKER'S CLAIM: A jailed Russian hacker who claims he was ordered by Russian intelligence to hack into Democratic National Committee (DNC) networks says he can prove he was behind the breach. Konstantin Kozlovsky, who has been jailed on cyber fraud charges in Russia, told independent Russian network TV Rain in a recent interview that he left a file on the DNC network containing markers to prove he had been there. Specifically, Kozlovsky said he left a .dat file with his passport number and the number of his visa to Caribbean island St. Martin on the DNC's internal server, according to a written interview published last week. Kozlovsky is among a group of hackers arrested by Russian authorities last year for using malware to steal more than $25 million from Russian banks. Earlier this year, Kozlovsky posted a purported court testimony on Facebook that showed him claiming he hacked the DNC on the orders of Russia's Federal Security Service, or FSB. Kozlovsky's claims, if proven, would undercut Russian President Vladimir Putin's repeated denials the Kremlin was behind the hacking campaign targeting the 2016 U.S. election. The unclassified assessment released by the U.S. intelligence community in January blamed Russian intelligence for hacking into DNC networks as part of an influence campaign ordered at the highest levels of the Kremlin. "In July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained access until at least June 2016," the document states. The assessment does not make specific mention of the FSB but does say Moscow's foreign military intelligence agency, or GRU, "probably began cyber operations aimed at the US election by March 2016." In June 2016, CrowdStrike, an independent cybersecurity firm hired by the DNC, identified two separate Russian intelligence-affiliated infiltrations of DNC networks. The firm identified one intrusion beginning in summer 2015 linked to Cozy Bear, a hacking group believed to be affiliated with the FSB. CrowdStrike linked the second breach, which occurred in April 2016, to Fancy Bear, believed to be connected to the GRU. In the latest interview, Kozlovsky also claimed he wrote malware for the FSB for several years, including the code used in the "WannaCry" ransomware attacks for which the U.S. government has publicly blamed North Korea. To read the rest of our piece, click here.   IN CASE YOU MISSED IT: Links from our blog, The Hill, and around the Web. Romanian hackers charged with disabling DC police cameras during inauguration. (The Hill) In surprise, Trump maintains many Obama-era Russia policies. (The Hill) State Department calls on Iran to stop blocking social media. (The Hill) OP-ED: To fight cyber crime, we need swords, not just shields. (The Hill) Clothing store Forever 21 admits breach that exposed customer credit card information. (CNET) Massive Equifax data breach fails to trigger successful congressional action. (Politico) Cyber criminals are turning away from Bitcoin. (Bloomberg) Ukraine's security service says it defeated Russian cyber campaigns. (Kyiv Post) If you'd like to receive our newsletter in your inbox, please sign up here.           Did a friend forward you this email? Sign up for Cybersecurity Newsletters     Forward Cybersecurity Newsletters       Privacy Policy  |  Manage Subscriptions  |  Unsubscribe  |  Email to a friend  |  Sign Up for Other Newsletters   The Hill 1625 K Street, NW 9th Floor, Washington DC 20006 ©2016 Capitol Hill Publishing Corp., a subsidiary of News Communications, Inc.