Overnight Cybersecurity: Facebook to meet with officials on Capitol Hill amid Cambridge Analytica fallout | Senate Intel releases election security findings | Orbitz admits possible breach

View in your browser       Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...   THE BIG STORIES: --SENATORS RELEASE LONG-AWAITED RECOMMENDATIONS ON ELECTION SECURITY: The Senate Intelligence Committee on Tuesday released a summary of its election security report, the first report the panel has issued in its yearlong investigation into Russian interference in the 2016 election. The committee affirmed that U.S. election infrastructure is "fundamentally resilient," but nevertheless put forth a slate of six recommendations, the bulk of which are tailored to the principle of state-level responsibility for running elections. "States should remain firmly in the lead on running elections, and the federal government should ensure they receive the necessary resources and information," reads the first recommendation -- an apparent nod to state-level pushback to a 2016 decision by former Department of Homeland Security (DHS) Secretary Jeh Johnson to designate election systems "critical infrastructure." Among the more concrete proposals in the summary is a call for Congress to "urgently" pass legislation that would increase federal assistance for states and provide a voluntary grant program to help states boost cybersecurity and conduct audits of their systems. The panel, led by Sens. Richard Burr (R-N.C.) and Mark Warner (D-Va.), does urge the federal government to establish more effective deterrence for future vote-based attacks, calling for it to "clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly." It also calls for a perennial wish of cyber-minded legislators: the establishment of international cyber norms. Foreign policy and cybersecurity experts -- including lawmakers -- have long expressed frustration that there is no clear definition of what constitutes an act of war in cyberspace.   --LAWMAKERS have been grappling with how to boost the cybersecurity of election infrastructure ever since officials at the Department of Homeland Security (DHS) disclosed that Moscow tried to hack into voting infrastructure in 21 states as part of a broader effort to interfere in the 2016 election. While officials say most of the efforts involved preparations for hacking and did not result in successful breaches, the revelation has triggered concern about the vulnerability of U.S. voter registration databases and other digital systems involved in elections. Illinois has confirmed that hackers breached the state voter registration database. "It is clear the Russian government was looking for the vulnerabilities in our election system and highlighted the key gaps," Burr said Tuesday alongside a bipartisan cadre of committee lawmakers. He emphasized, however, "There's no evidence any vote was changed." "We very much support state control of the election process," Burr said. "We think there are ways the federal government can support those states, but we clearly have to get standards in place." Sen. James Lankford (R-Okla.) -- a member of the Senate Intelligence Committee -- and a bipartisan group of senators have introduced a bill called the "Secure Elections Act" that would, among other things, authorize block grants to help states upgrade outdated voting technology and expedite the process by which state election officials receive security clearances to view sensitive threat information. Despite lawmakers' concerns, Congress has yet to pass legislation specifically addressing the cybersecurity of voting infrastructure, partly because some state officials have resisted the efforts, fearing an overreach by the federal government. To read more from our piece, click here.   -- LATEST CAMBRIDGE ANALYTICA FALLOUT - FACEBOOK EXECS HEAD TO THE HILL: Facebook officials are scheduled to meet with officials on Capitol Hill this week to discuss the controversy around Cambridge Analytica's alleged misuse of its platform. The officials will brief Senate Commerce, Science and Transportation Committee staff on Wednesday, according to two sources with knowledge of the meeting. Facebook told The Hill that it will meet with staff from the House and Senate Intelligence committees, the House Energy and Commerce Committee, the Senate Commerce Committee, as well as the House and Senate Judiciary committees on Capitol Hill this week to discuss its dealings with Cambridge Analytica. The firm, a political and corporate information consultant used by the Trump campaign in 2016 for voter research, was suspended from the social media site after it was revealed that it took data from 50 million Facebook accounts without the platform's permission. Cambridge Analytica has contested this version of events. The firm did work for President Trump's 2016 campaign and is also alleged to have links to the Brexit campaign in the United Kingdom, which advocated for leaving the European Union. Facebook came under fire from lawmakers after the reports. Sens. Amy Klobuchar (D-Minn.), John Kennedy (R-La.), Mark Warner (D-Va.) and Jerry Moran (R-Kan.) have all said that they want to see Facebook chief executive Mark Zuckerberg testify on Capitol Hill in front of lawmakers. To read more from our piece, click here.   --AND FTC IS REPORTEDLY INVESTIGATING: The Federal Trade Commission (FTC) is reportedly launching an investigation into Facebook over whether it violated terms of a 2011 consent decree in the wake of reports a data firm harvested information from millions of profiles. Bloomberg News reported Tuesday that the investigation relates to whether Facebook allowed Cambridge Analytica, the data firm used by the Trump campaign, to obtain some Facebook users' personal data in violation of its policies. "We are aware of the issues that have been raised but cannot comment on whether we are investigating," an FTC spokesperson said in an emailed statement. "We take any allegations of violations of our consent decrees very seriously as we did in 2012 in a privacy case involving Google." The FTC fined Google $22.5 million in that case for collecting data on users of Apple's Safari browser without their knowledge. Google at the time had been under a consent decree with the FTC for an earlier privacy violation. The FTC said the Safari incident violated that agreement. Facebook reached a similar consent decree with the FTC in 2011 over charges that it deceived users into thinking their information was private even though it was being shared publicly. That agreement prohibits Facebook from making "misrepresentations about the privacy or security of consumers' personal information." Meanwhile, Cambridge Analytica suspended its CEO Alexander Nix on Tuesday after a British outlet published a video showing him discussing using bribes and prostitutes to sway political elections. To read more from our piece, click here.     A CAPITOL HILL UPDATE:  ENERGY ATTACKS IN FOCUS AT CYBER HEARING: Russian cyberattacks on the U.S. energy grid attracted attention Tuesday at a hearing focused on the federal government's implementation of a key cybersecurity program spearheaded by the Department of Homeland Security. Lawmakers on the House Homeland Security and Oversight Committees jointly held the hearing on Homeland Security's Continuous Diagnostics and Mitigation (CDM) program, which featured testimony from officials at agencies that have already been implementing the first phase of the program. Homeland Security launched CDM, a four-phase program, in 2012 to better monitor and secure federal government networks from cyberattack. Officials at Homeland Security and the Department of Energy faced questions on threats to energy infrastructure, after the Trump administration disclosed last week that Russian government hackers staged a multi-year cyberattack campaign against the energy sector and other critical infrastructure. Rep. Jerry Connolly (D-Va.) pressed Max Everett, the chief information officer at the Department of Energy, on how worried lawmakers should be about threats to the grid. "Obviously, we take that very seriously," Everett said. "We've had a lot of briefings over even the last week." He noted that the department works closely with Homeland Security and the FBI to engage with the energy sector on cybersecurity threats. Homeland Security has the chief responsibility of protecting critical infrastructure--most of which is owned and operated by private companies--from cyber and physical threats. Everett, who in his role is responsible for the department's internal cybersecurity, said that he is particularly concerned about threats to the department's Power Marketing Administrations, which help distribute electricity in the west and northwest United States. He said that the CDM capabilities can help the department fill any "gaps" the administrations have in terms of cybersecurity. Later, Rep. Don Bacon (R-Neb.) expressed his concern about the threat to the energy grid and pressed the officials on how CDM could potentially help protect against such attacks, despite it being a program to secure .gov networks and not those in the private sector. "We want to provide Mr. Everett and the rest of the agencies the visibility of their network, be able to get vulnerabilities quickly patched, get systems properly configured to reduce the likelihood that an adversary can get into that system," said Kevin Cox, the Homeland Security official overseeing the CDM program. "We then want to help the agencies get visibility across their network so that they can detect any attacks to their network, any threats in their network, and address them quickly." "I think it's very alarming," said Bacon. "The next December 7 won't be airplanes and torpedoes coming at Pearl Harbor, it's going to be triggered with an attack on our energy grid with rolling blackouts and chaos." "We've got to start working on resilience of our energy grid," Bacon said.   A REPORT IN FOCUS:  TRUMP 'MANAGEMENT AGENDA' EMPHASIZES TECH MODERNIZATION: The Office of Management and Budget (OMB) on Tuesday rolled out President's Trump's "management agenda," in which information technology modernization gets a key mention. The agenda aims to present "a long-term vision for modernizing the Federal Government in key areas that will improve the ability of agencies to deliver mission outcomes, provide excellent service, and effectively steward taxpayer dollars on behalf of the American people." It identifies IT modernization as a "key driver of transformation" within the new administration. It references the recent passage of the Modernizing Government Technology (MGT) Act, which authorizes two streams of funding for agencies to draw from in order to replace aging information systems with more efficient, secure, and less costly IT infrastructure. Congress still needs to fund the general IT modernization fund established under the law, which is valued at $500 million over two years. "Regardless of funding method, the Administration will promote opportunities to leverage Federal buying power, utilize government-wide vehicles such as the Enterprise Infrastructure Solutions contract to pivot to modern architectures, and clear obstacles agencies encounter, such as overly burdensome reporting and compliance checks, as they seek to enhance their ability to better deliver services to their customers while ensuring that these changes appropriately improve Federal cybersecurity," states Trump's management agenda. IT modernization has been a key priority of the White House's Office of American Innovation, spearheaded by Trump's son-in-law and senior adviser Jared Kushner and Chris Liddell, a former Microsoft executive who just yesterday was tapped as deputy to White House chief of staff John Kelly.   A LIGHTER CLICK:  James Comey might be going Hollywood. (The Hollywood Reporter)   WHAT'S IN THE SPOTLIGHT:  ORBITZ BREACHED: Travel website Orbitz on Tuesday disclosed a possible breach that may have resulted in hackers making away with personal information on 880,000 customer payment cards. Orbitz, which is now owned by Expedia, described the episode as a "data security incident," saying that an internal investigation revealed that hackers may have accessed card information stored on a consumer and business partner platform between October and December of last year. The company said the Orbitz website was not involved in the incident and that there is no "direct evidence" of information actually being stolen. In total, the company said hackers may have gained access to personal information on roughly 880,000 payment cards, including payment card information, names, birth dates, phone numbers, and email and billing addresses. The company said that hackers potentially compromised information on the consumer platform that was used to make purchases between January 2016 and June 2016. With respect to its business partner platform, Orbitz said the cards potentially compromised were used in payments between January 2016 and December 2017. The company said it turned up evidence earlier this month of the possible breach when investigating a "legacy" Orbitz platform. "We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform," Orbitz said in a statement. "As part of our investigation and remediation work, we brought in a leading third-party forensic investigation firm and other cybersecurity experts, began working with law enforcement, and took swift action to eliminate and prevent unauthorized access to the platform." The company said it is working to notified customers and partners of the incident and plans to provide free credit monitoring and identity theft protection to those impacted. To read more from our piece, click here.   IN CASE YOU MISSED IT: Links from our blog, The Hill, and around the Web. White House vents frustration with 'absurd' Mueller probe. (The Hill) Top Russia probe Republican: 'No intention' of calling Cambridge Analytica officials back. (The Hill) House Judiciary Chair expected to issue DOJ subpoena over Clinton emails as soon as this week. (The Hill) Cambridge Analytica whistleblower to speak to House Intel Dems. (The Hill) OP-ED: Why cryptocurrencies aren't going away. (The Hill) OP-ED: Mark Zuckerberg's moment of truth. (The Hill) Kaspersky Lab exposed a U.S.-led counterterrorism operation spying on ISIS in 'Slingshot' report. (Cyberscoop) Puerto Rico's PREPA power utility was hacked. (Reuters) DHS's cyber office gets a deputy undersecretary. (FCW) The CIA's 'first lady' draws some praise, some criticism. (Washington Post) If you'd like to receive our newsletter in your inbox, please sign up here.     Join The Hill on Wednesday, March 21, for Leadership in Action: The Hill's Newsmaker Series featuring Sen. Lamar Alexander (R-Tenn.) and Reps. Nanette Barragán (D-Calif.), and Joe Crowley (D-N.Y.). RSVP Here           Did a friend forward you this email? Sign up for Cybersecurity Newsletters     Forward Cybersecurity Newsletters       Privacy Policy  |  Manage Subscriptions  |  Unsubscribe  |  Email to a friend  |  Sign Up for Other Newsletters   The Hill 1625 K Street, NW 9th Floor, Washington DC 20006 ©2016 Capitol Hill Publishing Corp., a subsidiary of News Communications, Inc.