Overnight Cybersecurity: Trump signs defense bill with cyber measures | Raises concerns over cyber-war language | Alabama angers election security groups | Dem wants state election cybersecurity grades

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

THE BIG STORY:

–TRUMP SIGNS DEFENSE AUTHORIZATION: President Trump signed a nearly $700 billion annual defense policy bill on Tuesday, touting it as a step toward delivering on his promise to build up the military. “Today with the signing of this defense bill, we accelerate the process of fully restoring America’s military might,” Trump said at a signing ceremony in the White House’s Roosevelt Room. The National Defense Authorization Act [NDAA] enacts several cybersecurity related measures both military and non-military related.

To read about the signing, click here.

{mosads}

–…CONTAINS LONG-AWAITED IT MODERNIZATION PROGRAM: The NDAA contains legislation on the wish lists of federal agency tech staffs for years. The Modernizing Government Technology (MGT) act, which funds upgrades across the government, was embedded in the authorization. Government information technology ranges from years to decades out of date, impacting efficiency, hindering cybersecurity and costing more money to maintain. According to government reports, there are at least five systems still in use in the federal government that were around when The Beatles played The Ed Sullivan Show. Though it contains contributions from the Obama administration and Rep. Gerry Connolly (D-Va.), MGT is generally seen as the signature legislation of Rep. Will Hurd (R-Texas).

–…CODIFIES FEDERAL WIDE BAN ON KASPERSKY LAB SOFTWARE: Though Kaspersky Lab software was already banned from federal systems, the ban came from a Homeland Security directive. The NDAA makes that directive a law. Lawmakers have publicly expressed fears the cybersecurity company is involved with Russian espionage efforts, something Kaspersky denies. Sen. Jeanne Shaheen (D-N.H.), who submitted the amendment codifying the government stance on the Moscow-based firm’s software, celebrated the bill’s passage in a statement issued to the press: “Considering the grave risk that Kaspersky Lab poses to our national security, it’s necessary that the current directive to remove Kaspersky Lab software from government computers be broadened and reinforced by statute. The case against Kaspersky is well-documented and deeply concerning. This law is long overdue.”

–…TRUMP OBJECTS TO A CYBER PROVISION: President Trump is voicing strong objection to some cyber warfare-related language in the NDAA, charging that it and other provisions “raise constitutional concerns.” The provision in question requires the administration to set forth a national cyber policy that addresses the use of offensive cyber capabilities to respond to attacks in cyberspace. The law requires the administration to report the strategy to Congress and makes funding for the White House Communications Agency (WHCA) contingent on Trump doing so. Trump argued in the statement released by the White House that the provision amounts to Congress holding “hostage” his ability to communicate on national security strategy going forward, saying the provision “threatens to undermine the effective operation of the Executive Office of the President.” “I take cyber‑related issues very seriously, as demonstrated by Executive Order 13800, Trump said, referring to his cybersecurity directive.

To read the rest of our piece, click here.

AN ALABAMA UPDATE:

FILE UNDER CONTROVERSIES NOT INVOLVING ROY MOORE: The Alabama Supreme Court has reportedly stayed a lower court’s order to election officials that would have required the preservation of voting records in Tuesday’s Senate special election.

A circuit judge on Monday ordered election officials to set voting machines to save all digital ballot images, which would preserve voting records in the event of a recount.

Alabama’s AL.com said Tuesday morning that the state’s Supreme Court had blocked the order.

A group of four Alabama voters filed a lawsuit last Thursday arguing that the state is required by law to preserve the images.

The decision rankled election cybersecurity advocates who see physically maintaining paper ballots as an auditable record of voter intent that can be used if accusations of hacking or other issues mar the election.

To read the rest of our piece, click here.

A LIGHTER CLICK: 

CAVITIES: THE FINAL FRONTIER. NASA is growing rock candy in space. For science.

WHAT’S IN THE SPOTLIGHT:

WYDEN PUSHES FOR ELECTION SECURITY UPGRADES:  Sen. Ron Wyden (D. Ore.) formally requested the Executive Branch give states report cards on election security and for political campaigns to be designated as critical infrastructure.

Those are two of four “concrete steps” suggested by Wyden in a letter to national security adviser H.R. McMaster dated Tuesday. Both, if considered, would likely provoke pushback.

“[F]oreign governments will continue to exploit cybersecurity weaknesses in our election infrastructure. While some states have taken the threats seriously, others are seriously lagging behind and remain woefully vulnerable to foreign government cyberattacks,” wrote Wyden.

Wyden suggested in the letter that the Department of Homeland Security (DHS) and the Department of Commerce’s National Institute of Standards and Technology (NIST) provide states letter grades on election security.

States are in charge of running elections, including their security. Though federal agencies including the DHS and NIST offer optional assistance, states have traditionally pushed back against even that amount of help in running their own elections.

Declaring campaigns critical infrastructure would stretch the meaning of the term, while likely making a repeat of the actions Russia is believed to have undertaken in the 2016 elections an even greater offense. 

Wyden’s letter makes two additional requests: that the White House has a senior adviser “own” the issue and that Secret Service extend its protection of candidates to include cybersecurity.

IN CASE YOU MISSED IT:

’Links from our blog, The Hill, and around the Web.

Politifact names Trump’s claim Russia didn’t tamper with the election the lie of the year.

Dell Secureworks researchers find security flaws in two keyless locks. (Threatpost)

Finally, AI does something important: Making ASCII art out of your pictures. (Motherboard)

As maker claims its product is legitimate, researchers at Cybereason profile Mac “Pirrit” software as malware. (Cybereason)

A Buenos Aires-based Starbucks hijacked computers, using its wifi to mine cryptocurrency. (Motherboard)

A Philippine bank claims Bangladesh’s central bank is making it the scapegoat in the latter’s handling of a $81 million mega heist using the SWIFT transfer request system. (Reuters)

…Meanwhile, Taiwanese regulators fined a bank $270,000 for security issues leading to a seperate SWIFT hacking incident. (Reuters)

Ominous headline / Least likely tourism slogan of the day: “Another Human Foot Washes Ashore in Canada. That Makes 13.” Foul play is not involved in any of the feet, which actually seems way stranger. (NYT)

If you’d like to receive our newsletter in your inbox, please sign up here.