Government Accountability Offices Finds Government Still Mostly Terrible When It Comes To Cybersecurity

from the can't-even-secure-a-filing-cabinet,-apparently dept

The government has done a spectacularly terrible job at protecting sensitive personal information over the past couple of years. Since 2013, the FDA, US Postal Service, Dept. of Veterans Affairs, the IRS and the Office of Personnel Management have all given up personal information. So, it's no surprise the Government Accountability Office's latest report on information security contains little in the way of properly-secured information.

It opens with this depressing graph, showing just how many agencies flunked its information security controls assessment. Keep in mind that it only surveyed 24 agencies.

But what's most concerning about the report (which is full of concerning conclusions) is that, in an era of cyber-everything, the most common "security incidents" have nothing to do with phishing, security holes or any other cyber-related threat. They have to do with people and the mishandling of dead tree byproducts.


Non-cyber incidents are defined by the GAO as:

...a report of PII [personally-identifiable information] spillage or possible mishandling of PII that involves hard copies or printed material as opposed to digital records.

The GAO reports that security incidents have skyrocketed over the past eight years, from 5,500 in 2006 to nearly 70,000 last year.


It also notes that incidents involving personally-identifiable information have increased steadily as well.

[T]he number of information security incidents involving PII reported by federal agencies has more than doubled in recent years, from 10,481 in 2009 to 27,624 in 2014.

It all adds up to something fairly disturbing. Not only are government agencies increasingly under attack from outside forces, but their internal handling of hard-copy PII is getting worse as well -- even if the percentage of non-cyber incidents has declined over the past five years.

And despite the government's increased focus on all things cyber, the first chart makes it clear there has been almost no improvement in information security controls since 2013.

It also appears as though there's only one agency taking the GAO's past recommendations seriously: the Department of Defense.

OMB established a fiscal year 2014 target of 75 percent implementation for strong authentication. In its report on fiscal year 2014 FISMA implementation, OMB indicated that the 24 federal agencies covered by the CFO Act had achieved a combined 72 percent implementation of these requirements, but this number dropped to only 41 percent implementation for the 23 civilian agencies when excluding DOD.

Obviously, overhauling security controls in a large number of agencies is an enormous undertaking. But this low level of implementation is both frightening and pathetic. The government demands large amounts of personal information from citizens, as well as from its employees and job applicants. There's no opting out. Then it takes this information and provides only the most perfunctory of protections. Government agencies clearly can't be trusted with securing this information, but there's no option other than to submit and hope for the best. It's even more disheartening when you realize that some of these directives that still haven't been fully complied with have been in place since 2002.

The government asks for too much and provides too little in return. Multiple agencies want to be the "ground force" in the cyberwar. But until the homefront is secured, it seems unwise to deploy elsewhere.

Filed Under: cybersecurity, dod, gao, government, nsa

US Intelligence Community's Cavalier Attitude Towards OPM Hack

from the that-old-thing... dept

We've obviously written a few times now about the big OPM hack that was revealed a few months ago, in which it appears that hackers (everyone's blaming China for this) were able to get in and access tons of very, very private records of current and former government employees -- apparently including tons of SF-86 forms. Those forms are required to be filled out for anyone in a national security job in the government, and it basically requires you to 'fess up to anything you've ever done that might, at some point, reflect badly on you. The basic idea behind it is that if you've already admitted to everything, then it makes it much harder for anyone to somehow blackmail you into revealing US national security secrets. But, of course, that also makes those documents pretty damn sensitive. And, by now of course you've heard that the Office of Personnel Management was woefully unprepared to properly protect such sensitive data.

Two recent statements made by top intelligence community leaders again should raise questions about why these guys have been put in charge of "defending" against computer attacks. First up, we have the head of the NSA, Admiral Mike Rogers. Back in August, we noted that Senator Ron Wyden had asked the National Counterintelligence and Security Center (NCSC) if it had even considered the OPM databases "as a counterintelligence vulnerability" prior to these attacks. In short: did the national security community who was in charge of protecting computer systems even realize this was a target. As Marcy Wheeler pointed out last month, Admiral Rogers more or less admitted that the answer was no:

After the intrusion, “as we started more broadly to realize the implications of OPM, to be quite honest, we were starting to work with OPM about how could we apply DOD capability, if that is what you require,” Rogers said at an invitation-only Wilson Center event, referring to his role leading CYBERCOM.

NSA, meanwhile, provided “a significant amount of people and expertise to OPM to try to help them identify what had happened, how it happened and how we should structure the network for the future,” Rogers added.

In other words, the guy who is literally in charge of the "US Cybercommand" organization that is supposed to protect us from computer-based attacks didn't realize until after the hack that this might be a relevant target.

Then, fast forward to last week, where Rogers' boss, Director of National Intelligence James Clapper, testified at a Congressional hearing about the hack. After admitting that CIA employees had to be quickly evacuated from China after the hack, he more or less said that the US shouldn't retaliate, because this was "just espionage" and that the US has basically done the same thing back to them. At least that's the implication of his "wink wink, nod nod" statement to the Senators:

Director of National Intelligence James R. Clapper Jr., testifying before the Senate Armed Services Committee, sought to make a distinction between the OPM hacks and cybertheft of U.S. companies’ secrets to benefit another country’s industry. What happened in OPM case, “as egregious as it was,” Clapper said, was not an attack: “Rather, it would be a form of theft or espionage.”

And, he said, “We, too, practice cyberespionage and . . . we’re not bad at it.” He suggested that the United States would not be wise to seek to punish another country for something its own intelligence services do. “I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks.”

Now, he's actually making a totally valid point concerning what the US's response should be. Escalating this issue by hitting back at China isn't going to help anything. Rather, of course, the US government should have done a much better job protecting the information in the first place.

But when you look at these statements together, it shows the somewhat cavalier attitude of the US intelligence community towards actually protecting key US assets. And that's because the US intelligence community is -- as Clapper basically admits -- much more focused on hacking into other countries' systems. For a while now, people have questioned why the NSA should be handling both the offensive and defensive "cybersecurity" programs. The theory has long been that because the NSA is so damn good at the offensive side, it's better positioned to understand the risks and challenges on the defensive side. Yet, given that the NSA's overall mission is so focused on breaking into other systems, it seems that whenever the two conflict, the offensive side wins out and less is done to protect us. The simple fact that the US intelligence community is basically admitting that we do exactly these kinds of attacks on China, yet never considered the same might be done to us, should raise pretty serious questions about why we let the intelligence community handle protecting us against such intrusions in the first place.

Filed Under: admiral mike rogers, china, cybersecurity, james clapper, nsa, opm, opm hack, surveillance, us cyber command

SalesForce Says It Doesn't Support CISA After Signing Letter That Suggested It Did

from the welcome-to-politics dept

One of the issues with various "cybersecurity information sharing" bills like CISPA from last year and CISA from this year, is that some tech companies have been (quietly) supportive of these bills. The whole focus of these bills is to encourage "cybersecurity information sharing" between private companies and the government. And, in theory, that may sound like a good thing. In reality, all the bills really do is focus on protecting companies from liability should they share private information they shouldn't have shared. And, of course, there's the fact that people who understand these things recognize that there's a hidden meaning behind CISA, in that it's really designed to give the NSA more "signatures" to use in its surveillance dragnet.

But, of course, for many companies, the bill just looks like a "get out of court free" bill -- because the entire focus is on protecting those companies from liability. Some companies take a more long-term, customer- or public-centric view of things and recognize all this, and have not supported CISA. Others, however, have been more supportive. A few weeks ago, the BSA -- which is really the Business Software Alliance, but refers to itself as The Software Alliance -- sent a letter to Congress outlining some of the issues that its members were supporting. This included a bunch of reasonable and good things, like much needed ECPA reform. However, it also included this:

Cyber Threat Information Sharing Legislation will promote cybersecurity and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat, thus enabling the development of better solutions faster.

Now, it's notable that this line does not directly endorse CISA. And it's pretty clear that's on purpose. Of the bullet points in the letter three of the other four all name specific bills that the letter is supporting. Leaving out specific support of CISA is an interesting choice and at least indicates some hesitancy among some of the companies signing onto the letter to actually support CISA in its current form.

Of course, the problem is that, right now, there are no real alternatives being offered, and politicians who support CISA can and will point to this letter to argue that "the tech industry supports CISA." And, with that in hand, the good folks at Fight for the Future kicked off a campaign called YouBetrayedUs.org, calling on the companies who signed the letter -- including Apple, Microsoft, Adobe, Symantec, Salesforce.com, Oracle and more to renounce the letter itself.

It appears that they've claimed their first scalp, as Salesforce.com has issued a press release saying they do not support CISA and have never supported CISA. The quote is from the company's chief legal officer, Burke Norton, who is the same representative who signed the letter:

“At Salesforce, trust is our number one value and nothing is more important to our company than the privacy of our customers' data,” said Burke Norton, chief legal officer, Salesforce. “Contrary to reports, Salesforce does not support CISA and has never supported CISA.”

And here he is on the letter: Again, it's absolutely true that the letter did not directly support CISA. And it could have. As mentioned, most of the other bulletpoints list out bills by name and/or number. But the one on cybersecurity did not. Of course, one might argue that the BSA did this on purpose, knowing that if it cited CISA by name, all hell would rain down on them from the public.

Either way, perhaps this should act as a clear warning to tech companies that do want to support CISA. The public isn't going to like it very much. Similarly, this should provide further notice to companies in signing these kinds of letters that they should understand what it appears they're supporting as well.

Filed Under: cisa, cybersecurity, information sharing, liability
Companies: bsa, microsoft, oracle, salesforce

CIA, FBI And Much Of US Military Aren't Doing The Most Basic Things To Encrypt Email

from the are-they-that-clueless? dept

It's no secret that FBI Director James Comey is somewhat clueless about encryption -- to the point that he doesn't even realize that stronger encryption will actually better protect Americans. But it seems to go beyond that. Apparently he's so clueless about encryption that he doesn't realize that it will help protect FBI agents. Lorenzo Franceschi-Bicchierai has a great story over at Vice Motherboard concerning key parts of our government that should understand the importance of keeping emails secret, that have failed to take the most basic steps in securing email communications. And the FBI is one of the agencies that has not done so. Ditto with the CIA. Or most branches of the military (the Air Force -- which used to run the US cybersecurity efforts -- is the one exception).

Specifically, the article focuses on the use of STARTTLS, which is used to encrypt emails in transit between service providers (it's not nearly as secure as doing full end-to-end encryption of the messages like PGP -- in which case the email providers can't read your email -- but it's a key tool for at least protecting your messages in transit between those providers). Most email systems use STARTTLS these days. Gmail has offered it since it launched over a decade ago. And for STARTTLS to work, both sides of the email provider chain need to be using it. Google has published stats on how much of the emails sent via Gmail are able to be sent with STARTTLS for a little while now and it keeps going up, such that these days, it's pretty rare for email providers not to offer STARTTLS -- with 80% of outbound mail and 61% of inbound mail using it. Yet the US military, the CIA and the FBI don't use it (the NSA does, because they're no dummies about encryption). Google and others in the tech industry have been begging email providers to use STARTTLS for a while, but apparently the US government, including agencies that you'd figure would want to protect secrets, apparently still hasn't figured this out.

When Franceschi-Bicchierai asked the Defense Department why most of the military doesn't support it, he got a nonsensical answer:

In a statement emailed to Motherboard, a spokesperson for the Defense Information Systems Agency (DISA), the Pentagon’s branch that oversees email and other technologies, said the DISA's DOD Enterprise Email (DEE) does not support STARTTLS.

“STARTTLS is an extension for the Post Office Protocol 3 and Internet Message Access protocols, which rely on username and password for system access,” the spokesperson wrote. “To remain compliant with DOD PKI policy, DEE does not support the use of username and password to grant access, and does not leverage either protocol.”

The spokesperson did not respond to several follow-ups, asking to clarify the statement. Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, said that DISA’s explanation is “an unacceptable and technically inept answer,” and criticized the Pentagon for not taking security seriously and implementing STARTTLS.

“I can’t think of a single technical reason why they wouldn’t use it,” he told Motherboard in a phone interview. “It’s absurd.”

That opening sentence of the statement from the DOD reads like someone who is just discovering the technical details of email. It's stating something that is (1) meaningless to the question and (2) stated in a manner different than any knowledgeable person would say things. Someone who deals with this stuff would just say POP3 and IMAP rather than spell them out -- and again, that's totally unrelated to the question of STARTTLS. So is the use of PKI (public key infrastructure) for emails.

In the past, I'd mainly assumed that when the FBI spoke out against encryption, it was mainly a smokescreen to try to get more backdoors to make its own life easier. But could it actually be that the FBI (and the CIA and the DOD) don't even realize how important encryption is to protect their own information?

Filed Under: cia, cybersecurity, dod, email, encryption, fbi, security, starttls

White House Realizes Mandating Backdoors To Encryption Isn't Going To Happen

from the option-1-please dept

Over the last few months, I've heard rumblings and conversations from multiple people within the Obama administration suggesting that they don't support the FBI's crazy push to back door all encryption. From Congress, I heard that there was nowhere near enough support for any sort of legislative backdoor mandate. Both were good things to hear, but I worried that I was still only hearing from one side, so that there could still be serious efforts saying the opposite as well. However, the Washington Post has been leaked quite a document that outlines three options that the Obama administration can take in response to the whole "going dark" question. And the good news? None of them involve mandating encryption. Basically, the key message in this document is that no one believes legislation is a realistic option right now (more on that in another post coming shortly).

That's big!

The document's three options can be summarized as follows:

1. Option 1: Do the right thing, admit that backdooring encryption is a bad idea and dumb, and stand up for real cybersecurity by saying that more encryption is generally good for society. This will make lots of people happy -- including civil liberties folks and the tech industry, and it will also do more to protect the public. It will also help the most with many foreign countries in showing that the US isn't just trying to spy on everyone -- though it may piss off a few countries (mainly the UK) who have doubled down on backdooring encryption. Also, it will undermine China's plan to backdoor encryption as well. Let's call this the right option.
2. Option 2: Yeah, we know what the right thing to do is, but we'll take a half-assed approach to it to try to appease the FBI/law enforcement folks and not come out nearly as strongly against legislation. We'll say there's no legislation, but we'll at least leave the door open to it. In private, we may still push tech companies to backdoor stuff. This will anger lots of folks, but maybe (the administration believes) some civil liberties types will think it's enough of a win to celebrate. Then we pretend that we can hold some sort of "discussion" between people who disagree.
3. Option 3: We totally punt on the issue and don't really say anything. If we do say something, we say that this issue needs a lot more discussion and study (just like people have been saying for the last year). In other words, endless cryptowars with no end in sight.

Clearly, Option 1 is the only sensible option, and the report lays out some pretty strong arguments for why coming out against backdooring encryption would be good. It would actually make the tech industry much more willing to work with the government in productive ways, rather than stupid, privacy and security-destroying ways. It would actually better protect the public and it would stop authoritarian regimes from using our own language against us to break encryption. The cons are basically that law enforcement might whine about it. Well, the administration actually says that it "provides no immediate solution to the challenges that the expanding use of encryption poses to law enforcement and national security" but given that law enforcement still hasn't done a good job showing this is a real problem, that's not really a big deal.

In fact, law enforcement is still relying on made up ghost stories rather than any real evidence that encryption is a problem.

So, now the big question is which option the administration will choose. Will it stand up and take leadership on this issue (Option 1), thereby actually protecting Americans? Or will it do a variety of half-assed measures believing that it has to support "both sides" or some crap like that? From the leaked report, it appears that if it chooses either Option 1 or 2, the White House will make a public statement on the matter within the next few weeks.

Filed Under: backdoors, cybersecurity, encryption, going dark, james comey, obama administration, white house

Border Patrol Agent Forwarded All Emails To Someone Else's Gmail; Only Discovered When 'Civilian' Responded

from the oops dept

Intercept reporter Jenna McLaughlin alerts us to a rather stunning security mistake by a Customs and Border Patrol (CBP) agent, as outlined in some DHS released "incident reports" concerning "cloud data breaches." The very first one involves the CBP agent forwarding all of his email to a personal account, but messing up the configuration, so that it actually forwarded to someone else's Gmail account (someone with a similar name) -- and this mistake was only noticed when this "civilian" responded to an email he had received via this forwarding, and the response was sent to a wider mailing list of Homeland Security employees: If you can't see that, here's what it says:

CBP reports that one (1) CBP user had an auto-forwarding rule setup to have emails sent externally to a civilian's personal Gmail account. There is a possibility that sensitive information to include Personally Identifiable Information (Pll) has been accidently sent out due to this rule. The incident was discovered when a civilian responded to a CBP user's email to a distribution list of other CBP/DHS users. The CBP user noticed the civilian's Gmail address and reported it to the FTO who then reported the incident to the CBP CSIRC. Upon investigation and confirmation from EaaS, one (1) CBP Border Patrol Agent who was on the email distribution list had an auto-forwarding rule setup within their Exchange account to a non-CBP/DHS user's personal Gmail account. The name of the Border Patrol Agent and the civilian are very similar, but it was determined that the Border Patrol Agent misconfigured the rule by using the civilian's personal Gmail address instead of his own. Technical remediation will include working with the EaaS team to implement a rule to disable the auto-forwarding rule and only allow it when requests are made to the Exchange team. The incident has been reported to the CBP Privacy Office and Joint Intake Center for action (assisting the user to have all government emails removed and confirmed).

It seems rather stunning that CBP/DHS didn't already have such a rule in place. Then again, this is Customs and Border Patrol, who has something of a history of not really giving a fuck because they can get away with doing whatever they want and no one ever does anything about it.

Later in the same report, it is revealed that this auto-forwarding from inside DHS to private accounts happened somewhat frequently. An investigation just a month after the incident above showed 771 such rules set in DHS staffers Exchange systems: If you can't read that, it says:

DHS SOC reports that a total of 771 rules are configured in Exchange to auto-forward emails external to DHS. DHS SOC requested and received a list of 771 automated email forwarding rules created by DHS Email as a Service (EaaS) users. Auto-forwarding or redirecting of DHS email to address outside of the .gov or .mil domain is prohibited and shall not be used per DHS 4300A policy, section 5.4.6.i and poses a high risk of accidental disclosure of Pll, SBU, FOUO, LES, or classified data. The incident has been reported to the Joint Intake Center (JIC). Affected Components (CBP, FEMA, DHS HQ, and DC2) are asked to identify and remediate the rules.

Not sure about to you, but this doesn't make me feel much safer about DHS at all. And, remember, DHS is one of the government bodies currently looking to manage the government's cybersecurity efforts -- and they're considered the better option given just how little people trust the NSA or the FBI (the two other main contenders).

Filed Under: border patrol, cbp, cybersecurity, dhs, email, email forwarding, homeland security

Jeb Bush Claims That Creating Encryption Harms America

from the wanna-try-that-one-again? dept

Sometimes you have to wonder if the various political candidates are trying to lose the knowledgeable techie vote. Chris Christie has been strongly pro-surveillance, and it's not hard to guess where he would come down on the whole "backdooring encryption" debate. However, few of the other candidates have been directly asked about that -- though that may be changing. Jeb Bush has now stated that he's against encryption, because, apparently it harms America.

“If you create encryption, it makes it harder for the American government to do its job—while protecting civil liberties—to make sure that evildoers aren’t in our midst,” Bush said in South Carolina at an event sponsored by Americans for Peace, Prosperity, and Security, a group with close ties to military contractors.

Bush said “we need to find a new arrangement with Silicon Valley in this regard because I think this is a very dangerous kind of situation.”

This is, of course, mostly deeply wrong, while also partially right, but for the wrong reasons. First of all, if we want Americans to be safer we should be demanding more encryption, not less. It is a confused state of mind that, just as we keep hearing about more and more data being leaked and hacked into whether by individual malicious hackers or, potentially, nation states, thinks the "answer" to this is somehow less security, rather than more.

However, in a weird way, Bush is actually correct. In some instances, encryption actually does make the government's job harder. But that's a feature, not a bug. Bush should, perhaps, listen to his brother's former Homeland Security Secretary, Michael Chertoff who recently came out against backdooring encryption, noting:

... we do not historically organize our society to make it maximally easy for law enforcement, even with court orders, to get information. We often make trade-offs and we make it more difficult. If that were not the case then why wouldn’t the government simply say all of these [takes out phone] have to be configured so they’re constantly recording everything that we say and do and then when you get a court order it gets turned over and we wind up convicting ourselves. So I don’t think socially we do that.

This is an important point that Jeb Bush (and many folks in favor of backdooring encryption) don't seem to get.

Separately, from Bush's quote, it appears he's not even familiar with the details of the debate (not that this stops him from opining ignorantly about it). By saying that merely "making" encryption is bad for America, he's just wrong. The debate isn't about making encryption. It's about whether or not encryption should be (or, realistically, can be) compromised via some sort of backdoor. Experts have explained why this actually makes us all worse off, but it's rather disturbing that people like Jeb Bush have summarized the "we should backdoor encyrption" side of things as "we should be against encryption."

Filed Under: cybersecurity, encryption, going dark, jeb bush, privacy

Before We Pass CISA As A Response To OPM Hack, Shouldn't We Look At What The Feds' Cybersecurity Practices Were?

from the just-saying... dept

As we've been discussing, some surveillance hawks in Congress have been trying very hard to push CISA through into law, often using the disastrous OPM hack as evidence for why it's needed. Yet, as we've pointed out multiple times, there's nothing in CISA that would have prevented OPM from being hacked. Instead, the Senators pushing CISA and using the OPM hack as the reason seem to be blindly flailing around assuming that because both are tangentially related to "cybersecurity," people will believe that it all "works."

The reality, of course, is that CISA has nothing to do with the OPM hack, but is really a backdoor surveillance bill, designed to give immunity to companies sharing info with the NSA, that it can feed into its system that it uses to monitor all "upstream" traffic. Senator Ron Wyden has been warning about this for months, without too many people paying attention -- because fear! cybersecurity! hack!

So, Wyden's latest strategy is to look a little more deeply at the OPM hack itself and what the government's National Counterintelligence and Security Center (NCSC) did (if anything) to prevent the hack. In a letter to NCSC, Wyden asks for details of what steps it had taken to protect OPM.

The National Counterintelligence and Security Center (NCSC) is tasked with a very important mission, which includes defending the nation's classified information and assets from exploitation by foreign adversaries. The importance of this mission has recently been underscored by compromises of sensitive US government personnel data.

And thus, the following questions:

1. Did the NCSC identify OPM's security clearance database as a counterintelligence vulnerability prior to these security incidents?
2. Did the NCSC provide OPM with any recommendations about how to secure this information?
3. At least one official has said that the background investigation information compromised in the second OPM hack included information on individuals as far back as 1985. Has the NCSC evaluated whether the retention requirements for background investigation information should be reduced to mitigate the vulnerability of maintaining personal information for a significant period of time? If not, please explain why the existing retention periods are necessary?

There may be a variety of reasons for sending this letter -- but one clear one is to send the following message: before Congress rushes around demanding CISA as a response to the OPM hack, shouldn't we look at how our own processes failed to prevent that attack? And that's especially true given that the point of CISA is to trust the very same government to help private companies with cybersecurity. If the government can't even do the most basic things to protect its own data, why are we rushing to pass a law that is entirely premised on the idea that the government can help others protect their data?

Filed Under: cisa, congress, cybersecurity, ncsc, opm, opm hack, ron wyden

DailyDirt: No More Secrets...

from the urls-we-dig-up dept

The past year has been pretty rough for security -- with Heartbleed, Superfish, remotely hacked cars and all sorts of personal information getting into the wrong hands. Encryption and security are quickly becoming mainstream topics, as it's harder and harder to keep your head in the sand about technology risks. However, perfect security doesn't really exist, but I'm sure we'll have some folks demanding it soon.

• It turns out that Apple firmware isn't immune from worm malware (known as Thunderstrike 2), delivered via Thunderbolt peripherals. PCs have been vulnerable to this kind of attack, but some PC makers have taken steps to address it. Apple has a fix, but Apple isn't special when it comes to security. [url]
• Has an Israeli security startup called Morphisec created a version of Windows without zero-day exploits? Probably not, but it has likely put a giant bull's eye on its software... whenever it launches. [url]
• Apple keeps patching security flaws in its iPhones, but evidence of attacks are being discovered in the wild. If you get a prompt to download an app outside the App Store, don't do it. [url]
• Android devices have been vulnerable to an attack called Stagefright, but Google is trying to release a fix. The challenge is getting the update to nearly a billion devices -- with manufacturers and carriers cooperation. [url]

After you've finished checking out those links, take a look at our Daily Deals for cool gadgets and other awesome stuff.

Filed Under: cybersecurity, hacks, heartbleed, malware, security, stagefright, superfish, thunderstrike 2, worm, zero day
Companies: apple, google, lenovo, morphisec

Senate Punts CISA Vote Into September

from the didn't-have-the-votes dept

Well, that's interesting. Based on all of the talk this week, it was expected that there would be a vote today in the Senate on the faux cybersecurity CISA bill -- but it didn't happen. Business concluded and everyone went home for the month without a vote, meaning it won't be taken up until September, at the earliest. According to Kaveh Waddell at the National Journal:

Senators are heading home for the August recess without voting on the cybersecurity bill.

Lawmakers worked for days on an agreement about which amendments to include on the cyber bill, but Senate leaders pulled the plug at the last minute on a vote scheduled first for 10:30 a.m, then for 2 p.m. Then they decided to skip town.

Under the deal senators struck Wednesday afternoon, the cyber bill will come up again in September after recess, and 21 Democratic and Republican amendments will receive votes.

It's not entirely clear why the delay happened. Some have suggested it had to do with concern over some of those 21 amendments, but it might also mean that there really aren't the votes that CISA supporters were hoping for. After all, the hope had been to try to "sneak" CISA through when people weren't paying attention, but civil liberties and privacy advocates have been quite active again (and, I'm sure, will continue to be). Either way, the fight to block such a bad piece of legislation goes on, but it's good to see that the actual vote has been delayed for now...

Filed Under: cisa, cybersecurity, senate