McCain threatens to subpoena Apple CEO Tim Cook to talk encryption with feds

Top security and law enforcement officials are pushing Congress to continue fighting for some sort of encryption legislation that would grant access to secured systems in the event of a criminal investigation.

“We now find ourselves at what is a complete impasse [in the encryption debate], and it is time I urge for Congress to step in and break that impasse,” former Assistant Attorney General for National Security Kenneth Wainstein told a Senate Armed Services Committee, or SASC, hearing Thursday.

“While I fully appreciate the validity of concerns by the tech companies, I do not believe that that is the end of the discussion,” he added.

Wainstein, along with former NSA Deputy Director Chris Inglis and Manhattan District Attorney Cyrus Vance, Jr., spoke before lawmakers in an effort to restart negotiations concerning so-called “backdoors” and other workarounds to encryption. This Senate committee-launched effort — largely led by veteran Sen. John McCain, R-Ariz., and composed of members from both sides of the aisle — aims to formalize definitive encryption policy in the future.

The panel members’ opinions were noticeably one-sided, in favor of regulating encryption in order to give law enforcement access as they need it.

During the hearing, McCain repeatedly criticized his colleagues from the Senate for not mandating that data from encrypted communication services be accessible to law enforcement during an investigation.

McCain said continued inaction effectively protects child pornographers and human traffickers. He vowed to subpoena tech company executives — specifically naming Apple CEO Tim Cook — if they continue to refuse attendance in follow-up hearings.

According to Vance, the number of unaccessible electronic devices captured by law enforcement grows by the day. He said that in his New York office alone, there are encrypted smartphones carrying evidence related to a range of crimes from murder to child abuse.

“It seems to me that there are some in the technology community who have come to the conclusion that the inability to find a path to victims — in the cases I describe — is simply collateral damage,” Vance testified.

Inglis and Vance both said technology exists that wouldn’t “weaken” protection and yet could help law enforcement close cases.

“I think there are systems that we can develop which provide appropriate security … and at the same time deliver appropriate access to the government where it needs that.”

Inglis left the door open to the development of security absent encryption, but his statements also directly contradict what many security experts and privacy advocates fundamentally believe an encrypted product is designed to do.

“There are no technical systems that can be developed that guarantee ‘appropriate security’ for the user, while also guaranteeing regulated access to law enforcement only,” Gustaf Bjorksten, Chief Technologist at Access Now, said in response to the hearing through an email to FedScoop.

“Weakening the encryption of applications with backdoors allows for the possibility of criminals and foreign powers utilizing the same mechanism to access the sensitive user communications. In this digital age, any mandating of backdoors in encryption applications will harm the privacy of users, erode confidence in online transactions, and fail to achieve the results touted by law enforcement,” Bjorksten wrote.

Whether a U.S. company’s cybersecurity apparatus is strong enough to fend off attacks without broad encryption technologies has, at least until today, been an internal decision — but the panel, in step with McCain, is advocating for a working partnership between the private and public sector on such choices.

Notably, the McCain-led SASC hearing comes more than seven months after Senate Select Committee on Intelligence leaders Sen. Dianne Feinstein, D-Calif., and Sen. Richard Burr, R-N.C., attempted to introduce legislation that would have compelled private tech companies to grant access to encrypted data if a court order is presented.

The Feinstein-Burr bill came shortly after a terrorist attack on American soil that left 14 people dead in San Bernardino, Calif.

Silicon Valley subsequently denounced the proposal, calling the move an attack on consumer privacy. At the moment, the Intelligence Committee bill is frozen — having never been introduced for a vote.

A Feinstein spokesperson told McClatchy DC that no decision has been made concerning whether the senator will move forward with the proposal — “staff continue to consult” on the matter.

To contact the reporter on this story: send an email via chris.bing@fedscoop.com or follow him on Twitter at @Bing_Chris. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on

Ex-NSA chief: Responding to cyberattacks is a government responsibility

In warfare, rules of engagement are a fundamental necessity to curtail violence against non-military targets. But with millions of Americans already victims of cyberattacks perpetrated by nation-state actors, lawmakers question whether a response with conventional weapons is appropriate to stop future online attacks.

The U.S. government must design “an effective strategy not only to limit the impact of cyberattacks, but to meaningfully deter cyber attackers,” Rep. Will Hurd, R-Texas, told a House Oversight Subcommittee hearing Wednesday.

Hurd and other lawmakers asked a star-studded panel of cybersecurity officials and experts what they believe constitutes a “cyber act of war.” The hearing, Hurd explained, is the first step in launching a more comprehensive debate about who should define a “red line” in cyberspace, and how.

The panel — composed of former NSA Director Keith Alexander, State Department Coordinator for Cyber Issues Chris Painter, Deputy Assistant Secretary of Defense for Cyber Policy Aaron Hughes and New America Senior Fellow Peter Singer — made several recommendations on what should be considered when evaluating a cyberattack against the U.S.

Until now, the Obama administration’s general policy has been to handle the response to significant attacks on a “case-by-case basis” with a “whole of government approach” — one that includes consultation with leaders from the U.S. defense and intelligence agencies.

“If you think about Sony being attacked, Sony has no capability to fire back. In fact, if we think about Sony firing back, we quickly get to the realization that if Sony fires back that could get us into a war on the Korean peninsula. We don’t want that to happen. That is an inherently government responsibility,” testified Alexander.

Attacks that cause major loss of life, destruction or incapacitation of significant portions of key infrastructure, or even attacks that cause “massive economic damage” fall within the parameters of what the U.S. should be prepared to call acts of war, Alexander wrote in prepared testimony.

Even so, a military strike may not be the best way to counter a cyber attack attributed to a specific actor, the panel said.

“Incidents described as cyber attacks or computer network attacks are not necessarily considered armed attacks for the purpose of triggering a nation’s right of self-defense,” said Aaron Hughes.

The U.S. boasts a “large toolbox” of options to choose from in responding to cyberattacks, explained Painter. They include, he said, but are not limited to: diplomatic outreach, economic sanctions, law enforcement action, offensive cyber operations and a military strike. Additionally, there may be a strategic advantage to consider when choosing whether or not to publicly disclose the attribution of an attack — as was the case following the now historic Sony hack, orchestrated by North Korea.

However, one of the biggest challenges in deciding a response remains the issue of accurate attribution, the panel unanimously agreed.

According to Sean Kanuck, formerly a national intelligence officer in the Office of the Director of National Intelligence, attribution is a difficult challenge. And timely attribution — vital to a quick response, whether political or military — is even more difficult.

“In response to particular incidents, they are usually ad-hoc [cyber forensics] investigations dealing with a particular set of circumstances,” Kanuck told the committee. “It is very difficult to define the intentions of would-be adversaries or actors in specific instances. Often you might derive that information from other sources of information — intelligence collection, other areas — in order to know what an actor’s objectives might have been.”

He added, “in the realtime context of an ongoing incident … that would be a very high challenge … It is not a certainty that you will always know who did it and why.”

Nonetheless, both formal and informal boundaries already exist in cyberspace between nations, said Painter, who leads a division within the State Department that implements the President’s International Strategy for Cyberspace. At the center of this effort, Painter explained, is “international norm building,” focused on cyber — the promotion of rules and standards to guide nations’ conduct.

“The norms we’ve been promoting are, for instance, don’t attack the critical infrastructure of another country — absent wartime — that provide services to the public; don’t attack CERTs, don’t attack the computer emergency response teams, use them for good not for bad; and an expectation that if you get a request from another state and there is malicious code coming from that state, you’re going to mitigate it by technical or law enforcement means. And finally, don’t steal the intellectual property using cyber means of another country for your commercial benefit,” said Painter.

When Hughes was pressed by Rep. Jody Hice, R-Ga., to directly describe when the DOD believes a cyberattack warrants military action, Hughes explained: “not to be cliché, but it really needs to be decided on a case-by-case basis” — which, in this context, is also a fair summary of the panel’s overall recommendation.

Certified VA-DOD interoperability still lacking, lawmakers say

The Department of Veterans Affairs claims it’s made it easier than ever to swap electronic health records with the Pentagon, but lawmakers say the underlying platform still lacks key capabilities — such as the ability to provide images or analytics.

With the new “read only” Joint Legacy Viewer EHR exchange platform, the VA and the Defense Department already reached the level of interoperability required by the 2014 National Defense Authorization Act, VA CIO LaVerne Council testified before the Senate Appropriations Committee’s Subcommittee on Military Construction, Veterans Affairs, and Related Agencies Wednesday. As of July 7, she said in prepared testimony, “JLV had more than 198,000 authorized users in VA and DOD together, including 158,159 authorized VA users.”

Even so, senators on the committee argued the two departments hadn’t yet met true interoperability because those exchanges still lack a number of capabilities veterans would expect to see after leaving active duty.

“It does not provide the X-ray data of a patient,” Chairman Sen. Mark Kirk, R-Ill., said of JLV, which he referred to as a “Band-Aid” solution. “So we would say now, ‘Welcome to the VA, we have no X-ray data on you from all the X-rays the Navy, the Army, the Air Force did for you.’”

CT scans are also not included in the exchange of EHRs between the two departments, he said.

“I think most members of this committee would say that is not interoperable,” Kirk said.

JLV is only part of the VA’s larger move to a more modern health IT environment and away from its decades-old Veterans Health Information Systems and Technology Architecture, known as VistA. More recently, Council announced, VA will look to depart from the VistA platform in coming years in favor of a more modern, centralized and open source-based Digital Health Platform project.

For now, the VA and DOD share only narrative reports on the type of imagery missing from JLV, which VA officials said can be just as important as the imagery itself in helping to interpret it.

“The data we are exchanging now is all of the health record data, which includes 25 domains of standardized data where standards exist,” said David Waltman, VistA Evolution program executive and senior adviser to the undersecretary for health at the Veterans Health Administration. “So that includes progress notes, lab reports … it includes the reports from all of those imaging studies. And as we know, the size of the data for the studies themselves is exponentially larger.”

VA is in the process of delivering the image-viewing component for JLV, which it plans to release in September, Council said.

Even then, Kirk argued, JLV won’t have the advanced capabilities, such as analytics, needed to ensure the care of veterans that are found in many commercial health IT solutions. He frequently mentioned Cerner, the health care company helping to lead DOD’s development of its Defense Healthcare Management System Modernization project, as an example of a provider that currently uses data to calculate, for example, suicide risk.

“JLV is 100 percent incapable of those analytics,” Waltman agreed.

“We need an integrated capability of all of the clinical data, the process management for managing clinical workflows, integrated with analytics that can use algorithms … that can predict, based on the information in the record and pathways and courses of action available, what interventions should be taken and what the processes and care pathways should be,” he said.

Agreeing to that as a more accurate definition of complete interoperability, the subcommittee pushed Waltman for a timeline when that might happen.

“The middle of calendar year 2018,” he responded.

Given that, it may be necessary to revise the definition of interoperability between VA and DOD — because, Kirk said, the current one doesn’t cut it.

“When we got to the heart of this hearing, you certified that you were interoperable based on the JLV’s existence, and we now know that the JLV does not have X-rays or CT scans — and that is interoperable from your viewpoint,” he said in closing. “I would say to expect some further definition from this committee on that point. We need to move forward on this point to make sure that there is no net burden on the soldier or sailor when they come out of the service, that we 100 percent transfer their data to VA.”

You say you want a revolution: DARPA’s Cyber Grand Challenge

In a much larger setting than this, hackers will try their hands at launching a fully autonomous security system at DEFCON next month. (DEF CON/Wikipedia/CC 2.0)

In a few weeks, a town better known for events like the World Series of Poker will host the World Series of Hacking.

The finals of the Cyber Grand Challenge, which will be held by the Defense Advanced Research Projects Agency at the DEFCON security conference in Las Vegas next month, aim to see if a high-performance computer system can discover and patch security vulnerabilities automatically — without human intervention.

Seven teams will compete in the finals in front of 5,000 spectators packed into the Paris Las Vegas auditorium, waiting to see if a computer will be able to put the best human penetration testers and security researchers to shame.

While the event has the aura of a sporting finale, DARPA program manager Mike Walker says the efforts undertaken by the finalists are important for eliminating a glaring problem when it comes to cybersecurity: vulnerabilities often go hundreds of days without being discovered and in some instances take more than a year to patch.

“The reaction to unknown flaws in software is entirely manual,” Walker told reporters on Wednesday. “We want to build autonomous systems that can arrive at their own insights, do their own analysis, make their own risk equity decisions of when to patch and how to manage that process.”

The entries, all built on custom high-performance computers, will be responsible for monitoring a network running software with previously unexamined code. The finalists’ systems will need to comprehend the software’s language or author their own logic; explore the almost infinite possible inputs into that software; and arrive at the diagnosis of new vulnerabilities entirely on their own.

Walker says the systems must “then form the solution, whether it’s network defense or patching defense, and manage the solution. If the solution breaks, it’s the machine’s responsibility to fix it.”

If the winners want to test their luck, DEFCON organizers have invited the winning automated system to compete against the world’s best human hackers in their Capture the Flag competition the following day, marking the first-ever inclusion of a mechanical contestant in the event.

DARPA is comparing the Capture the Flag competition to similar competitions, such as the famed Jeopardy! competition where IBM’s Watson cognitive computer defeated two human competitors. Walker said the competition is geared toward these systems, known as reasoning systems, because it tests how close researchers are to achieving full autonomy.

“We wanted to follow in the tradition of reasoning machines like Deep Blue and Watson and AlphaGo,” Walker said. “This is an adversarial domain. In adversarial domains, the way you build a metric — like the Elo rating in chess — is, you measure [your] efficacy by the opponent you can defeat.”

Beyond the competition, Walker wants the challenge to kick off a “revolution” in security automation, eventually getting to the point that it’s as commonplace as nutrition labels on food packaging.

“When you buy [software] and you look on the back, what you don’t have today is a sticker that tells you what machine investigated [its] security and what machine will guard its security in the future,” he said. “That’s something we could see as an open technology revolution in security automation.”

Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.

Congress: Federal bank agency CIO ‘misled lawmakers and hid breaches’

The chief information officer of the Federal Deposit Insurance Corp. misled congressional overseers to cover up cybersecurity breaches at the agency, retaliated against whistleblowers and those who disagreed with him, and generally created a toxic work environment for his team, congressional staff allege in a report published Wednesday.

CIO Larry Gross “has created a work environment defined largely by vindictiveness and retaliation,” reads the report, authored by Republican staffers working for the House Science, Space and Technology Committee, and based on a series of formal interviews with a handful of FDIC staff.

The report alleges Gross transferred or forced into early retirement two cyber experts who challenged his judgment, and accuses him of “retaliating against individuals within the CIO organization who have provided testimony to the committee in the course of its investigation.”

Gross has “silenced or ignored those who disagree with his viewpoints,” the report charges.

The report also says that, before Gross took over the CIO’s office in 2015, the agency was penetrated at least three times — in 2010, 2011 and 2013 — by suspected Chinese hackers and failed to report it either to Congress or the “appropriate authorities” — likely the FBI.

The FDIC press office declined to comment for the record or to make Gross available for an interview.

The agency’s chairman will testify Thursday before the committee, and the report says he will be asked about discrepancies committee staff have found.

The committee’s investigation was prompted when, earlier this year, the FDIC reported two breaches last year involving the downloading to thumb drives of masses of sensitive personal and banking information by departing staff.

In both cases, the agency said in letters to Congress and reiterated in Gross’ May 12 testimony before the committee, the downloads were inadvertent; occurred — at least in part — because “the individuals involved … were not computer proficient”; and were resolved in a cooperative, amicable fashion.

This despite the fact, the report charges, that one of the departing employees possessed a master’s degree in IT management and hired a lawyer to negotiate the return of the thumb drive.

“These facts poke holes in the agency’s narrative that this was an inadvertent breach,” the report states, adding that there has been “a continued pattern of obstruction and reticence by the FDIC” toward the committee’s investigation.

In total, the authors state, more than 160,000 individuals had their personal information compromised by these employee downloads, but the agency did not take steps to notify and provide credit monitoring for the victims until Gross was hauled over the coals by the committee on May 12.

The seven whistleblowers interviewed by committee staff allegedly told them that FDIC officials “created a narrative for the committee in an effort to deter the committee from pursuing the issue of the agency’s cybersecurity breaches any further.”

The report concludes that the agency deliberately mischaracterized the “severity of the breaches and intentionally [withheld] information from Congress.”

GSA pitches Silicon Valley on federal cyber acquisition

General Services Administration chief Denise Turner Roth is visiting Silicon Valley this week to promote her agency’s ongoing support of federalwide efforts to bolster cybersecurity and encourage innovative startups to take part.

In line with President Barack Obama’s $19 billion Cybersecurity National Action Plan launched in February with his proposed budget for fiscal year 2017, GSA recently announced the creation of a special item number for cybersecurity on its IT Schedule 70 governmentwide contracting vehicle. Roth and her colleagues are in San Francisco to host an industry day, much like one last month in Washington, D.C., focused on GSA’s role in supporting CNAP.

Roth told FedScoop ahead of that meeting it’s imperative that GSA be “expansive” about opening the forthcoming cyber SIN — “Highly Adaptive Cybersecurity Services” — to as many vendors as possible “to be able to support our sister agencies as best as possible.”

“To the extent that we have an expansive list of vendors that are qualified, that are engaged and ready to support federal agencies, the better off it will be for our federal partners,” she said. “This is a part of that effort of outreach and ensuring that we are casting a broad net.”

GSA creates SINs for specific categories of popular items on its governmentwide schedules so agencies have greater insight into and can differentiate what they’re buying. GSA said in June it plans to issue a solicitation for the cyber SIN in August and launch it in September.

Many federal agencies have lately turned west to Silicon Valley, the undisputed center of the American technology industry, in search of innovative, cutting-edge solutions to replace antiquated legacy systems. Roth acknowledged this, framing her visit as an opportunity to introduce innovative startups to the federal acquisition process and bring a diversity of fresh ideas into the cybersecurity equation.

“It’s an obvious recognition that a lot of the transformation that we’re seeing in technology is coming from Silicon Valley,” she told FedScoop. “As a federal agency that’s looking to partner with the private sector to ensure that we’re providing the most diverse representation of what’s coming from our vendors, the products they’re providing, we need to go where those companies are. And from a tech perspective, Silicon Valley is certainly a key part of that relationship.”

GSA introduced a line of new initiatives in April dubbed Making It Easier that will simplify the language around its IT Schedule 70 offer process to new vendors and ease the burden for those innovative startups looking to join the acquisition vehicle.

“The recognition is that if we’re going to make the government a 21st century government, we need to ensure that we have a broad representation from the technology community, and the Silicon Valley technology firms are part of that,” she added.

Roth intends to address more than CNAP and the new Schedule 70 cyber SIN, including the movement around the IT Modernization Fund — a $3.1 billion revolving fund backed by legislation introduced by House Whip Rep. Steny Hoyer, D-Md., that would give agencies the investments needed to replace outdated legacy systems, with the requirement that they repay those funds over time.

Regardless of that bill’s movement through Congress, Roth said GSA is operating as if it will be passed.

“We are looking internally at what personnel support we will need to be able to review, what steps we will need to take,” she said. “My direction to the team overall is we need to assume that the fund is happening and take an evaluation of what’s necessary from all parts of the organization in order to make the fund successful the day we receive approval.”

In a broad sense, the visit out West is an opportunity for GSA to inform those in and out of government of its more prominent role supporting federal cybersecurity, Roth explained, saying it’s “not always an obvious role that people recognize we’re playing but are in fact playing.”

“It is primarily in the acquisition space, but it’s much deeper than that,” she said. “It’s actually ensuring that as our partner agencies are looking to the market to seek solutions, it’s helping to ensure that the contracts themselves have the appropriate requirements so that our agencies are buying what they need, that they also have tools on how to assess vendors as they’re coming in and vendors ready to provide cybersecurity support, that they can ensure what they’re providing is going to actually meet the need of the agency.”

And all vendors — small or large, from the east, west or anywhere in between — have a part to play in that mission “bringing the right products to the table,” the administrator said.

“For the federal government to improve its technology footprint, we’ll need to work closer with vendors industrywide — whether that’s East Coast or West Coast, wherever it takes us,” Roth said. “But also we do want to be accessible to the startup companies as well to the extent that it makes sense.”

“Cybersecurity is no longer just an IT issue — it is a mission issue, and we need to treat it as such,” she said.

Better tech, stronger disclosure policies could improve FOIA — experts

Congress should push agencies to make information from frequently requested records categories more readily available — and streamline the technology used to handle Freedom of Information Act requests, experts said at a recent hearing.

At a Tuesday Senate Judiciary Committee hearing, panelists and senators celebrated FOIA reforms signed into law in June, but they also noted that Congress could do more to make the open records law effective.

“We should bear in mind that a new administration will soon be moving in,” said Republican Sen. Chuck Grassley of Iowa, chairman of the Senate Judiciary Committee, in his prepared statement. “So it’s important to ask how we can work to secure a commitment to transparency from day one.”

He added, “By releasing information before it’s requested, agencies could go a long way towards reducing delays and improving transparency.”

The biggest issue with FOIA, panelists said, is how long it takes. And one hearing witness said the FOIA backlog might be caused by companies requesting data through FOIA that the government should be proactively disclosing.

Margaret Kwoka, assistant professor at the Sturm College of Law at the University of Denver, said other requesters (like the media or citizens) may be crowded out by commercial requesters that request the same categories of routine information.

“The government could decide to affirmatively publish those whole categories,” Kwoka said to FedScoop. “And pre-empt the need for one-by-one requesting, where kind of private entities are essentially doing the work the government should be doing, which is to categorize you know all of the records in a particular area and make a database of them.”

Her research, published this year, indicates that commercial requesters make up the majority of requests at four out of the six entities whose requesters she reviewed, according to her testimony. The agencies included in her review were the Securities and Exchange Commission, the Food and Drug Administration, the Environmental Protection Agency, the Defense Logistics Agency, the Federal Trade Commission, and the National Institutes of Health.

Several companies are actually making a profit off requesting information and then reselling it, like FOI Services Inc., which was the single highest-volume requester of FDA information, according to Kwoka’s research.

Sen. Patrick Leahy, D-Vt., asked witnesses how agencies could better tackle the FOIA request workload brought on by commercial requesters. The way to increase efficiency, Kwoka said, could be agencies proactively releasing that information.

“I think we’re going to be facing that question more and more as we go ahead,” Leahy said. “We want FOIA to work. We also don’t want to be overwhelmed.”

Legislating proactive disclosure isn’t easy, Kwoka told FedScoop after the hearing, but she said there are several ways Congress could address this problem, including requiring agencies to publish FOIA logs and conducting an annual analysis to see whether frequently requested categories of records could be made available without using FOIA.

Other organizations have pushed for proactive disclosure, like the Sunlight Foundation, as mentioned in one of its recent blog posts.

“I think there was a lot of agreement both from the members of the committee and also from the panelists about the need to think about how to legislate affirmative disclosure requirements going forward,” Kwoka told FedScoop.

Panelists also noted that government needs to continue to address the technology that underpins FOIA operations — an issue that was also touched on in the FOIA Improvement Act. The act, signed into law in June, calls for a centralized FOIA request website that can track requests. Right now, only some agencies use a website called FOIA Online.

“FOIA suffers from insufficient investment in technology,” said Rick Blum, director of the Sunshine in Government Initiative, in his opening testimony.

Blum said in the hearing that the committee could provide oversight as government tries to implement this part of the law.

Government should also develop digital systems to publish documents automatically, which would improve proactive disclosure, said David Cuillier — director of the University of Arizona School of Journalism, testifying on behalf of the Society of Professional Journalists Freedom of Information Committee — in his prepared statement.

In June, the administration announced the Department of Justice will work with the Office of Management and Budget and the Environmental Protection Agency to launch in 2017 “a consolidated FOIA request portal,” which would be inspired by the service FOIA Online provides.

The portal will first focus on establishing a centralized place to submit requests, and then other features will be added, according to the White House fact sheet.

Kwoka told FedScoop that “technology has to be a critical component to improving the way the existing FOIA structure works, and also to any affirmative disclosure regime.”

She added that “the records are only as good as the technology that supports them.”

Fiat Chrysler becomes first auto maker to offer bug bounty


Fiat-Chrysler, in a partnership with Bugcrowd, will pay researchers between $150 and $1,500, depending on the severity of the bugs. (Fiat Chrysler of America)

Italian-owned auto giant Fiat Chrysler became the first major car manufacturer Wednesday to offer payments to hackers who find software flaws or other security vulnerabilities in its products, the company said.

The bug bounty program will be run by Bugcrowd, a platform that allows security researchers to crowdsource their search for vulnerabilities in third-party products, Fiat Chrysler announced in a release. It will pay researchers between $150 and $1,500, depending on the severity of the bugs.

The move follows a recall of 1.4 million vehicles by the firm last year, after a Jeep Cherokee was famously hacked by Charlie Miller and Chris Valasek.

Although Fiat is the first automaker to offer a bounty, GM hired HackerOne in January to provide a responsible disclosure channel for security researchers, though without any bounty involved. Tesla has run a bounty program through Bugcrowd for more than a year, offering up to $10,000 for the worst security flaws.

“There are a lot of people that like to tinker with their vehicles or tinker with IT systems,” said Titus Melnyk, senior manager of security architecture for the automaker. “We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers.”

The bounty program page on Bugcrowd’s website enumerates a long list of exclusions — vulnerability types, products and services not covered by the program. They include DDoS attacks, “vulnerabilities relating to SSO and federation technologies,” and flaws in the login or password recovery process.

“The consumer is starting to understand that these days the car is basically a two-ton computer,” said Casey Ellis, CEO and founder of Bugcrowd. He added that Fiat Chrysler customers “are the real winners of this bounty program; they’re receiving an even safer and more secure product both now and into the future.”

Scoop News Group debuts cybersecurity publication CyberScoop

Scoop News Group announces the debut of CyberScoop, the go-to destination for the latest cyber news, with the launch of a digital newsletter featuring articles and events related to protecting electronic data. With an initial subscriber base of 200,000 government and industry professionals, CyberScoop will engage top security leaders through news, newsletters, TV, radio and events. The full news site is scheduled to launch in August 2016.

Cybersecurity has increasingly become the No. 1 priority among IT leaders in federal, state and local governments; educational institutions; and the private sector. CyberScoop is the response to the rise of cyber-related infringements, issues and discussions.

“As the leading tech media company in Washington, D.C., we have spent the past eight years building community with top security leaders from the government and tech industry. We are uniquely positioned to bring the brightest people together and wrap our arms around an issue that impacts everyone,” says Goldy Kamali, Founder and CEO of Scoop News Group. “From the White House to Silicon Valley, we will engage and collaborate with security leaders on the latest technology to the policies that shape our digital world. CyberScoop will take a growing, complex landscape and make sense of it on one platform.”

With nearly a decade of cybersecurity coverage published in SNG’s federal, state and local, and education technology media titles – FedScoop, StateScoop and EdScoop, respectively – this cutting-edge platform will provide dedicated cybersecurity and cyber-related coverage through CyberScoop.com and its daily newsletter. SNG’s award-winning editorial team are established members of the cyber technology community and will be led by technology journalism veteran Greg Otto as Managing Editor.

“‘Cybersecurity’ is such a nebulous term. Does it mean the same thing as it did five years ago? What does it mean to our government? What does it mean to us individually? What does it mean for the way we do business, for the way we protect our health and the way we move from one place to another? From the OPM hack to the fight over encryption, FedScoop has produced great coverage of all things related to federal cybersecurity. CyberScoop will take it to the next level, reporting on the resulting breaking news, developments and cybersecurity advancements in both government and the marketplace,” says Greg Otto, Managing Editor, CyberScoop.

To learn more about CyberScoop, or to sign up for updates, please visit www.cyberscoop.com

Senator grills DOE official over lack of cyber training programs


An undeniable shortage of qualified industrial control system, or ICS, cybersecurity professionals — individuals trained to defend the nation’s energy infrastructure from hackers — should cause the Department of Energy serious concern, Sen. Bill Cassidy, R-La., told Department of Energy Assistant Secretary Patricia Hoffman during a Senate Energy & Natural Resources subcommittee hearing.

“The number of ICS professionals is severely limited, maybe 500 to 1000 worldwide, and we need tens of thousands. And that begs the question: what are we doing to address the shortage, which is exponential. What are we doing to address this critical shortfall,” Cassidy — referencing a conversation with personnel from the non-profit, Louisiana-based research institute, the Cyber Innovation Center — said.

Reg Harnish, the CEO of New York-based cybersecurity consultancy GreyCastle Security, wrote in an email to FedScoop, “finding cybersecurity experts is difficult no matter what industry you’re in, partly because it is an ultra-competitive market and partly because there are so few of them. [But] for those entities trying to defend industrial control systems it is even more difficult.”

Arkansas Electric Cooperative Corporation CEO Duane Highley, who also testified to the committee on Tuesday, responded to Cassidy by admitting the U.S. is experiencing a deficit.

“Certainly, the demand for these technically skilled folk causes us a lot of the time to go outside the country to get those people … We just don’t produce enough in house to make it happen,” said Highley.

“I think it’s something to watch but we don’t believe it is insurmountable,” he concluded.

Hoffman countered Cassidy, explaining that the DOE is already working with both the University of Arkansas and the University of Illinois to develop engineering curricula that combine energy infrastructure engineering and cybersecurity studies, so that the next class of security specialists can assist the energy sector.

She also pointed to several threat intelligence information sharing partnerships between private sector competitors and the federal government, which are concurrently used to prepare existing, in-house security teams to stop hackers from disrupting, for example, the electrical grid.

“It seems as though you’re not doing that much on manpower or womenpower training though,” Cassidy said to Hoffman, “And I say that because even if you have two universities with engineering programs — and even if they are big engineering programs — it is still relatively small.”

He added, “if I am being told we have between 500 to 1000 people and we need tens of thousands, it seems like … just, doesn’t anyone else see a problem of manpower here?”

A recent Kaspersky Lab report highlights the immature state of security surrounding ICS — with nearly 60,000 systems in the U.S. accessible online through Shodan, an online search engine that catalogs internet-connected systems. A total of 189 security vulnerabilities were reported by ICS product vendors in 2015, according to the report, up slightly from one year prior. And available exploits were found for more than 20 of the reported software bugs.

In an email to FedScoop, a department spokesperson responded to Cassidy’s criticism: the “DOE, in partnership with the Department of Homeland Security, and the energy sector, supports university collaborations that engage 16 universities [in total] with the primary focus on research and development.”

“Both undergraduate and graduate students participate in research to develop innovative cybersecurity technologies that will transition to the energy sector to reduce the risk of energy disruption resulting from a cyber incident,” the spokesperson said.

Other known cybersecurity programs created by the DOE include a public repository of basic cybersecurity information and educational resources called the Cybersecurity Awareness & Training Warehouse and a Cybersecurity Awareness & Training program designed to train department employees.


To contact the reporter on this story: send an email via chris.bing@fedscoop.com or follow him on Twitter at @Bing_Chris. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.