MC exclusive: Manhattan DA takes encryption-breaking plea to Congress

With help from Cory Bennett, Martin Matishak and Tim Starks

FIRST IN MC: ENCRYPTION ON THE HILL — Manhattan District Attorney Cyrus Vance, one of the most outspoken advocates of legislation outlawing unbreakable encryption, recently briefed Senate offices about the threat posed by encrypted devices and communications platforms, several sources told MC.

The briefing, hosted by the Senate Judiciary Committee on Friday, focused on the ways in which encryption complicates local and state law enforcement investigations, according to a Vance spokesman. The session lasted 75 minutes and involved approximately 50 Senate staffers. FBI official Valerie Cofield — who has reportedly met with researchers to discuss their technical solutions — and a bureau colleague also attended the briefing, according to Vance’s spokesman. Judiciary Committee and FBI spokespeople did not respond to a request for comment on the meeting.

In recent years, Vance has taken the lead in articulating the burden that encryption places on local police and prosecutors. He has clashed with tech companies, released reports describing encryption’s consequences and even penned a New York Times op-ed on the subject. At the Judiciary Committee meeting, according to his spokesman, Vance briefly mentioned his proposal for a federal law requiring that tech companies maintain the ability to unlock devices and data when served with warrants.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Your temporary MC host is a big fan of space telescopes and is dismayed at the latest delay for the Webb. C’mon, NASA, get it together. Tim is out this week, but send the rest of us your thoughts, feedback and especially tips, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

SAY WHAT?! — Cybersecurity experts and civil libertarians slammed the FBI on Tuesday after an internal investigation revealed controversies over the bureau’s handling of the San Bernardino iPhone encryption battle. According to the Justice Department inspector general’s report, a top FBI official “became concerned” that one of her subordinates was stonewalling efforts to unlock the shooter’s phone “to pursue his own agenda of obtaining a favorable court ruling against Apple.” In addition, according to the report, an FBI unit knew that a private vendor was 90 percent done with an unlocking tool when the bureau told a federal court that only Apple could crack the device.

“It’s clear now that the FBI was far more interested in using this horrific terrorist attack to establish a powerful legal precedent than they were in promptly gaining access to the terrorist’s phone,” Sen. Ron Wyden, a frequent critic of the FBI’s push for encryption workarounds, said in a statement.

The IG report “raises the question of how seriously the FBI has really been thwarted when devices are locked — and how much of the going dark debate is the FBI simply seeking easier ways to do investigations,” said Susan Landau, a Tufts University computer science professor. “The inspector general is clearly concerned that the whole of the FBI is not committed to finding technical solutions that do not involve the weakening of encryption,” added Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy and Technology.

Even former law enforcement officials said they were concerned. “What is troubling,” said former cybercrime prosecutor Ed McAndrew, now a partner at Ballard Spahr, “is the revelation that the litigation bias of certain FBI personnel could have unknowingly impacted [prosecutors’] actions in pursuing the court order and subsequent litigation.”

ZUCK HILL WATCH — Facebook CEO Mark Zuckerberg is expected to testify in front of at least one congressional panel in the coming month, but certain details about that appearance remain in flux, Pro Technology’s Ashley Gold reports. While there were reports that a date had been set for Zuckerberg to testify at a House Energy and Commerce hearing, Elena Hernandez, a spokesperson for the committee, said that some factors are still being finagled.

“The committee is continuing to work with Facebook to determine a day and time for Mr. Zuckerberg to testify,” she said in a statement. Facebook is under heavy scrutiny from lawmakers in the U.S. and abroad amid reports that Trump-linked data firm Cambridge Analytica secretly accessed and misused data from 50 million Facebook users. Representatives for the Senate Commerce and Judiciary committees, which have also formally summoned Zuckerberg, did not have additional comment on his response to their invitations.

Separately, Facebook said it would expand a bug bounty program in the wake of the Cambridge Analytica flap “so that people can also report to us if they find misuses of data by app developers.” The company vowed to provide more concrete details “in the coming weeks.”


THE HITS KEEP COMING — Baltimore officials are investigating a weekend hack of the city’s 911 dispatch system that forced controllers to temporarily switch the system into manual mode, underscoring the digital vulnerability of local emergency systems. “Instead of details of incoming callers seeking emergency support being relayed to dispatchers electronically, they were relayed by call center support staff manually,” said Frank Johnson, the chief information officer at the mayor’s office, in a statement. Baltimore technicians were able to “isolate” the hacked server from the rest of the city’s networks, according to Johnson’s statement, and the city restored full 911 services early Sunday morning. The FBI is helping the city investigate the hack.

News of the Baltimore incident came a few days after Atlanta said that it was responding to a ransomware attack that crippled many city services, including online bill paying and parking ticket resolution. The city was still grappling with the disruption on Tuesday. “This is much bigger than a ransomware attack,” said Atlanta Mayor Keisha Lance Bottoms in a Tuesday press conference. “This is really an attack on our government, which means it’s an attack on all of us.” Bottoms would not say whether Atlanta planned to pay the ransom, promising only that “everything is up for discussion.”

Cyber intrusions into municipal services have been a fact of life for years, but the rise of ransomware as a quick and easy tactic, combined with the proliferation of digital vulnerabilities, has heightened fears that hackers might be able to disrupt essential operations with ease. After Hawaii’s emergency management agency accidentally sent residents a ballistic missile alert, officials scrambled to assure the world that the incident was the result of human error and not a hack.

DON’T BLAME US — Russian cyber firm Kaspersky Lab is defending its release of information about an advanced hacking operation after a report that the operation was a valuable U.S. counterterrorism program. Earlier this month, Kaspersky published details of a “highly sophisticated cyberespionage campaign” that it called Slingshot. CyberScoop subsequently reported that Slingshot was “an active, U.S.-led counterterrorism cyber-espionage operation … used to target ISIS and Al Qaeda members.” Speaking at an event in Melbourne, Kaspersky CEO Eugene Kaspersky deflected blame for any operational disruptions. “Don’t blame our X-ray,” he told The Australian. “It rings on any kind of gun. It doesn’t matter who’s wearing the gun, a terrorist or a policeman.”

Kaspersky has been in hot water with the U.S. government for years, ever since intelligence agencies began alleging that the Kremlin used the company’s software to scoop up rival nations’ classified secrets. The Department of Homeland Security and Congress have separately banned government agencies from using Kaspersky products.

WE CAN ALWAYS TEAM UP — The U.S. Chamber of Commerce is out with a new white paper that offers best practices for businesses to follow when partnering with law enforcement to respond to cyberattacks. The analysis suggests businesses cultivate relationships with state and federal law enforcement, join a cyber information-sharing organization and develop their own digital incident response plan. Matthew Eggers, the chamber’s vice president for cybersecurity policy, called the steps “key to combating cybercrime.”

BUSCAR RESPUESTAS — Eleven House Democrats pressed a top Mexican official on Tuesday about the status of a months-long probe into his government’s alleged use of cyber weapons to spy on innocent civilians. “We believe that it is imperative that the Government of Mexico carry out a serious, transparent, thorough, and impartial investigation into the illegal use of spyware, and bring to justice any public official or government agency involved in the matter,” the group, led by Rep. Alan Lowenthal, wrote in a letter to Mexico’s ambassador to the U.S., Geronimo Gutierrez.

The spyware, called Pegasus, is made by the Israel-based NSO Group, which claims to peddle its wares only to government agencies for use against criminals and terrorists. The Mexican government opened an investigation into the software’s use following the release of research that showed victims were targeted around the same time that Mexico’s Congress was debating anti-corruption legislation, but the inquiry has reportedly slowed to a crawl. Lawmakers asked the diplomat to update them about the government’s “plans to address the concerns of the spyware victims, guarantee that all lines of investigation outlined … are exhausted, and ensure that victims and their lawyers are kept informed of the progress in the case.”

BRING HIM TO ME — House Speaker Paul Ryan took the opportunity during a trip to the Czech Republic on Tuesday to press for the country to extradite a Russian man accused of hacking computers at LinkedIn, Dropbox and other American companies. “The United States has the case to prevail on having him extradited, whether it’s the severity of the crime, which is clearly on the side of U.S., or the timing of the request for the extradition,” Ryan said, according to the Associated Press. The individual, Yevgeniy Nikulin, was arrested in Prague, the Czech capital, in 2016 in cooperation with the FBI. His extradition is still working its way through the Czech court system.

RECENTLY ON PRO CYBERSECURITY — DHS opposed Kaspersky’s push for a quick court victory over the software ban. … Trump extended Obama’s cyber sanctions executive order.

TWEET OF THE DAY — Before you speak, always ask yourself, “What would this look like in a future IG report?”

QUICK BYTES

DHS Secretary Kirstjen Nielsen issued a stern warning against election meddling in remarks to foreign diplomats last week. The New York Times.

A look at Army Cyber Command’s training school for America’s future digital defenders. Wired.

The U.S. government’s campaign against Chinese hardware maker Huawei is putting rural telecom companies in a difficult spot. The Wall Street Journal.

A Microsoft PowerPoint vulnerability was hackers’ favorite exploit in 2017, according to new research from Recorded Future.

That’s all for today. Hey Elon Musk, wanna build a space telescope?

Stay in touch with the whole team: Cory Bennett (@Cory_Bennett); Bryan Bender (@BryanDBender); Eric Geller (@ericgeller); Martin Matishak (@martinmatishak) and Tim Starks (@timstarks).