Published on April 1st, 2020
The security picture for Zoom
With help from Eric Geller and Martin Matishak
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— Zoom has surged in popularity as people hold meetings online amid the coronavirus crisis, but the glow is wearing off as lawmakers and others probe security and privacy concerns.
— The FBI warned for the third time in 2020 about malware that specializes in targeting the health care sector.
— A think tank is taking a gander at the future of DHS, including its cyber, election security and critical infrastructure missions.
HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Continuing to find good in bad times: Mountain goats becoming city goats. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
Sign up for POLITICO Nightly: Coronavirus Special Edition, your daily update on how the illness is affecting politics, markets, public health and more.
ZOOMING IN ON ZOOM — These are boom times for video conference app Zoom, with the company getting so popular on the stock market that people are buying up a different company with the same name. It’s also turned into a time of high scrutiny about its security vulnerabilities and privacy practices.
U.S. government officials are among those taking a closer look. Sen. Richard Blumenthal (D-Conn.) on Tuesday asked the company about its data collection and encryption practices. “The millions of Americans now unexpectedly attending school, celebrating birthdays, seeking medical help, and sharing evening drinks with friends over Zoom during the Coronavirus pandemic should not have to add privacy and cybersecurity fears to their ever-growing list of worries,” Blumenthal wrote in a letter to Zoom CEO Eric Yuan.
But the app is already approved for general use in the House, and some advocates like progressive group Demand Progress would like to see it — or something like it — used to record votes. And federal agencies can already use Zoom under a General Services Administration authorization.
The scrutiny is also coming from the state level — and overseas. On Monday, the New York attorney general sent the company some questions and the FBI issued an alert about the practice of “Zoom-bombing,” in which virtual conferences are hijacked. The courts are next in line as a class-action lawsuit is in the works over Zoom sending user information to Facebook.
Zoom is already a thing for governments in other countries, for better or worse. In the U.K., it’s banned by the military, but that didn’t stop Prime Minister Boris Johnson and his cabinet from holding a meeting on the platform Tuesday. (The security flaw was more user error, though, as Johnson tweeted a screenshot that included his Zoom ID, as a number of security experts observed on Twitter.)
Zoom’s security is likely to face greater scrutiny as the coronavirus crisis continues. The Intercept took issue with Zoom’s use of the term “end-to-end encryption” to market itself, concluding that it doesn’t provide it for video and audio content. Motherboard reported that Zoom was leaking emails and photos to strangers. Those follow other unflattering stories that emerged this year. And last year, the company endured criticism from a security researcher for how it handled a vulnerability he discovered.
One prominent information security voice predicted the attention on Zoom wouldn’t go away soon. “This is going to get worse, as the entire infosec world descends on a spectacularly complicated product with lots of attack surface and some sketchy design trade-offs,” tweeted Alex Stamos, a computer scientist and adjunct professor at Stanford University’s Center for International Security and Cooperation who once served as Facebook’s chief security officer.
THEY SEEM A BIT WORRIED — The FBI this week issued another alert about the Kwampirs malware, the third such alert this year. Used by the attack group named Orangeworm, “Kwampirs operations against global health care entities have been effective, gaining broad and sustained access to targeted entities,” the FBI alert dated Monday reads. “Targeted entities range from major transnational health care companies to local hospital organizations. The scope of infections has ranged from localized infected machine(s) to enterprise infections.” Symantec, which first publicized the group, didn’t believe it was attached to a nation-state.
THINK DIFFERENT — The Atlantic Council on Monday announced the Future of DHS Project, which will deliver recommendations on cybersecurity, election security, critical infrastructure and more by the end of July, the think tank said. “This project can contribute significantly by clarifying the options and suggesting new ways to tackle challenges that range from COVID-19 to the myriad threats that face everything from our democratic elections to the critical infrastructure upon which the United States must rely,” said Frederick Kempe, president and CEO of the Atlantic Council.
A goal of one of the project study groups led by the Scowcroft Center for Strategy and Security is to examine “foreign nation-state threats to our democracy through cyber, social media, and disinformation.” The project’s advisory board, co-chaired by former DHS secretaries Michael Chertoff and Jeh Johnson, includes former secretary Janet Napolitano and former acting secretaries Rand Beers and Kevin McAleenan. Accenture and SAIC are supporting the project.
THIS IS NO LONGER A TEST — A CISA official confirmed to MC on Tuesday that it “discontinued” the vulnerability testing of the Boeing 757-200 “in order to prioritize broader resilience efforts,” in response to a Defense Daily and Avionics International story on CISA’s abandonment of cybersecurity testing of the plane.
Broadly: “CISA and its partners at the FAA and the Department of Defense remain engaged in the Aviation Cybersecurity Initiative, which is working to reduce cybersecurity risk and increase resilience in the aviation ecosystem,” said Scott McConnell, a CISA spokesperson. “This includes expanding its Community of Interest to include additional public and private sector partners, forming new working groups to assess and mitigate various aspects of the aviation ecosystem, and implementing cybersecurity training at airports across the country in the near future.” The original story has some additional details, too.
SBA MUST ALLAY IT DECAY — The Small Business Administration needs to improve its hardware inventory, access control policy and patching and vulnerability remediation process, the SBA’s inspector general said in a report published this week. Based on these and other weaknesses, the SBA IG described the agency’s cybersecurity program as generally “not effective,” though it noted “improvement in cybersecurity oversight in the domains of incident response, risk management, and contingency planning.”
Among SBA’s other weak points: poorly observed change management processes; poor oversight of deviations from baseline security configurations; and lax enforcement of the government-wide requirement to use Personal Identity Verification, or PIV, cards. In a letter to the IG, the SBA said it concurred with the recommendations and would implement the necessary changes.
NOT ON SCHEDULE — The Treasury Department’s Bureau of the Fiscal Service failed to correct a number of information security control shortcomings for both the Schedule of Federal Debt and the Schedule of the General Fund as of the end of fiscal 2019, GAO audits released on Tuesday revealed. For the former, “Fiscal Service’s corrective actions for addressing unresolved control deficiencies from prior audits did not consistently resolve their underlying causes, and we found through our testing that certain deficiencies, which Fiscal Service identified as remediated, continued to exist.” Both reports cited progress, however.
TRY TO GET ONE OF THESE GIGS — The Congressional Budget Office has put a price tag on legislation that recently won approval from the Senate Homeland Security Committee. In an assessment released Tuesday, the CBO said the cost of a bill (S. 3207) that would require CISA to appoint a cybersecurity coordinator for each state was $37 million from fiscal 2020 to fiscal 2025, assuming average compensation for the coordinator positions at $179,000 and related expenses. The CBO on Tuesday also assessed that the Senate version of a cybersecurity bill (S. 3045) that would grant CISA administrative subpoena powers in certain circumstances would, in fact, reduce the deficit, as it did for the House version.
THINK OF THE CHILDREN — The Air Force Association on Tuesday announced the release of the second volume in a book series meant to teach kids the importance of cybersecurity. “Ben the Cyber Defender” follows a boy with a “not-so-typical passion for cybersecurity and helping others. His skills are put to the test when his cousin, Ethan, accidentally releases a virus that is set to ruin devices all over town,” according to the book’s description. Meanwhile, the Academy of Cybersecurity hopes to give parents working from home a break next week when it launches a virtual “Cyber School” for kids with livestream conversations about hacking, coding and other topics.
TWEET OF THE DAY — “What’s wrong with this picture?”
RECENTLY ON PRO CYBERSECURITY — Senators weren’t pleased that the House left without temporarily extending expiring surveillance powers. … Marriott said hackers stole data on up to 5.2 million guests. … The Nigeria-based cybercrime group SilverTerrier is showing signs of advanced maturity and different targeting, according to Palo Alto Networks. … Hackers deploying cheap, creative tools are targeting Asian users via compromised websites and fake Flash upload warnings, Kaspersky researchers said. … The DOJ inspector general discovered widespread issues with the FBI’s use of secret surveillance warrants. … House Speaker Nancy Pelosi (D-Calif.) said vote-by-mail should be expanded for the 2020 elections.
— BBC: Game and chatting service app Houseparty is offering a $1 million reward related to hacking allegations.
— Motherboard: The successor to the Hacking Team isn’t doing so well.
— CyberScoop: A security firm believes North Korean hackers are behind a spearphishing campaign targeting people interested in North Korean refugees.
— Inside Cybersecurity: “Cyber insurance leader urges federal policymakers to focus on info-sharing, avoid regulatory mandates.”
FOR YOUR CALENDAR (Send your events to: [email protected])
That’s all for today.
Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); and Tim Starks ([email protected], @timstarks).