REPORT: CYBERCRIME COSTS RISING – The cost of cybercrime to U.S. businesses is up again this year, according to a new report. In news that’s less surprising than it is stark, the average cost to a U.S. company of cybercrime is up nearly 10 percent from last year, according to the study from HP Enterprise Security and Ponemon Institute. Researchers put the average cost to U.S. businesses at $12.69 million, up from $11.1 million in last year’s report. The U.S. saw the highest cost of any country. But the report also found that security measures taken in advance by companies could significantly cut the costs. Companies were grouped based on Ponemon’s Security Effectiveness Score Index, which rates companies based on 24 measures of cybersecurity. The cost to the companies with the worst SES scores was nearly three times as high as the companies with the best SES scores. Deploying certain technologies or governance practices like having a CISO and certified professionals on staff each could save companies millions. The story: http://politico.pro/1ndxHN8
TODAY’S HOT TICKET: CATCHING UP ON CYBER WITH THE WH – The White House’s cyber czar will be the center of attention this morning when he addresses recent cyberattacks on financial institutions, including JPMorgan. Michael Daniel’s remarks this morning at the Center for National Policy will come the day after a New York Times report that President Barack Obama was regularly updated on the JPM investigation and had some questions about it (more on that below.) At the event he’s headlining today, Daniel will address “government concerns about the latest breaches in the financial sector,” according to a preview provided by CNP, in addition to one of his pet issues — the cyber workforce. If that isn’t enough, the event will also feature a who’s who of cyber experts: George Washington University’s Frank Ciluffo, Black Hat’s Jeff Moss, New America Foundation’s Peter Singer and Northrop Grumman’s Vern Boyle. Say hi to Dave if you’re there, or catch the livestream at 9:30: http://bit.ly/ZeNa4j. And just for fun — tell us what you would ask if you could get one cyber question answered by the White House (tkopan@politico.com).
YAHOO WHITE HAT: YES, THE FBI VISITED ME – The security researcher who found that servers at Yahoo, WinZip and Lycos were compromised got a visit from the FBI after making his findings public — a case that he says illustrates the shades of gray in which he and other white-hat hackers operate. Jonathan Hall set up a trap for attacks using the Shellshock vulnerability, one of which he discovered was coming from a WinZip server, according to Wired. Hall traced the attack back, finding a network of infected computers run by Romanian hackers. Not only did he follow the attacks, he accessed one of the WinZip servers and executed a “kill” command that terminated the program. But in his work to, as he sees it, protect the Internet, Hall may have run afoul of anti-hacking laws himself.
After Wired published its story on Hall’s work, he put up a blog post expanding on the topic. He acknowledged he was operating in a gray area, but argued that the feds should not expend resources prosecuting him. “There’s a piece of it that’s really missing to qualify it as being worth prosecuting, in my opinion: criminal intent,” Hall wrote. He compared himself to a woman who stopped her car to let ducks cross the highway, which caused a chain-reaction fatal crash. And then he put the ball back in the FBI’s court: “So, yes. The FBI visited me. That’s sorta what happens when you email them two times and call them three, then publicly announce that you’re very disappointed in the reachability and response time.” The Wired story: http://wrd.cm/1qhJViZ and Hall’s blog: http://bit.ly/1yOmcRx
HAPPY THURSDAY and welcome to Morning Cybersecurity, where (shameless plug alert) your host today will be moderating a discussion with Crowdstrike co-founder Dmitri Alperovitch at Financial Services Roundtable’s Global Financial Summit. It’ll be livestreamed, if you want to tune in to the conversation about cybersecurity in the financial industry. As always, send your thoughts, tips and feedback to tkopan@politico.com and follow @talkopan, @POLITICOPro and @MorningCybersec. Full team info is below.
NIST: RFI RESPONSES IN, JUST NOT UP – NIST is rejecting speculation that the agency hasn’t received any responses to the request for information it put out in August regarding experiences in implementing the cybersecurity framework. Although it has yet to post online any of the responses, it has received them, a NIST spokeswoman told MC. But asked to enumerate the responses or explain why none have been posted, the spokeswoman had no further comment. NIST has a reputation for transparency, so its refusal to post comments or say why it hasn’t done so is out of character. Comments will be posted after the RFI closes this Friday, the agency said. Here’s the RFI: http://1.usa.gov/1u8u0Hf and here’s the webpage where comments should appear http://1.usa.gov/1vNWjgf
DRIP, DRIP, DRIP: WHITE HOUSE MONITORED JPM ATTACK – The New York Times had the big story of the day yesterday, reporting that President Obama and his national security staff were briefed periodically on the attacks on U.S. financial institutions this summer. Asked about the report, the White House told Dave that “the president is regularly briefed on matters of national security importance.” Obama pressed officials on whether the attacks were politically-motivated Russian attempts at retaliation against U.S.-led sanctions against Russia implemented following Russian aggression against neighbor state Ukraine, the Times said. One senior official told the paper: “The question kept coming back, ‘is this plain old theft, or is Putin retaliating?’ … ‘And the answer was: We don’t know for sure.’” The story: http://nyti.ms/1seQMjJ
-- Plus, now The Wall Street Journal is reporting that at least 12 other financial services firm were targeted by the same hackers as the JPMorgan incident. Data was successfully taken from at least one other firm, the WSJ reported, citing investigators. That story: http://on.wsj.com/1vSbE0b
FEDERAL AGENCY SEEKS HACKER TRAP – The Social Security Administration posted a notice this week that it is shopping for a provider of a “honeypot” — a ruse to lure hackers trying to steal citizen information. The honeypot should automatically and securely alert SSA security staff when hackers attempt to intrude into it, capturing data about inbound and outbound connections, firewall logs and keystroke logs, according to the sources sought notice posted by the agency. While honeypots are frequently used in the private sector, by the military and by law enforcement, Trend Micro Chief Cybersecurity Officer Tom Kellermann said they’re somewhat new for federal civilian agencies. Part of what makes the notice odd, of course, is that honeypots rely on the element of surprise — so the SSA broadcasting its plans to potentially secure one isn’t something Kellermann would advise. Tuesday’s posting is just a sources sought notice, which means the agency is simply investigating the state of the industry and hasn’t committed to buying any new technology. Joe has the story: http://politico.pro/1vNHpq6
EAST-WEST DIVIDE: TECH GATHERS ON SURVEILLANCE – Top tech execs and leading lawmakers lambasted the disastrous effects of unchecked NSA surveillance on the tech industry in Palo Alto yesterday at a gathering spearheaded by Oregon Sen. Ron Wyden. But with Congress out of town and the USA FREEDOM Act stalled, the West Coast take fell on deaf ears in D.C. Pro Tech's Tony Romm had the story: “Google Executive Chairman Eric Schmidt warned that continued NSA snooping would ‘end up breaking the Internet’ and lead to global trade restrictions. Microsoft’s top lawyer, Brad Smith, lamented a loss of ‘trust’ among users. And Sen. Ron Wyden (D-Ore.), who convened the panel discussion, said the programs exposed by Edward Snowden are tarnishing the ‘American brand.’” The conversation continued to touch on efforts to rein in NSA surveillance in Washington, with Smith noting the conventional wisdom now is that USA FREEDOM will not pass in the lame duck.
--Wyden also weighed in on the current spat over smartphone encryption, siding against top brass at the FBI. Tech firms “should not be required to build back doors into their products,” Wyden said, rejecting the idea that government should always have the key to circumvent security features. “What’s needed is to find laws that ensure liberty and security are not mutually exclusive, so companies are not forced to duke it out with the government in technology labs.” The story, from Pro Tech: http://politico.pro/ZeFCyA
REPORT WATCH:
-- Employers and higher education leaders recommend developing curriculums with industry input and offering better internships as ways to attract students to cybersecurity careers, according to a (ISC)² Foundation and University of Phoenix report based off a focus group roundtable. http://bit.ly/ZRnA6L
QUICK BYTES
-- Chinese officials want to beef up the nation’s cybersecurity and develop more software domestically to be free of Western products, state media reports. Reuters: http://reut.rs/1vRpP5H
-- DHS’ plan for federal government-wide realtime computer network diagnostics — the troubled CDM program — is in “great shape,” insists Asst. Secretary Andy Ozment. Federal News Radio: http://bit.ly/1ndTXXn
-- Israel aims to become a cybersecurity superpower, and the IDF is launching an ambitious program to groom the next generation of cyberwarriors in high school. Washington Post: http://wapo.st/1ndTX9L
-- South Korea’s military, facing stepped-up cyberwarfare efforts from the North, is pushing a more aggressive cyber policy. AsiaOne: http://bit.ly/1ExKDmy
-- Tesla CEO Elon Musk worries that artificial intelligence may determine the best way to rid the world of email spam is to get rid of the humans. CNET: http://cnet.co/1o0oCbd
-- Bond insurer MBIA reportedly knew about its breach for two weeks before acting, and the customers put at risk included thousands of local governments. Reuters: http://reut.rs/1vNGxBK
-- Internet pioneer Tim Berners-Lee defends the decision to not build security into the Web from the get-go. The Register: http://bit.ly/1oSIMyI
-- EisnerAmper’s Fifth Annual Board of Directors Survey finds cybersecurity and social media use are top risks that concern boards of directors in 2014. Lexology: http://bit.ly/1vOBQYG
-- The Health Information Trust Alliance has established a threat exchange system aimed at automating the sharing of cyberthreats in the healthcare industry. SC Magazine: http://bit.ly/1ndfj7b
-- The FDA explains its thinking on recent device cybersecurity moves in a new blog post. FDA: http://1.usa.gov/1ri6LqH
-- The U.K. gets tough on revenge porn. Naked Security: http://bit.ly/1yOx5CO
That’s all for today. Keep on keepin’ on.
Stay in touch with the whole team: Tal Kopan (tkopan@politico.com, @TalKopan); Shaun Waterman (swaterman@politico.com, @WatermanReports); Joseph Marks (JMarks@politico.com, @Joseph_Marks_); and David Perera (dperera@politico.com, @daveperera).