Software bill of materials on today’s agenda

With help from Eric Geller, Jordyn Hermani and Mary Lee

Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. To learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services, click here.


— A U.S. agency will discuss creating a software “ingredient list” today. It could speed up discovering and fixing security flaws.

— The dark web is making tax identity theft simpler and less expensive. A report out today found bargain bin prices for documents.

— The federal chief information security officer has won praise in an OMB office with low morale. The bad news is the current CISO is doing two jobs at once.

HAPPY THURSDAY and welcome to Morning Cybersecurity! After scarring you with some horrifying bee news yesterday, your MC host hopes to make it up to you with a bit of bee comedy. Send your thoughts, feedback and especially tips to, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

DO YOU KNOW WHAT’S IN YOUR CODE? — The telecom and tech agency NTIA will host a meeting today as part of its project with industry to develop a software “ingredient list” that promotes code transparency, and the agency is optimistic about this work.

The goal of a software bill of materials is to reduce supply chain risks and speed up the discovery and remediation of digital flaws. “Several working groups are digging into the details of how this would work, and studying what a more secure future can look like if stakeholders widely adopt SBOM across the Internet ecosystem,” Allan Friedman, director of cybersecurity initiatives at NTIA, said in a blog post. Medical device makers and hospitals are already pilot-testing one SBOM to see how useful it is. Friedman said NTIA hopes to explore “other use cases across diverse sectors in the months ahead.”
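As an added illustration of the check an SBOM makes cheap (this is not NTIA's material, not any working group's output, and not a real SBOM format), the snippet below walks a small component inventory, including transitively included components, and matches it against a list of known-vulnerable version ranges. The product name, component names, suppliers and advisory identifiers are all constructed for the example; the version comparison is numeric per segment so that 1.2.10 sorts after 1.2.9.

```python
"""Match a software bill of materials against known-vulnerable component versions.

Added example: the SBOM layout, the component names and the advisory data are
constructed here and do not correspond to any real product, vulnerability or
published SBOM format.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory: 'name' is vulnerable from 'introduced' (inclusive) up to 'fixed' (exclusive)."""
    advisory_id: str
    name: str
    introduced: str
    fixed: str

    def affects(self, c: Component) -> bool:
        if c.name != self.name:
            return False
        return parse_version(self.introduced) <= parse_version(c.version) < parse_version(self.fixed)


# Constructed SBOM: one product, two direct dependencies, and one dependency of a dependency.
# The nested "components" list is how a bill of materials records transitive inclusion.
SBOM = {
    "product": "infusion-pump-controller",
    "version": "3.1.0",
    "components": [
        {"name": "tls-lib", "version": "2.4.1", "supplier": "VendorA", "components": []},
        {"name": "http-server", "version": "1.9.0", "supplier": "VendorB", "components": [
            {"name": "json-parser", "version": "0.8.5", "supplier": "VendorC", "components": []},
        ]},
    ],
}

# Constructed advisories (identifiers and ranges are invented for the example).
ADVISORIES = [
    Advisory("ADV-0001", "json-parser", "0.8.0", "0.8.7"),
    Advisory("ADV-0002", "tls-lib", "2.5.0", "2.5.3"),
]


def flatten(node: dict, path: tuple = ()) -> list:
    """Walk the SBOM tree, returning (Component, dependency path) for every nested component."""
    out = []
    for child in node.get("components", []):
        comp = Component(child["name"], child["version"], child["supplier"])
        child_path = path + (comp.name,)
        out.append((comp, child_path))
        out.extend(flatten(child, child_path))
    return out


def find_affected(sbom: dict, advisories: list) -> list:
    """Return (advisory_id, component name, version, inclusion path) for every vulnerable component."""
    hits = []
    for comp, path in flatten(sbom):
        for adv in advisories:
            if adv.affects(comp):
                chain = " -> ".join((sbom["product"],) + path)
                hits.append((adv.advisory_id, comp.name, comp.version, chain))
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM, ADVISORIES):
        print(hit)
```

The inclusion path in each hit is the practical payoff: it tells an operator not just that a vulnerable library is somewhere in the product, but which direct dependency pulled it in, which is what a remediation ticket needs. Without the nested inventory, the json-parser hit would be invisible to anyone inspecting only the product's declared direct dependencies.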

TAX SEASON JUST GOT A LOT MORE FRUSTRATING — Committing tax identity theft and fraud is getting cheaper and easier with help from the dark web, research out today from Carbon Black suggests. With prices ranging from 19 cents to $62 apiece, hackers could buy several variations of tax-related items such as W-2 and 1040 forms, names, Social Security numbers and birthdates, with W-2s and 1040s generally carrying a higher base price.

For a roughly $1,000 investment, Carbon Black researchers found, a “relatively inexperienced hacker” could buy authenticated access to a U.S.-based bank account, file a false tax return, have the IRS refund deposited into the new account and transfer the combined balance into a crypto exchange or wallet. The hacker could then either continue to use that cryptocurrency on the dark web or cash out from an EU-based bank and turn the funds into real currency, which the report estimates “can more than double their initial $1,000 investment.”

Carbon Black’s report offered several tips for taxpayers to protect themselves, including using a bank with multi-factor authentication, filing taxes as soon as possible and using a password manager. It also recommended authenticating requests for tax information via telephone or in person before giving away the information online, and being skeptical of websites that require your tax information.

FEDERAL CISO’S BALANCING ACT — As OMB’s IT and cyber oversight office grapples with dismal morale, employees see Federal Chief Information Security Officer Grant Schneider as a rare bright spot in a leadership team that they say is letting them down. “He’s one of the few leaders that’s trying,” a current OMB employee told Eric for his story about turmoil in the office. “He is trying to engage at least the cyber team folks to see what he can do and how he can help.” A former senior federal IT official who worked closely with the office echoed this perspective, calling Schneider “a devoted public servant.”

But Schneider can’t focus on his team in the Office of the Federal Chief Information Officer, sources said, because he spends the vast majority of his time — one former OFCIO employee said “99 percent” — at the National Security Council, where he concurrently serves as a senior director for cybersecurity policy. “It is clear to some staff he’s investing more time with NSC than he is with OFCIO,” said the OMB employee. The former senior official said Schneider is “task-saturated,” adding, “He’s got two full-time jobs, and neither deserves to be part-time.”

Schneider has discussed employees’ concerns with Federal CIO Suzette Kent, who sources said has adopted a much more distant management style than her Obama administration predecessor Tony Scott. “He has communicated to Suzette about the challenges and the need and the urgency to try to fix these things,” said the current OMB employee. “But that’s his boss, and he has to take the lead from her. So if it’s Suzette’s decision not to address these things, it’s out of his hands.”

FOR THE FIRST TIME A top DHS cyber official responded Wednesday to the question on the mind of everyone in the cybersecurity community right now: How will Secretary Kirstjen Nielsen’s departure affect the department’s cyber mission? “Professionals will keep doing their job regardless of the politics,” Jeanette Manfra, assistant director for cybersecurity at the department’s Cybersecurity and Infrastructure Security Agency, said at an Atlantic event. Many seem to agree, but the open question is whether DHS cyber staff will be less effective under a different boss.

At the same event, the president of the National Association of Secretaries of State said there’s an effort afoot to improve election-system sensors known as Albert sensors. “We’re working with Center for Internet Security on a pilot to develop an Albert monitor that works in the cloud,” said Jim Condos, secretary of state in Vermont.

LAZARUS GROUP STRIKES AGAIN — DHS and FBI alerted industry about their findings on new Trojan malware variants deployed by the Lazarus Group, widely believed to be backed by the North Korean government. The U.S. Computer Emergency Readiness Team malware analysis report released Wednesday analyzes nine malicious executable files, seven of which are proxy applications that cloak traffic between the malware and remote operators.

The proxies can generate fake TLS handshake sessions using valid public SSL certificates, disguising the malware’s network connections with remote malicious actors as ordinary encrypted traffic. The agencies dubbed the malware “Hoplight.” They recommended that users and administrators implement 13 best practices to bolster organizations’ defenses, including maintaining up-to-date antivirus signatures and implementing regular password changes.

RECENTLY ON PRO CYBERSECURITY There’s at least one more victim of the hacker group behind the destructive malware known as Trisis or Triton, FireEye said. … Kaspersky Lab identified malware that can track keystrokes to pilfer files off USB devices. … Attorney General William Barr alleged that the Justice Department “spied” on the presidential campaign of Donald Trump, echoing a sentiment the president has embraced. … The State Department’s top cyber official said Europe should follow Germany’s lead on Huawei.


More than three-quarters of organizations lack a cybersecurity incident response plan, according to a survey out today from IBM and the Ponemon Institute. More than half of those that have a plan don’t test them regularly, if at all.

POLITICO and the Atlantic look at Nielsen’s life after DHS.

DHS and the FBI have “moderate confidence” that Russians conducted reconnaissance at minimum on all 50 states prior to the 2016 election. Ars Technica

Finland saw an election-related cyberattack. Bloomberg

“’MuddyWater’ APT Spotted Attacking Android.” Dark Reading

A democracy activist convicted under a United Arab Emirates cybercrime law is on a hunger strike. LobeLog

That’s all for today.

Stay in touch with the whole team: Mike Farrell (, @mikebfarrell); Eric Geller (, @ericgeller); Martin Matishak (, @martinmatishak) and Tim Starks (, @timstarks).
