Turmoil on NSC cyber team

With help from Eric Geller and Martin Matishak

FLYNN’S INFLUENCE PERSISTS — A White House staffer from the Michael Flynn era is angling to replace President Donald Trump’s outgoing top cyber adviser and has been criticizing his work. Joshua Steinman, a senior director for cyber policy at the National Security Council, wants to be the next cybersecurity coordinator and has been speaking ill of current coordinator Rob Joyce, who is leaving soon, multiple sources told MC. Steinman has been expressing “an earnest desire to assume the mantle,” according to a former U.S. official familiar with the matter. “It’s an active and ongoing situation where this guy was taking action to undercut Joyce, undercut the rest of the team, cut people out of things,” a second former government official said.

Story Continued Below

Joyce spent nearly 30 years at the NSA, supervising both its offensive and defensive missions, before joining the White House. As special assistant to the president and cybersecurity coordinator since last March, Joyce has overseen all federal cyber policy and operations decisions, and leads the NSC cyber unit where Steinman works. Steinman, who served in the Navy for eight years and has been a reservist since 2015, had scant cyber policy experience before joining the NSC when it was led by Flynn, sources said. Steinman’s LinkedIn profile lists only three previous jobs: a National Defense University fellowship, a position at the security firm ThinAir and his role as the founder of a company selling “American-made luxury socks.”

Steinman’s ambition and his criticism of Joyce are “not surprising,” said a former White House official. “Josh thought the job was his before [then-homeland security adviser] Tom Bossert informed him during week 1 that he was aiming to have Rob brought on as cyber coordinator,” this person told MC. “Flynn had promised the job to Josh during the transition, so he looked at Rob coming on as a demotion.” A National Security Council spokesman declined to comment on the internal jousting, which was first reported by CyberScoop. "Everybody had been watching Josh do what he does since the day he got there,” said the second former government official. “It wasn’t until recently that it became more and more obvious that Josh was trying to undercut Joyce because he wanted his job.”

Steinman refers to himself on Twitter and LinkedIn as the “special assistant for cyber,” but as one of the NSC cyber team’s two senior directors, he reports to the cyber coordinator, who holds the rank of special assistant to the president. Steinman’s portfolio at the NSC covers the offensive and foreign policy aspects of cybersecurity. The defensive and homeland security aspects fall under senior director Grant Schneider, who serves in an acting capacity while also leading the Office of Management and Budget’s cyber team.

HAPPY FRIDAY and welcome to Morning Cybersecurity! Y’all, your MC host’s dedication to “Star Wars: Battlefront II” even through all the negative uproar has been unceasing, but everyone agrees: “Ewok Hunt,” the new mode, is crazy fun. Send your thoughts, feedback and especially tips to tstarks@politico.com, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

POLITICO Space is our new weekly briefing on the policies and personalities shaping the second space age. Sign up today.

IT’S FINALLY HERE — The Trump administration has sent Congress a report outlining its cybersecurity strategy, responding to years of demands from lawmakers anxious for clarity about America’s digital conflict policy. A White House official told MC that the report, delivered Thursday afternoon, covers “the challenges our nation is facing in cyberspace; what the administration has already accomplished to address those challenges; and the administration’s plans to continue addressing those challenges.” Congress mandated the report as part of the latest defense policy bill.

The classified four-page document, delivered to eight congressional committees, drew in part on the State Department’s cyber deterrence strategy, according to a U.S. official familiar with the matter. State prepared that report as part of Trump’s May 2017 cyber executive order, and the U.S. official said the new cyber strategy would cite it as a classified annex. “The administration continues to enhance its policy for improving the nation’s cybersecurity and looks forward to engaging with Congress on this important topic in the coming months,” the White House official told MC.

The administration had little choice but to complete the report. The fiscal year 2018 National Defense Authorization Act froze funding for some White House Military Office operations until the report’s delivery. The WHMO includes the White House Communications Agency, which supports senior officials’ secure communications in Washington and around the world, as well as the staff that man the Situation Room.

HERE TO HELP — Partnering with electric utilities and other major infrastructure firms is an important way for states to improve their cyber defenses, according to a top official in the Wisconsin National Guard. “One of the things that we [realized] very early on when it came to cyber was, we really needed to have a partnership with our critical infrastructure sector industries in Wisconsin,” said Brig. Gen. Mark Michie, the land component commander for the state’s Guard force, during a panel Thursday about states’ cyber efforts at the RSA conference in San Francisco.

The effort began with the energy sector and involved developing “a relationship with them that was based on trust,” he said. Wisconsin told the companies, “What we want to do is support you and your ability to keep the lights on, regardless of [whether it’s] a cyber event or a physical security event,” according to Michie. To make the firms more comfortable, the Guard crafted non-disclosure agreements so the two sides could share information that wouldn’t be subject to open-records requests. Michie said the state has partnerships with “seven or eight utilities” to share cyber threat data.

Federal partnerships are also essential, Michie said, because “jurisdiction kills you when you’re working investigations on cyber crime.” He met with FBI officials in Washington to explain Wisconsin’s efforts and to ask “if there were opportunities for us to partner with them in ways that could be meaningful.” At the same time, he said, “it became very apparent that [federal authorities’] threshold was so high that most all of these [cyber] crimes that are being perpetrated were not being investigated.” So he built a state-level law enforcement team to focus on cyber threats.

OVERHEARD AT RSA — Here’s what Eric saw and heard as he criss-crossed sessions during day four of RSA:

During a morning session about regulating grid security, Arthur Conklin, an information security professor at the University of Houston, noted that it was impossible to apply the cybersecurity rules from other critical infrastructure sectors — like HIPAA for health care and PCI for financial services — onto the energy sector. “We’re dealing with control systems here, and those regulations — HIPAA, PCI, almost any other separate regulation you point to — deal with information [and] protecting information,” said Conklin. “With control systems you want to protect control.”

A May 2015 Homeland Security Department directive has dramatically reduced the amount of time critical security flaws go unpatched at federal agencies, according to the head of the DHS team that helps companies and agencies secure their networks. Several years ago, as Robert Karas’ National Cybersecurity Assessments and Technical Services team was scanning government networks, “we noticed that it took federal agencies over 300 days to mitigate and fix a critical vulnerability,” Karas said during an RSA talk. So DHS issued a binding operational directive giving agencies a maximum of 30 days to fix these flaws. Since then, the maximum amount of time has gone down to eight and a half days, he said, adding, “That’s a big culture change through the federal government.” Now DHS wants to spread that culture change to local governments and the private sector.

The internet of things will soon inspire a privacy-focused backlash not unlike the furor over Facebook and Cambridge Analytica, a cyber law expert predicted during a session about IoT regulation. “I think that there will be a wave that follows the social media outrage [over] Facebook where the public is going to appreciate the benefits of the IoT but become wary of what it means” from a privacy perspective, said Robert Metzger, a cyber and risk management expert at law firm Rogers, Joseph, O'Donnell. And like with Facebook, consumers may worry that IoT device makers don’t have their best interests at heart. “We can’t trust everyone in industry,” Metzger said, “because … for many companies, the fastest path to the market is the objective, and return on investment from additional security measures does not exist.”

TODAY AT RSA — This morning at RSA, a University of Surrey professor will unveil a report detailing the price of cybercrime, as well as how ill-gotten revenues are laundered and distributed. Dubbed “The Web of Profit,” professor Mike McGuire’s report estimates that cybercrime revenues are reaching at least $1.5 trillion annually, a figure the paper dubs conservative. The biggest piece of the revenue comes from illicit and illegal online markets, per the report: $860 million, compared to the next highest figure — $500 million — coming from trade secret and intellectual property theft.

“The findings of Dr. McGuire’s research provide shocking insight into just how widespread and profitable cybercrime has become,” commented Gregory Webb, CEO of Bromium, the cybersecurity firm that sponsored the study. “The platform criminality model is productizing malware and making cybercrime as easy as shopping online. Not only is it easy to access cybercriminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as The Web of Profit continues to gain momentum.”

CYBER BILL ROUND-UP A couple smaller-scale defense cybersecurity-related bills have dropped in recent days. One, sponsored by Sen. Chris Coons and others, expands a program at technical standards agency NIST that aids small and medium-size manufacturers. The Hollings Manufacturing Extension Partnership program, which provides advice and other services to those manufacturers, would be able to offer new services to help defense industry suppliers mitigate cybersecurity risks, such as disseminating cyber threat information. “Small manufacturers are essential to the defense supply chain,” Coons said when he announced the legislation, saying the bill (S. 2666) was inspired by DoD rules put in place in December. “I’m very concerned that many of these manufacturers have not been able to implement the Department of Defense’s new cybersecurity requirements.”

Draft legislation introduced this week by House Armed Services Chairman Mac Thornberry would formally transfer elsewhere the personnel and responsibilities of an organization charged with defending 15,000 military computer networks. The bill would eliminate the Defense Information Systems Agency, and would transfer all of the responsibilities under Joint Force Headquarters-Department of Defense Information Network to Cyber Command. Thornberry told reporters that as of now, it looks as if those responsibilities are already transferred or on the way to being transferred.

— AND CYBER BILL COST: A bill recently approved by the House Small Business Committee that would have the feds help small businesses with cybersecurity would cost the federal government less than a half-million dollars each year, according to a new Congressional Budget Office analysis. The legislation (H.R. 3170) would set up a process for small-business development centers — organizations created by the Small Business Administration to provide technical assistance to small businesses — to offer cybersecurity training. That could include grants of up to $350,000 each year and other costs. “Based on that limit and using information from the SBA, CBO estimates that implementing the bill would cost less than $500,000 annually for the agency to develop training materials and to reimburse as many as 63 SBDCs; such spending would be subject to the availability of appropriated funds,” the CBO report states.

R.I.P., INTERNET TRAILBLAZER Internet pioneer Bob Braden recently passed away, the university where he last worked confirmed to MC. Braden, a computer scientist at the University of Southern California’s Information Sciences Institute since 1986 and before that at the University of California, Los Angeles; Stanford University; and Carnegie Mellon University, is credited with connecting the first supercomputer to the Advanced Research Projects Agency Network, the Defense Department forerunner of the internet, among his other contributions to developing the foundational structures of the internet. No information on the date of Braden’s passing or cause of death were immediately available.

RECENTLY ON PRO CYBERSECURITY — Facing legal trouble elsewhere, Trump’s longtime attorney Michael Cohen has dropped his libel suits against BuzzFeed and Fusion GPS over the Christopher Steele dossier. … Trump’s allies are worried Cohen might be open to cooperating with federal prosecutors against the president. … “The Department of Justice has delivered to Congress copies of former FBI Director James Comey's memos documenting his interactions with President Donald Trump, a move intended to avert a legal standoff between House Republicans and Deputy Attorney General Rod Rosenstein.”

TWEET OF THE DAY — 12D chess.

PEOPLE ON THE MOVE

Brittany Kaiser, former business development director at Cambridge Analytica, has become an executive advisory board member at IOVO, the company announced Thursday. IOVO bills itself as a collector and storer of user data based on a decentralized network that prevents others from accessing the info without consent.

QUICK BYTES

How North Korean hackers got good. The Wall Street Journal.

“The FBI has quietly solved a rash of bulk database thefts that affected 168 million users of some of the internet’s most popular websites, The Daily Beast has learned.”

DHS isn’t crazy about legislation creating a bug bounty program at the department. Nextgov.

“British cybersecurity expert faces hearing in U.S. ‘WannaCry’ case.” San Jose Mercury News.

A member of the Election Assistance Commission said the only good thing about Russia’s alleged 2016 election interference is that it finally put a focus on election security. CyberScoop.

Lots of shady Chrome ad blockers are installing malware. Motherboard.

The forensic tools that enable tracking of cryptocurrency criminals. MIT Technology Review.

“Facebook to put 1.5 billion users out of reach of new EU privacy law.” Reuters.

The GOP bought at least 17 domains to slam former FBI Director James Comey. Motherboard.

Russian propagandists have figured out how to evade being flagged by YouTube. NBC News.

Nine agencies have requested money from the new government-wide IT modernization fund. FCW.

That’s all for today. Seriously, a horror game where the Ewoks are the bone-chilling villains. And it WORKS.

Stay in touch with the whole team: Cory Bennett (cbennett@politico.com, @Cory_Bennett); Bryan Bender (bbender@politico.com, @BryanDBender); Eric Geller (egeller@politico.com, @ericgeller); Martin Matishak (mmatishak@politico.com, @martinmatishak) and Tim Starks (tstarks@politico.com, @timstarks).