with Bastien Inzaurralde
Jigsaw announced Wednesday that it would start providing political organizations free protection against direct denial of service attacks, which are designed to overload a target with fake traffic. The service, called Project Shield, essentially creates a filter that prevents this malicious traffic from reaching the protected website. It's part of the "Protect Your Election" initiative, a suite of cybersecurity tools offered by Jigsaw, now owned by Google's parent company Alphabet.
“What we’ve realized over the last couple years, seeing what happens during elections, is that DDoS attacks tend to spike,” said George Conard, Project Shield’s product manager. “We’re trying to understand what organizations that are vulnerable to digital attacks need and how we can keep them safer.”
Jigsaw has already been offering Project Shield free to journalists and human rights workers. Conard told me the decision to extend the service to political campaigns free of charge came out of the group’s research and conversations with election officials and others working on digital security during elections. Jigsaw already offers tools to protect against phishing and unauthorized access to email accounts, for instance.
As tech giants are increasingly under the spotlight in Washington, Alphabet isn't the only company proactively announcing some solutions to potential election interference. Facebook, under fire for running divisive ads filled with Kremlin-fed propaganda on its platform during the 2016 election, is teaming up with the Atlantic Council think tank on an effort to deter disinformation on the social media platform during elections, Axios reported Thursday.
The DDoS problem is already on full display. In the days leading up to the 2016 election, hackers launched a series of DDoS attacks against Hillary Clinton and Donald Trump's campaign websites. Neither site crashed, but the attempts mirrored other successful attacks that used publicly available malware to shut down several major websites, including Spotify and Twitter, earlier that year.
Just last week, cybersecurity researchers revealed that hackers with foreign IP addresses had bombarded an election website in Knox County, Tenn., with malicious traffic during the county primary on May 1. The website, which was displaying election night returns, crashed for about an hour before officials restored it.
Attacks such as those are designed to sow confusion by preventing people from getting the information they need at critical moments. “If you see that a website’s down you say, 'Wait, what’s going on?' It makes them seem less credible,' " Conard told me.
DDoS attacks are on the rise generally, and those that target political campaigns often come from attackers who want to intimidate an opposing candidate or cause, said Jose Nazario, director of security research at the cloud computing provider Fastly.
“As campaigns have moved online — whether to take donations, coordinate, or broadcast their message — it’s become a way to hit them directly,” said Nazario, who has studied politically motivated DDoS attacks. “They can be very effective at silencing an opposing voice.”
Unlike the complex cyberattacks the U.S. intelligence community says the Russian government mounted against Democratic political organizations in 2016, DDoS attacks are not very sophisticated. They are cheap and don’t require much technical skill to carry out.
But they're effective. Scores of websites offer ways to carry out these attacks for $20 or less. They work by hijacking Internet-connected devices and turning them into “bots” that cripple their targets with a flood of simultaneous Internet requests.
Even a relatively minor attack can take down a small organization’s website and cost thousands of dollars to defend against.
“When I think about the election space in the current climate,” Conard said, “anybody who’s unhappy with what they heard a local or national office candidate say can go into their living room, open their laptop and find somebody to launch an attack.”
DDoS attacks are also appealing because they’re difficult to trace, according to Nazario. “If you’re thinking, ‘I want to be anonymous with my outrage,’ that’s pretty attractive,” he said.
Political campaigns working on tight budgets don’t always have the technical expertise to protect themselves or the resources to hire large IT teams that can manage a sudden attack. Even well-funded campaigns tend to spend their money on other things, such as travel and office space.
So Jigsaw's offering may come in handy to a broad cross-section of candidates and groups. It’s not clear how many campaigns will take advantage of the free protections, but Conard says U.S. political organizations of all political stripes, including nonprofits, campaigns, candidates and political action committees, are welcome to sign up.
“Part of the goal is to build awareness and make sure candidates and campaigns are thinking about this threat early in the process,” Conard said. “We’re out to protect as many people as we can.”
| You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news. | |
| Not a regular subscriber? | |
|
PINGED, PATCHED, PWNED
PINGED: The intelligence community said it last year, and now the Senate Intelligence Committee is saying it too: Russia interfered in the 2016 election and sought to help Donald Trump get elected.
Sen. Richard Burr (R-N.C.), the panel's chairman, said in a statement that the committee has “no reason to dispute the conclusions” made by U.S. intelligence agencies about Russian meddling in the election.
“The Russian effort was extensive, sophisticated, and ordered by President [Vladimir] Putin himself for the purpose of helping Donald Trump and hurting Hillary Clinton,” said Sen. Mark R. Warner (D-Va.), the committee's vice chairman. “In order to protect our democracy from future threats, we must understand what happened in 2016.”
The Senate panel's conclusions differ on a specific point from the House Intelligence Committee's report that was published last month, The Washington Post's Karoun Demirjian reports. "The Senate committee’s findings clash with the House GOP’s determination that the intelligence community did not follow its own best practices in concluding the Kremlin favored Trump in the election. The dispute — and the questions it now raises about which record of events is most accurate — could complicate the Republican Party’s messaging heading into the 2018 election season."
PATCHED: Former Cambridge Analytica employee Christopher Wylie told the Senate Judiciary Committee on Wednesday that the scandal over the collection of private data by the now defunct political consultancy “is the canary in the coal mine.”
“We must address the digital echo chambers that are being exploited to algorithmically segregate American society,” Wylie said in his opening remarks. “Online communities should unite us and not divide us.”
Wylie said that "voter disengagement" was one of the services that the company offered in the United States. “My understanding was that this was targeted at African American voters,” he told senators.
PWNED: Years before the massive leak of CIA hacking tools to WikiLeaks in 2017, the intelligence agency missed a possible red flag about a former employee who is now the suspect in the case, the Daily Beast's Kevin Poulsen reports. The suspect, Joshua Adam Schulte, uploaded software code with the name “OSB Project Wizard” to the platform GitHub in 2013 but it appears that the code remained unnoticed, according to Poulsen.
“Then years later, the WikiLeaks Vault 7 release happened, and it included a brief description of a CIA project with the exact same name and purpose as Schulte’s code,” Poulsen writes. “It turns out OSB stands for the CIA’s 'Operational Support Branch'— the elite coding unit that makes the CIA’s hacking tools.”
The code that Schulte uploaded in 2013 isn't particularly sensitive, Poulsen writes. “But if the appearance of an internal CIA tool in a public GitHub account was overlooked in 2013, it would surely have gotten the FBI’s attention in 2017 as it looked for suspects in one of the largest CIA leaks in history,” he adds.
— More cybersecurity news:
PUBLIC KEY
— The Senate Intelligence Committee on Wednesday endorsed Gina Haspel, Trump's nominee for CIA director, in a 10-to-5 vote. Burr, the panel's chairman, said Haspel is “the most qualified person” Trump could have picked for the job. Haspel's endorsement by the committee now sets up “a floor vote that her opponents say will signal to the world whether the United States condemns or condones torture,” Demirjian writes.
— The controversy over Trump's recent comments about rescuing Chinese tech company ZTE isn't over yet. In an answer yesterday to a question by Sen. Patrick J. Leahy (D-Vt.) about ZTE, FBI Director Christopher A. Wray said the agency is “deeply concerned that any company beholden to foreign governments that don't share our values” would be reaching “positions of power” inside the U.S. telecommunications network.
“That gives them the capacity to maliciously modify or steal information,” Wray added. “That gives them the capacity to conduct undetected espionage. That gives them the capacity to exert pressure or exert control.”
— The Senate voted to reinstate net neutrality rules. Republican Sens. Susan Collins (Maine), Lisa Murkowski (Alaska) and John Neely Kennedy (La.) voted for the measure alongside Senate Democrats, giving it 52 votes to 47.
“The resolution targets the [Federal Communications Commission’s] vote in December to repeal its net neutrality rules for Internet providers,” The Post's Brian Fung writes. “If successful, the legislative gambit could restore the agency's regulations and hand a victory to tech companies, activists and consumer advocacy groups.”
Ajit Pai, the FCC's chairman, called Senate Democrats’ victorious vote “disappointing” in a statement. “But ultimately, I'm confident that their effort to reinstate heavy-handed government regulation of the Internet will fail,” he added.
— More news on ZTE and other government cybersecurity stories:
PRIVATE KEY
— Airports need to improve their cyberdefenses to be ready for a massive cyberattack, according to a report by PA Consulting Group released on Wednesday that examined four major airports.
"Threats come in many forms, and vary in the level of sophistication and motivation," the report says. "They range from low-skilled 'script kiddies' to highly skilled and motivated nation-states. Between these two extremes are other threat actors that can cause harm to an airport, including criminal organisations, disgruntled employees and hacktivists."
David Oliver, global transport security lead at PA Consulting Group, said airports should dedicate the same efforts to cybersecurity as they do to physical security. "If the industry does not act now, it will find itself at increased vulnerability to cyberattacks as new technologies become part of everyday operations," Oliver said in a statement accompanying the report.
— More cybersecurity news about the private sector:
THE NEW WILD WEST
— Facebook on Tuesday, basically: Our chief executive Mark Zuckerberg isn’t going to London to answer questions. Facebook on Wednesday: Sure, he’ll come to Brussels. The social network said yesterday that Zuckerberg will meet in private with key lawmakers of the European Parliament as soon as next week, The Post's Romm reports.
“Parliament’s priority is to ensure the proper functioning of the digital market, with a high level of protection for personal data, effective rules on copyright and the protection of consumer rights,” European Parliament President Antonio Tajani said in a statement. “Web giants must be responsible for the content they publish, including blatantly false news and illegal content.”
But the meeting is set to be in private rather than in a public setting, and that isn't going over too well among some in Europe, Romm reports.
From Guy Verhofstadt, leader of the Alliance of Liberals and Democrats for Europe group in the European Parliament:
I will not attend the meeting with Mr Zuckerberg if it’s held behind closed doors. It must be a public hearing – why not a Facebook Live? I strongly regret that the @EPPGroup has colluded with extreme right to keep everything behind closed doors. https://t.co/uYqEDlRtyo
— Guy Verhofstadt (@guyverhofstadt) May 16, 2018
— And while Zuckerberg is in Europe, French President Emmanuel Macron will have a “frank” discussion with him next week over taxes and data privacy, Reuters reports. Macron's office said Zuckerberg and the French head of state will meet at the presidential palace in Paris during a summit titled Tech for Good, according to Reuters.
“Macron will hold a one-on-one meeting with Zuckerberg, during which all subjects will be raised in 'very frank' discussions, the president’s office said,” Reuters reports.
Meanwhile, Zuckerberg has refused three times to answer questions from a committee in the British Parliament that is investigating fake news, the Guardian's Jennifer Rankin writes.
— More cybersecurity news from overseas:
CHAT ROOM
— The Senate Judiciary Committee on Wednesday released thousands of pages of documents related to a June 2016 meeting at Trump Tower between a Russian lawyer and Trump's son Donald Trump Jr., who was expecting to get potentially damaging information on Clinton as part of a Russian government effort to help his father's campaign.
"The new details of the June 9, 2016, meeting in Trump Tower are drawn from 2,500 pages of congressional testimony and exhibits that paint a vivid picture of how Donald Trump’s erstwhile Russian business partners collided with his presidential campaign in a single 20-minute meeting that has been a key focus of investigations by three congressional committees and special counsel Robert S. Mueller III," The Post's Rosalind S. Helderman and Demirjian report. Trump's son-in-law and adviser Jared Kushner and Trump's then-campaign chairman Paul Manafort were also at the meeting.
And some quotes from Rob Goldstone, a music promoter who helped organize the meeting, didn't go unnoticed on Twitter:
Rob Goldstone, always and forever. pic.twitter.com/ELXYigvxjV
— Chris Geidner (@chrisgeidner) May 16, 2018
This may be the best Q and A of Rob Goldstone yet pic.twitter.com/mmsdZR55hj
— Ben Jacobs (@Bencjacobs) May 16, 2018
He texted Emin Agalarov, the pop singer son of Russian billionaire developer Aras Agalarov:
Rob Goldstone explains to Emin Agalarov in a text why his involvement in the Trump Tower meeting hurts his career. pic.twitter.com/WR25FYzGll
— Philip Bump (@pbump) May 16, 2018
Robert Goldstone is an underrated character who was pushed out of last season's story far too soon by the, imho, narratively inferior Scaramucci. pic.twitter.com/WJnyt6blHW
— Susan Simpson (@TheViewFromLL2) May 16, 2018
ZERO DAYBOOK
Today
- House Intelligence Committee hearing on China’s military expansion.
- House Education Committee hearing on promoting data security in schools and states.
- House Ways and Means Committee hearing on the future of the Social Security number.
- National Security Telecommunications Advisory Committee's Cybersecurity Moonshot Subcommittee meeting.
- SecureWorld Houston conference.
- secureCISO San Francisco conference.
- Data Connectors Philadelphia Cybersecurity Conference.
Coming soon
- House Energy Committee hearing on quantum computing tomorrow.
- BSides Knoxville conference tomorrow.
- NolaCon conference from May 18 till May 20.
- HackMiami 2018 Hackers Conference from May 18 till May 20.
- Ignite '18 Cybersecurity Conference in Anaheim, Calif., from May 21 till May 24.
- House Energy Committee hearing on Internet of Things legislation on May 22.
- Senate Armed Services Subcommittee on Cybersecurity closed markup of the National Defense Authorization Act for fiscal year 2019 on May 22.
- Security Through Innovation Summit in Washington on May 22.
- GMU-AFCEA Symposium 2018 in Fairfax on May 22 and May 23.
EASTER EGGS
A "new" Rembrandt painting surfaces after going unknown for four centuries:
Massive ash plume rises from Kilauea volcano in Hawaii:
Putin fist-bumps hockey players on the ice: