The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Google wants to help political groups fight these cheap but disruptive cyberattacks

with Bastien Inzaurralde


With midterm elections on the horizon, policymakers in Washington are fixated on preventing the kind of sophisticated cyberattacks and highly targeted influence operations that rocked the 2016 presidential election.

On the other coast, a Google-founded technology incubator is offering political campaigns a free tool to defend against a simpler kind of cyberattack it says could also prove a serious threat to the democratic process.

Jigsaw announced Wednesday that it would start providing political organizations free protection against direct denial of service attacks, which are designed to overload a target with fake traffic. The service, called Project Shield, essentially creates a filter that prevents this malicious traffic from reaching the protected website. It's part of the "Protect Your Election" initiative, a suite of cybersecurity tools offered by Jigsaw, now owned by Google's parent company Alphabet. 

“What we’ve realized over the last couple years, seeing what happens during elections, is that DDoS attacks tend to spike,” said George Conard, Project Shield’s product manager. “We’re trying to understand what organizations that are vulnerable to digital attacks need and how we can keep them safer.”

Jigsaw has already been offering Project Shield free to journalists and human rights workers. Conard told me the decision to extend the service to political campaigns free of charge came out of the group’s research and conversations with election officials and others working on digital security during elections. Jigsaw already offers tools to protect against phishing and unauthorized access to email accounts, for instance.  

As tech giants are increasingly under the spotlight in Washington, Alphabet isn't the only company proactively announcing some solutions to potential election interference. Facebook, under fire for running divisive ads filled with Kremlin-fed propaganda on its platform during the 2016 election, is teaming up with the Atlantic Council think tank on an effort to deter disinformation on the social media platform during elections, Axios reported Thursday. 

The DDoS problem is already on full display. In the days leading up to the 2016 election, hackers launched a series of DDoS attacks against Hillary Clinton and Donald Trump's campaign websites. Neither site crashed, but the attempts mirrored other successful attacks that used publicly available malware to shut down several major websites, including Spotify and Twitter, earlier that year. 

Just last week, cybersecurity researchers revealed that hackers with foreign IP addresses had bombarded an election website in Knox County, Tenn., with malicious traffic during the county primary on May 1. The website, which was displaying election night returns, crashed for about an hour before officials restored it.

Attacks such as those are designed to sow confusion by preventing people from getting the information they need at critical moments. “If you see that a website’s down you say, 'Wait, what’s going on?' It makes them seem less credible,' " Conard told me. 

DDoS attacks are on the rise generally, and those that target political campaigns often come from attackers who want to intimidate an opposing candidate or cause, said Jose Nazario, director of security research at the cloud computing provider Fastly

“As campaigns have moved online — whether to take donations, coordinate, or broadcast their message — it’s become a way to hit them directly,” said Nazario, who has studied politically motivated DDoS attacks. “They can be very effective at silencing an opposing voice.” 

Unlike the complex cyberattacks the U.S. intelligence community says the Russian government mounted against Democratic political organizations in 2016, DDoS attacks are not very sophisticated. They are cheap and don’t require much technical skill to carry out.

But they're effective. Scores of websites offer ways to carry out these attacks for $20 or less. They work by hijacking Internet-connected devices and turning them into “bots” that cripple their targets with a flood of simultaneous Internet requests.

Even a relatively minor attack can take down a small organization’s website and cost thousands of dollars to defend against.

“When I think about the election space in the current climate,” Conard said, “anybody who’s unhappy with what they heard a local or national office candidate say can go into their living room, open their laptop and find somebody to launch an attack.” 

DDoS attacks are also appealing because they’re difficult to trace, according to Nazario. “If you’re thinking, ‘I want to be anonymous with my outrage,’ that’s pretty attractive,” he said.

Political campaigns working on tight budgets don’t always have the technical expertise to protect themselves or the resources to hire large IT teams that can manage a sudden attack. Even well-funded campaigns tend to spend their money on other things, such as travel and office space.

So Jigsaw's offering may come in handy to a broad cross-section of candidates and groups. It’s not clear how many campaigns will take advantage of the free protections, but Conard says U.S. political organizations of all political stripes, including nonprofits, campaigns, candidates and political action committees, are welcome to sign up. 

“Part of the goal is to build awareness and make sure candidates and campaigns are thinking about this threat early in the process,” Conard said. “We’re out to protect as many people as we can.”


PINGED: The intelligence community said it last year, and now the Senate Intelligence Committee is saying it too: Russia interfered in the 2016 election and sought to help Donald Trump get elected.

Sen. Richard Burr (R-N.C.), the panel's chairman, said in a statement that the committee has “no reason to dispute the conclusions” made by U.S. intelligence agencies about Russian meddling in the election.

“The Russian effort was extensive, sophisticated, and ordered by President [Vladimir] Putin himself for the purpose of helping Donald Trump and hurting Hillary Clinton,” said Sen. Mark R. Warner (D-Va.), the committee's vice chairman. “In order to protect our democracy from future threats, we must understand what happened in 2016.”

The Senate panel's conclusions differ on a specific point from the House Intelligence Committee's report that was published last month, The Washington Post's Karoun Demirjian reports. "The Senate committee’s findings clash with the House GOP’s determination that the intelligence community did not follow its own best practices in concluding the Kremlin favored Trump in the election. The dispute — and the questions it now raises about which record of events is most accurate — could complicate the Republican Party’s messaging heading into the 2018 election season."

Christopher Wylie, the Cambridge Analytica whistleblower, testified before the Senate Judiciary Committee about how the company manipulated Facebook data. (Video: Reuters)

PATCHED: Former Cambridge Analytica employee Christopher Wylie told the Senate Judiciary Committee on Wednesday that the scandal over the collection of private data by the now defunct political consultancy “is the canary in the coal mine.”

“We must address the digital echo chambers that are being exploited to algorithmically segregate American society,” Wylie said in his opening remarks. “Online communities should unite us and not divide us.”

Wylie said that "voter disengagement" was one of the services that the company offered in the United States. “My understanding was that this was targeted at African American voters,” he told senators. 

PWNED: Years before the massive leak of CIA hacking tools to WikiLeaks in 2017, the intelligence agency missed a possible red flag about a former employee who is now the suspect in the case, the Daily Beast's Kevin Poulsen reports. The suspect, Joshua Adam Schulte, uploaded software code with the name “OSB Project Wizard” to the platform GitHub in 2013 but it appears that the code remained unnoticed, according to Poulsen.

“Then years later, the WikiLeaks Vault 7 release happened, and it included a brief description of a CIA project with the exact same name and purpose as Schulte’s code,” Poulsen writes. “It turns out OSB stands for the CIA’s 'Operational Support Branch'— the elite coding unit that makes the CIA’s hacking tools.”

The code that Schulte uploaded in 2013 isn't particularly sensitive, Poulsen writes. “But if the appearance of an internal CIA tool in a public GitHub account was overlooked in 2013, it would surely have gotten the FBI’s attention in 2017 as it looked for suspects in one of the largest CIA leaks in history,” he adds.

— More cybersecurity news:

Justice Dept. inspector general finishes draft of report on Clinton email case (Matt Zapotosky and Devlin Barrett)

Code Name Crossfire Hurricane: The Secret Origins of the Trump Investigation (The New York Times)


— The Senate Intelligence Committee on Wednesday endorsed Gina Haspel, Trump's nominee for CIA director, in a 10-to-5 vote. Burr, the panel's chairman, said Haspel is “the most qualified person” Trump could have picked for the job. Haspel's endorsement by the committee now sets up “a floor vote that her opponents say will signal to the world whether the United States condemns or condones torture,” Demirjian writes.

— The controversy over Trump's recent comments about rescuing Chinese tech company ZTE isn't over yet. In an answer yesterday to a question by Sen. Patrick J. Leahy (D-Vt.) about ZTE, FBI Director Christopher A. Wray said the agency is “deeply concerned that any company beholden to foreign governments that don't share our values” would be reaching “positions of power” inside the U.S. telecommunications network.

“That gives them the capacity to maliciously modify or steal information,” Wray added. “That gives them the capacity to conduct undetected espionage. That gives them the capacity to exert pressure or exert control.”

The Senate voted 52 to 47 on May 16 to reverse the Federal Communications Commission decision in December, 2017, to repeal neutrality rules. (Video: Reuters)

— The Senate voted to reinstate net neutrality rules. Republican Sens. Susan Collins (Maine), Lisa Murkowski (Alaska) and John Neely Kennedy (La.) voted for the measure alongside Senate Democrats, giving it 52 votes to 47.

“The resolution targets the [Federal Communications Commission’s] vote in December to repeal its net neutrality rules for Internet providers,” The Post's Brian Fung writes. “If successful, the legislative gambit could restore the agency's regulations and hand a victory to tech companies, activists and consumer advocacy groups.”

Ajit Pai, the FCC's chairman, called Senate Democrats’ victorious vote “disappointing” in a statement. “But ultimately, I'm confident that their effort to reinstate heavy-handed government regulation of the Internet will fail,” he added.

— More news on ZTE and other government cybersecurity stories:

Trump links ZTE rescue to larger trade talks with China, contradicting top aides (Damian Paletta)

Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US (Motherboard)

NIST seeks to apply cyber framework to widely used medical patient imaging devices (Inside Cybersecurity)


— Airports need to improve their cyberdefenses to be ready for a massive cyberattack, according to a report by PA Consulting Group released on Wednesday that examined four major airports.

"Threats come in many forms, and vary in the level of sophistication and motivation," the report says. "They range from low-skilled 'script kiddies' to highly skilled and motivated nation-states. Between these two extremes are other threat actors that can cause harm to an airport, including criminal organisations, disgruntled employees and hacktivists."

David Oliver, global transport security lead at PA Consulting Group, said airports should dedicate the same efforts to cybersecurity as they do to physical security. "If the industry does not act now, it will find itself at increased vulnerability to cyberattacks as new technologies become part of everyday operations," Oliver said in a statement accompanying the report.

— More cybersecurity news about the private sector:


— Facebook on Tuesday, basically: Our chief executive Mark Zuckerberg isn’t going to London to answer questions. Facebook on Wednesday: Sure, he’ll come to Brussels. The social network said yesterday that Zuckerberg will meet in private with key lawmakers of the European Parliament as soon as next week, The Post's Romm reports.

“Parliament’s priority is to ensure the proper functioning of the digital market, with a high level of protection for personal data, effective rules on copyright and the protection of consumer rights,” European Parliament President Antonio Tajani said in a statement. “Web giants must be responsible for the content they publish, including blatantly false news and illegal content.”

But the meeting is set to be in private rather than in a public setting, and that isn't going over too well among some in Europe, Romm reports.

From Guy Verhofstadt, leader of the Alliance of Liberals and Democrats for Europe group in the European Parliament:

— And while Zuckerberg is in Europe, French President Emmanuel Macron will have a “frank” discussion with him next week over taxes and data privacy, Reuters reports. Macron's office said Zuckerberg and the French head of state will meet at the presidential palace in Paris during a summit titled Tech for Good, according to Reuters.

“Macron will hold a one-on-one meeting with Zuckerberg, during which all subjects will be raised in 'very frank' discussions, the president’s office said,” Reuters reports.

Meanwhile, Zuckerberg has refused three times to answer questions from a committee in the British Parliament that is investigating fake news, the Guardian's Jennifer Rankin writes.

— More cybersecurity news from overseas:

Mexico central bank says hackers siphoned $15 million from five companies (Reuters)

Accused 'Dark Overlord' hacker arrested in Serbia (CyberScoop)


— The Senate Judiciary Committee on Wednesday released thousands of pages of documents related to a June 2016 meeting at Trump Tower between a Russian lawyer and Trump's son Donald Trump Jr., who was expecting to get potentially damaging information on Clinton as part of a Russian government effort to help his father's campaign.  

"The new details of the June 9, 2016, meeting in Trump Tower are drawn from 2,500 pages of congressional testimony and exhibits that paint a vivid picture of how Donald Trump’s erstwhile Russian business partners collided with his presidential campaign in a single 20-minute meeting that has been a key focus of investigations by three congressional committees and special counsel Robert S. Mueller III," The Post's Rosalind S. Helderman and Demirjian report. Trump's son-in-law and adviser Jared Kushner and Trump's then-campaign chairman Paul Manafort were also at the meeting. 

And some quotes from Rob Goldstone, a music promoter who helped organize the meeting, didn't go unnoticed on Twitter:  

He texted Emin Agalarov, the pop singer son of Russian billionaire developer Aras Agalarov: 



Coming soon


A "new" Rembrandt painting surfaces after going unknown for four centuries:

Dutch art dealer Jan Six bought "Portrait of a Young Gentleman" at a London auction in 2016. He then spent more than a year accumulating proof that it was real. (Video: Reuters)

Massive ash plume rises from Kilauea volcano in Hawaii:

The Halemaumau Crater of Hawaii's Kilauea volcano emitted a large ash plume on May 15. (Video: Timothy Bryan)

Putin fist-bumps hockey players on the ice:

President Vladimir Putin took to the ice on May 10 in Sochi, Russia, in the closing stages of the seventh Russian National Amateur Ice Hockey Teams' Festival. (Video: Reuters)