Tech companies are taking a more transparent approach than usual in disclosing cyberthreats against their platforms -- especially when it comes to election interference.
One high-profile example came this week when Microsoft announced that Russian hackers tried to use the company’s domains to launch phishing attacks on U.S. political institutions. The company also revealed recently that hackers had used similar means to target 2018 congressional candidates. And just last month, Facebook said that it had uncovered a sophisticated political disinformation campaign involving nearly two dozen fraudulent pages and profiles.
The disclosures are not just limited to U.S. election threats. Late Tuesday, Facebook announced that it had identified new social media influence campaigns — one backed by the Iranian government, another linked to Russian military intelligence — and removed hundreds of fraudulent accounts that it said were designed to manipulate users in other countries around the globe.
Proactively sharing details about these kinds of threats is a change in strategy that’s politically expedient for the industry. Washington is scrambling to mount a coordinated response to Russian cyberthreats, and Congress has hammered tech giants for not doing more to curb bad actors on their platforms. Lawmakers and agencies such as the Federal Trade Commission are also mulling regulations that would require companies to notify customers about intrusions into their networks and other security lapses.
By communicating that they’re paying attention — and have a plan — companies can signal that they don't need intensive monitoring or restrictions from the government, some experts say.
“It’s a corporate win-win,” said Andrea Matwyshyn, a Northeastern University law professor specializing in technology policy. “There’s no downside for companies in trying to defend their customers and trying to forestall legislation that might require that they adjust their structures. And it’s obviously a benefit to defend their brand if criminals are abusing their goodwill.”
Microsoft revealed Monday that the Russian government-affiliated hacking group APT28 had created fake versions of websites in what appeared to be a phishing scheme designed to get victims to open malicious emails, as my colleagues Elizabeth Dwoskin and Craig Timberg reported. The fake sites included three crafted to look like they were affiliated with the Senate and others that mimicked public policy groups. The company got a court order to seize the domains and said it found no evidence that the hackers had actually used the sites in attacks.
Microsoft President Brad Smith told my colleagues that the tech industry was seeking to become more transparent with the public. He said Microsoft’s sleuths had tracked the hackers for two years but decided to speak publicly out of a sense of urgency and because of an uptick in Russian activity going into the midterms. “When there are facts that are clear as day, for those of us who operate inside companies, increasingly we feel it’s an imperative for us to share this more broadly with the public,” Smith said.
Disclosing such threats is one of many ways tech companies are trying to stay ahead of the curve as Moscow continues with the interference operations that rocked the 2016 election, said Noah Theran, a spokesman for the Internet Association, a lobbying group that represents Microsoft and other tech companies.
“There were many lessons learned coming out of the 2016 election, and Internet companies are committed to doing their part to ensure foreign actors can’t misuse online platforms or services,” he told me.
But companies still get hacked far more often than they admit, meaning true transparency may be a long way away, said Sascha Meinrath, founder of the technology policy think tank X-Lab. “Microsoft, to give them the benefit of the doubt, is trying to ameliorate concerns that they’re unaware of things like hacking attempts, while still attempting to downplay the fact that they get hacked all the time,” he told me. “It’s necessary to let people know when information has been falsified and when hacking is suspected. On the other hand, this is the .001 percent of it.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The Iranian influence operation Facebook revealed Tuesday night "dated to 2011 and had ties to state media operations in that country... involving hundreds of accounts on both Facebook and its sister site, Instagram," my colleagues Craig Timberg, Elizabeth Dwoskin, Tony Romm and Ellen Nakashima reported. "It also spread to Twitter and YouTube, with accounts that both companies said they also removed. The fake Iranian accounts bought ads on Facebook and used it to organize events."
It also reached other online platforms. “On the heels of Facebook’s revelations Tuesday evening, Twitter also said that the company had removed 284 accounts for engaging in ‘coordinated manipulation,’” Craig, Elizabeth, Tony and Ellen reported. “Twitter said the accounts also appeared to originate from Iran. YouTube, which belongs to Google, removed at least one account tied to Iran, Google said.”
"Facebook also deleted some unrelated fake accounts originating in Russia, which has been the main focus of reporting on disinformation operations targeting the United States. Tuesday night’s revelations were unusual because the disinformation targeted people in many countries -- in the Middle East and Latin America, as well as Britain and the United States, Facebook said -- and involved a nation-state actor other than Russia," my colleagues write.
PATCHED: Sen. Sheldon Whitehouse (D-R.I.) said during a Senate hearing Tuesday that he doubted that businesses know which government agencies they should contact to inquire about “hacking back” and questioned witnesses from the public and private sector about the feasibility of allowing such a practice.
“Let me ask you specifically about the question of companies being able to hack back and defend themselves,” Whitehouse told Thomas A. Fanning, the chairman, president and chief executive of utility giant Southern Company, during a hearing on the Senate Judiciary subcommittee on crime and terrorism. “I am not sure that that's a good idea. I am also not sure that it's not a good idea. The default proposition right now is that's not a good idea because I don't see that there's any place that somebody like you could go to get a meaningful decision out of the government on that point.”
Fanning replied with an explanation that included metaphors of “trout fishing in a river,” “fish DNA” and “a bathtub” before concluding that he thought the “fire back capability” should rest with federal agencies such as the Defense Department and U.S. Cyber Command. “That's not our job,” Fanning said.
Whitehouse also asked officials from DHS, the Justice Department and the Office of the Director of National Intelligence for a written answer on how private businesses could seek permission from the government to hack back. “I'd like your written responses to where a private-sector actor could go to get [an] answer, which would have to be an interagency answer ultimately, to that question,” Whitehouse said.
PWNED: Sen Bill Nelson's (D-Fla.) comments two weeks ago about threats to election security in Florida continue to reverberate. In a letter to Florida Secretary of State Ken Detzner dated Aug. 20, DHS Secretary Kirstjen Nielsen and FBI Director Christopher A. Wray said they “have not seen any new or ongoing compromises of state or local election infrastructure in Florida.” The statement stands in contrast with Nelson's claims to the Tampa Bay Times this month that Russian hackers “have already penetrated certain counties in the state and they now have free rein to move about.” Nielsen and Wray also noted in their letter that “Russian government actors have previously demonstrated both the intent and capability to conduct malicious cyber operations.”
Ryan Brown, a spokesman for Nelson, said Nielsen and Wray's letter does not contradict the senator's comments and criticized the reaction of Florida Gov. Rick Scott (R), who is running to unseat Nelson, over the episode. “In my opinion, there’s nothing in this letter that contradicts what Sen. Nelson said he was told a few months ago, and what he and Sen. [Marco] Rubio have tried to warn about in order to guard against Russian meddling in our elections,” Brown said in an emailed statement. “The governor of Florida has a security clearance and could have quickly and directly received information, answers and posed any questions instead of engaging in these confusing and partisan histrionics of the past week.”
In a statement released Tuesday, Scott chided Nelson and said he has provided no evidence for his allegations. “It is irresponsible and reckless that Bill Nelson would attempt to undermine the voters’ confidence in their county elections systems by making confusing statements while campaigning and then walking away with absolutely no explanation,” Scott said.
— More than a third of the $380 million that Congress set aside this year for states to upgrade their election systems is being directed toward cybersecurity improvements, the Election Assistance Commission announced in a news release on Tuesday. The commission released plans outlining how 48 of the 55 states and territories that received their portion of the funding plan to use the money. The commission said that about 36 percent of the federal funds will be spent by 41 states and territories to strengthen election cybersecurity. “Just five months after Congress appropriated these vital funds, states and territories have money in the bank and new plans in place to protect the security, accessibility and efficiency of federal elections,” Thomas Hicks, the commission's chairman, said in a statement. The plans that the EAC received indicate that most states intend to spent their share of the funding within the next two to three years, according to the commission's news release.
— A Democratic bill in the Senate that would require paper ballots and risk-limiting audits in all federal elections picked up the support of Democratic Sens. Brian Schatz (Hawaii), Cory Booker (N.J.) and Richard Blumenthal (Conn.) on Tuesday. Democratic Sens. Ron Wyden (Ore.), Kirsten Gillibrand (N.Y.) Edward J. Markey (Mass.), Jeff Merkley (Ore.), Patty Murray (Wash.) and Elizabeth Warren (Mass.) introduced the Protecting American Votes and Elections Act of 2018 in June. “Protecting our elections from cyberattacks isn’t complicated,” Schatz said in a statement. “Every state should move back to using paper ballots. It’s that simple.”
— “Faced with new evidence that Russian hackers are targeting conservative American research groups and the Senate’s own web pages, key lawmakers from both parties signaled on Tuesday that they were ready to move forward with punishing new sanctions legislation capable of crippling the Russian economy,” the New York Times's Nicholas Fandos and Catie Edmondson reported. “And in three separate hearings on Capitol Hill, senators prodded the Trump administration to do more with its existing authorities to deter Russia and protect American political infrastructure.”
The Times reported that tensions rose during the hearings as senators expressed frustration about answers from administration officials that they found too vague. “‘One of the things I thought would come from this hearing is a recommendation or a set of recommendations of what Congress might consider legislatively for additional sanctions,’ Senator Jerry Moran, Republican of Kansas, said at the Banking Committee hearing,” Fandos and Edmondson wrote. “‘Am I to take from your unwillingness to answer that kind of question that there is opposition by the administration to additional sanctions?’ ”
During a hearing on the Senate Judiciary subcommittee on crime and terrorism, a senior Department of Homeland Security official said it would be “exceedingly complex” for Russian hackers to manipulate election results in the 2018 midterms. “Our assessment is that it would be exceedingly complex to change vote totals in that in trying, attempting to do so, [it is] likely that something would be noticed,” Robert Kolasky, director of DHS's National Risk Management Center, said in response to a question from Sen. Lindsey O. Graham (R-S.C.). Kolasky added that voter registration databases are more vulnerable to hacking than election results.
— Separately yesterday, the Treasury Department announced sanctions related to Russian cyber activities. “The United States on Tuesday imposed sanctions on two Russians, one Russian company and one Slovakian company for what Washington said were their actions to help another Russian company avoid sanctions over the country’s malicious cyber-related activities,” Reuters reported.
— More cybersecurity news from the public sector:
- Senate Rules and Administration Committee business meeting about the Secure Elections Act.
How one Tuesday in August became pivotal to Trump’s presidency:
McConnell demurs on Russia sanctions bill before midterms:
U.S. deports accused ex-Nazi guard to Germany: