It wasn’t the Democratic National Committee’s finest moment, at least from a public relations standpoint.
On Wednesday, the DNC revealed that it alerted the FBI about an unsuccessful attempt to hack its voter database, sparking fears that it was being targeted again by foreign adversaries. By the end of the day, however, the committee admitted it was a false alarm: The feared hack, it turned out, was actually a security test organized by a state party without the DNC’s knowledge.
But digital security experts say the episode should actually inspire confidence in the DNC’s cyberdefenses ahead of November. The committee and its cybersecurity contractors deserved praise, these experts said, for shutting down the mock hacking operation quickly and going public with it soon after.
“Ignore the smug and partisan sniping-to-come re: attempted DNC hack,” Thomas Rid, a security studies professor at Johns Hopkins University, wrote in a tweet. “A mock red-team attack that is closely held and quickly discovered is exactly what you want to happen. This is probably a good thing.”
The committee “deserves credit for going public with what it assumed was a real attempted attack,” he added in an email to me.
“The public voice of @DNC is their greatest weapon against nation state actors, and informing citizens about threats to voting is important,” tweeted Heather Adkins, Google’s director of information security. “We are in this together.”
The DNC initially described the operation as an attempt by unidentified hackers to create a fake log-in page for its VoteBuilder platform that would trick people into entering their usernames and passwords. It looked like the early stages of a spearphishing attack: the link to the fake site could have been emailed to DNC staffers in hopes of getting them to give away that information. Russian hackers used similar techniques in 2016 to infiltrate Democratic organizations and the Hillary Clinton campaign.
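The defensive counterpart to the scenario above is spotting a fake log-in page before its link reaches anyone's inbox, typically by watching new hostnames as they appear in certificate-transparency or URL feeds. The routine below is an added example written for this page; it is not Lookout's detection tool or anything the DNC or NGP used, and the protected hostname `votebuilder.example` and the candidate hostnames are constructed placeholders. It flags hosts that impersonate a brand through confusable characters, by embedding the brand in an unrelated registrable domain, or by a small edit distance.

```python
"""Lookalike-hostname triage for fake log-in pages.

Added example for this page; not Lookout's tool or any code used by the DNC.
Given the legitimate hostname of a log-in page and a feed of observed
hostnames, it flags hosts that impersonate the brand.
"""
import unicodedata

# Constructed placeholder for the protected service; not the real host.
LEGIT_HOST = "votebuilder.example"

# ASCII look-alikes commonly substituted for letters; folded before comparing.
# Full Unicode confusables (Unicode TR39 tables) are out of scope for this sketch.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalize_label(label):
    """Lower-case, strip combining marks, and fold ASCII confusables."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for lookalike, letter in CONFUSABLES.items():
        s = s.replace(lookalike, letter)
    return s


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); production code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(candidate, legit=LEGIT_HOST):
    """Verdicts: legit, other-tld, homoglyph, subdomain-impersonation,
    brand-embedded, typosquat, unrelated."""
    legit_reg = registrable_domain(legit)
    raw_brand = legit_reg.split(".")[0]
    brand = normalize_label(raw_brand)
    cand_reg = registrable_domain(candidate)
    if cand_reg == legit_reg:
        return "legit"  # any host under the real registrable domain
    raw_cand_brand = cand_reg.split(".")[0]
    cand_brand = normalize_label(raw_cand_brand)
    if raw_cand_brand == raw_brand:
        return "other-tld"  # same brand label registered under another suffix
    if cand_brand == brand:
        return "homoglyph"  # e.g. v0tebui1der.example
    labels = [normalize_label(l) for l in candidate.lower().split(".")]
    if brand in labels[:-2]:
        return "subdomain-impersonation"  # votebuilder.example.<attacker-domain>
    if brand in cand_brand:
        return "brand-embedded"  # votebuilder-login.<suffix>
    if levenshtein(cand_brand, brand) <= 2:
        return "typosquat"
    return "unrelated"


def triage(hosts, legit=LEGIT_HOST):
    """Map each suspicious host to its verdict, dropping legit and unrelated ones."""
    verdicts = {}
    for host in hosts:
        verdict = classify(host, legit)
        if verdict not in ("legit", "unrelated"):
            verdicts[host] = verdict
    return verdicts


if __name__ == "__main__":
    # Constructed sample feed; none of these hosts are real observations.
    sample_feed = [
        "login.votebuilder.example",
        "v0tebui1der.example",
        "votebuilder.example.evil-host.test",
        "votebuilder-login.test",
        "votebuidler.example",
        "example.com",
    ]
    for host, verdict in triage(sample_feed).items():
        print(f"{host:40s} {verdict}")
```

Each verdict maps to a different response: a homoglyph or typosquat registration is worth a takedown request and a mail-filter rule, while a brand label buried in a subdomain of an unrelated domain is the pattern a hosted credential-harvesting page most often takes. The naive suffix handling is the main gap; with the Public Suffix List in place the same logic handles multi-label suffixes correctly.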
The San Francisco-based security firm Lookout discovered it using a “phishing” detection tool and within hours notified the DNC, which in turn disclosed the matter to the FBI and the media. But late Wednesday night, DNC Chief Security Officer Bob Lord reversed course, as my colleague Ellen Nakashima reported:
“The test was conducted at the behest of the Michigan Democratic Party, using 'white-hat' security personnel with the group DigiDems, who provided their services to create the mock site, a Democratic official said. The state party did not notify the national committee or NGP, the firm that hosts the voter database, the official said. . . .
Michigan party officials told the DNC on Wednesday afternoon that they had ordered the test. They were ‘a little embarrassed, but they did the right thing and told us right away,’ said a DNC official, who spoke on the condition of anonymity because the matter remains sensitive. ‘They didn’t let it linger.’”
The DNC took a beating in some corners for the mix-up. The incident “makes it sound like the DNC doesn’t know how to tell the difference between serious and less serious intrusion attempts,” Josephine Wolff, an assistant professor of public policy and computing security at Rochester Institute of Technology, wrote in Slate. It also signaled that the committee might not “understand that security testing should, in fact, be both authorized and solicited by an organization,” she wrote.
But security professionals said the response should be held up as a success story, false alarms notwithstanding. From Geoff Belknap, chief security officer at Slack:
Exactly right. I’m not sure why so many people are dunking on the DNC for this.
This is exactly how it should work.
This is what “good” looks like. https://t.co/GnIzbq1WUS
— Geoff Belknap (@geoffbelknap) August 23, 2018
Michael Coates, Twitter’s former chief information security officer:
Very interesting series of events. Reinforces one the most important elements of security - (1) ability to detect and (2) speed of response. You can't address a problem you don't see and it's no help to see it months later.
So great work to all involved to spot and react fast! https://t.co/67cv4sCplO
— Michael Coates (@_mwc) August 23, 2018
And Maurice Turner, senior technologist at the Center for Democracy and Technology:
Better safe than sorry. We need more examples of defense in action reported to the public, even if it means false alarms.— Maurice Turner (@TypeMRT) August 23, 2018
While it might not have been the most well-executed test, given that state party officials created a panic by leaving their DNC counterparts in the dark, the episode offered valuable lessons for political organizations as they try to harden their defenses against a new wave of bad actors, said Steve Grobman, chief technology officer at McAfee.
“It is a positive sign that we see political organizations taking these steps as part of their overall strategy,” he told me. “Political organizations need strong cyberdefense given the sophistication of the adversaries that are targeting them. They should be sure to not only test individual responses with simulated phishing attacks, but also test their cyberdefense teams with a wide range of scenarios.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Tech giants in Silicon Valley continue to unearth online accounts linked to Iran. Google announced Thursday that it shut down 39 YouTube channels with more than 13,000 views in the United States, six blogs on Blogger and 13 Google Plus accounts that had ties to the Islamic Republic of Iran Broadcasting, The Washington Post's Tony Romm reported. “Actors engaged in this type of influence operation violate our policies, and we swiftly remove such content from our services and terminate these actors’ accounts,” Kent Walker, senior vice president of global affairs at Google, wrote in a blog post. “Additionally, we use a number of robust methods, including IP blocking, to prevent individuals or entities in Iran from opening advertising accounts.” Walker said the accounts that Google terminated shared political content in English in the United States.
“Google also revealed Thursday it took down 42 additional channels on YouTube that had ties to the Russian government’s online troll army, called the Internet Research Agency, since the company testified to Congress in November,” Tony writes. The 42 YouTube channels linked to the IRA had 58 political videos in English, Walker wrote in the blog post. In total, those 58 videos had amassed fewer than 1,800 views in the United States. Additionally, Walker said that Google in recent months has “blocked attempts by state-sponsored actors in various countries to target political campaigns, journalists, activists, and academics located around the world.”
PATCHED: “Reality Winner, the former Air Force linguist and intelligence contractor who pleaded guilty in June to leaking a top-secret government report on Russian hacking, was sentenced on Thursday to five years and three months in federal prison,” the New York Times's Dave Philipps reported. “Ms. Winner, 26, is the first person to be sentenced under the Espionage Act since President Trump took office. Prosecutors said her sentence was the longest ever imposed in federal court for an unauthorized release of government information to the media.”
Bobby L. Christine, U.S. attorney for the Southern District of Georgia, said in a statement that Winner's actions jeopardized intelligence work. “This defendant used her position of trust to steal and divulge closely guarded intelligence information,” Christine said. “Her betrayal of the United States put at risk sources and methods of intelligence gathering, thereby offering advantage to our adversaries.” The classified report that Winner leaked to the Intercept last year while working as a National Security Agency contractor contained information about Russian intelligence hacking against local election officials and voter registration databases, the Times reported.
Betsy Reed, the Intercept's editor in chief, called Winner “a conscience-driven whistleblower” and said the information she leaked to the news outlet helped raise awareness about election security. “The vulnerability of the American electoral system is a national topic of immense gravity, but it took Winner’s act of bravery to bring key details of an attempt to compromise the democratic process in 2016 to public attention,” Reed said in a statement. Reed also said that First Look Media, which is the Intercept's parent company, contributed financially to Winner's legal defense. “Addressing Chief Judge J. Randall Hall in court on Thursday, Ms. Winner said she took ‘full responsibility’ for the ‘undeniable mistake I made.’ She said she ‘would like to apologize profusely' for her actions,” the Times's Philipps wrote.
PWNED: Four lawmakers on the Senate Armed Services Committee told Defense Secretary Jim Mattis that they worry about “the cybersecurity risks posed to Department of Defense (DoD) information held by defense contractors.” Sens. John McCain (R-Ariz.), the committee's chairman, Jack Reed (R.I.), the panel's ranking Democrat, Mike Rounds (R-S.D.), the cybersecurity subcommittee's chairman, and Bill Nelson (Fla.), the subcommittee's top Democrat, said they “were alarmed” after my colleagues Ellen Nakashima and Paul Sonne reported in June that Chinese government hackers stole sensitive data about undersea warfare from a Navy contractor in January and February. The letter is dated July 27 but was not provided to news outlets until Thursday.
The senators told Mattis that following the publication of The Post article, the committee “gathered information that suggests DoD simply is not doing enough to protect controlled unclassified government information.” Among their concerns, the lawmakers mentioned defense contracts that fail to comply with cybersecurity standards and computer networks that don't rely on multi-factor authentication. “Time is of the essence to do more to defend the controlled unclassified information held by our defense contractors,” McCain, Reed, Rounds and Nelson said. “Action is needed now to improve compliance with existing regulations and best practices, as well as increase the cybersecurity standards for defense contractors, with a single DoD official in charge.”
— National security adviser John Bolton on Thursday said he told Nikolai Patrushev, his Russian counterpart, that Russia ought not to try interfering in the 2018 midterm elections. “ ‘I made it clear we wouldn’t tolerate (election) meddling in 2018 and that we were prepared to take necessary steps to prevent it from happening,’ Bolton told a news conference after more than five hours of talks with Patrushev in Geneva,” Reuters's Stephanie Nebehay and Babak Dehghanpisheh reported.
— The postponement of a Senate Rules and Administration Committee meeting to consider the Secure Elections Act this week was the result of White House opposition to the legislation, according to Yahoo News's Alexander Nazaryan. “In a statement to Yahoo News, White House spokeswoman Lindsay Walters says that while the administration ‘appreciates Congress’s interest in election security, [the Department of Homeland Security] has all the statutory authority it needs to assist state and local officials to improve the security of existing election infrastructure,’” Nazaryan wrote.
The Secure Elections Act would require post-election audits and would aim to streamline the way federal and state officials share information about threats to election systems. The bill would also require backup paper ballots for states that want to receive federal election funding to buy voting equipment. The White House did not say which provisions of the bill it opposes, Nazaryan reported. “We cannot support legislation with inappropriate mandates or that moves power or funding from the states to Washington for the planning and operation of elections,” Walters told Yahoo News.
Additionally, the Hill's Olivia Beavers reported that Sen. James Lankford (R-Okla.), who has promoted the bill for several months alongside Sen. Amy Klobuchar (D-Minn.), denied claims by Sen. Jeff Merkley (D-Ore.) that the bill stalled because the White House opposed it. “The White House was pretty clear with me yesterday at the end of the day: ‘That was not us trying to kill this,’” Lankford said Thursday, as quoted by the Hill.
— “An American Muslim woman has formally asked a federal judge to force border officials to delete data copied from her iPhone 6S Plus, months after it was seized from her when she landed at Newark International Airport in February 2018 while returning from a trip abroad,” Ars Technica's Cyrus Farivar reported on Thursday.
— “Representatives from a host of the biggest US tech companies, including Facebook and Twitter, have scheduled a private meeting for Friday to share their tactics in preparation for the 2018 midterm elections,” Buzzfeed News's Kevin Collier reported on Thursday. “Last week, Facebook’s head of cybersecurity policy, Nathaniel Gleicher, invited employees from a dozen companies, including Google, Microsoft, and Snapchat, to gather at Twitter’s headquarters in downtown San Francisco, according to an email obtained by BuzzFeed News.”
— “A massive trove of voter records containing personal information on millions of Texas residents has been found online,” TechCrunch's Zack Whittaker reported Thursday. “The data — a single file containing an estimated 14.8 million records — was left on an unsecured server without a password. Texas has 19.3 million registered voters.” TechCrunch reported that much of the information that was left on the server is public. “It’s not clear who owned the server where the exposed file was found, but an analysis of the data reveals that it was likely originally compiled by Data Trust, a Republican-focused data analytics firm created by the GOP to provide campaigns with voter data,” Whittaker wrote.