The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Keep calm and trust the feds on Election Day, national security officials tell states

with Bastien Inzaurralde


With midterm races in the home stretch and the 2020 presidential election on the horizon, a pair of top national security officials have a message for state election administrators: Trust us when we warn you about cyberthreats. 

William Evanina, director of the National Counterintelligence and Security Center, and Christopher Krebs, the Department of Homeland Security’s cybersecurity chief, urged state officials to keep their lines open to the feds as Election Day approaches and the possibility of an attack on their systems looms large.

“At some point in your future, next month or 2020, there will be a piece of intelligence that comes so fast and furious in the community, the phone call will be made to Chris that will tell him, ‘Hey, this happened and we need to act,’ ” Evanina said Wednesday at an election security summit on Capitol Hill with state leaders and members of Congress. “Chris will pick up the phone and call a state and say, ‘You need to do something.’ And you have to trust Chris.” 

State and federal officials insist they’ve made vast improvements in the way they share threat information since the 2016 election, when a lack of coordination between state offices and the government’s sprawling intelligence bureaucracy prevented them from getting a clear picture of Russia’s interference campaign and responding accordingly. But the remarks from Evanina and Krebs show that a potential communication breakdown remains a top concern. And the November midterms will represent a critical test for how much those relationships have improved.

In the wake of the 2016 election, many states bristled at the idea of the federal government taking a greater role in election security, said Krebs, the head of the National Protection and Programs Directorate, DHS's main cybersecurity unit. The department, he said, got “a number of love letters, or hate mail, or however you want to describe it” from state officials angry about the Obama administration’s abrupt decision to designate election systems as critical infrastructure, which tasked DHS with protecting voting machines and election equipment from digital and physical threats in the same way they protect power plants and hospitals. Many state officials viewed the move as overreach by the federal government. 

It was a challenge to convince states to take action on the government's warnings about cyberthreats because the right communication channels didn’t exist, Krebs said. Nor did NPPD have the credibility or name recognition among states when officials came to them with warnings about vulnerabilities or malicious activity. “Back in 2016 when the phone calls were made, saying, ‘Hey, look, we're seeing something. There's something go on in your network. I need you to take action. By the way, you have no idea who I am, you've never heard of NPPD, you've never heard who the leadership was at the time, but I need you to take this action.’ There was no trust, and there was no certainty or confidence in that ask,” he said. 

That's not the case anymore, officials said. When federal officials initially tried to partner with states on improving their election security, "we were really walking on eggshells,” Vermont Secretary of State Jim Condos, a Democrat, said in Wednesday’s meeting. Now, he said, “we know what's available to us to help us make sure that our systems are in good shape.”

Officials also pointed to an array of new efforts that they said will  help states and feds coordinate in a way that they didn't in 2016. For instance, DHS recently set up an information-sharing center specifically for election security threats and has sent teams to help states identify vulnerabilities in their systems. The department has also deployed cyber-intrusion sensors across the country that give DHS and state officials a clearer view of cyberattacks. And officials from DHS and the intelligence community have held classified briefings and regular conference calls with state officials on election security threats.

States have their guard up going into the midterms, and with good reason. In 2016, Russian hackers probed election systems in 21 states, and penetrated a state voter registration database in Illinois, stealing records on 500,000 voters. Hackers also targeted state election officials with spearphishing attacks, at one point posing as a voting  equipment vendor and sending dozens of emails laced with malicious software to election administrators in Florida. Intelligence officials say they haven’t seen the same magnitude of interference this year, but they warn that Russia is still targeting the midterms.

State and federal officials are keenly aware that their work over the past two years will be under the magnifying glass come Election Day. So Evanina offered election administrators another piece of advice ahead of Nov. 6: If you learn about a cyberthreat, don’t panic. “If there is an attempt or breach or event,” he said, that “doesn't mean there's an impact with the election. Don't panic with the news media, because at the end of the day if something happens in Atlanta at 9 o'clock in the morning, we need that to not influence the people in California.”

And Krebs called on states to keep sharing what they know. “We have to get over the assumption that the federal government knows all and sees all and has intelligence collection holdings that are able to paint the full picture before a bad thing happens,” he said. “It's not how it works. They have a piece of the pie. The more information that we can get from the election community, no single piece of information, no anomaly is too small.”


PINGED: Facebook is briefing lawmakers about a security breach disclosed last week that extended to almost 50 million accounts. “Facebook briefed Department of Homeland Security officials last week and some individual lawmakers this week, according to people familiar with the matter,” the Wall Street Journal's Deepa Seetharaman and Dustin Volz reported Wednesday. “The company is expected to meet with other congressional committees, including the Senate Intelligence Committee, about the breach as early as this week, other people familiar with the matter said. It isn’t clear whether Facebook provided information pointing to possible perpetrators or about how the hackers exploited the security flaws.”

The announcement about the breach comes as lawmakers on Capitol Hill consider whether to craft consumer privacy legislation amid concerns over how Facebook and other tech giants handle users' personal data. “In an onstage interview Monday with The Wall Street Journal as part of Advertising Week in New York City, Facebook’s vice president of global marketing solutions, Carolyn Everson, compared the hackers to an ‘odorless, weightless intruder that walked in’ that the company could detect only ‘once they made a certain move,’ ” Seetharaman and Volz wrote. “Facebook’s efforts to keep lawmakers in the loop about the incident are notable given that the company has been under intense scrutiny for the past two years for a range of issues, including its handling of user data.”

PATCHED: The Dutch defense minister said that his country’s military intelligence thwarted a Russian cyberattack against the Organization for the Prohibition of Chemical Weapons, the Guardian’s Pippa Crerar and Jessica Elgot reported. “The attack, which was thwarted with the help of British officials, came after the GRU cybercrime unit had also attempted a remote attack on the Porton Down chemical weapons facility in in April and on the UK Foreign Office in March. Both attacks were unsuccessful,” Crerar and Elgot wrote. “The attack on the OPCW is also believed to have been conducted by Russian military intelligence, the GRU, which has been blamed by the British government for the attack on Sergei and Yulia Skripal in Salisbury in March. The Dutch defence minister, Ank Bijleveld, said four intelligence officials from the GRU’s cybercrime unit, known as Sandworm, had been expelled from the Netherlands after being caught spying on the chemical weapons body in April."

PWNED: Chinese spies secretly implanted surveillance chips in data center equipment used by Amazon and Apple during the manufacturing process,  Bloomberg's Jordan Robertson and Michael Riley write in a deeply reported cover story today. The chips, which were found in hardware made by the San Jose-based company Supermicro, "allowed the attackers to create a stealth doorway into any network that included the altered machines," they write, citing government officials.

The report continues: “The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies. One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple.”

Amazon, Apple and Supermicro disputed the report. "Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple told Bloomberg. “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications” as described by Bloomberg, Amazon wrote.  “We remain unaware of any such investigation,” said Supermicro. ( founder and chief executive Jeffrey P. Bezos also owns the Washington Post.)


— Vice President Pence plans to renew accusations by the Trump administration that China is seeking to interfere in the 2018 midterm elections, Bloomberg News's Toluse Olorunnipa and David Tweed reported. “Pence was expected to accuse China of ‘a whole-of-government approach’ to sway American public opinion, including spies, tariffs, coercive measures and a propaganda campaign, according to excerpts of a speech he is scheduled to give Thursday,” Olorunnipa and Tweed wrote. “The speech at the Hudson Institute in Washington represented some of the most critical remarks about China by such a high-ranking U.S. official in recent memory.”

— The Senate on Wednesday passed a bill that would rename and reorganize NPPD, making it the lead civilian cybersecurity agency in government. House Homeland Security Committee Chairman Michael McCaul (R-Tex.), the original sponsor of the legislation, applauded the move. “With the advancement of technology and our increased dependence on computer networks, nation states, hackers, and cybercriminals are finding new ways to attack our cyber infrastructure and expose vulnerabilities," McCaul told me in an emailed statement. "This streamlining effort will achieve DHS’s goal of creating a stand-alone operational organization, focusing on and elevating its vital cybersecurity and infrastructure security missions to strengthen the security of digital America and our nation’s critical infrastructure.” 

From Krebs:

— “The U.S. and the U.K. are among countries that have become more willing to blame specific nations for major cyberattacks, signaling that longstanding concerns about the difficulty of dissecting hacks and the risk of being mistaken may be diminishing, according to government and private-sector experts,” the Wall Street Journal's Catherine Stupp wrote Wednesday. “Countries hope that publicly attributing cyberattacks could deter hackers, especially those backed by foreign governments, in the face of prosecution, measures such as economic sanctions, or even counterattacks.” One reason countries may shy away from naming names is the difficulty of attributing an attack. “Governments historically have been reluctant to make public accusations against other countries regarding cyberattacks,” Stupp wrote. “The science of attribution can be uncertain and mistakes can bring serious foreign-policy consequences.”

— “U.S. Capitol Police announced late Wednesday that a former junior Senate Democratic staffer has been arrested for allegedly posting private information about Republican senators on the Wikipedia Internet website,” The Post's Spencer S. Hsu reported. “Jackson A. Cosko, 27, of the District, faces five federal counts including making public restricted personal information, making threats in interstate communications, identity theft, witness tampering and unauthorized access of a government computer, police said. Cosko also faces District charges of second degree burglary and unlawful entry, police said.” Citing a U.S. official, Spencer wrote that “the arrest was tied to the investigation into the posting of personal information about Republican senators on the Wikipedia site as they held a hearing Sept. 27 on sexual assault allegations against Supreme Court nominee Brett M. Kavanaugh.”

— Ethical hackers discovered about 150 vulnerabilities on public-facing U.S. Marine Corps websites as part of a bug bounty operation, the U.S. Digital Service announced Wednesday in a post on Medium. The security company HackerOne partnered with the government to set up the Hack the Marine Corps program. Over 20 days, 105 hackers looked for weaknesses on about 200 public-facing websites, and those who found “valid” glitches received a combined amount of about $150,000, the post said. In one instance, a group of three hackers managed to “access certain records” about Marine personnel — which allowed them to share a reward of $10,000. The most successful participant earned $26,900 for discovering several vulnerabilities, and the whole program cost $350,000.

“Hack the Marine Corps was an incredibly valuable experience,” Maj. Gen. Matthew Glavy, commander of the U.S. Marine Corps Forces Cyberspace Command, said in a statement. “When you bring together this level of talent from the ethical hacker community and our Marines we can accomplish a great deal. What we learn from this program assists the Marine Corps in improving our war-fighting platform. Our cyber team of Marines demonstrated tremendous efficiency and discipline, and the hacker community provided critical, diverse perspectives.”

— The federal government and the oil and natural gas industry are launching a program to help strengthen American pipelines' cyberdefenses, DHS announced Wednesday. On the government's side of the partnership, the “pipeline cybersecurity initiative” will mobilize DHS, the Energy Department, as well as the Transportation Security Administration. Federal officials met with industry representatives as part of the National Cybersecurity Awareness Month. “Collaborative efforts like this allow us to better understand the threat landscape and direct more targeted and prioritized risk management activities,” Krebs said in a statement. “We look forward to continuing these important meetings with the other critical infrastructure sectors across the country.”

— More cybersecurity news from the public sector:

Trump allies, offering no specifics, say former FBI official gives ‘explosive’ testimony in Russia probe (Karoun Demirjian)

Russian-linked group behind DNC hack now conducting covert intel operations, firm says (The Hill)


— Anthony Aiello was charged with killing his stepdaughter, Karen Navarra, after police in San Jose used data from the victim's Fitbit to charge the 90-year-old man, the New York Times's Christine Hauser reported Wednesday. “In the San Jose case, the police said their investigation used a combination of video surveillance and data from Ms. Navarra’s Fitbit, an Alta HR device, which she wore on her left wrist and synchronized with a computer in her home, where she lived alone,” according to the Times. “On Sept. 13, a co-worker of Ms. Navarra’s went to the house to check on her because she had not showed up for her job at a pharmacy, the report said. The front door was unlocked, and she discovered Ms. Navarra dead, slouched in a chair at her dining room table.”

Police found that when Navarra’s Fitbit recorded her heart rate stop, video surveillance showed that the car of Aiello, who had visited her, was still outside her home, according to the Times. “Mr. Aiello was ‘confronted’ with the Fitbit information during questioning, said Brian Meeker, a San Jose police detective. ‘After explaining the abilities of the Fitbit to record time, physical movement, and heart rate data, he was informed that the victim was deceased prior to his leaving the house,’ Detective Meeker said in the report,” Hauser wrote.

— More cybersecurity news from the private sector:

Fake-news ecosystem still thrives, two years after the 2016 election, new report says (Craig Timberg)

Mainstream advertising is still showing up on polarizing and misleading sites — despite efforts to stop it (Craig Timberg, Elizabeth Dwoskin and Andrew Ba Tran)


— “North Korea’s nuclear and missile tests have stopped, but its hacking operations to gather intelligence and raise funds for the sanction-strapped government in Pyongyang may be gathering steam,” the Associated Press's Matthew Pennington reported. “U.S. security firm FireEye raised the alarm Wednesday over a North Korean group that it says has stolen hundreds of millions of dollars by infiltrating the computer systems of banks around the world since 2014 through highly sophisticated and destructive attacks that have spanned at least 11 countries. It says the group is still operating and poses ‘an active global threat.’ ”

— More cybersecurity news from abroad:

Russia staged cyber-attacks on chemical weapons body and Porton Down (The Guardian)




“Presidential alert” test sets phones to buzzing across country:

The Federal Emergency Management Agency sent an alert aimed at tens of millions of mobile phones Oct. 3 to test a presidential alert system. (Video: Reuters)

McConnell moves ahead on Kavanaugh’s nomination, procedural vote expected Friday:

Senate Majority Leader Mitch McConnell filed a motion Oct. 3 to end debate after he dismissed the allegations of sexual assault against the judge. (Video: U.S. Senate)

Bystander challenges woman for allegedly harassing Spanish-speaking shoppers

A bystander called out a woman accused of harassing two shoppers for speaking Spanish in a grocery store Oct. 1 in Rifle, Colo. (Video: Faby VelSa via Storyful)