with Cat Zakrzewski and Bastien Inzaurralde
“Today’s report confirms that Google’s claims to value consumers’ privacy seem like nothing more than empty talk,” Sen. Richard Blumenthal (D-Conn.), who is sponsoring a data privacy bill, said in an email. “Google must explain its unwillingness to disclose this breach and the FTC must conduct a fulsome investigation. But to truly end this cycle of broken promises, we need a national privacy framework that protects consumers and empowers the FTC to hold companies accountable.”
Google discovered and fixed the security vulnerability in its foundering Google+ social network in March, just as Facebook was coming under fire for its role in the Cambridge Analytica scandal. And reports that company officials decided not to disclose it in part because executives worried about drawing scrutiny from policymakers landed like a bombshell in Washington. It's clear that while Google has so far managed to avoid the kind of grilling Facebook and Twitter faced from lawmakers seeking to zero in on Silicon Valley's privacy and data use practices, those days are over.
Sen. Mark R. Warner (D-Va.), the top Democrat on the Intelligence Committee, noted that Google, like Facebook, is operating under a consent decree with the FTC that bars it from misrepresenting how much control users have over their data. “However, neither company appears to have been particularly chastened in their privacy practices. This seriously questions whether the FTC enforcement model is up to the task of consumer protection when it comes to major social media platforms,” Warner told The Cybersecurity 202. “It’s clear that Congress needs to step in.”
A spokeswoman from the Republican-led House Energy and Commerce Committee also said Monday that "the committee takes protection of consumer information seriously and we are currently reviewing the situation."
Shortly after the Wall Street Journal first reported the incident Monday afternoon, the company went into damage control mode. Google explained what happened in a blog post and announced a suite of new data privacy measures. The company also said it would shutter the consumer version of Google+.
This bug could have allowed outside developers from more than 400 software applications to access troves of personal information, including names, email addresses, ages, occupations and genders. Google said that other details, such as phone numbers and social media posts, were not exposed and that it found no evidence that any developer was aware of the bug.
But it's Google's secrecy that may get the company in the most trouble. My colleagues Craig Timberg, Renae Merle and Cat Zakrzewski have more on the behind-the-scenes discussion about the disclosure:
The decision to not immediately report the software bug — in a process that included briefing chief executive Sundar Pichai — was discussed in an internal document that expressed concerns about the company’s reputation and the possibility of increased scrutiny from regulators, said a person familiar with internal deliberations at Google.
Google said Monday that it did not immediately announce the data leak because it was unsure which users were affected or that the data had been misused. The company declined to comment on whether concerns about regulators or its reputation affected its decisions.
The person close to the situation, who spoke on the condition of anonymity to describe sensitive matters, said the document was not part of the official decision-making process at Google.
Despite its concerns about lawmakers' reactions, Google might have been better off if it had gone public about the incident right away. The Google+ user base is minuscule, and public concerns about data leaks and breaches tend to fade fairly quickly unless the information is used for nefarious purposes. “But because Google tried to cover up the problem because it didn’t meet some threshold of severity, the company looks much worse,” TechCrunch’s John Constine wrote. “That casts doubt on whether Google is being transparent on tons of other controversial questions about its practices.”
The disclosure could also boost calls for legislation that would replace the patchwork of state laws governing what companies must do to notify consumers and regulators of data breaches. Sens. John Kennedy (R-La.) and Amy Klobuchar (D-Minn.) are backing a bill that would require companies to notify customers of data breaches within 72 hours of discovering them and offer remedies to affected users. A similar standard exists under Europe's privacy law, which took effect earlier this year.
Google’s top brass has largely stayed out of the spotlight as top executives such as Facebook’s Mark Zuckerberg and Twitter’s Jack Dorsey have faced tough questions from lawmakers in hearings about their privacy and data use practices. But that strategy has so far only ballooned the laundry list of concerns lawmakers have about the company. They’ve questioned the company on reports it is planning to push into China with a censored version of its search engine. Defense officials are concerned about the company’s decision to sever a contract with the Pentagon following employee backlash. Meanwhile, conservatives worry that the company’s liberal employees are silencing conservative voices — a charge Google has denied.
And the icing on the cake: Lawmakers were angry that Google did not send an executive senior enough for a major tech hearing in September. Even before the Google+ drama unfolded on Monday, Warner told my colleague Cat that the company was not being sufficiently transparent or proactive when it comes to election security. “Google is just AWOL,” Warner told Cat. “I think they are making a huge mistake in judgment and a huge mistake in policy for not treating these issues seriously.”
“This attitude from tech companies will ultimately bring what it seeks to forestall,” tweeted Laura Rosenberger, a former White House official in the Obama administration who now directs the bipartisan Alliance for Securing Democracy, quoting the report that “[Google] opted not to disclose the issue... in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage.” (@rosenbergerlm, October 8, 2018)
From CyberScoop's Greg Otto, referencing Europe's sweeping new privacy law, the General Data Protection Regulation:
“The cover-up, and not the data exposure itself, is going to be Exhibit A for when the U.S. builds its own GDPR.” (@gregotto, October 8, 2018)
PINGED: “A top Trump campaign official requested proposals in 2016 from an Israeli company to create fake online identities, to use social media manipulation and to gather intelligence to help defeat Republican primary race opponents and Hillary Clinton, according to interviews and copies of the proposals,” the New York Times's Mark Mazzetti, Ronen Bergman, David D. Kirkpatrick and Maggie Haberman reported Monday. “The Trump campaign’s interest in the work began as Russians were escalating their effort to aid Donald J. Trump. Though the Israeli company’s pitches were narrower than Moscow’s interference campaign and appear unconnected, the documents show that a senior Trump aide saw the promise of a disruption effort to swing voters in Mr. Trump’s favor.”
Yet Rick Gates, the campaign official, “ultimately was uninterested in Psy-Group’s work” and there is no indication that the Trump campaign went ahead with the pitches from the Israeli firm, according to the Times. In one proposal to the Trump campaign, “Psy-Group promised that ‘veteran intelligence officers’ would use various methods to assess the leanings of the roughly 5,000 delegates to the Republican nominating convention,” Mazzetti, Bergman, Kirkpatrick and Haberman wrote. “After scouring social media accounts and all other available information to compile a dossier on the psychology of any persuadable delegate, more than 40 Psy-Group employees would use ‘authentic looking’ fake online identities to bombard up to 2,500 targets with specially tailored messages meant to win them over to Mr. Trump.” Gates pleaded guilty to charges of conspiracy and lying to the FBI as part of a plea agreement this year in special counsel Robert S. Mueller III's investigation.
PATCHED: “Federal and state employees responsible for running government websites will soon have to use two-factor authentication to access their administrator accounts, adding a layer of security to prevent intruders from taking over dot-gov domains,” The Washington Post's Hamza Shaban reported. “Officials at federal agencies such as the departments of Justice, State and Defense can begin adding two-step verification to their accounts on Monday, according to the General Services Administration, the agency that manages dot-gov domains for the U.S. government. In the coming months, state and local officials will be prompted to add the security feature.”
The Office of Personnel Management, which suffered a major data breach in 2014, enacted two-factor authentication this year for all users, according to my colleague. “According to the GSA, authorized account holders may not need to make changes to their information or to their dot-gov domain very often, but if a hacker takes control of an account, he or she could at any time alter what the public sees and interacts with when they navigate to a government website,” Hamza wrote. “Government officials will use the Google Authenticator app on their mobile devices to use two-factor verification. Once the account holders log in to the dot-gov domain with their password, they will be prompted to input a one-time code generated by the app to complete the sign-in process.”
PWNED: “Barely a month before midterm elections, voting integrity advocates and electronic voting experts want the federal government to issue an official warning to states that use voting machines with integrated cellular modems that the machines are vulnerable to hacks, potentially interfering with the ballot counting,” Tim Johnson of the McClatchy D.C. Bureau reported Monday. “Once seen as a useful tool to provide quick election results, voting machines with cellular modems are now subject to fierce debate over how easy it would be to break into them and change the results. Such machines are certified for use in Florida, Illinois, Michigan and Wisconsin.”
Reid Magney, a spokesman for the Wisconsin Elections Commission, told McClatchy that concerns over potential hacking of machines containing cellular modems are overblown. “It is not a large concern at this point,” Magney said, as quoted by Johnson. “The results are encrypted and use security keys, so the receiving computer knows that the data is authentic. … I know people have theorized about man-in-the-middle attacks. I’ve never seen people intercept (cellular signals), change them, re-encrypt them and send them on.” Additionally, it's unclear precisely how many cellular-enabled voting machines there are in the United States. “An official with the Election Assistance Commission, an independent federal agency that is a clearinghouse for election information, said there are ‘probably’ more than 1,000 of the cellular-enabled machines deployed in different parts of the country,” Johnson reported.
— Researchers say there is no indication yet that Russia is directly interfering in the 2018 midterms, the Daily Beast's Kevin Poulsen and Spencer Ackerman reported Monday. “Russian social media trolls are, of course, still promulgating fake news and slapping frantically at America’s hot buttons — tweeting wildly in favor of Brett Kavanaugh’s confirmation, according to researchers, and pushing a counter-protest against last summer’s white supremacist Unite the Right 2 rally,” Poulsen and Ackerman wrote. “The GRU is still hacking into computers in the U.S. and everywhere else. But so far, Russia-watchers say the trolls haven’t delved into the nitty gritty of 35 Senate campaigns and 435 House races. Nor has the GRU engineered the type of damaging email dumps that tent-posted the 2016 election circus.”
— The Pentagon warned in a report last week that the supply chain of America's manufacturing sector is particularly vulnerable to cyberthreats, Fifth Domain's Justin Lynch reported Monday. “The 146-page report said that the vulnerability in the American manufacturing supply chain was spurred by the ‘infinite number of touch points’ in each component, all of which could be exploited or corrupted,” Lynch wrote. “The report was clear about one party believed responsible for exploiting supply chain risks in the manufacturing sector and defense industrial base. ‘China’ is referenced 100 times in the body of the report, and is accused throughout of pilfering trade secrets and sensitive material.”
— “Alphabet Inc.’s Google has decided not to compete for the Pentagon’s cloud-computing contract valued at as much as $10 billion, saying the project may conflict with its corporate values,” Bloomberg News's Naomi Nix reported Monday. “The project, known as the Joint Enterprise Defense Infrastructure cloud, or JEDI, involves transitioning massive amounts of Defense Department data to a commercially operated cloud system. Companies are due to submit bids for the contract, which could last as long as 10 years, on October 12th.”
— Russia brushed off accusations by the Netherlands that GRU agents unsuccessfully tried to hack the Organization for the Prohibition of Chemical Weapons, the Associated Press's Vladimir Isachenkov reported. “There was nothing secret in the Russian specialists’ trip to The Hague in April,” Russian Foreign Minister Sergei Lavrov said Monday, as quoted by the AP. “They weren’t hiding from anyone when they arrived at the airport, settled in a hotel and visited our embassy. They were detained without any explanations, denied a chance to contact our embassy in the Netherlands and then asked to leave. It all looked like a misunderstanding.”
— Meanwhile, another country is accusing Russia of launching cyberattacks. “Russia has carried out cyber attacks on Latvia’s foreign and defense apparatus and other state institutions, a Latvian intelligence agency said on Monday,” Reuters reported. “Russia’s military intelligence agency (GRU) has tried to access information by e-mail phishing attacks against government computers in ‘recent years’, Latvia’s Constitution Protection Bureau said.”
- 2018 National Cyber Symposium in Colorado Springs.
- Senate Homeland Security and Governmental Affairs Committee hearing on “threats to the homeland” tomorrow.
- Senate Commerce Committee hearing on consumer data privacy tomorrow.