Good morning! I’m Cat Zakrzewski, a tech policy reporter at the Washington Post. I’ll be at the helm of The Cybersecurity 202 these next few weeks. If you can’t get enough of Post newsletters, sign up here for my forthcoming newsletter, The Technology 202. You won’t want to miss our daily analysis on the complex relationship between Washington and Silicon Valley, coming to your inbox in December.
Democratic campaigns are not just turning to tech workers because of their deep pockets. After a wide-ranging Russian hacking campaign exposed poor cybersecurity practices during the 2016 election, they’re seeking out techies' expertise this time around.
Two groups — Ragtag and DigiDems — launched in the aftermath of the 2016 election to help campaigns connect with tech-savvy volunteers or full-time organizers. Many in Silicon Valley were blindsided by Donald Trump’s victory, and it prompted soul-searching within the industry about ways to get more politically involved. In a symbolic stand against the Trump administration, tech workers are taking a more hands-on role in the 2018 midterms, especially when it comes to improving cybersecurity for progressive campaigns.
“For a long time, folks who work in tech have been targeted by campaigns as potential donors,” said Ragtag founder Brady Kriss. “A lot of folks in tech want to contribute something more than that.”
Techies from both DigiDems and Ragtag have helped campaigns adopt best cybersecurity practices such as two-factor authentication and password managers. But the groups operate in different ways. LinkedIn co-founder Allen Blue, along with several other tech leaders, helms DigiDems. That group finds people with varying degrees of technical experience, trains them in topics such as cybersecurity, and then embeds them as full-time campaign workers, with the assistance of the Democratic Party leadership. DigiDems has embedded more than 80 people in campaigns. Meanwhile, Ragtag connects technologists with campaigns, allowing them to volunteer their expertise.
Cybersecurity threats are not unique to one party, and campaigns on either side of the aisle could be hit with a phishing attack or password theft. Democrats had a more high-profile wake-up call when Hillary Clinton campaign manager John Podesta’s emails were leaked and published on WikiLeaks through a phishing attack that was part of Moscow's attempt to influence the presidential election in favor of Trump. But Republicans are at risk, too. Both Barack Obama and John McCain’s teams suffered breaches during the 2008 presidential election.
But Democrats may be seeing more on-the-ground cybersecurity support from techies this cycle because of the industry workers' cozier relationship with the party. As my colleague Tony Romm pointed out recently, Silicon Valley is trying to help the Democrats take back Congress in 2018. Still, the tech industry’s heightened political involvement comes at an awkward time — dedicating more resources to liberal campaigns could exacerbate strained tensions with Republicans in Washington.
The industry is under fire among lawmakers for its workers' alleged bias against conservatives — a Republican talking point that has recently been amplified by President Trump. Some Republicans say the workers’ political bias is resulting in content decisions that silence conservative voices — a charge the technology companies have denied.
“While the tech giants, which have deep liberal bias throughout their personnel and practices, place a thumb on the scale against conservatives online, we are undaunted,” a spokeswoman for the Trump campaign told Tony.
The Republican National Committee did not immediately respond to requests for comment on tech volunteers helping Democrats’ campaigns with cybersecurity.
James Renken, a site reliability engineer in Minnesota, is a Ragtag volunteer who has consulted on cybersecurity issues with campaigns. He taped a training to teach voting nonprofit and campaign workers how to avoid phishing attacks, and he also consulted on the guidance that Ragtag gives campaigns about deploying two-factor authentication.
Renken said he was already on the path to becoming more politically engaged, but Trump’s election made volunteering his time more “urgent.” He said campaigns workers are taking the threat of phishing seriously.
“It's gotten so bad that people are paying attention,” he said.
Becca Kahn, a recent college graduate, joined DigiDems after interning with several technology companies. She went through an extensive training process with the organization, which included a segment on cybersecurity. She’s now embedded full-time with the campaign of Katie Hill, a Democrat running in California’s 25th Congressional District.
Kahn has trained people on the campaign in a variety of security best practices, including turning on two-factor authentication, using a password manager and communicating on encrypted services such as Signal. “We do everything to make sure they're safe as possible,” she said. Kahn said this allows campaigns to instead focus on the work they do best.
The DigiDems embeds are also are in constant communication so they can learn strong security practices from each other.
DigiDems Co-Executive Director Alicia Rockmore said the organization has a tremendous amount of data about what has worked this campaign cycle that it will apply in future elections. But for now, the group is focused on Nov. 6. “The ability of folks to understand strategy and translate that from a tech perspective will make a difference in some of these races,” she said.
Correction: A previous version of this story misidentified the executive chairman of DigiDems. He is Allen Blue.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Election systems vendors largely escape public oversight and are often reluctant to submit their equipment to independent security testing even though they “effectively run elections either directly or through subcontractors” throughout much of the United States, the Associated Press's Frank Bajak reported Monday. “A trio of companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the machinery on which votes are cast and results tabulated,” Bajak wrote. “Experts say they have long skimped on security in favor of convenience, making it more difficult to detect intrusions such as occurred in Russia’s 2016 election meddling. The businesses also face no significant federal oversight and operate under a shroud of financial and operational secrecy despite their pivotal role underpinning American democracy.”
However, some states such as California, New York and Colorado maintain oversight over vendors, according to the AP. “California conducts some of the most rigorous scrutiny of voting systems in the U.S. and has repeatedly found chronic problems with the most popular voting systems,” Bajak reported. “Last year, a state security contractor found multiple vulnerabilities in ES&S’s Electionware system that could, for instance, allow an intruder to erase all recorded votes at the close of voting.”
PATCHED: Despite ongoing concerns about potential election interference in the upcoming midterms, officials across the country and at all levels of government “have made significant efforts to secure our election infrastructure and defend our democracy” since Russia interfered in the U.S. presidential election two years ago, according to a report from the Center for Strategic and International Studies. Such improvements include the implementation of cybersecurity best practices as well as the allocation of public funds to strengthen election security, wrote William A. Carter, deputy director and fellow at CSIS's Technology Policy Program.
For example, CSIS found that 40 states have invested more than $75 million in state and federal funds since 2016 to help secure their election systems. “This includes 26 states that have conducted security assessments and implemented cybersecurity upgrades, 20 states that have invested in enhanced cybersecurity training for election officials, 15 states that have upgraded or replaced voting equipment, and nine states that are expanding post-election audits,” according to Carter. However, the report notes that there is still room for improvement. In particular, Carter argued that all states should adopt a voter-verifiable paper audit trail in their election processes and conduct risk-limiting audits. “No system is perfect (including paper ballots, which have been manipulated many times over the course of modern history), but a paper audit trail and risk-limiting audits are an important first step in establishing resiliency of computerized elections against cyber threats,” Carter wrote in the report.
PWNED: “The anti-Semitic online screeds tied to the man police say killed 11 people at a Pittsburgh synagogue are rekindling a debate in Congress over the role that social media companies should play in policing their platforms — and the penalties they should face if they fail,” The Washington Post's Tony Romm reported Monday. “Days before the Pittsburgh attack, an account matching the suspect’s name, Robert Bowers, published violent, anti-Semitic posts on Gab, a social networking site that’s become a haven for the alt-right. The site has billed itself as a hub for ‘free speech’ with few rules on what users can say and share. ‘Hate speech is free speech,’ Gab’s leaders previously have said.”
Some lawmakers on Capitol Hill are calling for regulating social media companies and for revisiting Section 230 of the Communications Decency Act, which essentially protects major Internet companies from being held liable for content posted on their sites by users, according to my colleague. “When it was written, we were not facing these issues,” Rep. Anna G. Eshoo (D-Calif.), who sits on the House Energy and Commerce Committee and whose district include Silicon Valley, told Tony. “You have to draw it up carefully. You have to work with stakeholders. But I don’t think we’re in a time or era where we can simply overlook this.”
— “The U.S. has raised the stakes in a battle with Beijing over intellectual property by restricting American firms from doing business with a state-owned Chinese chip maker that Micron Technology Inc. has accused of stealing its secrets,” the Wall Street Journal's Kate O'Keeffe reported. “Citing national and economic security concerns, the Commerce Department said Monday that it will begin restricting American companies from selling software and technology goods to Fujian Jinhua Integrated Circuit Co., a semiconductor startup into which the Chinese government has been pouring money as part of an effort to build its own chip industry. The decision has the potential to cause significant damage to the new chip maker, which still relies on U.S. technology to produce its own chips.”
— More cybersecurity news from the public sector:
— Nearly half of cyberattacks that a group of incident response companies investigated in the third quarter originated from Russia and China, according to a report by the cybersecurity company Carbon Black. The Quarterly Incident Response Threat Report released Tuesday relies on data that Carbon Black compiled from 37 companies. China and Russia accounted for 47 of the 113 cyberattacks that were investigated, according to the study. “Cyberattacks are becoming increasingly sophisticated, in large part because of a burgeoning dark-web economy,” the report said.
The report also found that financial and health-care organizations were the main targets of cyberattacks. Carbon Black reported that 78 percent of its partner companies saw financial institutions targeted by cyberattacks while 59 percent of respondents said health-care organizations were also targeted. Moreover, attacks against Internet of Things devices represent a “growing concern,” according to Carbon Black's report. More than a third of respondents said they observed attacks that took advantage of vulnerabilities in businesses' IoT devices. “Today, there are more than 8.4 billion IoT devices, ranging from consumer devices like Fitbits and smart watches to enterprise devices such as security cameras, alarm systems, and thermostats,” the report said. “Of late, those ‘things’ — which often have no built-in ability [to] be patched remotely — have become the target of cyberattacks.”
— The encrypted messaging app Signal announced a new privacy feature called “sealed sender” to protect the identity of a message sender, Wired's Lily Hay Newman reported Monday. “Since the mechanism removes Signal's ability to validate senders, the service is adding workarounds that still let users verify who sent incoming messages, and reduce their chance of receiving abusive content,” according to Wired. “Most importantly, Signal will only allow ‘sealed sender’ messages to go between accounts that have already established trust, particularly by being in each others' contact lists. If you block someone Signal has made cryptographic tweaks so they will still be barred from messaging you — even if you are in each others' contacts.”
— More cybersecurity news from the private sector:
- CyberCon 2018 organized by Fifth Domain on Thursday in Arlington, Va.
- The National Institute of Standards and Technology hosts the 2018 Cybersecurity Risk Management Conference on Nov. 7 through Nov. 9 in Baltimore.
Medical personnel discuss Pittsburgh synagogue shooting:
Jamal Khashoggi's fiancee says she is disappointed in President Trump:
In Wisconsin, two presidents offer two different visions of America: