Good morning! I’m Cat Zakrzewski, a tech policy reporter at The Washington Post. I’ll be at the helm of The Cybersecurity 202 these next few weeks. If you can’t get enough of Post newsletters, sign up here for my forthcoming newsletter, The Technology 202. You won’t want to miss our daily analysis on the complex relationship between Washington and Silicon Valley, coming to your inbox in December.
Election Day is over, but government officials are still watching out for potential interference in the political process after detecting online disinformation that was meant to undermine yesterday's midterms.
Foreign adversaries will “continue to push misinformation” even after the election results are fully reported, a Department of Homeland Security official told reporters in a series of briefings on election security that lasted well into the night.
While DHS made clear it did not detect any breaches that would affect the casting or counting of votes, the official expressed concerns that bad actors could create the perception that the election was not secure -- including by “enhancing or overstating” how successful hacking attempts were. “We’re talking about propaganda machines,” the official said, “that are trying to divide the American people and undermine their confidence in election systems.”
Officials and disinformation experts have long said that a hacking claim could damage trust in the U.S. election system just as much as a real breach. It’s imperative that voters perceive the U.S. election system is secure, they say, especially in the wake of the intelligence community's conclusion that Russia's campaign of hacking and fake news was designed to influence the 2016 presidential election in favor of Donald Trump.
But with votes still being counted in some states, the DHS official said it was too early to tell if their efforts to reassure the American public the election's integrity is intact will be effective. “I’m not sure we have a good way to gauge right now what the general public sentiment is right now on what transpired today from an election security standpoint," the official said.
Officials underscored the department would still be engaged in assisting state officials by auditing votes, and coordinating with other agencies and state election administrators about potential cyberthreats or disinformation campaigns. But it was clear by their last call with reporters at midnight that they were starting to view Election Day 2018 as a victory. The DHS official said there have been no reported incidents “that would affect the ability to cast and count votes.” Though there were examples of instances of disinformation spreading on social media, companies such as Facebook appeared to be quick to take action against the bubbling campaigns that were reported throughout the day.
As The New York Times's Kevin Roose puts it:
Minor blips aside, we seem to have gotten through an election day without a major cybersecurity breach or a viral misinformation epidemic. That's a big deal, and a credit to everyone who pushed hard for accountability and transparency in these systems.— Kevin Roose (@kevinroose) November 7, 2018
Even so, the midterms did give some clues about how disinformation campaigns are evolving. For instance, people used social media to spread false information about how to vote.
Throughout the day, there were reports of disinformation about where to vote on social media. Common hoaxes included posts that said Republicans vote Nov. 6, Democrats vote Nov. 7, or vice versa. Facebook told Reuters reporter Joseph Menn it was cracking down on such posts. But he still saw three public posts after they made that statement, and I myself found many examples of similar hoaxes circulating on Twitter.
In another shift, the disinformation about voting wasn’t limited to the main social platforms — Google, Twitter and Facebook. Roose shared examples of disinformation on sites as seemingly random as Nextdoor, a niche social networking site for neighbors to connect:
Update: the Nextdoor voter misinformation poster has logged on again. pic.twitter.com/uvixulwY3j— Kevin Roose (@kevinroose) November 6, 2018
The midterms also showed us tangible evidence of how the federal government stepped up its efforts to coordinate with state and local election officials on combating disinformation -- or lend expertise to handle any false alarms. In one instance, states reported to the government their concerns about text messages sent out with inaccurate voting information. DHS, according to the official, was able to determine that a third-party provider was simply having a technology issue and it wasn't an example of an adversary trying to manipulate the vote. Another official on the call said the government was working with states to deal with issues that might cause a site to crash from increased traffic to local and state websites when unofficial results are posted. “Don’t automatically assume it’s a DDoS attack by a malicious actor,” the official warned.
Officials said they were already looking ahead to securing the 2020 vote. An official said the team would get "a few hours” to rest overnight but would quickly be evaluating what worked and what didn't. “Our focus is providing the services, the support that state and local partners need and ensuring that when 2020 rolls around, everyone is as secure as possible for that vote,” the DHS official just told reporters.
But as we learned in 2016, it's difficult to understand the full scope of cybersecurity incidents the morning after the election, and we may not know the full picture. It's possible that reports of cybersecurity incidents could emerge in the coming days, weeks and months as ballots and systems are audited.
We also don't know if technology companies' efforts to stamp out disinformation on their platforms were enough -- or at least enough to quell lawmakers' concerns about it. Facebook made a strong showing of how seriously it was taking election security by suspending 30 Facebook accounts and 85 Instagram accounts on the eve of the election. Late last night, the company disclosed they were targeted because of potential ties to Russia, my colleague Tony Romm reported.
Despite these efforts, hoaxes continued to proliferate on social media, and it seemed the companies had different standards for dealing with them. One hoax about “voter fraud” spread quickly across many social networks. The post showed a video of a vote that appears to be recorded incorrectly. Yet local election officials said this particular instance actually just showed a machine with a paper jam that was taken offline. The voter was moved to another machine and cast their vote without problems.
The video falsely alleging vote rigging in Ohio is now at 4,000 RTs (including lots of QAnon types). Here’s the county BOE’s statement, which makes clear it was a paper jam. pic.twitter.com/oaz3L1ZObm— Kevin Roose (@kevinroose) November 7, 2018
The technology companies handled the video differently, CNN reporter Donie O’Sullivan said:
Facebooks tells me that it has removed this video from Facebook and Instagram after it was debunked by their fact-checking partners at @AP. Meanwhile, the false video is still spreading on Twitter. 5,5000 retweets now. #Midterms2018 https://t.co/6u7KAVaQIy— Donie O'Sullivan (@donie) November 7, 2018
Now that the Democrats have taken back the House, we can expect oversight of the technology companies to increase — so expect this issue to get scrutiny in the next Congress.
Tune in: The first in a series of Technology 202 live events is tomorrow at 9 a.m. Eastern. My colleagues and I will be interviewing top tech executives, White House officials and Rep. Ro Khanna. Sign up to get the livestream.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The state of West Virginia implemented a pilot program to allow its voters living abroad to take part in the midterms via a mobile device, The Washington Post's Brian Fung reported. “The statewide pilot, which covers 24 of West Virginia’s 55 counties, uses a mixture of smartphones, facial recognition and the same technology that underpins bitcoin — the blockchain — in an effort to create a large-scale and secure way for service members, Peace Corps volunteers or other Americans living overseas to participate in the midterm elections. West Virginia is the first state to run a blockchain-based voting project at such a scale, state officials say.”
But, as Brian noted, some “security experts have said that simply by introducing an Internet-connected mobile device into the process raises the baseline risk of hacking or interception. And despite the current use of cryptography to keep remotely submitted ballots secret on the blockchain, future technologies that could defeat that protection may end up unmasking voters' identities and choices.” However, the state does not intend to adopt such procedure as its default voting method, Brian reported. “Secretary Warner has never and will never advocate that this is a solution for mainstream voting,” said Michael Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, as quoted by my colleague.
PATCHED: The Iranian regime “is now bolstering its capacity to cause even greater harm in the future” in cyberspace and may order cyberattacks in retaliation against U.S. sanctions, according to a report from the Foundation for Defense of Democracies. “As Iran begins to feel the full effects of renewed sanctions pressure, the regime may instruct OilRig, APT33, and others to respond by hitting the American economy like its hackers did during the previous escalation of sanctions,” the report said, referring to Iran-linked hacking groups.
The authors of the FDD report, Annie Fixler and Frank Cilluffo, also argued that Iran's capacities in cyberspace aren't as powerful as that of other foreign foes but can nonetheless threaten America's national security. “While Iran does not have the cyber capabilities of China, Russia, or North Korea, Tehran is willing to take greater risks and cause greater destruction,” Fixler and Cilluffo said. “The Islamic Republic cannot match Washington’s capabilities on the traditional military battlefield nor in the virtual world, but its hackers can still do serious damage.”
Fixler, a policy analyst at FDD's Center on Sanctions and Illicit Finance, and Cilluffo, who directs the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University, said the United States should work to acquire a better understanding of Iranian cyberthreats, bolster its defenses and “impose costs on Tehran.” Such “costs” could include financial punishments as well as information warfare that would aim to increase tensions between Iranian citizens and their leaders. Moreover, the United States “must be willing to deploy the full range of its offensive capabilities” against Iran, the report said.
PWNED: “Facebook is admitting that it didn’t do enough to prevent its services from being used to incite violence and spread hate in Myanmar,” the Associated Press's Barbara Ortutay reported. “The company ‘can and should do more’ to protect human rights and ensure it isn’t used to foment division and spread offline violence in the country, Alex Warofka, a product policy manager, said in a blog post. Facebook commissioned the nonprofit Business for Social Responsibility to study the company’s role in Myanmar and released the group’s 62-page report late Monday.”
The New York Times's Alexandra Stevenson wrote that BSR's “report details how Facebook unwittingly entered a country new to the digital era and still emerging from decades of censorship,” but she added that the study “fails to look closely at how Facebook employees missed a crescendo of posts and misinformation that helped to fuel modern ethnic cleansing in Myanmar.” The social network also faced some criticism for publishing the report on Monday as public attention was turning to Tuesday's midterm elections, according to the Times. “The report recommends that Facebook increase enforcement of policies for content posted on its platform; exercise greater transparency with data that shows its progress; and engage with civil society and officials in Myanmar,” Stevenson reported.
Winners and losers from the 2018 midterm elections:
— In the House, “the Democratic victory means a probable reopening of the investigation into Russian interference in the 2016 election,” the AP's Tim Sullivan reported. “The Republican-led Intelligence Committee closed its probe into Russian meddling, saying it had found no evidence of collusion between Russia and the Trump campaign. Democrats, though, have long said the Republicans ignored a string of key facts and witnesses.”
-- We're still waiting on the fate of Rep. Will Hurd (R-Tex.), who sits on the House Intelligence Committee and chairs the House Oversight subcommittee on Information Technology, who is in a tight reelection race against Democrat Gina Ortiz Jones in Texas’s 23rd Congressional District. The AP initially declared Hurd the winner but later withdrew the call. Hurd, who previously worked at the CIA, is considered one of Capitol Hill’s most tech-savvy lawmakers. At nearly 4 a.m., The Post reported: "With 100 percent of precincts reporting, Hurd is leading with 49.1 percent of the vote, followed by Ortiz Jones with 48.8 percent."
— “The proliferation of connected devices including electric cars could provide grid operators with an operational view of cybersecurity threats and change the way the grid is secured, said Karen Evans, assistant secretary of the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response,” FCW's Mark Rockwell reported. “While experts generally consider the internet of things to be a risky ecosystem full of unsecured devices, Evans said there could be an upside. In remarks to researchers from CESER's Cybersecurity for Energy Delivery Systems (CEDS) program on Nov. 6, Evans said a growing fleet of connected electric-powered vehicles ‘could become sensors’ to provide cybersecurity situational awareness.”
— More cybersecurity news from the public sector:
— “A small number of HSBC online banking customers — less than 1% of accounts — were breached last month by unauthorized users, the bank acknowledged Tuesday,” American Banker's Penny Crosman reported. “HSBC sent a disclosure notice Nov. 2 to customers saying the breaches occurred between Oct. 4 and Oct. 14 of this year. The bank suspended all affected accounts.” The bank was “unusually quick” to report the breach, according to American Banker.
“The breach may have occurred through a technique called ‘credential stuffing,’ in which hackers who have stolen passwords for other websites try them out on an online banking site, under the assumption that people use the same passwords everywhere they go on the web,” Crosman wrote. “It's a pretty safe assumption: According to a survey of 1,000 people conducted last year by Keeper Security, more than 80% of U.S. adults reuse the same password across multiple accounts.”
— “Chinese authorities have begun deploying a new surveillance tool: ‘gait recognition’ software that uses people’s body shapes and how they walk to identify them, even when their faces are hidden from cameras,” the AP's Dake Kang reported. “Already used by police on the streets of Beijing and Shanghai, ‘gait recognition’ is part of a push across China to develop artificial-intelligence and data-driven surveillance that is raising concern about how far the technology will go.”
— Russia is taking new measures to crack down on anonymous messaging apps like Telegram. “Mobile phone network operators will be required to confirm the authenticity of a user’s phone numbers within 20 minutes,” the AP reported. “If a number cannot be verified, messenger services are required to block users from their platforms. The Russian government will also require network operators to keep track of which messenger apps their users have registered for. The decree goes into effect after 180 days.”
— More cybersecurity news from abroad:
- Federal IT Security Conference in College Park, Md.
- The National Institute of Standards and Technology hosts the 2018 Cybersecurity Risk Management Conference through Friday in Baltimore.
- Cyber Security Awareness Week 2018 conference hosted by NYU Tandon School of Engineering in New York tomorrow.
- Infosecurity North America conference on Nov. 14 through Nov. 15 in New York.
We talked to voters around the country on Election Day. Here's what they said:
2018 midterm election: A night of firsts.
Kemp insists “we make it easy to vote” in Georgia: