The breach of the National Republican Congressional Committee email system is throwing a spotlight on the duty to disclose cyberattacks on the political system — and the long-term effects of hacking on the public’s faith in the integrity of elections.
It’s still not clear what information the unknown intruders may have stolen from the committee, which is the campaign arm of the House GOP. But Democrats have pounced on Republicans for not disclosing the breach after it was discovered in April 2018, months ahead of the midterm elections.
“The threat of cyber-attacks and info operations from our adversaries is not a Republican or Democratic problem,” Sen. Mark R. Warner (D-Va.), the vice chairman of the Senate Intelligence Committee, wrote on Twitter this week. “Politicians who’ve insisted on viewing this threat through a narrow partisan lens over the past two years have put us at a massive disadvantage. It's time to wake up.”
Warner and committee chairman Richard Burr (R-N.C.) have been leading an investigation into Russia’s interference in the 2016 presidential election and have zeroed in on what they see as the urgent need to shore up defenses for U.S. election systems.
They found that the Department of Homeland Security had an “inadequate” response to the Russian campaign, which U.S. intelligence agencies have concluded was designed in part to undermine confidence in the voting process. The delay in action was a big issue here, too: The committee faulted the department for waiting until September 2017 to contact all the chief election officials in the states whose voting systems had been probed by Russian operatives. (The committee found that at least 18 states, and perhaps as many as 21, were targeted, including by hackers seeking to access the states' voter rolls.)
The emails of political committees are increasingly being seen as a part of election infrastructure, experts said, given that they can provide foreign governments with a window into campaigns and sow confusion if they are selectively released, as the Russians did with emails stolen from the Democratic National Committee and Hillary Clinton’s campaign in 2016.
The NRCC hack “raises the issue of campaign committees and related entities being ‘soft targets’ relative to other government related entities,” Steve Grobman, the senior vice president and chief technology officer of security company McAfee, said in a statement. “They are often comprised of employees and volunteers possessing varying degrees of cybersecurity practices, policies and protective measures to protect their communications and computing systems. It raises the question of whether these entities should be considered a part of our election infrastructure.”
The recent breach isn't the first time the NRCC has had to confront cybersecurity challenges. As The Post reported in July, the NRCC dismissed an offer from its Democratic counterpart that both parties team up to combat hacks in the 2018 election. The Republicans called the proposal a “political stunt.”
But as election security is increasingly seen as a national security issue, attention is turning as well to the broader impact that hacking has on public confidence in the outcomes of elections.
Recent polling data suggests that the public was shaken by the 2016 theft and dissemination of Democratic emails by Russian hackers, and that the operation has undermined confidence in future elections.
Sixty-seven percent of respondents in a poll by OpenVPN, which makes open-source software to implement virtual private networks, said that the 2016 hacks affected the outcome of the presidential election. And 60 percent said they don’t think the U.S. voting system is secure.
Those views broke down along partisan lines, underscoring the extent to which election security may have become just another divisive issue in American politics. Eighty-six percent of Democrats said they thought the hacks affected the outcome of the election, but only 34 percent of Republicans said the same.
Young people are also more likely to be skeptical about the security of elections, the study found. Among 18- to 24-year-olds, 81 percent said they think the 2016 hack affected the outcome of the election, while 55 percent of baby boomers thought it did. Among that younger cohort, 40 percent said the hacks would discourage them from voting, compared to just 10 percent of boomers, the study found.
The public perception of hacking’s influence is all the more striking because there is no evidence that the Russian intervention actually influenced the outcome of the election. That’s a question that, notably, U.S. intelligence agencies did not try to answer when they produced a report in January 2017 about the Russian campaign. While the agencies did find that the Russians tried to help Donald Trump win the election, they made no assessment of whether the dissemination of emails or the use of social media to spread false stories actually persuaded voters.
It’s too early to say whether the NRCC hack will similarly undermine voter confidence. But given the swift backlash from Democrats, it’s at least clear that by not disclosing breaches sooner, Republicans leave themselves open to criticism that they don’t take election security seriously.
PINGED: Private investigators examining the Marriott International data breach found signs that Chinese hackers may have carried out the operation. Reuters's Chris Bing reported that investigators have encountered “hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers,” raising the possibility that the goal was to gather intelligence.
Moreover, the duration of the breach of Marriott subsidiary Starwood's reservation system, which started in 2014, also suggests that the hack may have been an espionage effort rather than an act of cybertheft, a former senior Justice Department official told Reuters. “One clue pointing to a government attacker is the amount of time the intruders were working quietly inside the network,” Michael Sussmann, who served in the department's computer crimes section, told Bing. “Patience is a virtue for spies, but not for criminals trying to steal credit card numbers.”
The breach has also prompted calls for action on Capitol Hill. Sen. John Neely Kennedy (R-La.) on Tuesday said he is working on a privacy bill, but he did not specify what the legislation would entail, the Hill's Jacqueline Thomsen and Olivia Beavers reported. “Right now there’s a lot of chopping, but I don’t see any chips flying. Everybody’s talking, but nothing’s moving in terms of legislation,” Kennedy said.
PATCHED: A federal grand jury in Atlanta returned an indictment that accuses two Iranian men of attacking the city of Atlanta with the SamSam ransomware, according to a news release from the U.S. attorney's office for the Northern District of Georgia. Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri already face charges in New Jersey. The indictment “vindicates the City of Atlanta’s interest in ensuring that those responsible for the attacks face justice here as well,” Byung J. “BJay” Pak, the U.S. attorney for the Northern District of Georgia, said in a statement.
The Atlanta attack in March 2018 infected about 3,789 computers that belonged to the city, according to the press release from the U.S. attorney's office. “The Atlanta attack was not a targeted state-sponsored attack,” Ars Technica's Sean Gallagher wrote. “The attackers likely chose Atlanta based on a vulnerability scan. According to the indictment, the attackers offered the city the option of paying six Bitcoin (currently the equivalent of $22,500) to get keys to unlock all the affected systems or 0.8 Bitcoin (about $3,000) for individual systems.”
PWNED: Facebook documents and emails released by a British lawmaker leading a parliamentary probe of the social network shine a light on some of the company's previous deliberations on issues such as user privacy and data collection.
“The emails also suggest the extent to which Facebook users and developers may have been kept in the dark about the company's data-collection practices,” The Washington Post's Elizabeth Dwoskin, Craig Timberg and Tony Romm reported. “Company product managers discussed testing new features to collect call logs on Android smartphones in a way that might have made it harder for users to understand what they were giving away. They debated collecting call log data from users in ways that would bypass the privacy permissions people normally check off when signing up for an app.”
One of the emails released by Damian Collins, the chairman of the British parliamentary committee, shows that Facebook product managers suggested that such practices could elicit public backlash. “This is a pretty high-risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it,” the email said, as quoted by Elizabeth, Craig and Tony.
— “The chief financial officer of China’s Huawei Technologies faces extradition to the United States after she was arrested in Canada, Canadian officials said Wednesday,” The Post's Emily Rauhala and Ellen Nakashima reported. “Meng Wanzhou, a senior executive who is also the daughter of the tech giant’s founder, Ren Zhengfei, was arrested in Vancouver on Dec. 1, according to Canada’s Department of Justice. A bail hearing has been set for Friday.” Emily and Ellen noted that the arrest came as trade tensions continue between Washington and Beijing. “At the heart of the dispute is a White House claim that China violates the rules of global trade through forced technology transfer and cyberwarfare,” my colleagues wrote. “There have been growing calls for the United States to increase its scrutiny of Chinese firms, including Huawei, on the grounds of national security.”
— “Quantum computers with the ability to crack today’s encrypted systems are at least 10 years away from development, according to a report compiled by the National Academies of Sciences, Engineering, and Medicine,” Nextgov's Frank Konkel reported. “However, the report—released Tuesday—makes clear that quantum computers pose a dramatic threat to the encryption that secures today’s networks and computer systems and calls for the development of cryptography immune to quantum computers as fast as possible.”
— “Adobe issued a new patch for a zero-day security vulnerability that exploited a flaw in the company’s Flash Player,” CyberScoop's Zaid Shoorbajee reported. “The flaw, uncovered by researchers from the security vendor Gigamon, was exploitable through Microsoft Word, according to a report published Wednesday. Researchers discovered the vulnerability after a Ukrainian IP address submitted the details to VirusTotal, a malware analysis site, the Gigamon report said. The document was made to look like a job application form for a Russian health clinic, but in fact was meant to deliver reconnaissance malware.”
— “Australia’s parliament on Thursday passed a bill to force tech firms such as Alphabet Inc’s Google, Facebook and Apple to give police access to encrypted data, the most far-reaching such requirements imposed by a western country,” Reuters reported. “The bill, staunchly opposed by the tech giants which fear Australia could be an example as other nations explore similar rules, is set to become law before the end of the year.” Reuters continued: “When it becomes law, Australia will be one of the first nations to impose broad access requirements on technology firms, after many years of lobbying by intelligence and law enforcement agencies in many countries, particularly the so-called Five Eyes nations.”
From the Wall Street Journal's Dustin Volz:
Apple said the bill granted “extraordinarily broad and vague powers” that could compel it to develop custom software to bypass encryption. “The development of such a tool, even if deployed only to one phone, would render everyone’s encryption and security less effective.” — Dustin Volz (@dnvolz) December 5, 2018
From encrypted email service ProtonMail:
As a Swiss company, we are subject to Swiss law, and we do not have the ability to decrypt your messages. — ProtonMail (@ProtonMail) December 4, 2018
— The Syrian Electronic Army “is putting significant resources into an Android spyware tool that can keep constant tabs on a target's mobile life,” Forbes's Thomas Brewster reported, citing research from Kristin Del Rosso and Michael Flossman of the mobile security firm Lookout. Brewster continued: “The malware, dubbed SilverHawk, is being built into fake updates for a variety of security and privacy-focused communications apps, including WhatsApp and Telegram. The SEA also created Microsoft Word and YouTube fakes filled with the SilverHawk spyware in their attempts to hack into Google Android devices.”
- Microsoft President Brad Smith participates in a discussion on facial recognition at the Brookings Institution.
- 2018 Cloud Security Alliance Congress on Dec. 11 through Dec. 12 in ChampionsGate, Fla.