The Federal Election Commission will vote today on whether lawmakers can use leftover campaign cash to secure their personal tech devices and email accounts against hackers.
The proposal, from Sen. Ron Wyden (D-Ore.), comes amid rising concern that Kremlin-linked hackers are targeting the personal email accounts and other data of lawmakers and their office and campaign staffs. Hacked information from those personal accounts could be used for blackmail or as a jumping-off point to break into email accounts for campaigns, congressional offices or even federal agencies.
More importantly, hackers could strategically release hacked information to upend a political campaign, as Russia did with hacked emails from the Hillary Clinton campaign and the Democratic National Committee in 2016, or to sway a political or policy debate.
The proposal is based on a similar FEC advisory opinion from 2017 that determined members of Congress could use leftover campaign funds to upgrade physical security systems at their homes, such as installing cameras, sensors and locks.
“Given the growing cybersecurity threats posed by foreign governments hacking the personal accounts and devices of elected officials, it is common sense to permit these same funds to be spent on cybersecurity as well,” Wyden told me in an email.
A cybersecurity firm told Wyden’s office this year that one of the Russian government hacking groups that breached the DNC was also targeting the personal email accounts of senators and Senate staff, according to a September letter Wyden sent to Senate Majority Leader Mitch McConnell (R-Ky.), Minority Leader Chuck Schumer (D-N.Y.) and leaders of the Senate Rules Committee. Wyden did not name the cybersecurity company.
The Senate Sergeant at Arms, which helps digitally secure senators’ personal offices, told the targeted senators that it was not allowed to spend appropriated money to help secure personal devices, Wyden said.
That hacking group, which cyber researchers have dubbed Fancy Bear, Pawn Storm and other fanciful names, also created a phony website designed to steal Senate staffers' log-in credentials in 2017, according to a report from the cybersecurity firm Trend Micro.
In advance of the 2018 midterms, Russian hackers also targeted the campaign of Sen. Claire McCaskill (Mo.), the ranking Democrat on the Senate Homeland Security Committee, who has been outspoken about Russian hacking and disinformation efforts during the 2016 election.
The spearphishing campaign targeting McCaskill, who lost her bid for reelection, was also aimed at two other campaigns, according to an official from Microsoft, which discovered the efforts. The executive did not say which campaigns were targeted other than McCaskill’s.
It’s unclear whether those hacking campaigns targeted campaign or personal accounts. Sophisticated hackers who work for national spy agencies will frequently target both professional and personal accounts looking for the weakest link, Thomas Rid, a Johns Hopkins University professor and cyber expert, said in a letter supporting Wyden’s proposal.
“Personal accounts are often much softer targets because the user determines the security settings, not cybersecurity professionals,” Rid said.
Wyden’s proposal would allow only lawmakers to use leftover campaign funds for personal cybersecurity — not their staff or families. The senator plans to introduce legislation in the next Congress to help secure congressional staffers’ personal devices, a Wyden aide told me.
Some of the tools senators could buy with campaign funds include dedicated secure cellphones and computers that aren’t shared with family members, secure routers that automatically update, and password manager tools that automatically apply complex and random passwords for websites, according to the proposal.
The funds could also pay for consultations with cybersecurity companies or emergency response after a senator’s personal device or network is breached.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Assistant Attorney General John Demers told lawmakers that China's strategy to become the world's leader in technology can be summed up with the words “rob, replicate and replace,” as The Washington Post's Ellen Nakashima reported. “Rob the American company of its intellectual property. Replicate the technology. And replace the American company in the Chinese market and one day in the global market,” Demers said during a Senate Judiciary Committee hearing on “China’s Non-Traditional Espionage Against the United States.”
E.W. “Bill” Priestap, head of the FBI's counterintelligence division, said that China's economic espionage, theft of technology and efforts to influence American society represent “the most severe counterintelligence threat” against the United States, Ellen reported. “The lawmakers expressed concern about the Chinese government’s reported efforts to finance Chinese nationals’ work or study in the United States and then pressure them to use their access to obtain research that would be of strategic value to China,” my colleague wrote. “Priestap said the bureau has worked ‘thousands’ of complaints and investigations about such activity.”
PATCHED: Sen. Kamala D. Harris (D-Calif.) introduced a bill to help curb economic and industrial espionage. Harris's bill, titled Deterring Espionage by Foreign Entities through National Defense Act, would alter provisions of the Economic Espionage Act (EEA) to cover a wider range of offenses that may be committed outside the United States, such as hacking and cybercrime, according to a news release from Harris. “As foreign agents develop increasingly sophisticated methods of stealing American intellectual property and trade secrets, we must strengthen the tools Americans can use to respond to this growing threat and take steps to secure our economy,” Harris said in a statement.
The bill's provisions include raising punitive damages available for victims under the EEA, extending the statute of limitations for civil actions and widening the scope of the EEA to cover offenses committed abroad that cause “substantial” economic harm in the United States, according to Harris's news release. Harris said U.S. laws should “provide a strong deterrent to committing these acts in the first place.”
PWNED: Relying on data collected by the cybersecurity group Certfa, the Associated Press’s Raphael Satter reported that hackers tied to the Iranian government sought to penetrate the private emails of more than a dozen U.S. Treasury officials. The hacking group, nicknamed Charming Kitten, also targeted people who were involved in the Iran nuclear deal, Arab atomic scientists and other targets generally via phishing attempts. “An analysis of Certfa’s data shows the group targeted at least 13 U.S. Treasury employees’ personal emails, including one belonging to a director at the Financial Crimes Enforcement Network, which fights money laundering and terror financing, and one used by the Iran licensing chief at the Office of Foreign Asset Control, which is in charge of enforcing U.S. sanctions,” Satter wrote. “But a few employees’ LinkedIn profiles referenced back office jobs or routine tax work.”
The AP reported the hacking group “mistakenly left one of its servers open to the internet last month,” allowing Certfa researchers to retrieve a list of 77 Gmail and Yahoo addresses that Charming Kitten was targeting. “One of Charming Kitten’s targets was Andrew J. Grotto, whose tenure on the U.S. National Security Council straddled the Obama and Trump administrations and who has written about Iran’s nuclear ambitions,” according to Satter. “Jarrett Blanc, the State Department coordinator responsible for the implementation of the nuclear deal under Obama, was also on the list.”
— China is “conducting espionage and influence operations here in the United States,” Secretary of State Mike Pompeo told Fox News Channel on Wednesday. In an interview on “Fox & Friends,” Pompeo also said that “our relationship with China is a challenging one” and called the country a “strategic competitor” to the United States. “They have committed cyberattacks across the world,” Pompeo said. “Our effort, from the Department of Homeland Security and the FBI and the State Department, is to push back against these threats to America from China.”
— McCaskill said she does not expect a bill she introduced with Sen. James Lankford (R-Okla.) to help identify supply-chain risks in the federal government will pass in this Congress, the Hill's Jacqueline Thomsen reported. The bill would establish a Federal Acquisition Security Council to help spot and prevent supply-chain threats when government agencies purchase IT equipment. McCaskill said she does not “know if there's going to be a chance to work on that before the end of Congress,” as quoted by the Hill.
— Hackers impersonating an employee of Save the Children Federation tricked the charity into sending almost $1 million abroad last year, the Boston Globe's Todd Wallack reported. The nonprofit organization sent the money to Japan after hackers penetrated a staffer's email and created false invoices. “By the time the nonprofit realized it had been defrauded, it was too late to stop the transfer,” Wallack wrote. “But Save the Children Federation, the US affiliate of the international relief organization, said it recouped all but $112,000 through insurance and tightened its security after discovering the theft in May 2017, according to a recent filing with the Internal Revenue Service.”
Since the scam occurred, Save the Children Federation has shored up its computer systems and enacted measures to ensure that “someone confirms all new vendors and bank account instructions via phone,” according to the Globe. In another instance, the organization sent $9,210 to a bank account in Africa after a hacker compromised a vendor's email and gave the charity a phony account number, but Wallack reported that the nonprofit group was able to recover almost the full amount.
— “A hack on Italian oil services firm Saipem that crippled more than 300 of the company’s computers used a variant of the notorious Shamoon virus, Saipem said, a development that links the case to a massive attack in 2012 on Saudi Aramco,” Reuters's Stephen Jewkes and Jim Finkle reported. Reuters added the “Shamoon virus was used in some of the most damaging cyber attacks in history, starting in 2012 when it crippled tens of thousands of computers at Saudi Aramco and RasGas Co Ltd in the Middle East - attacks that cybersecurity researchers said were conducted on behalf of Iran.”
— Researchers at the cybersecurity company McAfee said they spotted a hacking campaign targeting defense and government organizations. “The report said that between October and November, the cybercriminals targeted individuals at 87 companies using social media, sending them messages disguised as recruitment campaigns to get them to open a malicious document,” CNBC's Ryan Browne reported. “Once opened, another program called ‘Rising Sun’ was installed, opening a ‘backdoor’ portal that gave hackers the ability to extract intelligence and send it on to a control server. Attackers gained access to usernames, IP addresses, network configuration and system settings data.” McAfee researchers called the hacking campaign “Operation Sharpshooter.”
- The Federal Election Commission holds an open meeting.
- The House Intelligence Committee holds a business meeting.