Once-wonky security proposals are now applause lines with voters. Take Sen. Kamala Harris (D-Calif..), who made a shift to paper ballots a key talking point at a breakfast this week in New Hampshire: "Going back to the future, the best and smartest way to conduct voting: paper ballots. Because Russia can’t hack a piece of paper.” The crowd erupted in approval.
And Sen. Amy Klobuchar (D-Minn.) made the case for upgrading voting machines at a town hall in New Hampshire this week: Cyber "is the next arena for warfare. We're already seeing it right now," she said. "And just to give you an example, the bill that I had to upgrade our election equipment cost literally -- bipartisan bill -- 3 percent of one aircraft carrier." In fact, all six U.S. senators that threw their hats in the ring for the Democratic nomination have co-sponsored bills aimed at protecting election systems against Russian hackers.
All this is a major shift from 2016, when cybersecurity issues, such as terrorists’ use of encrypted communications, played only a minor role in the presidential primary campaign. Key candidates, including Democratic nominee Hillary Clinton, were never forced to take a firm position on them.
But the fact that they are talking about it now now is a sign Democrats think a strong cybersecurity position is, at least in part, necessary to win. It's also perhaps the most telling sign yet that cybersecurity is now an accepted, mainstream national issue.
“This is an issue people understand. It’s their vote. It goes to their core as Americans,” Melanie Teplinsky, a former White House and NSA official, told me.
Compare that to the debate over end-to-end encryption, which gained national prominence during the 2016 contest when Apple fought an FBI request to help it crack into the iPhone used by San Bernardino, Calif., shooter Syed Farook.
That issue involved a difficult balance between law enforcement’s desire to access encrypted information from terrorists and criminals, and privacy and security advocates' concerns that law enforcement back doors into encryption could also be exploited by malicious hackers, Teplinsky noted.
In other words: There was no clear win for a politician who took a stand on the issue.
In the encryption case, Trump characteristically threw caution to the wind, calling for a national boycott of Apple. Clinton, equally characteristically, avoided taking a position. In an interview before the Apple-FBI standoff, she described the encryption debate only as a “classic hard choice.” But, neither made the topic a major campaign issue.
And in Congress, there was big security legislation on the table. The 2015 Cybersecurity Information Sharing Act gave companies legal cover to share cyberthreat information with the government. But it played almost no role in the campaign.
“Most other cyber topics … are technical issues where people’s eyes glaze over,” Teplinsky said. “Election security is different. It’s really quite simple.”
Election security is also an easy issue on which to attack Trump. He declined to blame Russia for hacking the Democratic National Committee and the Clinton campaign before the election — despite intelligence agencies’ conclusion that Russia was responsible — and has wavered on the question since then.
And it's popular with the base. Just over half of Americans are confident the federal government is making serious efforts to secure election systems, according to an October Pew study, and Democrats (43 percent) are far less confident than Republicans (72 percent).
Yet election security can also be a controversial topic, especially when officials get into the nitty-gritty of the kind of mandates the federal government should impose on states — which are constitutionally responsible for elections — in exchange for money to secure systems.
Democratic candidates probably will be forced to take hard positions on election security during the campaign, Suzanne Spaulding, a former top Homeland Security Department cyber official, told me. That includes whether the federal government should require states to use paper ballots rather than machines that record votes digitally and are more vulnerable to tampering, she said.
But it's clear presidential contenders so far see it as a pressing challenge -- beyond the politics. Klobuchar at the town hall described protecting elections from Russian interference as one of the most urgent foreign policy issues facing the nation along with modernizing the military and restoring an Obama-era agreement that prevented Iran from developing a nuclear weapon.
Harris and Klobuchar are co-sponsors of the Secure Elections Act, the bipartisan election security bill that came closest to passing last Congress. They’re expected to reintroduce that bill soon along with Republican sponsor James Lankford (R-Okla.).
Other Democratic candidates and independent Bernie Sanders (Vt.) have been less outspoken about election security since their campaign announcements, but all have records condemnding Russian interference in the 2016 campaign and urging congressional funding to shore up state and local election systems.
Sanders, Kirsten Gillibrand (N.Y.), Elizabeth Warren (Mass.) and Cory Booker (N.J.) were all co-sponsors of a separate election security bill, the Protecting American Votes and Elections Act, last Congress — as was Harris.
The PAVE Act went further than the Secure Elections Act by mandating that states use paper ballots in exchange for election security funding, but it didn’t win Republican supporters.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: British cybersecurity officials said Chinese telecommunications giant Huawei hasn't remedied “serious” engineering issues as the United States seeks to convince allies to prevent the company from building their 5G networks, The Washington Post's Ellen Nakashima reported. The engineering problems could put British civilian networks at risk of compromise. “Last year we said we found some worrying engineering issues,” Ian Levy, technical director of Britain’s National Cyber Security Center (NCSC), said during a media call, Ellen reported. “As of today, we have not seen a credible plan [to address the issue]. That’s the reality of the situation, unfortunately.”
While the United States has warned allies against letting Huawei be involved in their 5G networks, Britain hasn't made a decision yet on the matter. But Ciaran Martin, the NCSC's chief executive, said during a speech in Brussels that Britain has "strict controls for how Huawei is deployed. It is not in any sensitive networks — including those of the government. . . . Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei,” Martin said, according to my colleague.
PATCHED: Pennsylvania could be the only swing state with some voting machines that don't include auditable paper backups in the 2020 elections unless the state replaces its voting equipment in time, Pennsylvania's acting secretary of state said, according to the Associated Press's Marc Levy. Pennsylvania is among 13 states where some or all voting machines still lack a paper backup, which voting security experts say raises concerns about undiscovered tampering.
“Almost all, if not every single one of those 13 states will be upgrading by 2020,” Pennsylvania acting secretary of state Kathy Boockvar told state senators, according to the AP. “So if we don’t, we will certainly be the only swing state, if not the only state, left in the country without a voter-verified paper trail. It’s not a position that I think any of us at the county, state or federal level want to be in.”
But some senators expressed skepticism as Boockvar made the case for new machines. “We have a rush to 2020,” state Sen. Bob Mensch (R-Montgomery) said, according to the AP. “We have a huge expense to our taxpayers, we have vendors who are using excessively high interest-rate proposals, we have governments that don’t have a way to pay for these and we have no example, none, of a real legitimate issue.”
PWNED: PayPal, until recently, was processing payments for companies that sell software people can use to spy on their spouses or partners, according to Motherboard's Joseph Cox and Lorenzo Franceschi-Bicchierai. Those spyware companies include TheTruthSpy, Spy Master Pro, FlexiSpy and HelloSpy. HelloSpy, once installed, "can sweep up all sorts of information and present it in a web browser for the stalker to scroll through,” according to Motherboard. “That includes tracking its GPS location, reading text messages and browsing history, seeing the device’s call history, and even remotely activating the device’s microphone, according to HelloSpy’s website.”
PayPal shut down HelloSpy's account after Motherboard contacted the online payment service. Cindy Southworth, executive vice president and founder of the Safety Net Technology Project at the National Network to End Domestic Violence, commended PayPal for cracking down on HelloSpy. “I applaud PayPal for booting a product that is designed and advertised to commit the crime of stalking and harms countless victims of domestic violence,” Southworth said in an email to Motherboard.
— Cybersecurity and Infrastructure Security Agency Director Christopher Krebs said the Department of Homeland Security has launched a pilot program to test in a laboratory machines from election equipment vendors for vulnerabilities, Politico reported.
— Disinformation efforts are targeting several candidates or potential contenders for the Democratic nomination for the 2020 presidential election, Politico's Natasha Korecki reported. Some signs suggest that part of the disinformation efforts are coordinated and are similar to the Russian troll farm Internet Research Agency's tactics, but this activity has not been definitely attributed to specific actors. Moreover, not all of those disinformation efforts are the result of a coordinated effort. "The goal of the coordinated barrage appears to be undermining the nascent candidacies through the dissemination of memes, hashtags, misinformation and distortions of their positions," Politico reported.
— Vermont Chief Information Officer John Quinn directed executive branch agencies in the state to rid themselves of any products from Russian cybersecurity firm Kaspersky Lab and the Chinese firms Huawei and ZTE, StateScoop's Benjamin Freed reported. “The ever-evolving nature of cyber threats has continued to prove that the State of Vermont and the valuable data that we hold for our citizens is a priority target for cyber criminals and hackers alike,” Quinn said in a memo to the agencies, according to StateScoop.
— Several hacking groups are behind the Ryuk ransomware, but it is unlikely that hackers linked to North Korea are among them as had been suggested, according to a report from McAfee and Coveware. Instead, the groups behind the ransomware have ties to one of the post-Soviet republics, according to the researchers. “By now it should be without question that involvement of the DPRK is the least likely hypothesis,” the report said, referring to the Democratic People's Republic of Korea. The Ryuk ransomware was used in cyberattacks against several newspapers’ computer systems late last year.
“In the last seven months Ryuk has proven to be a highly profitable form of ransomware, despite the poor programming behind it and its decryptor,” the report said. “The criminals have proven to be ruthless and several of their victims were forced to wind down their businesses after they were unable to afford the exorbitant ransom.”
— More cybersecurity news from the private sector:
— Uber fixed a bug spotted by security researchers that could have made it possible for hackers to seize trip receipts and invoices, TechCrunch's Zack Whittaker reported. “In a blog post, Anand Prakash and Manisha Sangwan explained that a vulnerable developer endpoint on Uber’s back-end systems — since locked down — was mistakenly spitting back client secrets and server tokens for apps authorized by the Uber account owner,” TechCrunch reported.
— More news about security incidents:
- Senate Commerce Committee hearing on “policy principles for a federal data privacy framework” on Feb. 27.
- The Atlantic Council holds a discussion on “operationalizing cyber strategies” on Feb. 27.
- The Center for Strategic and International Studies holds an event on “China's pursuit of semiconductor independence” on Feb. 28.
- The Center for Strategic and International Studies holds an event on “digital governance and the pursuit of technological leadership” on March 4.
How QAnon, the bizarre pro-Trump conspiracy theory, took hold in right-wing circles online:
“We’re the cool kids”: Here’s people enjoying the snowstorm around D.C.
Samsung’s new Galaxy S10 has twists in the screen to make other smartphones seem dated: