THE KEY

House Republicans’ campaign arm is set to offer hands-on cybersecurity assistance to GOP candidates to help protect them against foreign hacking operations, National Republican Congressional Committee officials exclusively told The Cybersecurity 202.

The plan, which will be announced today, will include flying out the NRCC’s technology team to candidates’ districts to train their staff to spot suspicious emails and websites, ensure all their software is patched against bugs and set them up with a suite of free anti-hacking tools, NRCC officials told me.

The committee will also buy campaigns subscriptions for a cybersecurity company that will monitor and respond to suspicious activity on their computer networks, they said. The NRCC declined to name the company but a person familiar with the plan told me it was CrowdStrike, which helped the NRCC respond to a breach of its computer networks in 2018.

The NRCC program, which will be announced at a regular weekly meeting of the House Republican Conference, shows how hacking concerns are motivating candidates up and down the ballot as they gear up for the second election cycle since a Russian hacking and disinformation operation upended the 2016 presidential contest. 

“We take [cybersecurity] threats seriously and want to ensure that all Republicans running for Congress can say the same,” NRCC Chairman Tom Emmer (Minn.) told me in a statement. 

He added that House campaigns “seldom have the resources necessary” for all the cyber protections they need and that it’s important that the NRCC help fill those gaps.

The Republicans' initiative comes as the Department of Homeland Security is trying to surge its efforts to help campaigns defend their digital networks and as private organizations are rushing to offer campaigns low-cost or free cybersecurity help. And it could increase the pressure on Democrats to up their game and create a more formal mechanism to help campaigns directly. After the 2016 contest, the Democratic National Committee created a cybersecurity checklist for campaigns but offers far less hands-on assistance. 

One thing the Republican program will not address: Whether campaigns should use hacked information about their opponents provided by foreign powers, the officials said. That issue has dogged Republicans since President Trump said in June that he might accept such material and might not alert the FBI about it.

“We want to focus on campaigns not getting hacked in the first place,” one official told me.

The cybersecurity services will be available immediately to House GOP incumbents and to other Republican nominees after they’ve won their party’s primaries, officials told me. NRCC officials don’t have an estimate for how much the program will cost — partly because they don’t know how many House candidates will sign up — but they’re prepared to spend a substantial amount, they said.

“It’s become more and more critical. It’s like putting bars on the windows, and every campaign needs to have bars on the windows,” one official said. The officials spoke on the condition of anonymity to speak freely and in detail about the program that has not yet been announced.   

The anti-hacking program was partly spurred by the NRCC’s own experience being hacked in 2018, about seven months before the midterm elections, they said. That breach drove home that sophisticated hackers could penetrate computer networks even if an organization had strong digital protections in place — and the NRCC’s protections probably were far stronger than the average House campaign’s, they said.

The officials declined to provide additional details about that breach, which compromised an unknown number of committee email accounts and has not been tied to any particular nation-state or hacking group.

The breach came about two years after Russia hacked email accounts belonging to the DNC and Democratic Congressional Campaign Committee and leaked many of their findings in an effort to damage Hillary Clinton’s campaign and aid Donald Trump.

Among other services, the NRCC plans to help campaigns supply their staffers with password managers and two-factor authentication systems for websites and apps. Password managers automatically create complex and hard-to-crack passwords, and two-factor authentication systems require users to identify themselves with something in addition to a password, such as a unique SMS code.

PINGED, PATCHED, PWNED

PINGED: WikiLeaks founder Julian Assange turned the Ecuadoran Embassy “into a command center” to interfere with the 2016 U.S. election, according to a review compiled by a surveillance company for the Ecuadoran government and obtained by CNN's Marshall Cohen, Kay Guerrero, and Arturo Torres.

The report offers a detailed timeline that seems to bolster allegations by U.S. special counsel Robert S. Muller III that Assange worked with the Russian government in distributing hacked information to influence the 2016 presidential election.It concludes there is “no doubt that there is evidence' that Assange had ties to Russian intelligence agencies."

Leading up to the election, Assange “met with Russians and world-class hackers at critical moments, frequently for hours at a time,” CNN reports. He also managed several of the WikiLeaks dumps of hacked information from the embassy. The month of the first hack against the Democratic National Committee, Assange received more than 75 visits, including from a hacker later flagged in the Mueller report. It’s unclear whether Mueller had access to the Ecuadoran intelligence.

Assange is imprisoned in the United Kingdom, where he is awaiting extradition to the United States on more than a dozen criminal charges, including violating the U.S. Espionage Act.

PATCHED: The Environmental Protection Agency has weak cybersecurity protections that leave the agency at heightened risk of hacking, according to a report released Monday by the agency's top watchdog. Investigators claimed that the agency did not adequately protect people's personal information and didn't enforce strong password requirements that could prevent hackers from breaching the agency's computer systems.

Investigators also flagged that the agency was vulnerable to “unauthorized access” by hackers because it had no process in place to verify that users accessing data had permission to do so.  

The new warnings follow a May audit that also slammed the agency for failing to track or fix cybersecurity vulnerabilities it already knew about. The agency is still working to implement changes to address those concerns, according to the new report.

PWNED: Hackers associated with a Russian intelligence agency are again looking to compromise billionaire Democratic funder George Soros, Kevin Poulsen at the Daily Beast reports. Russian hackers also targeted Soros's Open Society Foundations in 2016 in an attempt to discredit Democrats leading up to the presidential election.

Last month Microsoft shut down a phony website registered by a Russian hacking group attempting to trick Open Society Foundation employees into giving hackers their login information and other sensitive company data, Poulsen reports. The cybersecurity firm ThreatConnect also found four other domains registered at the same time that appear to target Soros’s foundation, Poulsen reports. 

Open Society Foundations’ chief communications officer Laura Silber confirmed to Poulsen that she was “aware of an attack,” but didn’t provide any additional information as to what hackers may have been after. 

PUBLIC KEY

— Cybersecurity news from the public sector:

Sen. Ron Wyden (D-Ore.) is demanding answers from the Election Assistance Commission (EAC) as to how the federal agency plans to secure election equipment amid reports that most machines depend on software that will soon be out-of-date and vulnerable to cyber attacks.
The Hill
Officials in La Porte County agreed to pay up to alleviate the pain from an attack that affected two domain controllers, knocking network services offline.
CyberScoop
The House passed legislation by voice vote on Monday intended to increase cybersecurity at the Small Business Administration (SBA) and separately approved a bill to help small businesses defend against cyber attacks.
A Republican lawmaker on Monday introduced legislation to boost the presence of ...
Reuters
The cyber agility framework can help organizations better understand the effectiveness of their cybersecurity efforts.
Federal Computer Week
PRIVATE KEY

— Cybersecurity news from the private sector:

Cybersecurity firm Symantec found an exploit that could allow WhatsApp and Telegram media files to be exposed and manipulated by malicious actors.
Venture Beat
Turla was found to reference Trump Tower and "RocketMan," the latter a reference to President Donald Trump's nickname for North Korean leader Kim Jong Un
THE NEW WILD WEST

— Cybersecurity news from abroad:

A UK parliamentary committee has concluded there are no technical grounds for excluding Chinese network kit vendor Huawei from the country’s 5G networks. In a letter from the chair of the Science & Technology Committee to the UK’s digital minister Jeremy Wright, the committee says: …
Tech Crunch
Information Commissioner's Office intends to fine airline for “poor security arrangements” - British Airways says it's “surprised and disappointed” by planned penalty.
ZDNet
SOFIA, Bulgaria (AP) — Bulgarian officials say unidentified hackers have stolen the personal details of millions of people from Bulgaria's national revenue agency and note a possible Russian link...
ZERO DAYBOOK

Coming up:

  • The Aspen Security Forum takes place July 17-20 in Aspen, Colorado