THE KEY

Robert S. Mueller III sounded a warning bell yesterday about Russian efforts to compromise future U.S. elections, but the House lawmakers who grilled him for six hours appeared largely uninterested.

The former special counsel repeatedly warned the two House committees that Russia and other nations are already trying to undermine the 2020 contest. He also urged Congress to step up its efforts to protect the vote from foreign tampering -- and ensure intelligence agencies were steering their resources toward countering that threat.

“Much more needs to be done in order to protect against these intrusions, not just by the Russians but others as well,” Mueller said.

The lawmakers questioning Mueller, however, mostly eschewed his concerns in favor of partisan sniping, steering their questions to Democratic claims that President Trump obstructed justice and Republican claims that the special counsel’s investigation was politically biased against him.

The failure to focus on election security during the hearings reflects a broader impasse between Democratic and Republican lawmakers, who have not passed any significant election security reforms since Russian hackers upended the 2016 contest — with the exception of delivering $380 million for security to states in 2018 with no strings attached. As states demand more cash to upgrade aging voting systems, the deadlock is generally between Democrats who want to impose new security requirements on state election officials and Republicans who are wary of impinging on states' rights to run their own elections.

On the other side of the Capitol, Democratic senators did seize on Mueller's testimony to press Senate Majority Leader Mitch McConnell (R-Ky.) for blocking any of their election security bills from coming up for a vote. 

Here’s Sen. Martin Heinrich (D-N.M.):

And Senate Intelligence Committee vice chairman Sen. Mark R. Warner (D-Va.):

Senate Minority Leader Charles E. Schumer (D-N.Y.) tweeted a rare moment focused on election security during the House hearings, when Rep. Will Hurd (R-Tex.) asked Mueller about Russian attempts to influence the 2016 election.

Mueller replied with a sobering answer: “It wasn’t a single attempt. [They are] doing it as we sit here, and they expect to do it during the next campaign.”

House Intelligence Chairman Adam B. Schiff (D-Calif.) did make somewhat of a closing argument for increasing election security protections, though, ending the day by noting that “the Russians massively intervened in 2016, and they are prepared to do so again in voting that is set to begin a mere eight months from now.”

To protect the nation, Schiff said, “we must make all efforts to harden our elections’ infrastructure, to ensure there is a paper trail for all voting, to deter the Russians from meddling, to discover it when they do, to disrupt it, and to make them pay.”

Here are three other major security takeaways from the day’s hearings:

1. Mueller said accepting dirt on political adversaries from hackers shouldn’t be "a new normal." 

Mueller criticized the Trump campaign for being willing to accept disparaging information on Hillary Clinton and other Democrats from foreign hackers during 2016. “I hope this is not the new normal, but I fear it is,” he said.

At several points, he noted that accepting such dirt could be illegal in certain circumstances.

The comments come after Trump said he would consider looking at information a foreign power provides on his 2020 opponents and may or may not alert the FBI about it. 

2. Encryption got in the way of the Mueller probe. 

The special counsel said his investigation was sometimes stymied by Trump administration officials using encrypted apps such as Signal that either shield communications from warrants or automatically delete them after a specified period.

The revelation, detailed in Mueller’s report, didn’t make much of a splash when it came out, but it could draw more attention in the wake of the Trump Justice Department reinvigorating its push to allow police special access to encrypted apps.

Attorney General William P. Barr charged Tuesday that terrorists are using those apps to secretly plan attacks and that drug smugglers are using them to plan major operations. Here’s more about how encryption affected the Mueller investigation from CNN’s Kevin Collier.

3. WikiLeaks is considered a "hostile intelligence service." 

Mueller was eager to agree with Rep. Mike Quigley (D-Ill.) when he quoted Mike Pompeo, then the CIA director, describing WikiLeaks — which published troves of emails Russia hacked from the Democratic National Committee and Clinton Campaign Chairman John Podesta in 2016 — as a “hostile intelligence service.”

Asked how he responded to quotes of Trump publicly praising WikiLeaks during the campaign, Mueller replied, “Problematic is an understatement in terms of what it displays, in terms of . . . [giving some] hope or some boost to what is and should be illegal activity.”

PINGED, PATCHED, PWNED

PINGED: The Pentagon has tapped Katie Arrington to lead a new cybersecurity office at the agency, Jennifer Jacobs of Bloomberg News reports. Arrington, who lost a bid for a House seat in South Carolina last year, will be the agency's first chief information security officer (CISO).

Numerous federal agencies have appointed CISOs in recent years amid heightened cybersecurity concerns, but despite its size and sensitive operations, the Pentagon had not.

“Our adversaries are increasingly focused on using cyber to reduce the effectiveness of Department of Defense weapon systems, critical infrastructure and supply chain security,” Assistant Defense Secretary Kevin M. Fahey wrote in a memo Wednesday. “Establishment of the CISO is meant to improve our effectiveness in responding to cyber threats.”

Arrington, who was endorsed by Trump in her congressional race, served under Fahey in the acquisitions office at the Pentagon after losing to her Democratic opponent. Arrington comes from a long career in the tech and defense sector and most recently served as vice president of sales at Dispersive Technologies, a cybersecurity company.

PATCHED: Hackers could disrupt and undermine public confidence in elections by compromising "softer targets" such as online election instructions and social media accounts that share vote tallies, according to a new report out of San Mateo County, Calif.

An attack that spread false information from those accounts could tamp down voter turnout or sow distrust among voters even if the election district has secured its most important technology, such as voting machines and voter registration databases, the report authors warn. 

The report comes after a 2010 hack of San Mateo County's election results page and a 2016 compromise of county email accounts. Despite upgrades since those hacks, the report found that local election officials still lacked strong password protection for social media accounts, emails and website log-ins. Recommendations from the Department of Homeland Security emphasize the need for secure communication platforms for election results, but county guidelines did not, the report's authors found.

The report was produced by a “civil grand jury” — a California system in which volunteer jurors investigate and report on concerns related to local government.

PWNED: A Russia-based company sanctioned by the Obama administration for providing spyware used by a Kremlin intelligence agency to interfere with the 2016 election is at it again, according to a report by cybersecurity research firm Lookout.

The malicious Android-based software developed by the Russian defense contractor Special Technologies (STC) infects phones by posing as a legitimate application, including Skype, Signal and PornHub, and then uses that access to steal users’ personal data, passwords and other information. 

Researchers at Lookout only found the surveillance software they call Monokle on a handful of apps, suggesting that the company is targeting a select group of people. Some of the more niche apps Monokle imitated suggest that hackers might be targeting people interested in Islam, people associated with the Uzbek region and those associated with a militant group in Syria.

Obama slapped sanctions on STC as one of three companies that provided material support to Russia's main intelligence agency (GRU) for alleged interference in the 2016 election. Monokle is probably still “being actively deployed,” according to Lookout, and it is possible an iPhone version is on the way. 

None of the apps identified by researchers at Lookout is currently available in the Google Play store, the company told the Hill.

PUBLIC KEY

— Cybersecurity news from the public sector:

A federal judge is considering whether to order Georgia to immediately stop using its outdated voting machines
Kate Brumback | AP
A Senate committee on Wednesday approved legislation designed to lessen the threats posed by altered or manipulated videos known as “deepfakes.”
The Hill
The House quietly passed legislation on July 23 that would expand cybersecurity research and development partnerships between several federal agencies and the government of Israel.
FCW
The law enforcement operation, detailed Wednesday by FBI officials involved in the matter, targeted the Methbot/3ve fraud scheme.
CyberScoop

PRIVATE KEY

— Cybersecurity news from the private sector:

German blue-chip companies BASF, Siemens, Henkel, along with a host of others, said they had been victims of cyberattacks ...
Reuters
Forbes speaks with FaceApp founder and owner Yaroslav Goncharov about his massively popular app and a wild week in which a senator called for his company to be investigated by the FBI.
Forbes
As Internet-connected devices proliferate, chief information security officers worry about how long they are likely to stick around.
Wall Street Journal
Robinhood sent an email to users Wednesday informing them that user credentials were stored in an insecure format inside the company's internal systems.
CyberScoop
The hackers who breached corporate VPN service provider Citrix last year used an unsophisticated technique that throws commonly used, weak passwords at a system until one works, the company’s investigators have confirmed.
CyberScoop

THE NEW WILD WEST

— Cybersecurity news from abroad:

Prosecutors have charged two workers at a cyber security company with terrorism ...
Reuters
Intrusion Truth's previous two exposes -- for APT3 and APT10 -- resulted in DOJ charges. Will this one as well?
ZDNet

CHAT ROOM

Center for Democracy and Technology Senior Technologist Maurice Turner has an idea for how that $5 billion Facebook settlement can be spent: