THE KEY

Top government cybersecurity officials are worried that ransomware, which has wreaked havoc by locking up the computer networks of businesses, schools and police stations, could be used to sow chaos during the 2020 election.

Perhaps most damaging of all would be if hackers used ransomware — an attack disabling an organization's computers and encrypting its data — to lock up a state’s voter registration database in the days before an election. That would prevent local election officials from verifying that people are voting where they’re supposed to, Chris Krebs, the top cybersecurity official at the Homeland Security Department, said yesterday.

Krebs’s organization, the Cybersecurity and Infrastructure Security Agency, is launching a major initiative, first reported by Reuters last week, to ensure those databases are protected against ransomware.

The organization is also contacting more than 8,000 election jurisdictions and urging them to take basic cybersecurity measures to ensure their other election infrastructure is as secure as possible, he said.

“We're not going to let the Russians come back. We're not going to let the Chinese, we're not going to let the Iranians,” Krebs said. “We're going to be ready. We're working every day on this problem set.”

A ransomware attack could conceivably throw the results of the 2020 presidential election into question and spark deep distrust in the results — without the attackers hacking any voting machines or changing any votes.

Krebs described that as a “worst-case scenario” in a speech at the Billington Cybersecurity Summit. The danger is particularly grave because voter registration databases were targeted by Russian hackers in 2016, according to the report by former special counsel Robert S. Mueller III, and are the piece of election infrastructure most likely to be connected to the Internet.

About half of states have signed up for DHS to scan their voter registration databases to ensure they’re as secure as possible against ransomware, Krebs told reporters on the sidelines of the cybersecurity conference. In some other cases, those states are getting the same cybersecurity scans but from private security companies, he said.

He described the initiative as part of a broader DHS effort to evolve from the 2018 election — when the department focused primarily on helping state and local election agencies achieve basic digital protections against hacking — to envisioning and protecting against what attackers might do next in 2020.

“We are trying to look at, given what we know today … what’s the worst-case scenario a year from now?” he said. “How could things get worse? That’s what we’re trying to get ahead of.”

Hackers who target businesses and state and local government agencies with ransomware have generally unlocked the victims' files after they paid a ransom, but there’s no guarantee that attackers targeting voter registration databases would do the same — especially if their real goal was to undermine the election rather than to make money.

Ransomware attacks have also grown substantially in recent years as hackers see how lucrative they can be. An August report from the cybersecurity company McAfee Labs found the attacks had increased more than 100 percent over the previous year. 

“Ransomware is not a problem that's going away,” Krebs said. “Every time a company, an agency or jurisdiction or whatever pays [a ransom] out, it just validates the model.”

During a separate cybersecurity conference yesterday, FBI Deputy Assistant Director Tonya Ugoretz urged ransomware victims never to pay ransoms, saying it would encourage more such attacks and could fund other nefarious activities.

PINGED, PATCHED, PWNED

PINGED: Paige Thompson, the hacker who was charged in a data breach that compromised the personal information of about 106 million Capital One bank customers, has pleaded not guilty to all charges, Jeff Stone at CyberScoop reported.

Thompson may have also stolen data from more than 30 other companies, according to court documents, but the documents don’t name those companies. Amazon Web Services, Thompson's former employer that provided cloud storage to the allegedly hacked companies, told Sen. Ron Wyden (D-Ore.) that it was not aware of breaches of any other customers. (Amazon founder Jeff Bezos owns The Washington Post.)

In addition to stealing victims’ data, federal prosecutors are alleging that Thompson used the hacks to harness the companies' computing power to mine for cryptocurrency. Thompson could face up to 25 years in prison on one count of computer fraud and abuse and one count of wire fraud.

PATCHED: A coalition of 26 moderate House Democrats sent leadership in both chambers of Congress a letter yesterday urging them to take immediate action to bring election security legislation up for a vote.

House Democrats have passed legislation requiring voting systems to use paper ballots and authorizing $600 million in election security funding to states, but Senate Majority Leader Mitch McConnell (R-Ky.) has blocked the measures.

“In a divided government, the only way we can accomplish this vital task is to put politics aside and pursue bipartisan solutions that can pass a Democratic-led House and a Republican-led Senate, and go to a Republican President’s desk for a signature,” wrote the co-chairs of the Blue Dog Coalition and its task force on national security.

Also yesterday, Senate Minority Leader Charles E. Schumer (D-N.Y.) listed “greater action to deter Russia and secure our elections ahead of 2020, including votes on bipartisan election security legislation and new funding in the 2020 appropriations process” as one of five major priorities for this fall in a letter to colleagues.

PWNED: After failing to negotiate down a hacking group’s ransom request for more than $5 million in bitcoin in exchange for unlocking its computer systems, the city of New Bedford, Mass. reversed course and managed to restore its services on its own, StateScoop’s Benjamin Freed reports.

The city initially offered hackers $400,000, a number closer to other ransoms the hacking group has collected in recent months. The Ryuk group — named for the ransomware it uses — has collected as little as $100,000 from a public school district in New York and as much as $600,000 from Riviera Beach, Fla. The original $5 million demand would have been among the highest-known hacking ransoms ever collected.

PUBLIC KEY

— Cybersecurity news from the public sector:

Companies that make voting machines and election systems have given the Homeland Security Department access to engineering details and operations so the U.S. can identify potential vulnerabilities hackers might exploit heading into the 2020 election, a department official said.
Bloomberg

The Defense Department's Cybersecurity Maturity Model Certification framework is ready for public comment.
Federal Computer Week

Despite the ransomware rampage, survey finds citizens unwilling to pay for local fixes.
Ars Technica

A potential Lawfare piece from New Year’s Day 2021, following a not-quite-worst-case scenario of election interference.
Lawfare Blog

PRIVATE KEY

— Cybersecurity news from the private sector:

Facebook Inc is teaming up with Microsoft Corp, the Partnership on AI coalition ...
Reuters

Hackers have been targeting regular people and celebrities with the attack. Last week, it was used to hijack the Twitter account of Twitter’s C.E.O.
The New York Times

An exposed web server storing résumés of job seekers — including from recruitment site Monster — has been found online.
TechCrunch

The trackers, advertised for children and the elderly, are being used in the US, Europe and elsewhere. And they've got some serious security issues.
CNET

THE NEW WILD WEST

— Cybersecurity news from abroad:

Hackers working for the Chinese government have broken into telecoms networks to track Uighur travelers in Central and Southeast Asia, two intelligence officials and two security consultants who investigated the attacks told Reuters.
Reuters

CHAT ROOM

The cryptocurrency media lit up recently after a Forbes contributor reported that NASA was developing a “quantum cryptocurrency.” The only problem was that the article, now taken down, was based on a tweet by Bloomberg reporter William Turton, which reported that the NSA -- not NASA -- is working on developing “quantum resistant crypto” … meaning “cryptography.”

Forbes quickly removed the article, but as CNN's Kevin Collier pointed out, the damage was done.

For what it's worth, quantum-resistant cryptography refers to encryption that's complex enough to withstand the code-breaking power of a new generation of super-powerful quantum computers that are currently being developed. Government agencies, academics and international standards bodies have been working on the problem for quite some time.