Numerous state election offices aren’t patching their computer systems against known digital attacks and rely heavily on outdated, weak software, the report from the cybersecurity company NormShield found. They're not fully protecting their websites against attacks or taking technical steps that would help prevent hackers from impersonating employees over email. And employee emails and passwords have leaked online.
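The "technical steps" against e-mail impersonation referred to above are, in practice, the SPF and DMARC records a domain publishes in DNS; the report's exact checks are not reproduced on this page, so treating those two records as the relevant controls is an assumption. The grader below is an added example written for this page, not NormShield's tooling, and the record strings and domain names in it are constructed samples rather than any real office's records. It reads an SPF and a DMARC record string for a domain and reports whether a receiver would actually be told to refuse spoofed mail, the gap a `p=none` or `+all` setting leaves open.

```python
"""Grade a domain's anti-spoofing DNS policy from its SPF and DMARC records.

Added example, not part of the NormShield report. Record strings are
constructed samples; no DNS lookups are performed, so it runs offline.
"""


def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_spf(record):
    """Return (grade, reason) for an SPF TXT record string; None means no record."""
    if record is None:
        return ("fail", "no SPF record: any host may claim to send for this domain")
    if not record.lower().startswith("v=spf1"):
        return ("fail", "not an SPF record")
    terms = record.split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        return ("fail", "'+all' authorises every sender, so SPF adds nothing")
    if last == "?all":
        return ("weak", "'?all' is neutral: spoofed mail is treated as unverified, not rejected")
    if last == "~all":
        return ("ok", "'~all' soft fail: spoofed mail is flagged but usually still delivered")
    if last == "-all":
        return ("good", "'-all' hard fail: unauthorised senders are rejected")
    return ("weak", "no terminal 'all' mechanism; default result is neutral")


def grade_dmarc(record):
    """Return (grade, reason) for a DMARC TXT record string; None means no record."""
    if record is None:
        return ("fail", "no DMARC record: receivers are never told to reject spoofed mail")
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ("fail", "malformed DMARC record")
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return ("weak", "p=none only monitors; spoofed mail is still delivered")
    if policy == "quarantine":
        return ("ok", f"p=quarantine applied to {pct}% of failing mail")
    if policy == "reject":
        if pct < 100:
            return ("ok", f"p=reject applied to only {pct}% of failing mail")
        return ("good", "p=reject: mail failing authentication is refused")
    return ("fail", "missing or unknown p= tag")


def grade_domain(spf, dmarc):
    """Overall grade is the weaker of the two; a domain is only as hard to spoof as its weakest control."""
    order = ["fail", "weak", "ok", "good"]
    spf_grade, spf_why = grade_spf(spf)
    dmarc_grade, dmarc_why = grade_dmarc(dmarc)
    overall = order[min(order.index(spf_grade), order.index(dmarc_grade))]
    return overall, spf_why, dmarc_why


# Constructed sample records (hypothetical domains, not real election-office records).
SAMPLES = {
    "weak.example": ("v=spf1 include:_spf.example.net ?all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "none.example": (None, None),
    "good.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                     "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@good.example"),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        overall, spf_why, dmarc_why = grade_domain(spf, dmarc)
        print(f"{domain}: {overall}\n  SPF:   {spf_why}\n  DMARC: {dmarc_why}")
```

To run this against a live domain you would fetch the TXT records for `example.gov` and `_dmarc.example.gov` with a resolver and pass the strings in; the grader deliberately does no lookups itself. The "weak" verdict for `p=none` is the point: a domain can publish both records and still let every spoofed message through, which is why "has SPF/DMARC" alone is not a useful check.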
Any one of those vulnerabilities could be the weak spot that allows hackers to compromise a swath of election systems — especially since several states with the worst security practices were swing states, the company's Chief Security Officer Bob Maley told me. He declined to disclose how specific states fared at this time.
The report could be ammunition for Democrats — and states who want more cash — in the election security debate in Washington. Democrats are pushing to commit $1 billion in additional money to help state officials ensure Russia or another U.S. adversary does not disrupt the election, but face staunch opposition from Senate Majority Leader Mitch McConnell (R-Ky.) who has balked at the idea of imposing security mandates on states.
Much of the election security debate so far has focused on the security of voting machines and election night infrastructure, such as electronic poll books and voter registration databases. The NormShield report's findings, however, shed light on how there's a broader ecosystem of computer systems and digital accounts that could put elections at risk.
That ecosystem needs to be protected because hackers often gain access to an organization’s most valuable systems and data by first breaking into something that’s lower value and less protected, Maley told me — such as a public-facing website or employee email account. As an example, he pointed to the 2013 Target breach in which hackers stole the information of more than 40 million customers by first hacking into the retailer’s heating and air conditioning vendor.
“Bad actors, whether it's nation-states or criminals, they know those keys to the kingdom, those essential assets are usually extremely well protected,” Maley told me. “So, they’re going to look for other ways to get to those assets … Once you're inside the castle, then traversing from one section to another is much easier.”
The report is based entirely on information that’s available on the public Internet, so the vulnerabilities probably are also known to hackers in Russia and elsewhere who are interested in compromising the 2020 election, Maley told me.
NormShield prepared the first version of its report in July and shared it privately with state election offices and urged them to make fixes. By the time the company prepared the current report in late August, researchers found 14 of the states had significantly improved their protections.
According to the report, 13 of those states moved from an overall letter grade of C to B and one state — which Maley told me is a swing state — rose from a D to a B.
There are still 13 states at the C level, though, and several of them are swing states — where hackers could do the most damage by undermining election efforts, Maley noted.
NormShield plans to publish another report next month in which it will actually name which states have low grades. It plans to continue publishing those reports until the 2020 election, Maley told me.
“I don’t think we’re ever going to stop election interference attempts, but, by securing this infrastructure, we can do better at blocking them,” he said.
PINGED, PATCHED, PWNED
PINGED: The government isn't doing enough to defend the United States from cyberattacks and risks a calamity if it doesn’t step up its game, three former Department of Homeland Security secretaries warned yesterday. The former secretaries called cybersecurity one of the “top” priorities for the department — along with domestic terrorism — during a hearing focused on major threats and reflecting on the Sept. 11, 2001, terrorist attacks. They encouraged Senate Homeland Security Committee members to increase resources for cybersecurity, including to protect local governments against ransomware attacks and to punish foreign hackers.
“Perhaps it is time for the country to have a 9/11 Commission for cyber before we have, for example, massive ransomware attacks simultaneously conducted around the country,” former DHS secretary Janet Napolitano said. “Or where we suffer once again a direct attack on our democracy as we saw in the 2016 election.”
Napolitano and former secretaries Michael Chertoff and Jeh Johnson also warned that U.S. adversaries, including China, North Korea and Iran, may try to follow Russia's example and use hacked information to undermine U.S. elections or other key institutions.
Johnson, who led DHS during Russia's hacking and influence campaign to undermine the 2016 election, encouraged lawmakers to pursue more damaging economic sanctions against hackers.
“We're at a new level of the theft of intellectual property, of weaponizing things that are hacked for political purposes or stolen,” Johnson said. “We have to put it to the bad actor and simply make the behavior cost-prohibitive.”
PATCHED: Microsoft and the Hewlett Foundation are expected to launch a nonprofit organization to investigate and expose large-scale cyberattacks against civilians and to help victims recover from those attacks, Shannon Vavra at CyberScoop reports. The “Cyber Peace Institute,” whose supporters also include Facebook, Mastercard and the Ford Foundation, hopes to take up the mantle of “neutral arbiter” in calling out criminal and nation-state-led hacking groups, Vavra reports.
The idea is similar to several existing organizations, however, and some industry insiders told Vavra the Peace Institute's still-hazy mission may be too broad to add value. For instance, dozens of companies including Microsoft have already joined in a “Cybersecurity Tech Accord” and a United Nations working group is expected to meet next month to propose rules for acceptable behavior in cyberspace.
PWNED: Equifax has added another stumbling block for victims seeking a cash payout for the company's mammoth 2017 data breach, which compromised the personal information of more than 145 million Americans. While consumers originally just had to state they already had credit monitoring services to opt for a cash settlement instead, now they have to provide Equifax with details about which credit monitoring services they have.
Lawmakers and victims criticized the settlement last month after the Federal Trade Commission backpedaled on language stating victims would get $125 as a cash settlement. The agency clarified that the payments would be capped at $125 — but victims probably would get far less depending on how many took the cash option.
Lawmakers have criticized the settlement as a "slap on the wrist" for Equifax and used the public outrage as an opportunity to push for stricter consumer privacy laws. Sen. Ron Wyden (D-Ore.):
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad: