THE KEY

As Democrats take the stage for their third primary debate tonight, two of the top-polling presidential candidates are still declining to share with the public how they are protecting their campaigns from the sort of Russian hacking operation that targeted the last Democratic nominee, Hillary Clinton.

The campaigns for Sens. Elizabeth Warren (D-Mass.) and Bernie Sanders (I-Vt.) are still refusing to answer The Cybersecurity 202's questions about whether they implemented basic cybersecurity protections. Questions about their security status are becoming even more urgent as the crowded field winnows and chances increase that one could actually become president -- since both are among five candidates currently polling ahead of President Trump in head-to-head matchups, according to a recent Washington Post-ABC News Survey

The Warren and Sanders campaigns suggested that sharing information about any digital protections could make their campaigns more vulnerable to hacking. But that explanation doesn’t fly with many cybersecurity experts, who note that hackers are bound to target campaigns regardless of whether they’ve acknowledged taking simple steps to protect themselves recommended to all campaigns by the Democratic National Committee, such as training staff on cybersecurity best practices and mandating that they use complex passwords and encrypted apps for texting.

“Talking publicly about investing in skilled security personnel, industry best practices, and sharing threat intelligence should be seen as a way to deter potential interference and boost voter confidence,” Maurice Turner, senior technologist at the Center for Democracy and Technology and an election security advocate, told me.

Turner also knocked the candidates for calling for improving the security of election systems as part of their campaign pitch -- but not being candid about how they were securing their own part of the democratic process. 

“I would expect that any candidate looking to make election security a topic of debate should also include campaign security as part of that discussion,” he said.

The uncertainty about Warren and Sanders’s security status could spark bad memories for Democrats who watched in 2016 as Clinton was dogged by the release of hacked documents from her campaign and from the DNC, a move intelligence officials concluded was part of a Russian hacking and influence operation aimed at helping Trump. And there’s little doubt that Russia is eager to undermine the 2020 contest, as former special counsel Robert S. Mueller III told lawmakers in July.

The other top-polling candidates -- former vice president Joe Biden, Sen. Kamala Harris (Calif.) and South Bend, Ind., Mayor Pete Buttigieg -- were all more forthcoming. They offered up some information about cybersecurity training they’d required for their campaign staff and digital protections they’d implemented, including mandating extra security steps before campaign staff can log into devices and websites. 

Harris and Buttigieg also said they're requiring staff to use encrypted messaging apps and Buttigieg has even hired a high-powered chief information security officer, former branch chief of White House Threat Intelligence Mick Baccio, to manage his campaign’s security, as Politico reported last month. All five are polling ahead of Trump in head-to-head matchups, according to the Post-ABC poll, though Buttigieg’s potential victory is within the poll’s margin of error.

Warren and Sanders's silence on security is out of the mainstream for tonight’s debate stage, which will include the race’s 10 highest-performing candidates.

When I polled the broader Democratic field in June, Sen. Amy Klobuchar (Minn.), former Housing and Urban Development secretary Julián Castro and former Rep. Beto O’Rourke (Tex.) all described digital protections their campaigns were using. Entrepreneur Andrew Yang didn’t respond to my survey but described his protections in a Wall Street Journal story.

Sen. Cory Booker (N.J.) was the only other candidate besides Warren and Sanders who will be on tonight’s debate stage and has refused to answer any cybersecurity questions.

A spokesman for Biden’s campaign touted the campaign’s “comprehensive approach to defending, protecting and securing our digital ecosystem,” including “training staff on cybersecurity best practices and tools to ensure the campaign infrastructure remains secure.”

A Harris spokeswoman told me that campaign staff “is being trained on threats and ways to avoid being a target” and that campaign staff were using encrypted messaging apps rather than less-secure texting.

Buttigieg’s campaign is following a number of cybersecurity best practices recommended by the Democratic National Committee, such as requiring staff to use complex passwords for websites, passcodes for smartphones and encrypted apps for text messaging, a spokesman told me.

Watch The Washington Post’s debate analysis, starting at 7:30 p.m., and tune in afterward for The Fix’s winners and losers. Tune in at washingtonpost.com or wapo.st/debate.

PINGED, PATCHED, PWNED

PINGED: Immigrations and Customs Enforcement has signed a massive $30 million deal with the Israeli data extraction company Cellebrite, Blake Montgomery at the Daily Beast reports. The company, which came to prominence for offering to crack into the locked iPhone of San Bernardino, Calif., shooter Syed Farook for the FBI in 2016, has found a windfall in the Trump administration's much more aggressive approach to searching devices at the border. 

The recently signed contract is worth more than 10 times as much as a $2.2 million deal the agency signed with ICE in 2017. ICE would not provide details to the Daily Beast about how or where the technology would be used. But Cellebrite boasted this summer that the premium version of its data extraction device “can now unlock any iOS device cops can lay their hands on” as well as numerous Android devices, Wired reported.

ICE’s aggressive searching of devices at the border has garnered criticism from privacy advocates, Blake reports. Both CBP and ICE defended the searches in a lawsuit last year as “a crucial tool for detecting evidence relating to terrorism and other national security matters.”

PATCHED: U.S. government officials have determined Israeli spies were responsible for placing cellphone surveillance devices known as StingRays around the White House in recent years, Politico’s Daniel Lippman reports.

“But unlike most other occasions when flagrant incidents of foreign spying have been discovered on American soil, the Trump administration did not rebuke the Israeli government, and there were no consequences for Israel’s behavior,” Daniel reports.

Police have increasingly used StingRays in recent years to pinpoint suspects’ locations – but privacy advocates say the devices are far too invasive because they also capture the cellphone locations and identifying information of anyone else nearby.

The Department of Homeland Security acknowledged finding StingRays, formally called international mobile subscriber identity-catchers or IMSI-catchers, near the White House in a 2018 letter to Sen. Ron Wyden (D-Ore.), but it wasn’t clear then who might have placed the StingRays. An Israeli Embassy spokesperson has denied Israel placed the devices, Daniel reported.

PWNED: A coalition of cybersecurity experts wants to break the encryption debate free from a years-long stalemate between law enforcement officials who want special access to citizens’ encrypted communications and tech companies that say that would do irreparable damage to everyone’s cybersecurity. 

The experts brought together by the Carnegie Endowment for International Peace and the Princeton Center for Information Technology Policy published a working paper that outlines questions to ask about legislative proposals to weaken encryption, such as whether they actually solve law enforcement problems and whether there are safeguards against the proposals being used for mass surveillance or in a discriminatory way.

One of the group's members, Alexander Macgillivray, former federal deputy chief technology officer and former general counsel at Twitter, explains here:

But critics are already pushing back against the proposal.  Rob Graham of Errata Security: 

PUBLIC KEY

— Cybersecurity news from the public sector:

A hacking group with ties to North Korea has been targeting U.S. entities with malicious documents as it works to hide its tracks better, according to research from Maryland-based cybersecurity firm Prevailion.
CyberScoop
Emails between the DEA and NSO obtained by Motherboard explain why the DEA didn't purchase the company's malware in 2014.
Vice
The new committee will address critical security issues that trouble the open skies.
NextGov
As cities become smarter, officials and security experts say that current defenses are unlikely to keep hackers at bay.
Wall Street Journal
PRIVATE KEY

The number of ways hackers could attack the food industry is on the rise, according to a new report from researchers at the University of Minnesota. Left unfixed, these vulnerabilities could lead to attacks on the food supply that result in public health crises, environmental damage and significant financial losses, the researchers found. 

Officials and analysts have fretted extensively about the danger of a physical terrorist attack on the U.S. food supply but paid less attention to the danger of a cyberattack. 

Researchers and manufacturers identified more than 200 vulnerabilities in digitally run control systems used by the food and agriculture industry in 2011 -- a number that has steadily risen since then. Many of the systems were built without cybersecurity in mind, making it easy for attackers to access them and difficult for administrators to keep the hackers out, the researchers found. 

“The food industry has not been a target of costly cyberattacks like financial, energy, and health care companies have,” said Stephen Streng, lead author on the report. “However, as companies in those sectors learn to harden their defenses, the attackers will begin looking for easier victims.”

— More cybersecurity news from the private sector:

A group charged with stealing 32 terabytes of academic data is still going strong.
Ars Technica
They’re stepping up where governments haven’t.
Harvard Business Review
Web feature developers are being warned to step up attention to privacy and security as they design contributions.
TechCrunch
Cybersecurity company Symantec cut 152 jobs at its Mountain View headquarters and 18 in San Francisco, along with 36 in Culver City in L.A. County.
San Francisco Chronicle
THE NEW WILD WEST

— Cybersecurity news from abroad:

Britain will make a decision soon about whether to allow Huawei equipment to be used in its 5G networks but China must play by the rules if it gets access to Western markets, Defense Secretary Ben Wallace said.
Reuters
ZERO DAYBOOK

— Coming soon:

  • The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency will host its second annual National Cybersecurity Summit September 18-20 in National Harbor, Maryland.