Political campaigns are flocking to encrypted messenging apps to avoid being the next big target after the Hillary Clinton campaign's emails were exposed by hackers in 2016. But these apps are far from a panacea if other campaign security practices are subpar.
That’s the blunt assessment from Joel Wallenstrom, chief executive of encrypted messaging app Wickr, one of seven cybersecurity products the nonprofit group Defending Digital Campaigns is offering candidates at a steep discount in an effort to level the playing field between often-scrappy campaigns and sophisticated nation-state adversaries trying to compromise them.
“There are conversations where it’s just not a good thing for Russia or China to get access to them,” Wallenstrom told me, noting the adoption of encrypted apps has been “pretty prevalent this cycle.”
So far, House Democrats’ campaign arm has invested about $22,000 in paid Wickr accounts for House races over the past two election cycles, and Democrats’ Senate campaign arm has invested about $12,500 during the same period, according to Federal Election Commission records.
The presidential campaigns for Sen. Kamala D. Harris (D-Calif.) and Amy Klobuchar (D-Minn.) have about $8,000 and $1,600 in Wickr contracts respectively this cycle. Several other presidential campaigns are either using the free version of Wickr or receiving the paid version through purchases from broader IT contracts, Wallenstrom told me.
DDC is offering presidential, House and Senate campaigns Wickr accounts for about 50 percent off provided they meet certain polling or fundraising requirements. Paid Wickr accounts allow customers to tack on extra services and create rules about what people inside an organization can share with each other.
The FEC typically bars reduced-price deals, but gave DDC special approval as candidates still face determined hackers from Russia, China and other U.S. adversaries.
But encrypted messaging alone won’t protect campaigns from a major hacking compromise — especially if adversaries have penetrated staffers' phones and other devices and can spy on the decrypted messages as staffers read them. And it’s not clear that most campaigns have the full web of protections they need or the cybersecurity savvy to stay safe.
Fixing that is one of the chief goals of the DDC offerings, which also include email security, cybersecurity training and protection for “endpoints,” such as phones, tablets and laptops. These other products are at similar discounts to Wickr's or free.
“When we look at start-ups outside of campaigns, they’re typically not very good at security,” Wallenstrom told me. “So, these campaigns are facing some really difficult challenges as start-ups, but they’re different in that their adversary is immediately focused on them and really powerful.”
The reduced price on the DDC products should also help campaigns, which are routinely wary of spending on anything that’s not directly tied to getting more votes. “I've never seen an industry that is so focused on one thing,” Wallenstrom said. “They have a finish line and if you're going to take a dollar away from advertising, there better be a real, real, real strong argument around that return on investments.”
Campaigns shifted rapidly to encrypted messaging apps after WikiLeaks and other organizations published hacked emails from the Democratic National Committee and Clinton's campaign chairman John Podesta in the last presidential election, despite not knowing if those apps aligned with FEC requirements or internal campaign policies.
“The Podesta thing hit the fan and everybody jumped on Signal and Wickr and basically were like ‘these things don't necessarily meet our requirements,’ but it was a safe place,” Wallenstrom said.
In addition to protecting campaigns, Wallenstrom is hoping the DDC effort gives candidates a better understanding of cybersecurity issues once they’re in office.
Most immediately, he hopes they’ll push back on Justice Department efforts to force tech companies to build in a way for the government to bypass the advanced encryption Wickr uses. DOJ officials say such strong protection could help terrorists, child sex predators and other criminals communicate outside law enforcement’s view. Cybersecurity experts, however, say any law enforcement back doors in encryption could also be exploited by malicious hackers and put all consumers' privacy and security at risk.
But even if that battle is won, lawmakers probably will play a role in laying out how encryption will factor into other federal rules, such as Securities and Exchange Commission requirements about how publicly-traded companies must retain records of certain communications.
“I think people need to value encryption and kill this back door debate,” Wallenstrom said. “But then, once that's done, the unavoidable next step is we have to put policies and rules and regulations in place so that we're doing this the right way.”
PINGED, PATCHED, PWNED
PINGED: The FBI quietly convened top tech and cybersecurity companies for a closed-door conference in September to address the growing scourge of ransomware attacks across the United States, Sean Lyngaas at CyberScoop reports. The FBI's big request was for the companies that investigate ransomwre attacks to share more data that will help the bureau go after attackers.
“Whatever data point that we can collect that can be used to round out that picture to lead us one step closer to attribution … so that we can impose some kind of consequence, that’s important,” FBI cyber division section chief Herb Stapleton told Sean. The FBI also asked private-sector executives to come up with new ways to anonymize victim data so they can share it more easily.
Ransomware attacks, which lock up computer systems until users pay up, cost U.S. businesses, local governments, schools and other victims hundreds of millions of dollars a year.
Attendees included representatives of the private sector, including IBM, as well as law firms, local law enforcement and cyber insurance companies. “One attendee estimated that the companies represented at the conference were involved in responding to more than half of enterprise ransomware attacks,” Sean reported.
PATCHED: Sen. Marco Rubio (R-Fla.) wants answers from the Pentagon after reports that banned Chinese surveillance equipment is still being used at Defense Department facilities. His letter to Defense Secretary Mark Esper follows a Wall Street Journal report last month that more than 2,700 Chinese-made cameras are still being used by federal agencies despite spying concerns.
“The Department of Defense must act quickly to identify and remove this equipment as every day that passes only provides our adversaries additional time to infiltrate and exploit our national security networks as well as the ability to monitor U.S. military activities that may be of interest,” Rubio wrote.
A 2019 defense funding bill banned federal agencies from buying Chinese-produced cameras, but it didn’t mandate removing existing devices. The ban included electronics made by ZTE, Huawei, Hikvision Digital Technology and Dahua Technology, all of which have been blacklisted by the Commerce Department.
“As you continue to posture the Department of Defense in the era of great power competition, we must remain vigilant to attack from every possible source,” Rubio wrote.
Rubio wants to know if the Pentagon will removing the remaining devices and if it plans to assess how big a counterintelligence threat they pose.
PWNED: The United States needs to prepare for a future where China has broad control over next-generation 5G telecommunications networks and be prepared to protect U.S. data from Beijing spying, a new report from the Center for a New American Security think tank cautions.
That includes mandating strict security standards for U.S. 5G networks, boosting encryption on those networks and segmenting off portions of networks that carry especially sensitive data. It also means collaborating with NATO and other allies to develop secure information-sharing outside the United States, Center for a New American Security researcher Elsa B. Kania writes.
Kania also urges U.S. policymakers. to more proactively invest in 5G technologies, citing limited U.S. investment as one reason China is outpacing the United States in 5G development.
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad: