The U.S. intelligence community will share all the information it can about hacking threats against the 2020 election following the last presidential race that saw substantial interference from Russia.
As the contest approaches, intelligence agencies plan not only to alert the public about hacking and disinformation operations but also to educate them about operations Russia and other adversaries might launch so they can be on the lookout, Shelby Pierson, the intelligence community’s first election threat executive, said during an election officials’ summit.
“What I want for the American voting public is that they understand these…threats and that they are empowered to participate in the process,” she said during the summit hosted by the Election Assistance Commission, which helps deliver election security advice and guidelines to states.
Pierson wants Americans to hear so much about election interference dangers, in fact, that they take the initiative to ensure they're not duped by misinformation -- researching when and where they’re supposed to vote far in advance of the election and vetting any Internet rumors about elections or candidates, she said.
“The cognizance of those threats I think will strengthen the foundation [for] every voter…when they go to the ballot box for the primaries and when they go into November of 2020,” she said.
That’s a sea change from 2016, when intelligence agencies waited until after the election to release their most detailed assessment of Russian efforts to interfere by hacking and releasing Hillary Clinton campaign and Democratic National Committee emails and sowing discord on social media. In the case of two Florida counties where Russian hackers compromised computer systems, the public didn’t learn about the breaches until April 2019, when they were included in the Mueller report.
The shift reflects a realization throughout government that staying mum about foreign hacking efforts and how the federal government and election officials are protecting against them could play into Russia’s hands, sowing distrust in government and giving rise to conspiracy theories.
It also demonstrates the scope of the threat, which Pierson said has only grown since 2016.
“The threats as we go into 2020 are frankly more sophisticated,” she said. “This is not a Russia-only problem. [It’s] Russia, China, Iran, North Korea, nonstate hacktivists who all have opportunity, means and potentially motive to come after the United States in the 2020 election…This is a top national security priority.”
Intelligence officials are planning to brief state officials tomorrow on top threats against elections, including dangers stemming from heightened tensions between the United States and Iran, she told Cyberscoop during the conference.
Pierson was appointed in July as the first top intelligence official to focus exclusively on election threats, part of a government-wide surge to focus on the issue since 2016. That has included a massive Department of Homeland Security effort to vet the cybersecurity of local election offices and to monitor them for hacking, as well as more than $800 million in election security money delivered by Congress.
That money hasn’t come with any cybersecurity requirements for state and local election officials, though, which has sparked concerns among experts and congressional Democrats that many jurisdictions may remain far too vulnerable.
Some Texas counties, for example, used the federal money to purchase paperless voting machines that election security experts and DHS say shouldn’t be trusted because there’s no way to ensure votes are being recorded accurately.
Texas Director of Elections Keith Ingram gave a measured defense of those machines during the EAC summit, saying “all the voting systems that are certified for use in Texas can produce a secure election.”
He noted, however, that the Texas legislature came close to passing a bill banning paperless voting machines before adjourning in May and could pass a similar bill when it meets again in 2021.
“We're putting in our letter [approving voting plans] a reminder to them that…they could be wasting their money and have to spend it again,” he said.
PINGED, PATCHED, PWNED
-- Cybersecurity went nearly unmentioned in last night’s final Democratic debate before the Iowa caucuses despite getting two early name checks from South Bend, Indiana Mayor Pete Buttigieg and Sen. Elizabeth Warren (D-Mass.). Both essentially listed cybersecurity as an emerging topic they’d pay more attention to as president. The day was jam-packed with other cybersecurity news, though. Here’s a rundown:
PINGED: President Trump slammed Apple on Twitter for refusing to help law enforcement “unlock phones used by killers, drug dealers and other violent criminal elements.” The presidential condemnation comes as Attorney General William P. Barr is pressuring the company to help the FBI crack into two encrypted iPhones that belong to a gunman who killed three people at a Florida military base last month.
Apple has refused to help, saying that weakening encryption would make everyone less safe.
“We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements. They will have to step up to the plate and help our great Country, NOW! MAKE AMERICA GREAT AGAIN,” Trump tweeted.
The FBI asked a court in 2016 to force Apple to help it crack into an iPhone used by San Bernardino, Calif., shooter Syed Farook but withdrew the request before a judge’s ruling. At the time Trump urged a boycott of Apple.
PATCHED: Top cybersecurity officials and political leaders are urging Americans to patch a vulnerability disclosed yesterday by Microsoft and the NSA that could expose computer users to significant breaches or surveillance.
The Department of Homeland Security issued an emergency directive requiring federal agencies to install the patch within 10 days. The Democratic National Committee also warned campaigns to patch the vulnerability, CNN's Donie O'Sullivan reported.
Rob Joyce, a top NSA official who led White House cybersecurity policy earlier in the Trump administration, echoed the warning.
Multiple threads: Time to patch your windows boxes. I'm watching the debate on whether or not this is urgent. If you have something worth protecting, allowing a flaw that subverts the trust system in Microsoft Windows is seriously, seriously bad. Patch. https://t.co/AGeVqIRtVd pic.twitter.com/d41qmgAqn1 — Rob Joyce (@RGB_Lights) January 14, 2020
The NSA's decision to disclose the problem to Microsoft instead of weaponizing the vulnerability marks a significant departure in strategy for the agency, my colleague Ellen Nakashima reports.
The disclosure is part of an effort to “build trust” with cybersecurity researchers and the private sector, NSA Director of Cybersecurity Anne Neuberger told reporters yesterday. The agency has alerted industry to numerous computer bugs in the past, but this is the first time it's taking public credit, she said.
The NSA's Neuberger said this wasn't the first vulnerability the agency has reported to Microsoft, but it was the first one for which they accepted credit/attribution when MS asked. — briankrebs (@briankrebs) January 14, 2020
Yet the disclosure marks a strong contrast to how the agency has kept mum about similar flaws in the past and used them to spy on adversaries, especially a dangerous tool dubbed “EternalBlue” that was later weaponized by hackers including from North Korea, Ellen reports. The agency disclosed that vulnerability only after malicious hackers caught on, launching one of the most damaging ransomware campaigns in history.
Rep. Jim Langevin (D-R.I.) called the disclosure a “feather in the cap” of the new NSA Cybersecurity Directorate and proof that the government was doing a better job at releasing dangerous computer vulnerabilities rather than hoarding them.
PWNED: Iowa Democratic Party leaders plan to calculate and transmit results from next month’s first-in-the-nation caucuses using a smartphone app despite concerns about hacking, Kate Payne at Iowa Public Radio and Miles Parks at NPR report.
They’re also declining to say what company or companies built the app and whether it has been audited for cybersecurity vulnerabilities, Kate and Miles report.
That’s raising fears among security experts that hackers could tamper with caucus night results, sowing confusion and undermining faith in the voting process. It’s highly unlikely such tampering would escape notice for long, but the results could still be “catastrophic” if the wrong winner was called on caucus night, Doug Jones, a University of Iowa computer science professor and former caucus precinct leader, told Kate and Miles.
“Once you report something, it's really hard to undo it; no matter how many retractions you print, no matter how many apologies you say, it's too late,” Jones said.
Party leaders, however, defended the app and said they’d conferred on security with the Democratic National Committee and Harvard University's Defending Digital Democracy project.
“We as the party have taken this very seriously, and we know how important it is for us to make sure that our process is secure,” Troy Price, chairman of the state party, said.
— A bipartisan group of senators led by Intelligence Committee Chairman Richard Burr (R-N.C.) and ranking Democrat Mark Warner (Va.) introduced legislation yesterday that would deliver more than $1 billion to help develop and fund domestic next-generation 5G wireless technology to compete with China's Huawei and ZTE. Lawmakers and U.S. government officials have charged those companies are too beholden to the Chinese government and could be complicit in Beijing spying.
“The widespread adoption of 5G has the potential to transform the way we do business, but also carries significant national security risks,” Burr said in a statement. “Those risks could prove disastrous if Huawei, a company that operates at the behest of the Chinese government, military, and intelligence services, is allowed to take over the 5G market unchecked.”
— The cybersecurity company Cloudflare, which protects customers against phishing attacks and hackers flooding their websites with phony traffic, is joining the nonprofit group Defending Digital Campaigns, which offers political campaigns free and reduced-price cybersecurity products. Other DDC members include the anti-phishing company Area 1 Security, the encrypted messaging platform Wickr and the email security firm Agari, among others.
Cloudflare already provides campaigns limited free protection from denial of service attacks and blocks about 400,000 attacks against campaign websites a day, an official said.
— Meanwhile, Google tells me it's planning a big update to its advanced protection program later this morning that will make security easier for campaigns and other highly targeted organizations. Check here for details later.
— Coming up:
- The House Armed Services Committee will host a hearing on the “Department of Defense's Role in Competing with China” at 10am
- The House Committee on Homeland Security will host a hearing examining the implications of U.S.-Iran tensions at 10am