THE KEY

The FBI has pledged to revamp its policies for sharing information about election breaches, bowing to criticism that it was far too secretive about Russian hacking efforts in 2016.

But the move, announced yesterday, doesn’t go far enough for some lawmakers who warn it could still leave the public in the dark about major hacking threats to the 2020 contest. 

Under the new policy, the FBI will alert both the local officials who run elections and state officials who certify those elections about breaches and hacking efforts it uncovers. But it still won’t alert the public or the state’s members of Congress. 

“All of this is welcome news, but it is not enough,” Rep. Stephanie Murphy (D-Fla.) said. “I will continue to push for federal officials to provide more information to the voting public when foreign powers interfere with our democracy.” 

The pivot demonstrates an acknowledgment by top law enforcement officials that their cautious and tight-lipped approach to most investigations can be counterproductive when it comes to election interference, which can feed off a public perception that government is not leveling with the public.

It comes after Murphy and other Florida officials savaged the bureau for failing to disclose to them for more than two years that Russian hackers breached two county voting databases in advance of the 2016 election. 

In fact, state officials only learned about the breaches along with the rest of the nation when they were described in the Mueller report, released in April 2019. The FBI briefed Gov. Ron DeSantis (R) and Florida members of Congress after the report was out but only under the condition they wouldn’t disclose any details publicly, including the names of the counties.

“This lack of transparency is counterproductive,” Murphy told me at the time. “I’m really concerned that it can erode public confidence in the integrity of our elections almost as much as the actual hacking did.”

She added that doubts about the integrity of votes in Florida — a perennial swing state — could throw a presidential election into doubt.

Sen. Rick Scott (R-Fla.), who was governor at the time of the county breaches, yesterday applauded the FBI shift.

“I’ve been encouraging the FBI to increase transparency and information sharing since I was governor and I’m glad they are taking the necessary steps to continue protecting Americans,” he told me in a statement. “I take the threat of interference in our election systems seriously, and while I’m confident in the security of Florida’s elections, we must all remain vigilant to ensure our elections remain secure.”

The FBI routinely notifies companies when it discovers they’ve been hacked and takes care to keep those notifications secret from everyone else -- an approach aimed at not unnecessarily damaging the company's reputation and protecting any further investigation. That approach doesn’t work for elections, though, where responsibility is shared between state and local officials, FBI and Justice Department officials told reporters during a call announcing the change. 

“When we talk about who is the victim here, there’s a politically responsible official in each state who’s going to have to sign on to [election] results,” a Justice Department official said. “That person needs to have some insight into potential threats that might undermine the integrity or perceived integrity of those results.”

The officials also left open the possibility that state or local officials might share those reports publicly, though they might be barred from doing so if they’re part of an ongoing FBI investigation. 

“This isn’t meant to say other notifications aren’t appropriate, not that other people shouldn’t learn…[But] maybe we’re not the best messenger,” the Justice Department official said, comparing it to the FBI telling a company it has been breached and then the company notifying customers. 

In some rare circumstances, the FBI might announce an election breach or hacking campaign publicly, but only if it determines there’s a pressing national security need to do so, the official said. 

“There’s no mathematical equation here of two plus breach equals disclosure,” the official said. “There are a number of factors…Is drawing public attention to something more likely to advance our overall efforts or is it more likely to cause more panic or harm?”

PINGED, PATCHED, PWNED

PINGED: Ukrainian officials are asking for the FBI’s help investigating a suspected Russian hack into computers at Ukrainian gas company Burisma that may have been aimed at digging up dirt on former vice president Joseph Biden and his son Hunter, my colleagues David L. Stern, Isabelle Khurshudyan and Matt Zapotosky report. Trump's push for Ukraine to investigate Hunter Biden's role on Burisma's board is central to the impeachment trial that began in the Senate Friday. 

Ukrainian Interior Minister Arsen Avakov met with an FBI representative to discuss the Burisma investigation yesterday, according to a Ukrainian government official, who spoke on the condition of anonymity to discuss ongoing investigations. 

The attacks against Burisma were reportedly conducted by the same Russian intelligence service known as GRU that compromised the Hillary Clinton campaign in 2016 and leaked emails to undermine her candidacy. 

Avakov also requested assistance with a probe announced yesterday into possible surveillance of U.S. Ambassador Marie Yovanovitch from the United States before President Trump dismissed her from the post. The suspected surveillance was discussed in text messages to Rudy Giuliani associate Lev Parnas.

PATCHED: European Union trade commissioner Phil Hogan doesn’t think there’s anything wrong with E.U. nations buying 5G telecom gear from Huawei and doesn’t believe the Trump administration will follow through on threats to limit intelligence sharing with nations that do so, Lisa O'Carroll at the Guardian reports.

“I think that is a bit of sabre-rattling. I don’t think that will actually happen,” he said. Hogan added he’s happy to “call Donald Trump’s bluff.”

U.S. officials fear Huawei could provide a backdoor for Chinese espionage and have encouraged allies to ban its equipment for national security reasons. So far Poland is the only European Union member to do so, though Australia, New Zealand and Japan have enacted similar bans.

“We don’t subscribe to the view that whatever you do you block Huawei,” said Hogan. “If they actually implement the rules of the game … all competition is welcome and must be fair.” 

PWNED: A computer server at the center of a years-long legal battle over the integrity of Georgia’s election systems may have been hacked in 2014, Frank Bajak reports for the Associated Press.

The assessment comes from Logan Lamb, a security expert for the plaintiffs in the case, who filed an affidavit Thursday that described evidence suggesting hackers exploited a bug to gain full control of the server. Computer logs that could show whether anything was altered or stolen from the server go back only to Nov. 10, 2016 — two days after Donald Trump was elected president, Lamb noted.

The assessment is the latest twist in a lawsuit that has uncovered years of poor security practices by Georgia election officials and that was instrumental in forcing the state to adopt paper records for all ballots.

The new findings are proof that Georgia's election system was “incredibly compromised,” said Marilyn Marks of the Coalition for Good Governance, one of the plaintiffs in the case.

During an earlier examination of the server, Lamb discovered it had left exposed the personal data of 6.7 million voters as well as passwords used by county officials to access election files.

PUBLIC KEY

— The Department of Homeland Security would be required to appoint cybersecurity coordinators for each state under a bill introduced this morning by Sens. Maggie Hassan (D-N.H.), John Cornyn (R-Tex.), Rob Portman (R-Ohio), and Gary Peters (D-Mich.).

The coordinators would be responsible for helping state and local governments prevent and respond to cybersecurity threats such as ransomware and for helping states and localities share information about digital threats. The officials would also work with schools, hospitals and local businesses.

DHS's main cybersecurity wing already employs protective security advisers in all 50 states and has a network of regional offices but doesn't task people specifically to do the full breadth of the cybersecurity coordinator roles.

— More cybersecurity news from the public sector:

U.S. President Donald Trump may discuss the reported hacking of Ukrainian energy...
Sen. Mark Warner wants to know what the Defense Health Agency is doing to secure “a significant number” of medical images.
Nextgov
Attorney General William Barr, a former telecom lawyer, has intensified a long-running fight between law enforcement and technology companies over encrypted communications, potentially setting up a showdown with Silicon Valley.
How Washington went to war against the Chinese smartphone giant, and how the runaway conflict could spell the end of a single, global internet.
Wired

PRIVATE KEY

— Cybersecurity news from the private sector:

More than 70,000 photos of Tinder users are being shared by members of an internet cyber-crime forum, Gizmodo has learned, raising concerns about the potential for abusive use of the photos. Ominously, only women appear to have been targeted.
Gizmodo
A vulnerability at Travelex that was exploited by hackers to disrupt the money-exchange company existed at dozens of major companies and institutions, potentially leaving them open to similar breaches, according to a cybersecurity firm.
Wall Street Journal
Stuxnet, the potent malware reportedly deployed by the U.S. and Israel to disrupt an Iranian nuclear facility a decade ago, helped change the way that many energy-infrastructure operators think about cybersecurity.
CyberScoop

THE NEW WILD WEST

— Cybersecurity news from abroad:

Police raided apartments and offices in Germany and Belgium, authorities said.
Loveday Morris, Quentin Aries and Souad Mekhennet
An Israeli court on Thursday ordered closed-door hearings in Amnesty International’s legal bid to stop NSO Group exporting surveillance software, which rights groups say is used to spy on journalists and dissidents worldwide.
Reuters
ESurv employees allegedly spied on unwitting Italian citizens.
Bloomberg

ZERO DAYBOOK

Coming up:

  • The Senate Commerce Committee will host a hearing on “the 5G Workforce and Obstacles to Broadband Deployment” at 10 a.m. on Wednesday.
  • RSA Conference 2020 is scheduled for February 24-28 in San Francisco.