Gerstell's alarm bell comes after years during which the U.S. has failed to stem the tide of significant hacks from Russia, China, Iran and North Korea -- and as a wave of new innovations such as artificial intelligence, quantum computing and 5G telecommunications networks could radically expand the damage adversaries can do in cyberspace.
Gerstell noted this digital transformation is happening far quicker than the 40 or 50 years it took for automobiles, airplanes and other technology to become ubiquitous. It took even longer before government began seriously addressing the safety challenges they posed.
The U.S. must get ahead of the challenges posed by the warp-speed evolution of internet technology, he said. “The challenges presented by the digital revolution… are of such a magnitude and coming at us with such a rapidity that there's a danger we will treat it conventionally and underestimate its significance,” he said.
Gerstell said the U.S. probably will have to update the slate of laws that govern cyberspace, many of which date to the 1980s, and ramp up regulations on technology firms. But he stopped short of recommending specific updates.
The government will also probably have to consolidate responsibility for cybersecurity, which is spread across the Pentagon, the Department of Homeland Security, the FBI and numerous smaller agencies, he said. And it must figure out a way that it can better assist companies when they’re targeted by hackers backed by other national adversaries.
The increased hacking danger is also going to require the NSA to be far more public about its work protecting the U.S. government in cyberspace and digitally spying on adversaries, he said.
Gerstell took the reins of NSA’s main legal office just two years after leaks from former contractor Edward Snowden thrust the secretive agency — whose initials officials formerly joked stood for “no such agency” — into an uncomfortable spotlight.
As a result, Gerstell has spent a lot more time than his predecessors publicly advocating for the agency and warning about the dangers NSA combats. He wrote in a September New York Times op-ed, for example, about a series of technological advances that could radically reshape the balance of power between nations and between government and the private sector.
The NSA is also doing more of its work in public view, such as in January when the agency announced it was revealing a dangerous bug it found in the Microsoft operating system rather than holding onto it to hack adversaries.
“The world has changed [and] the expectations of the public in the current environment are such that we cannot be ‘no such agency,’ and there's no intent to do that,” Gerstell told me. “For the last several years [we’ve] been focused on trying to be as transparent as we can be in order to let the public know what we're doing … and yet to not be so transparent … that we're letting our adversaries learn something that we don't want them to know.”
Gerstell practiced law for about four decades before joining NSA, most recently leading the Washington office of the firm Milbank, Tweed, Hadley and McCloy. During retirement he plans to continue advising the intelligence community in some form, he told me, and to do work at a think tank focused on how the United States should deal with technology changes and the rise of China. Cyberscoop identified the think tank as the Center for Strategic and International Studies.
PINGED, PATCHED, PWNED
PINGED: Today's Iowa caucuses might seem as low-tech as elections come, but security experts still say there are plenty of opportunities for hackers to wreak havoc, Eric Geller at Politico reports.
“While caucus-goers may make their preferences known with paper, those tallies will then move through a series of electronic handoffs, from the apps on precinct volunteers’ smartphones to the computers and websites that report the results,” Eric explains.
Security experts are concerned that hackers could interfere with the reporting apps to change or delay results. They could also tamper with reporting tools to announce the wrong winner or sow confusion.
Both parties say they've secured all their digital tools against hackers, including mobile apps that will report results. But security experts have slammed them for refusing to answer questions about the apps, such as who made them and where they store their data. “It is nonsense to suggest that security by obscurity is a best practice,” Gregory Miller, the co-founder and chief operating officer of the OSET Institute, an open-source election technology group, told Eric.
Officials are also preparing to respond to threats. DHS’s cybersecurity division will run an online war room throughout caucus night to respond to any reports of hacking or disinformation. The Democratic National Committee’s top cybersecurity and disinformation experts will also run a rapid response operation out of the Iowa Democratic Party’s main operations center, the DNC's chief technology officer Nellwyn Thomas told me.
PATCHED: West Virginia is set to expand its use of mobile voting in 2020, despite warnings it could increase the risk of election interference, Kevin Collier reports for NBC News.
West Virginia Secretary of State Mac Warner told Kevin he's likely to supply counties with a mobile voting app to make it easier to comply with a bill Gov. Jim Justice (R) plans to sign this week mandating that voters with physical disabilities all have access to digital voting systems.
West Virginia piloted the nation's first statewide mobile voting program in 2018 to allow overseas voters and military members to vote using the smartphone app Voatz. Warner is still waiting on an audit of Voatz before the state decides to use it again, he told Kevin.
A growing number of counties and cities have launched their own mobile voting pilots, including for voters with disabilities, since 2018. But cybersecurity experts continue to warn that voting via smartphones increases the chance of hacking.
“Mobile voting systems completely run counter to the overwhelming consensus of every expert in the field,” Matt Blaze, an election security researcher at Georgetown University, told Kevin. “This is incredibly unwise.”
Sen. Ron Wyden (D-Ore.) asked Pentagon officials to audit Voatz in November, but it's unclear whether that audit happened. Voatz says that independent experts audit its app for vulnerabilities, but the company hasn’t shared results of those audits.
PWNED: Online scammers are taking advantage of the global spread of the deadly coronavirus to trick people into downloading malicious PDFs and clicking online links that help hackers steal their personal information, Wired's Lily Hay Newman reports.
The malicious links usually claim to provide information about how people can protect themselves from the virus, which has killed more than 300 people and infected at least 14,000 more, security firm Mimecast found.
It's not unusual for hackers to tailor phishing emails to seasonal events, like tax season, or news events such as the Australian wildfires. The coronavirus gives hackers a new way to prey on victims' fears. The lack of information available about the disease has also caused an uptick in misinformation, making victims all the more vulnerable.
“Unfortunately we see this often in geopolitical events and world events,” Francis Gaffney, director of threat intelligence at Mimecast, told Lily. “This is when cybercriminals seek opportunities to use the confusion that vulnerable people have. They’ll click on links because they’re not sure.”
- New America’s Open Technology Institute will host an event titled “Privacy’s Best Friend: How Encryption Protects Consumers, Companies, and Governments Worldwide” on Feb. 4 at noon.
- The Senate Armed Services Committee will host hearings to examine United States Special Operations Command and United States Cyber Command in review of the Defense Authorization Request for fiscal year 2021 and the Future Years Defense Program on Thursday at 10 a.m.
- The Senate Homeland Security and Governmental Affairs Committee will host hearings to examine a roadmap for effective cybersecurity, focusing on what states, locals, and the business community should know and do, on Feb. 11 at 9:30 a.m.
- RSA Conference 2020 is scheduled for Feb. 24-28 in San Francisco.