The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Americans are as insecure as ever on the 17th annual Cybersecurity Awareness month


with Tonya Riley

Seventeen years after October became National Cybersecurity Awareness Month, Americans are undoubtedly far more aware of digital threats. But they're as insecure online as ever. 

The Department of Homeland Security's annual PR campaign urging companies and individuals to stay safe online, ongoing since 2003, may get extra traction this year with just 32 days until the most closely-watched U.S. presidential election from a security perspective – and during the coronavirus pandemic as everything from school to work and grocery shopping moves online. 

“At the beginning it was really about trying to convince people they should even care about this issue,” said Jenny Menna, a former DHS official who managed the grant that funds the awareness month program during its early years and is now a cybersecurity executive at U.S. Bank. “Because of the state we’re in now, you no longer have to make that case. Now it’s, ‘Okay, now that we have your attention, here’s what you need to do to be safer.’ ”

Americans who had little idea what cybersecurity was nearly two decades ago are now being bombarded with news about the dangers of cyberattacks targeting election systems and the potential for disinformation and other digital dangers lurking on their apps and social media platforms. The coronavirus has also spawned an unprecedented wave of attacks targeting hospitals and aimed at conning people made desperate by layoffs and medical bills. More broadly, Americans have likely received a barrage of notices from companies that their data was stolen or passwords compromised. 

The annual cost of cybercrime, which was comparatively negligible in 2003, had grown to more than $80 billion annually by 2013 and to about $600 billion annually by 2018, according to estimates from the cybersecurity firm McAfee and the Center for Strategic and International Studies think tank. Consumers have reported losing more than $152 million to coronavirus-related fraud since the pandemic began, according to the Federal Trade Commission. 

But for all the focus on raising cybersecurity awareness, many companies still don’t follow basic practices designed to limit hacking threats. 

And the vast majority of cyberattacks are accomplished with very little effort by conning people into clicking on suspicious links and attachments when they should know better.  

That trend line has some cybersecurity pros wondering whether National Cybersecurity Awareness Month’s typical cavalcade of slogans-based ads and online training sessions are still the best way to stem the tide of damaging hacks.

“It’s a great idea in concept and has seen some success in the past,” Tony Cole, chief technology officer at the cybersecurity company Attivo Networks, said on Twitter. “However, this is 2020 and trying to make people more aware of anything feels akin to yelling into a sandstorm.”

For Kelvin Coleman, the growth in hacks shows the urgent need for the awareness month. 

Coleman is executive director of the National Cyber Security Alliance, a nonprofit that has run the awareness month since its inception with grant money from DHS.

He compared the month’s events to the U.S. Forest Service’s “Only you can prevent wildfires” campaign popularized by Smokey Bear. “You can never have too much awareness,” Coleman told me. 

The month’s events include an advertising blitz and a slew of online events. NCSA also breaks the month down with weekly themes, which this year include “if you connect it, protect it” and “securing devices at home and work,” a nod to the surge in telework during the pandemic. This year it’s changing the month's name to merely “Cybersecurity Awareness Month” and dropping the “national” to stress that the issue transcends national boundaries. 

NCSA also works with dozens of companies and other organizations that run their own events designed to make employees more careful about digital threats. The Department of Homeland Security’s cybersecurity division, for example, is using the month to make a final push on securing state and local election systems before November’s vote. 

“National Cybersecurity Awareness Month is [an] opportunity to raise awareness about the important role we all play in cybersecurity,” the division’s senior advisor for election security Matt Masterson, told me. “The election community knows this as well as anyone and is light years ahead of where it was four years ago.” 

But Coleman also acknowledges many people still lack basic cybersecurity savvy. 

“The three focus areas are products, process and people,” he said. “Since the campaign began, we’ve focused a lot on products and processes. I don’t think we’ve focused on the people part enough, on changing human behavior.”

Menna described the month as increasingly focusing on instilling specific good cybersecurity behaviors, such as using complex passwords and alerting a company's IT staff about suspicious emails. It's evolved “from awareness that this is something you should think about to awareness about the latest things you should be doing," she said. 

Many cybersecurity pros described the campaign as helpful but inadequate for the mammoth task of improving cybersecurity. 

“Awareness is essential … But we depend too much on awareness, because people will make mistakes and infinite resources applied to awareness won’t change that,” Phil Reitinger, a former top DHS cybersecurity official who now leads the Global Cyber Alliance, told me. “You need technology and awareness in the proper measures, and not to expect what awareness cannot give.”

Beau Woods, a cybersecurity fellow at the Atlantic Council think tank, urged refocusing the month to advocate for reforms that would force companies to make more-secure products and put better protections on people’s data. He compared it to passing and enforcing fire codes rather than simply promoting fire safety. 

“Awareness is the first step along a path towards fully addressing issues caused by cybersecurity failures. Perhaps it’s time to take the next step toward catalyzing action,” he said. 

Here’s Bryson Bort, founder of the cybersecurity company Scythe:

And Joel Benge, a former DHS official:

The keys

The Russian group that interfered in the 2016 election posed is posing as a right-wing news site to target voters. 

The Newsroom for American and European Based Citizens (NAEBC) is run by people associated with the Kremlin-linked troll farm the Internet Research Agency and posted content aimed at denigrating Democratic presidential candidate Joe Biden and the Black Lives Matter movement, Reuters’s Jack Stubbs reports.

The phony site republished articles from conservative media. It also paid real Americans to write about politically-sensitive issues. A network of sham accounts posing as editors and reporters then promoted the stories on social media, Jack reports.

Facebook and Twitter exposed a similar fake left-wing media outlet in September that they also said was run by people connected to IRA. The new revelation underscores how the Kremlin is targeting both sides in the election with misinformation.

NAEBC describes itself as a “free and independent” media outlet based in Hungary. A warning on its main page says, “Don’t get yourself fooled.” After Reuters contacted the site about its links to IRA, social media accounts for alleged staff removed references to the site and deleted previous posts.

Twitter removed 130 accounts linked to Iran that attempted to disrupt discourse around Tuesday's presidential debate. 

The accounts were removed based on intelligence shared by the FBI, the company said in a tweet. The accounts had low engagement and did not make any significant impact, Twitter said.

Twitter will publish a full report on the accounts and their contents once its investigation is complete. It shared a few sample tweets:

The FBI and DHS have warned that Iran, China and Russia will attempt to spread disinformation to influence the election. Facebook removed Chinese accounts targeting Biden and Trump last week. Those accounts also had low engagement.

Senior NSA and CIA officials tried to stop Trump's spy chief from releasing unverified allegations about Hillary Clinton from Kremlin intelligence.

Officials in Director of National Intelligence John Ratcliffe's own office also told him sharing the information with Congress could add credence to the unverified Russian claims, Dustin Volz and Warren P. Stroble at the Wall Street Journal report.

The Russian intelligence analysis obtained by U.S. spy agencies, which Ratcliffe shared with the Senate Judiciary Committee, had already been rejected by the Senate Intelligence Committee as lacking a factual basis. It claimed that Clinton approved a 2016 campaign plan to tie Trump to Moscow’s hacking of Democratic emails. 

Ratcliffe acknowledged in his letter to Senate Judiciary Chairman Lindsey O. Graham (R-S.C.) that the intelligence community could not confirm the accuracy of this allegation or the extent to which the Russian intelligence analysis may reflect exaggerations or fabrication. 

Ratcliffe's decision to share the unverified intelligence also perplexed former FBI director James B. Comey, who testified in front of the Senate Judiciary Committee yesterday.

“I really don’t know what he’s doing,” Comey said.

Comey also defended the bureau’s 2016 probe into possible coordination between the Trump campaign and Russia, Matt Zapotosky, Devlin Barrett and Karoun Demirjian report

Health insurer Anthem will pay nearly $40 million to settle a probe into a 2015 data breach. 

An FBI investigation did not find any evidence that the stolen information had resulted in fraud, Dania Nadeem at Reuters reports.  

U.S. officials have asserted the Chinese government was behind the breach and a Chinese citizen was charged in connection with it in 2019. 

An FBI investigation did not find any evidence that the stolen information had resulted in fraud. As part of its settlement with state attorneys general, Anthem will strengthen its cybersecurity practices.

Hill happenings

The United States could lag behind China if it doesn't change its approach to technology and security, a new House report says.

The 37-page report calls for significant realignment of resources and expansion of intelligence-gathering on China, Karoun Demirjian reports.

The report also slams Washington as being unprepared for soft threats such as the novel coronavirus. It does not specifically call out the Trump administration's responses to the pandemic.

Securing the ballot

Election turmoil is heating up races for state election officials.

Challengers are attacking Republican incumbents in West Virginia and Washington state over their use of new election technologies, Eric Geller at Politico reports. Democrats say the technologies have cast doubt on the integrity of races in the states. 

Trump's attacks on mail-in ballots have also given ammunition to Washington state Democrats who say incumbent Secretary of State Kim Wyman, a Republican, hasn't done enough to refute the president's attacks. Washington state votes almost entirely by mail. 

More election news:

Facebook bans U.S. ads that call voting fraud widespread or election invalid (Reuters)

Memory sticks used to program Philly’s voting machines were stolen from elections warehouse (Philadelphia Inquirer)

Privacy, civil rights groups demand transparency from Amazon on election data breaches (The Hill)

Global cyberspace

Secretary of State Mike Pompeo warned Italian leaders about the threat of Chinese technology.

Pompeo urged Italian Foreign Minister Luigi di Maio to consider carefully the risks to its national security and the privacy of its citizens presented by technology companies with ties to the Chinese Community Party, Angelo Amante at Reuters reports.

The United States has been pushing Western allies to ban Huawei and other Chinese firms it considers a national security threat from 5G buildouts.

Huawei, meanwhile, has opened a Rome-based cybersecurity center aimed at convincing governments its technology isn't being used as a Chinese spying tool. “We will open our insides, we are available to be vivisected to respond to all of this political pressure,” the head of its Italian unit Luigi De Vecchis said at the opening, Reuters reports.

Launching the center the same day as Pompeo’s arrival in Italy was a coincidence, De Vecchis said.

More cybersecurity news:

To hunt hackers, FBI works more closely with spy agencies (Reuters)

Chat room

Cybersecurity reporter Kim Zetter on why election night is always filled with uncertainty:


Secure log off

The Washington Post is launching its first investigative podcast today.