with Tonya Riley

Election security was the cybersecurity story dominating 2020, and it is likely to dominate 2021 as well. That reflects an old saw about cybersecurity — that it is a race without a finish line. 

Some things went well this year: years of tireless work by state and local officials kept November’s presidential election safe from foreign hacking or major technological snafus. But faith in the election was battered by President Trump’s baseless claims that his loss was illegitimate. 

And the government’s cybersecurity chief, Christopher Krebs, who did more than anyone in the federal government to shepherd states’ election security work, paid with his job when he wouldn’t endorse Trump’s baseless claims. 

“This time we won the battle but still managed to lose the wider war,” Jon Bateman, a former Defense Intelligence Agency analyst and now a Carnegie Endowment for International Peace cybersecurity fellow, told me. “We protected the integrity of the election, but a huge number of Americans fell for a disinformation campaign that aimed to delegitimize the election result in a way that’s much more serious and dangerous than anything that happened in 2016.”

That all means one of the biggest cybersecurity stories of 2021 is likely to be whether Republicans and Democrats can unite behind a plan to give voters confidence their ballots were recorded accurately and to guard against the distortion efforts of sore losers. Or, if bipartisanship fails again, whether Trump’s baseless post-election claims become the norm.

Here’s a rundown of four other big cybersecurity stories from this year and the year ahead. 

1. The coronavirus pandemic created a hotbed for hacking. Things will get even tougher next year.

The attacks ranged from China sponsoring criminal hackers targeting vaccine research to Russian-speaking cybercriminals shutting down computers at overstressed hospitals and holding them for ransom until the hospitals paid up. 

Things are likely to get even hairier in 2021 as the U.S. embarks on the mammoth task of distributing coronavirus vaccines to tens of millions of people — and as cybersecurity pros are tasked with protecting the vast supply chain necessary to get the vaccine vials where they need to go. 

China and other U.S. adversaries could try to disrupt vaccine distribution so their economies can recover more quickly than the United States. Disruption could also be driven by cybercriminals who lock up parts of the vaccine supply chain and hold them for ransom, knowing that, with lives hanging in the balance, victims are likely to pay out. 

“We’re pinning so much of our hopes for 2021 on vaccination and the real question is, ‘Are we confident the supply chain for the vaccine is going to be safe?’ Because the bad guys are pinning their plans on disrupting that,” Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub and a former Homeland Security Department cybersecurity official, told me. 

2. Russia pummeled the United States during Trump’s term. We’ll see if Joe Biden can bring the former Cold War adversary to heel. 

Russian hackers pestered the United States throughout the year with attacks on hospitals and disinformation campaigns targeting the election. But by far the harshest hit came just this month when officials discovered a Kremlin-backed hack of nearly unimaginable proportions that has compromised at least a half-dozen U.S. government agencies and likely many more, as well as U.S. companies here and abroad. 

There’s no question Russia would be hacking U.S. targets regardless, but the Kremlin may have been emboldened by Trump, who’s done little personally to hold Russian President Vladimir Putin accountable for its breaches. Trump has also expressed doubts about Russia’s maliciousness in cyberspace and repeatedly questioned U.S. intelligence agencies’ conclusion that Russia interfered in the 2016 election. 

The big question for 2021 is whether Biden can reduce the frequency and devastation of such attacks — likely through a mix of improving government cyber-defenses, punching back more aggressively when Russia does attack and some amount of geopolitical deal-making.

“The thing Trump’s done worst on is high-level messaging to Russia that malign cyberactivity needs to stop or be dramatically reduced,” Chris Painter, who was State Department cyber-coordinator during the Obama administration and during Trump’s first months in office, told me. “Biden needs to make this real for Putin in a way that Trump never did.”

That’s sure to be a tall order, though. Success may require becoming far more aggressive with Russia than previous administrations, and risking either more retaliatory hacking from Russia or damaging other diplomatic goals such as arms control talks.

“There’s no solution to this without risk, so if they decide they’re risk intolerant, they’re not going to get anywhere,” James Lewis, a former government cybersecurity official who’s now a senior fellow at the Center for Strategic and International Studies, told me. 

3. Trump’s battle against Chinese technology began to bear fruit this year. Biden will have to create a longer-term strategy.

If there’s one area on which Trump and Biden largely agree, it’s China. Trump officials spent much of 2020 cracking down on the Chinese telecom giant Huawei over spying concerns and urging allies in Europe and elsewhere to block the firm from building their next-generation 5G wireless networks. 

The big idea was that the West and China are in a race to control the future of the Internet and, if China wins, U.S. data will never be safe from spying again.

Trump officials saw some major successes this year, including a ban on Huawei in the United Kingdom. In 2021, the Biden administration will need to figure out a way to solidify those gains. 

The bigger challenge will be shifting U.S. technology investments so the United States and its allies can be more competitive with China when tech again shifts to new ground.

“If we work with trusted partners, we can build up alternatives [to Chinese firms], but that’s a long-term game,” Painter said. “We need to do that now so we’re not in the situation we were with 5G. We should have started work on 5G six years before we did.”

4. Trump continued a purge of the government’s top cybersecurity leaders this year when he fired Krebs. Biden will have to rebuild on the fly. 

Firing Krebs was a major blow to the government’s cybersecurity expertise, but it wasn’t the first. Earlier in his term, Trump eliminated cyber-director positions at the White House and State Department. Critics said the loss of those jobs helped create a scattershot cybersecurity policy during the Trump administration in which some good work was done but often without anyone coordinating it between different agencies. 

Congress recently bucked Trump by mandating the creation of a new White House cyber-director post inside a major defense policy bill that the president has vowed to veto. That position almost certainly won’t be filled until Biden takes office, however, and it will probably be just one step in creating a far more coherent government strategy.

“You look at today’s news and you wonder if having a strong White House cybersecurity coordinator would have made a difference,” Suzanne Spaulding, who led DHS cybersecurity operations during the Obama administration, told me, referencing the major Russian breaches.

In his first statement released yesterday on those breaches, Biden declared: “I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office.”

That’s a stark contrast with Trump, who has yet to speak publicly about the breaches and was briefed yesterday on them for the first time.

“Reinstating some of these high-level positions won’t just have a bureaucratic effect,” Cooper told me. “It would mean people are in the room talking about cyber and raising questions when under the current administration they might not be. It will be a signal that cyber’s back to being an important issue.”

The Cybersecurity 202 will be on hiatus through Jan. 4. Stay safe and have a happy New Year.

The keys

Russian hackers may have used more tools than previously known in a massive breach of government systems.

An alert from federal investigators provides the first indication that the widespread hacking campaign compromising the State and Treasury departments, among other agencies, went beyond sending out compromised software updates from the company SolarWinds, Craig Timberg and Ellen Nakashima report.

The alert follows a report from Volexity that it discovered an intrusion into Microsoft’s email software using the same techniques as the SolarWinds compromise. Microsoft did not respond to a request for comment.

The alert underscores the challenge federal officials face in trying to oust the hackers from key systems. Restoring the security of affected networks could take months, experts say.

The malware poses “a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” an alert Thursday from the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security said.

The scope of the breach is also widening to include more federal agencies and some states. 

At least three states were affected by the hack, two officials familiar with the investigation told William Turton and Michael Riley at Bloomberg News.

The Energy Department said it found malware in its business networks but denied that functions including the agency overseeing nuclear weapons had been breached.

Microsoft was also hacked as part of the campaign, people familiar with the situation told Joseph Menn at Reuters. Microsoft said it has found no evidence hackers used its systems to attack customers. 

Biden also pledged to make dealing with the breach a top priority when he takes office. 

“Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation,” he said.

Biden said that he's directed his team to “learn as much as we can about the breach.” Trump has yet to comment on the breach but was reportedly briefed on it yesterday.

Sen. Mitt Romney (R-Utah) called the White House silence on the attack “inexcusable.”

Here's more from Anne Gearan, Karoun Demirjian, Mike DeBonis and Annie Linskey.

The House Homeland Security and Oversight committees are also investigating the hacks.

The committees requested the FBI, DHS and the Office of the Director of National Intelligence provide a classified briefing today on the sweeping compromise.

“While investigations and technical forensic analyses are still ongoing, based on preliminary reporting, it is evident that this latest cyber intrusion could have potentially devastating consequences for U.S. national security,” the chairs wrote in a letter addressed to the heads of the agencies.

The top Republican and Democrat on the Senate Finance Committee are requesting that the Internal Revenue Service provide a briefing on whether any taxpayer data was compromised. The IRS appears to have been a client of SolarWinds as recently as 2017, they note.

Securing the ballot

Dominion Voting Systems is demanding Trump-allied lawyer Sidney Powell retract “knowingly baseless” accusations.

The company’s lawyers say Powell’s “wild, knowingly baseless and false accusations” about its voting machines have endangered its employees, business and American democracy, Emma Brown reports.

Powell has filed unsuccessful lawsuits seeking to overturn the election in states including Georgia. The company wants her to retract claims that its machines were used to manipulate votes to elect Biden and that the company’s software was created to rig the election of Hugo Chávez, the late Venezuelan president. Federal courts have rejected four lawsuits touting the claims, calling them speculation and gossip and innuendo.

Smartmatic, another target of Powell’s conspiracy theories, issued legal notices and demands for retractions of dozens of factually inaccurate statements made on Fox News, Newsmax and One America News earlier this week. The complaint cites claims Powell made on Fox News.

Powell did not immediately respond to a request for comment.

Cyber insecurity

Dutch prosecutors say a hacker successfully logged in to Trump’s Twitter account. Twitter says it didn’t happen.  

The prosecutors aren't pressing charges against the hacker, Victor Gevers, because he disclosed the hacks in an effort to illuminate a security problem, Miriam Berger reports.

“We believe the hacker has actually penetrated Trump’s Twitter account, but has met the criteria that have been developed in case law to go free as an ethical hacker,” the prosecutor’s office said in a statement, according to the Guardian.

The White House disputed in October that Gevers accessed the account. Twitter also disputed the claim, saying it had seen no corroborating evidence. 

“We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government,” the company said in a statement.
