Welcome to The Cybersecurity 202! Please join me in congratulating Associate Editor Bob Woodward on 50 remarkable years at The Post. 

Below: The Republican Governors Association was hit with a data breach and Germany's election office was targeted in a cyberattack.

Pennsylvania Republicans are creating an opportunity for hackers

A partisan review of the 2020 election results in Pennsylvania threatens to endanger the personal information of the state's 7 million voters.

Pennsylvania Republican lawmakers voted to subpoena a wide range of voter data, including information that's highly valuable to hackers. The subpoena applies to everyone who cast ballots in the state's May 2020 primary and the November general election, as Elise Viebeck reports.

The data include:

  • Names
  • Dates of birth
  • Driver's license numbers
  • The last four digits of social security numbers

Yikes

That's raising alarms among election and security analysts. They warn consolidating that information and handing it over to a private company for auditing could dramatically raise the likelihood of the data being leaked or stolen by hackers. 

“All of the information being requested by this subpoena is exactly what a criminal would need to steal someone’s identity and open up fraudulent accounts in the names of any of these voters,” Maurice Turner, cybersecurity fellow at the German Marshall Fund’s Alliance for Securing Democracy and a longtime election security advocate, told me. 

State Democrats assailed the move and said they're mulling legal action to prevent it.

“Election security is not a game and should not be treated with such carelessness,” Pennsylvania Gov. Tom Wolf (D) said.  

The subpoena springs from the baseless claim that large numbers of Pennsylvania ballots were cast with the names of people who are dead or not citizens of the state. 

Ahh Arizona

Concerns are magnified following the partisan audit in Maricopa County, Ariz., run by the pro-Trump firm Cyber Ninjas.

Officials in Pennsylvania and Wisconsin have cited the Cyber Ninjas audit as a model for their efforts (Pennsylvania hasn't yet named a firm to carry out its audit). But that audit was riddled with cybersecurity flubs and poor management of sensitive data. Audit workers there routinely left laptops containing sensitive election data unattended and allowed those laptops to connect to WiFi, making them more vulnerable to hacking. 

“Before the Maricopa County audit, I would have assumed lawmakers interested in going down this forensic audit path would only hire professionals who are experienced at not only examining but handling and securing this kind of data,” Turner said. “But what we saw in Arizona is that’s not necessarily the case.”

The Pennsylvania review is part of an effort across multiple battleground states promoting baseless claims that Biden's victory was illegitimate

State Senate President Pro Tempore Jake Corman (R) tried to allay security concerns soon after the subpoenas were approved by a party-line vote of the body's Intergovernmental Operations Committee. 

“Every necessary step will be taken to ensure this information is secure, including making any vendor personnel sign nondisclosure agreements to make sure the data are protected under penalty of law,” he said in a statement.

Corman has pledged to conduct a “full forensic investigation” of the 2020 election. That's a term frequently used to describe the Maricopa County audit, though election officials say that review lacked the rigors of a professional and nonpartisan election audit. 

State Sen. Cris Dush (R), chairman of the committee that approved the subpoena, argued the voter information is needed because “there have been questions regarding the validity of people who have voted — whether or not they exist.”

In addition to voter information, the subpoena seeks county guidance issued by the Pennsylvania Department of State and communications between the department and county election officials. 

The damage such audits are doing to election and voter security is mounting

The Arizona state government is already on the hook for $3 million to replace Maricopa County voting machines, which lost their security certification during the Cyber Ninjas audit. The county is in a legal battle with the state over a subpoena to turn over routers, which would cost another $6 million to replace. Handing over the routers would jeopardize the security of vital county business including law enforcement operations, the county says. 

Pennsylvania Attorney General Josh Shapiro (D) has pledged to review any subpoenas for voting or tabulating equipment in that state.

“I would expect a subpoena like that to face litigation,” he said.

The keys

A cybersecurity lawyer faces indictment in a Trump-era Russia probe

The lawyer, Michael Sussman, alerted the FBI in 2016 to suspicious Internet data traveling between the Trump organization and a Kremlin-linked Russian bank. The FBI ultimately determined the Internet traffic did not warrant concern.

Now, a special counsel appointed by the Trump administration to scrutinize the Russia investigation, John H. Durham, may indict Sussman following evidence he might have been working for the Clinton campaign when he spoke to the FBI, Devlin Barrett reports.

Sussman denied he was working for the campaign. He told Congress in 2017 that he was working for an unnamed cybersecurity expert who helped analyze the data.

If Sussman is indicted, it could come as early as this weekend because of a statute of limitations on the case. Attorney General Merrick B. Garland has the power to block an indictment but is said to have declined to do so, the Times reported.

The Republican Governors Association was a victim in the Microsoft Exchange breach

The breach may have compromised the personal information of nearly 500 people, according to a notice posted on the Maine attorney general’s website.

The breach appears to be connected with a global compromise by Chinese government-sponsored hackers of Microsoft email servers that affected at least 30,000 public and private entities in the United States. The RGA did not name China in its alert.

According to the alert, one or more hacking groups “accessed a small portion of RGA’s email environment between February 2021 and March 2021.”

The association was unable to determine what specific information was compromised during the breach, so it is notifying everyone whose data might have been affected. The association patched the vulnerability and implemented additional security measures.

The association alerted the FBI about the breach, according to the notice.

Lawmakers push to add dozens of cybersecurity measures to an annual defense bill

The measures include legislation that would give the Cybersecurity and Infrastructure Security Agency director a five-year term and a proposed State Department report on the digital surveillance techniques of human rights violators.

Lawmakers want to add the measures to a must-pass annual defense policy bill (the National Defense Authorization Act), which frequently becomes a Christmas tree for cyber measures among others. 


Global cyberspace

A top European Union official calls for the alliance to bolster its cyber defenses

European Commission President Ursula von der Leyen called for the continent to become a world leader in cybersecurity during her annual State of the Union address. “We cannot talk about defense without talking about cyber,” said von der Leyen, Germany’s former defense minister. She urged developing a “European Cyber Defense Policy, including legislation on common standards under a new European Cyber Resilience Act.”

A top U.N. official wants a moratorium on AI tools that could violate human rights

United Nations Commissioner for Human Rights Michelle Bachelet called for a moratorium on artificial intelligence tools until more safeguards are in place to protect human rights, Sammy Westfall reports. Bachelet’s call came as the U.N. Human Rights Council published a report on the human rights risks of AI. 

The consequences of the unfettered spread of AI technology, Bachelet said, would be “catastrophic.” Critics say artificial intelligence systems can perpetuate racism and discrimination by using biased data sets. They can also increase police profiling of minorities. 

“We cannot afford to continue playing catch-up regarding AI — allowing its use with limited or no boundaries or oversight, and dealing with the almost inevitable human rights consequences after the fact,” Bachelet said.

Securing the ballot

Germany’s election authority was the target of an August cyberattack

Hackers bombarded the authority’s website with Internet traffic in an effort to overwhelm it. But election-related IT systems weren’t affected, Business Insider’s Lars Petersen reports. The attack was confirmed by a spokesman for the election office who told AFP that the site “only had limited accessibility for a few minutes due to a malfunction.” 

German officials did not identify who launched the denial-of-service attack. It comes as Germany prepares to hold Sept. 26 elections that will determine who will succeed longtime Chancellor Angela Merkel.

Germany on Sept. 6 called on Russia to immediately cease “illegal cyber activities,” accusing a Moscow-backed group of targeting members of the country’s federal and local parliaments.

Daybook

  • Stanford University’s Program on Democracy and the Internet hosts a webinar on E.U. technology and cybersecurity proposals today at noon.
  • Rep. Jim Langevin (D-R.I.), Southern Company CEO Tom Fanning and others discuss cyber threats to critical infrastructure at a Carnegie Endowment for International Peace event Friday at 12:30 p.m.
  • Former Undersecretary of State Keith Krach and former U.S. Agency for International Development deputy administrator Bonnie Glick speak at a Center for Tech Diplomacy at Purdue event on semiconductors and supply chains on Sept. 21 at 9:10 a.m.
  • Homeland Security Secretary Alejandro Mayorkas, FBI Director Christopher A. Wray and National Counterterrorism Center Director Christine Abizaid testify at a Senate Homeland Security and Governmental Affairs Committee hearing on homeland security threats since Sept. 11, 2001, on Sept. 21 at 9:30 a.m.

Secure log off

Follow the money. Thanks for reading. See you tomorrow.