The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Election security fights are still bitter and partisan in 2022

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Placeholder while article actions load

Welcome to The Cybersecurity 202!  George Orwell died 72 years ago today. My favorite Orwell is “Homage to Catalonia.” Some of the best advice on writing is in his “Politics and the English Language.” 

Below: Israeli police allegedly used NSO Group spyware to monitor an activist on a gay dating app, and Olympic athletes are leaving their personal phones at home over hacking fears.  

An election security hearing devolved into partisan rancor

In the first election security hearing of 2022, Republicans and Democrats were divided as ever on even the most basic questions.

Rep. Yvette Clarke (D-N.Y.), chair of the House Homeland Security Committee's cyber panel, opened yesterday's hearing by criticizing Republican inaction on election security during the first years of the Trump presidency. Republicans responded by positing a need for voter ID laws — which experts say have little influence on election integrity — and in some cases echoing baseless claims by former president Donald Trump that his 2020 election loss was illegitimate.

“The statement that the November 2020 election was the most secure election in American history, that, in my opinion, is the big lie,” Rep. Andrew Clyde (R-Ga.) said, referencing the unanimous conclusion of the Cybersecurity and Infrastructure Security Agency (CISA) and the national association of top state election officials that the contest was not compromised by hacking. 

Clarke, meanwhile, charged that “election security and election integrity are being weaponized” to support false claims of fraud. 

Election goals

The partisan bickering is a reminder of how little Congress has accomplished on election security more than five years after the 2016 election was affected by Russian interference. There’s no evidence Kremlin hackers changed any votes in that race, but they succeeded in compromising voter information in two states and raising alarms about the security of voting infrastructure. 

The bickering is also an omen that little is likely to change until well after the 2022 midterms. 

That’s despite serious issues that experts say must be addressed, such as:

  • Retiring paperless voting machines, which are more vulnerable to hacking and still used by between 5 percent and 10 percent of voters
  • Examining whether election machine vendors’ supply chains are vulnerable to hacking and manipulation

The hearing came a day after Senate Democrats failed to pass a mammoth voting rights measure because Sens. Joe Manchin (D-W.V.) and Kyrsten Sinema (D-Ariz.) joined all 50 Republicans in blocking changes to the filibuster rule. 

While that effort focused primarily on making it easier to cast ballots, it also included a handful of long-sought security reforms, such as requiring states to conduct post-election audits, creating a post-election audit advisory committee at the Commerce Department and blocking states from using voting machines or voting software that isn’t assembled in the United States. 

Steps taken

Congress hasn’t been totally absent from election security efforts. 

Between 2018 and 2020, lawmakers managed to send out about $800 million in election security grants that helped many states transition away from older and less secure voting equipment. 

But that funding was tacked onto larger bills at the last minute and didn’t include any requirements that states use it to meet minimum cybersecurity requirements or retire the most vulnerable equipment. 

There are some big changes that could help in 2022.

Matt Masterson, who was the top election security adviser to CISA in 2020, outlined a few during Thursday’s hearing. He suggested:

  • Formally naming CISA as the lead agency for election security and tasking it with conducting security certifications of election equipment that are currently done by the Election Assistance Commission. “Right now what you have is muddied waters on the technical responsibilities,” he said, noting that EAC is overburdened with work and CISA has far more technical expertise.
  • Surging the cybersecurity aid that CISA provides to election offices in small counties that lack their own resources and expertise.
  • Developing cybersecurity baselines for election offices including regularly patching computers against bugs, using multi-factor authentication and moving their websites from .com domains to .gov domains, which will make it easier for the federal government to help secure them against hacking.

Clarke plans to introduce a bill that would require CISA to run a rumor-control page to combat election disinformation, she said during the hearing. The agency ran such a page during the 2020 election that drew Trump’s ire when it fact-checked some claims made by his supporters. 

Trump fired CISA’s director at the time, Chris Krebs, shortly after the election, citing his claims the contest was not marred by foreign interference. 

The keys

Israeli police reportedly used spyware to monitor an activist on a gay dating app

The police used information collected from the app to trail the activist to private meetings with men he met on the app, Tomer Ganon of the Israeli business publication Calcalist reports. Police didn’t get a surveillance warrant as required by Israeli law until after hacking the phone. 

Israeli police investigators have used similar methods to monitor many other targets, Ganon reports. The targets included protest leaders, mayors and former government officials, Calcalist previously reported.

Israel’s attorney general has launched an investigation into reports of improper police use of NSO spyware, Reuters reports. Israel’s police told Calcalist that it didn’t know about the incident and denied they acted illegally.

Authorities in Ghana used NSO Group’s spyware to surveil political rivals, according to a report by Israel’s Channel 13 News. Ghana’s Bureau of National Investigations found that government officials purchased Pegasus “to spy on the government’s political rivals a few months ahead of the country’s 2017 election,” Haaretz’s Omer Benjakob reports

An NSO spokesperson said the company had a deal in Ghana, but that “the system was never operational,” Benjakob writes.

Rudy Giuliani was at the center of an effort to submit alternate lists of Trump electors to undermine the electoral college certification

Rudy Giuliani oversaw an effort to send signed certificates saying Trump won in five states where President Biden received more votes, my colleagues Beth Reinhard, Amy Gardner, Josh Dawsey, Emma Brown and Rosalind S. Helderman report. “The rival slates were leveraged as evidence in last-ditch efforts to give Vice President Mike Pence the ability to reject Biden’s victory when he presided over the electoral vote count in the U.S. Capitol on Jan. 6, 2021,” they write.

“Understanding the origins of the rival slates has now become a focus of the House committee investigating the Jan. 6 insurrection, according to people familiar with the panel’s activities,” my colleagues write. “Two Democratic attorneys general have asked federal prosecutors in recent days to investigate whether crimes were committed in assembling or submitting the Trump slates.”

More problems in Georgia: Meanwhile, a Georgia prosecutor requested a special grand jury to aid in her investigation into whether Trump and his allies broke the law when they pressured election officials in the state to “find” enough votes to overturn Biden’s victory, John Wagner reports. Trump responded by saying that he “didn’t say anything wrong in the call.” Fulton County District Attorney Fani Willis (D) launched the probe in February.

Journalists and athletes attending the Olympics are leaving personal electronics at home

Spectators, athletes and journalists have to use a special app to upload their health information every day for the Winter Olympics, which kick off in Beijing in February. But, because of concerns about hacking by Chinese authorities, many are opting to use special “burner phones,” which don’t hold any other personal data, Paul Farhi reports. There have already been reports about vulnerabilities in the app that expose personal data. 

Attendees are also taking other precautions against hacking. USA Today sports columnist Christine Brennan, who has covered 19 Olympics, plans to use a new phone and laptop. She also “intends to keep her devices’ camera lenses covered when not in use, after hearing warnings that hackers can manipulate cameras from afar to surveil a user,” Paul writes.

National Olympic Committees are warning athletes about security risks, Reuters’s Hritika Sharma and Steve Keating report:

  • The United States Olympic and Paralympic Committee warned that “it should be assumed that every text, email, online visit, and application access can be monitored or compromised,” and suggested using “burner” devices and virtual private networks.
  • Canada’s Olympic committee told its athletes to think about leaving their devices at home. It also told them to be on alert because the Games present “a unique opportunity for cybercrime.”
  • Switzerland's and Sweden’s Olympic committees are going further, giving their delegations new devices and briefing them about cybersecurity measures they can take

Global cyberspace

The Biden administration sanctioned a former Ukrainian official for helping Russia plan cyberattacks

Former Ukrainian official Volodymyr Oliynyk allegedly gathered information about Ukraine’s critical infrastructure for Russia’s security services, the Treasury Department said. Russia has a history of launching cyberattacks on Ukrainian critical infrastructure, with a particular emphasis on disrupting the country’s energy sector, Treasury noted.

The Treasury Department sanctioned Oliynyk and three other officials including two active members of Ukraine’s parliament. One of the politicians, Taras Kozak, was involved in efforts to “amplify false narratives around the 2020 U.S. elections,” the department said.

The sanctions came as Ukraine prepares for a potential invasion by Russia, which has almost 100,000 troops on its border.

If tensions heat up, Russian hackers could target U.S. energy companies and other critical firms, three U.S. government agencies warned this month. Ukrainian officials this month blamed Russia for carrying out cyberattacks that wiped government agencies’ data. 

Russian cybersecurity firm draws U.S. federal scrutiny, concern from national security experts (Forensic News)

Canada agency says Russian-backed actors targeting infrastructure (Reuters)

Cyber insecurity

Pirates spammed an infamous Soviet short-wave radio station with memes (Motherboard)

Doomsday Clock remains at 100 seconds to midnight amid climate change, cybersecurity and pandemic (CBC News)

Industry report

Twitter Shakes Up Security Team (New York Times)

Daybook

  • The Cyber Threat Alliance hosts a webinar for its fifth anniversary on Monday at 10 a.m.
  • FTC Commissioner Noah Phillips discusses data privacy at an event hosted by the National Cybersecurity Alliance and LinkedIn on Wednesday.
  • Sens. Ron Wyden (D-Ore.) and Marsha Blackburn (R-Tenn.) speak at an R Street Institute event about a future federal privacy law on Thursday at 2:30 p.m.

Secure log off

Thanks for reading. See you Monday.

Loading...