The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Are voting machines too vulnerable to hacking? Georgia's having that debate

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Comment

Welcome to The Cybersecurity 202! There's only one Groundhog Day film to recommend. Luckily it’s a doozy

Below: NSO allegedly offered “bags of cash” to access a global cell network, and the FBI is urging athletes to bring burner phones to the Olympics. 

A new report on Georgia voting machines gives fuel to the fiery debate over election security

There's a long-running and complicated fight over how much security is necessary to protect elections against hacking. 

A brewing controversy in Georgia illustrates this perfectly.

A judge may soon release a sealed report which was prepared as part of a years-long lawsuit over the security of Georgia’s voting machines. Its author, Alex Halderman, was given rare access to dig through the machines and look for ways to hack them. He said in a declaration filed in the case that he found multiple vulnerabilities that could allow hackers to install malicious software and undermine elections.

Halderman, who runs the University of Michigan’s Center for Computer Security and Society, is an expert for the plaintiffs in the case, a group of Georgia voters who want the state to replace its touch-screen voting machines that produce paper records with hand-marked paper ballots that they say are far more secure. 

Georgia election officials see things differently. Secretary of State Brad Raffensperger (R) says Halderman’s claims are overblown and that the bugs he found couldn’t reasonably be exploited in an actual election. He compared Halderman’s findings — discovered over 12 weeks of probing the machines — to “having the keys and alarm codes to a home then claiming he found a way to break in.” 

The report, which could be made public as early as this week, could shed new light on a battle between security advocates and election officials that burst into public view after the 2016 contest was marred by Russian interference. Russian hackers penetrated voter rolls in at least two states during that contest, but there’s no evidence they changed any votes. 

  • Security advocates say voting machine protections haven’t kept up with the hacking threat, and the companies that make them aren’t taking the threat seriously enough. They’ve repeatedly found hackable bugs in election machines — though primarily in machines that aren’t actively being used for elections and the hacks require hands-on access to the machines.
  • On the other side, machine vendors and election officials say security advocates are focusing on hacks that would be difficult or impossible to pull off during actual elections, and they aren’t taking into account all the nontechnical safeguards that would prevent such hacks.

Things got even more complicated after 2020 when the election security debate was hijacked by former president Donald Trump and his supporters who lobbed baseless claims that the 2020 election was undermined by hacking.

Each side has fretted that the other could add fuel to Trump’s false claims and further undermine public faith in the electoral process — either by advertising vulnerabilities that aren’t that serious or downplaying ones that are. 

Georgia was ground zero for that fight, and Raffensperger played a key role by insisting that President Biden’s victory in the state was legitimate and rebuffing Trump’s urging in a phone call to “find 11,780 votes” that could flip the state to his column.

Halderman has insisted there’s no evidence the 2020 election was undermined by hacking — a statement supported by the vast majority of credible election security advocates. 

Trump allies nevertheless invoked the Georgia lawsuit as a basis for some of their outlandish conspiracy theories. Notably, the suit is referenced in a never-issued executive order that would have allowed the Defense Department to seize voting machines and that is being investigated by the Jan. 6 committee. 

“The consensus of the election security community is it’s worse to hide things like Alex’s report from the public because it allows the crazies of the world, the people supporting the “big lie,” to mislead voters into thinking the report supports their conspiracies and it doesn’t,” Cross told me.

He added: “It’s easier to say to someone like Trump that we have confidence you’re lying when there’s transparency in the system. We’re in a worse situation when this work is in the dark.”

The public could soon weigh the evidence. The federal judge in the case, Amy Totenberg, initially sealed the report out of concern it could be a road map for hackers. But Halderman, the plaintiffs in the case and now Raffensperger are all calling for it to be released so the public can vet the claims for themselves. Totenberg could make a decision as soon as this week. 

“What you really want is a spotlight on these sorts of findings so the public understands what’s really going on,” David Cross, a lawyer for the plaintiffs in the Georgia case, told me.

The keys

NSO offered a mobile security firm “bags of cash” for access to global cell networks, whistleblower says

The offer came in a 2017 meeting between executives from NSO Group and the California-based firm Mobileum, former Mobileum employee Gary Miller said. 

  • According to Miller, NSO executives wanted access to a global network that helps cell carriers route calls and services, Craig Timberg reports
  • Miller disclosed the incident in detail to the Justice Department and also shared his claims with the Federal Communications Commission and the Securities and Exchange Commission.

NSO denied the charges in a statement, saying that it has “never done any business with” Mobileum, and that it “does not do business using cash as a form of payment.” 

Miller now works as a mobile-security researcher for Citizen Lab, a cybersecurity research group at the Uniersity of Toronto that has done a large chunk of the research on NSO infections. The group has been highly critical of NSO.

The legal implications of such an offer are unclear. “Legal experts said they know of no law that would make it illegal merely to gain access to [the networks] in the United States or pay for a service in cash,” Craig writes. “But some types of surveillance are illegal in the United States if not explicitly authorized by a legal process, such as a court order, as happens when police get permission to conduct wiretaps. Unauthorized hacking also violates U.S. law, the experts said.” 

Rep. Ted Lieu (D-Calif.) in December sent a criminal referral to the Justice Department, which is investigating NSO, Craig writes. NSO said it’s not “aware of any DOJ investigation,” and the Justice Department declined to comment.

In other NSO news: Israeli police said they found evidence indicating that spyware was improperly used to spy on Israeli citizens, the Associated Press’s Ilan Ben Zion reports

  • The admission comes after police initially said they didn’t find any evidence that NSO spyware was misused in the country.
  • But a secondary inspection “found additional evidence that changes certain aspects of the state of affairs,” the police said.
  • They didn’t mention NSO, indicating that they could be investigating other spyware firms. NSO declined to comment to the AP.

The FBI advised U.S. athletes to bring burner phones to the Olympics

The warning comes just days before the Winter Olympics kick off in Beijing. Fears are mounting that Chinese authorities could use the Games to monitor sensitive communications from athletes, journalists and other attendees. 

The U.S. Olympic and Paralympic Committee previously told athletes to “assume that every device and every communication, transaction, and online activity will be monitored,” and that there “should be no expectation of data security or privacy while operating in China.” 

Some countries like Canada are giving athletes temporary devices to use while in Beijing. But even those devices could leak sensitive information. An app for athletes to log daily health information is riddled with security issues, Citizen Lab found.

Though the FBI’s new warning specifically mentions athletes attending the Games, some journalists have decided to use temporary devices while at the event, my colleague Paul Farhi reported last month.

The United States needs a nationwide strategy to grow the cybersecurity workforce, nonprofit says

That strategy should be developed by the office of National Cyber Director Chris Inglis with plenty of funding and resources provided by Congress, the National Academy of Public Administration said in its new study. Congress ordered the Department of Homeland Security to produce the study in an appropriations bill that passed in December 2020. 

The study:

  • Found that a “lack of clarity about federal agency roles and responsibilities has hindered the federal government’s ability to tap the [cyber] capabilities and resources in the private sector, academia, and other levels of government”
  • Calls for agencies like Cybersecurity and Infrastructure Security Agency to collaborate on the National Cyber Director’s effort, along with industry, academics and local governments
  • Concludes CISA will need clarified roles and responsibilities for workforce development, and the agency will need authorities from Congress so it can form outside partnerships

NAPA said it interviewed around 90 people for the report, including Inglis, CISA Director Jen Easterly and Federal Chief Information Security Officer Chris DeRusha.

Cyber insecurity

Inside Trickbot, Russia’s notorious ransomware gang (WIRED)

Billionaire Facebook investor Peter Thiel secretly funded a ‘cyber warfare’ startup that hacked WhatsApp (Forbes)

Weeks after a ransomware attack, some workers still worry about paychecks (NBC News)

Government scan

Meet the NSA spies shaping the future (MIT Technology Review)

Security specialists: Microsoft’s discounted logging offering warrants scrutiny  (NextGov)

National security watch

Drone company DJI obscured ties to Chinese state funding, documents show (Cate Cadell)

Global cyberspace

Iranian hackers suspected of breaking into defense company Rafael's systems (Calcalist)

Privacy patch

How a decades-old database became a hugely profitable dossier on the health of 270 million Americans (STAT)

On the move

  • Stephanie Doherty has joined CISA as its director of legislative affairs. She previously worked as legislative counsel to Sen. Mark R. Warner (D-Va.), who chairs the Senate Intelligence Committee. She has also worked for Sen. Jon Tester (D-Mont.) and the Department of Homeland Security in the Obama administration.

Daybook

  • The House Oversight and Reform Committee discusses legislation to bolster the U.S. government’s cyber defenses today at 10 a.m.
  • CISA Chief of Staff Kiersten Todt and Office of the National Cyber Director Chief of Staff John Costello discuss a report on the cyber workforce at a National Academy of Public Administration event today at 11:30 a.m.
  • Rep. Jim Langevin (D-R.I.) discusses cybersecurity at an Axios event today at 12:30 p.m.
  • The Senate Judiciary Committee could discuss the EARN IT Act as early as Thursday at 9 a.m.
  • The Senate Homeland Security Committee holds a hearing with three Biden nominees for positions in the Department of Homeland Security on Thursday at 10:15 a.m.
  • BSidesTLV founder Keren Elazari discusses hacker cultures at a Strauss Center event on Thursday at 1:15 p.m.

Secure log off

Thanks for reading. See you tomorrow.

Loading...