The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Trump's lies helped prompt one critical election reform

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Placeholder while article actions load

Welcome to The Cybersecurity 202! Happy 41st birthday to the computer mouse, debuted in Xerox PARC on this day in 1981. 

Below: Opening up Twitter’s algorithm could carry some disinformation risks, and hackers tricked tech firms into handing over sensitive information they used to extort minors.

Holdout red states are finally embracing paper ballot records

Texas, Mississippi, Louisiana, Tennessee and Indiana are all belatedly making moves to require paper records for all votes cast in their states — a vital shift to ensure votes weren’t manipulated by hackers or altered by digital glitches. 

But there's a catch.

The moves were spurred in large part by former president Donald Trump’s false claims about fraud and manipulation in the 2020 election and his baseless crusade against voting machine companies — rather than by legitimate concerns spurred by Russian interference in the 2016 contest. 

It may be the only security-enhancing effect of Trump’s wild and baseless claims that his election loss was illegitimate — and election security advocates are celebrating it even as they’re dubious about the impetus. 

  • “I don’t condone bizarre claims about past elections or fearmongering about how we operate elections, but if people have to resort to misguided beliefs to come to true beliefs, things could be worse,” Mark Lindeman, director of the group Verified Voting, told me. 
  • “It’s really valuable to have paper ballots, and we don’t care how people come to that conclusion,” Lindeman said.
  • Here’s Tennessee Democratic Senate Minority Leader Jeff Yarbro, a longtime advocate for paper ballots, speaking to the Associated Press: “I’m disappointed that it’s taken this long and somewhat concerned over the rationale. … But at the end of the day, this is good public policy.”
Why paper?

Paper records of ballots are the single most important component of election security because hackers can’t manipulate ink on paper and auditors can consult the records if machine counts of ballots are called into question. 

Kremlin hackers probed election systems in multiple states in 2016 and accessed voter rolls in at least two states. There’s no evidence they altered any votes, but paperless ballots in some states would have made such changes far more difficult to detect. 

State of play: States and counties that lacked paper ballots have made massive strides to adopt them, with the percentage of votes cast without paper records nationwide dropping from about 20 percent in 2016 to less than 5 percent in 2020. 

States also adopted a raft of other election protections during that time including adding cyber sensors to election offices and conducting post-election audits. 

Irony alert

Between 2016 and 2020 congressional Democrats led the charge to surge federal funding for elections and to mandate cyber protections. But Democratic-leaning New Jersey is now the only state that lacks paper records for some votes and has not made significant progress toward fixing the situation by 2024 or 2026. 

  • In-person votes in New Jersey mostly lack paper trails, though they're currently available in some counties. A large share of state residents voted on paper in 2020 because of a surge in mail voting, but that's likely to change in November as the pandemic subsides.

“It’s terribly unfair to New Jersey voters that so many of them are stuck in this limbo where they cannot vote verifiably in person,” Lindeman told me. “All Americans should be able to vote verifiably, and we don’t consider New Jersey voters expendable.”

Here’s a rundown of the other states based on data provided by Verified Voting:

  • Texas has a plan in place that should result in paper records for almost all ballots by 2026.
  • Mississippi passed a bill requiring paper ballots by 2024.
  • Indiana passed a bill in March requiring a voter paper trail by 2024.
  • Tennessee lawmakers are debating a bill that would require a paper trail for voters in 2024.
  • A Louisiana legislative commission is working on a plan that could replace paperless machines by 2024.

But even if election security is better in reality, public faith in elections could still be undermined by Trump’s false claims and bogus conspiracy theories. 

Trump allies in battleground states are still pushing hard on those claims more than a year after the election. 

  • In Wisconsin, Republican Assembly Speaker Robin Vos this week extended the taxpayer-funded contract for a former state supreme court justice charged with investigating the claims, per the Milwaukee Journal Sentinel.
  • The Michigan GOP nominated two proponents of Trump’s phony stolen election claims to run the state’s elections office and to be attorney general.

The keys

Opening up Twitter’s algorithms is unlikely to increase hacking risks

Tesla chief executive Elon Musk, who acquired Twitter for $44 billion, has said that he wants to publish the social media network’s algorithms — a move aimed at increasing trust among users who believe that the platform’s algorithms are biased against them. While that’s unlikely to increase hacking risks, it could make it easier for bad actors to game the algorithm for disinformation campaigns and other malfeasance, CyberScoop’s Tonya Riley reports.

For example: actors linked to China’s government could theoretically game the company’s algorithms to give more prominence to pro-China tweets and less prominence to the country’s critics.

Publishing the algorithm could also have some upsides. “The kind of transparency Musk is hinting at could be a boon for Twitter, which has long been plagued with accusations that it limits the reach of content from certain groups of users,” Tonya writes. “The opaque nature of how social media companies like Twitter rank and spread content has also long been a source of friction with researchers looking to understand biases on the platform.”

Hackers tricked tech companies into handing over sensitive information used to extort minors

The hackers posed as law enforcement officials, tricking at least six social media platforms into handing over sensitive personal information about underage victims, Bloomberg News’s William Turton reports. The data was then used to target women and minors, with the hackers sometimes pressuring them to create and share sexually explicit materials and threatening to retaliate if they didn’t do so.

“The attackers have used the information to hack into victim’s online accounts or to befriend the women and minors before encouraging them to provide sexually explicit photos … Many of the perpetrators are believed to be teenagers themselves based in the U.S. and abroad,” Turton writes.

In many cases the requests for information appear legitimate because hackers have breached law enforcement agencies’ computer systems, Turton writes. 

Facebook has trouble keeping track of user data, according to leaked document

The company doesn’t “have an adequate level of control and explainability over how our systems use data,” making it difficult for it to comply with regulatory requirements that it control how user data is used, Facebook privacy engineers said in an internal document obtained by Motherboard’s Lorenzo Franceschi-Bicchierai. 

The revelation raises questions about whether Facebook can effectively comply with the European Union’s data protection rules. The E.U.'s General Data Protection Regulation puts strict limits on how companies can use user data and when they can use it for multiple purposes. According to the leaked document, Facebook may not even have the ability to limit how it handles users’ data,” Franceschi-Bicchierai writes. 

The engineers compared Facebook’s mass of data to a bottle of ink with data that comes from their own site and third parties across the globe. In the analogy, the bottle of ink is poured into a lake of water representing Facebook. “How do you put that ink back in the bottle?” the document asked. “How do you organize it again, such that it only flows to the allowed places in the lake?”

Facebook denied that the document showed it wasn’t complying with privacy rules. “Considering this document does not describe our extensive processes and controls to comply with privacy regulations, it's simply inaccurate to conclude that it demonstrates noncompliance,” a Facebook spokesperson told Motherboard. The spokesperson said the document "reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations.”

Global cyberspace

Spain got judicial approval to use Israeli spyware on Catalan separatists – report (Times of Israel)

UK: Concerns raised over Chinese surveillance camera firm (Associated Press)

UN to begin new phase of negotiations on cybercrime treaty, alarming human rights activists (CyberScoop)

Cyber insecurity

American Dental Association hit by new Black Basta ransomware (Bleeping Computer)

Government scan

US offers $10 million reward for tips on Russian Sandworm hackers (Bleeping Computer)

Biden nominates new Cyber Command No. 2, Navy cyber chief (The Record)

NGA will take over Pentagon’s flagship AI program (NextGov)

Securing the ballot

Trump’s Georgia allies are running on 2020 grievance. It may not work. (By Matt Brown, Amy Gardner and Josh Dawsey)

Building the “big lie”: Inside the creation of Trump’s stolen election myth (ProPublica)

Industry report

  • Craig Newmark Philanthropies has committed to donating $7.5 million to the Global Cyber Alliance to support its participation in Craig Newmark Philanthropies's Cyber Civil Defense initiative.

Telecom group wants NIST to map performance goals to the cybersecurity framework (NextGov)


  • Cybersecurity officials speak at the AFCEA Technet Cyber 2022 conference through Thursday.
  • Clearview AI founder and chief executive Hoan Ton-That speaks at a Washington Post Live event today at 11 a.m.
  • CISA Executive Assistant Director for Cybersecurity Eric Goldstein speaks at the State-of-the-Field Conference on Cyber Risk to Financial Stability on Thursday at 9 a.m.
  • The Committee on House Administration holds a hearing on the effects of disinformation on communities of color Thursday at 10 a.m.
  • CISA Director Jen Easterly testifies before a House Appropriations Committee panel on Thursday at 1:30 p.m.

Secure log off

Thanks for reading. See you tomorrow.