Welcome to The Cybersecurity 202! I hope everyone had a great and relaxing Memorial Day weekend. Here's Robert Frost's “Not to Keep” on the hidden costs of war.
Dominion's voting machines have vulnerabilities, but there's no evidence they were hacked in Georgia
Georgia’s voting machines recorded votes properly – but they have hacking vulnerabilities that went undiscovered for years.
The findings are from a recent review of the voting machines and represent a mixed bag for people concerned about foreign and domestic interference in U.S. elections.
First, the good news: There’s no evidence any of the vulnerabilities have been used to alter votes in any elections, as my colleagues Ellen Nakashima and Amy Gardner report. Most of the vulnerabilities are also quite difficult to exploit, requiring hands-on access to the voting machines. And they’re likely to be caught by standard security protocols in election offices.
But: The vulnerabilities in the Dominion Voting Systems-brand machines remained undetected for years. They might not have been discovered now if not for a long-running lawsuit over the security of Georgia’s machines during which University of Michigan computer scientist J. Alex Halderman was given a chance to examine the machines on behalf of the plaintiffs in the case.
Such independent reviews are still relatively rare — and election security advocates warn vulnerabilities in other voting systems could still be waiting out there undiscovered.
Halderman’s findings were verified by the Cybersecurity and Infrastructure Security Agency (CISA), which is in the process of notifying more than a dozen states that use the machines about the vulnerabilities and mitigation measures they should take, according to Ellen and Amy, who got an advance look at the CISA advisory.
The CISA advisory details nine flaws in versions of Dominion’s ImageCast X machine. The advisory is expected to be publicly released next week after states have reviewed it. Halderman’s report remains sealed as part of the Georgia lawsuit, which argues the state should abandon its machines because of security concerns in favor of hand-marked paper ballots.
A review commissioned by Dominion and conducted by the Mitre Corporation, a federally funded research and development center, reached similar conclusions to CISA, Georgia Secretary of State Brad Raffensperger (R) told my colleagues. That report, which was concluded Friday, hasn’t been released yet.
The disclosures come after Tuesday’s primary elections in Georgia, which saw record turnout for a midterm primary and no evidence of tampering with voting machines.
The report highlights a major challenge in election security right now.
- The public is demanding a far higher level of security and transparency from election systems in the wake of foreign interference efforts in the 2016 and 2020 contests. There’s no evidence U.S. adversaries have ever changed votes in an election, but Kremlin hackers penetrated voter rolls in at least two states in 2016.
- But election officials and voting machine vendors are struggling to keep up with the level of security and transparency the public is demanding. Vendors, who were notoriously opaque about security before 2016, have had a particularly difficult time keeping up with demands.
The challenge has been exacerbated by election fraud conspiracy theories spread by former president Donald Trump and his allies, whose claims are unfounded but have nevertheless sparked a wave of distrust in election systems.
Dominion machines played an outsize role in many of Trump’s false claims. Georgia was also ground zero for Trump’s pressure campaign to overturn election results. Multiple audits upheld President Biden’s narrow victory in the state and yet Trump urged Raffensperger in a phone call to “find” enough votes to make him the winner.
There’s also a heightened threat of malicious insiders — mostly adherents of Trump’s lies — who work in election offices and might have an easier time exploiting some of the election machine vulnerabilities that would be far more difficult for an outsider.
One big example
Mesa County, Colo., clerk Tina Peters was indicted on a charge of trying to secretly copy hard drives from Dominion Voting Systems equipment. Despite her legal troubles, Peters is seeking the Republican nomination to be Colorado’s top election official — one of many adherents to Trump’s election lies seeking such offices across the country.
Election officials and companies have always taken a balancing-act approach to security. They accept some vulnerabilities that would be more difficult for hackers and other bad actors to exploit in order to meet other priorities, such as making elections operate efficiently or making them accessible to people with disabilities or people who speak different languages.
They also expect that some purely technical vulnerabilities will be counteracted by procedural safeguards such as keeping machines locked down when they’re not in use.
Here’s Gabriel Sterling, a top Georgia election official: “Both the CISA and Mitre reports show what reasonable people already know — if bad actors are given full and unfettered access to any system, they can manipulate that system. That is why procedural, operational, and legal election integrity measures are crucial.”
But the balance has swung far in the direction of security since 2016 and the trend seems unlikely to slow down.
- States including Georgia that lacked paper trails for all their votes have almost entirely shifted to voting machines that produce paper records of votes or to hand-marked paper ballots.
- The three largest election machine vendors, which control more than 85 percent of the market, have made a variety of commitments to have their tools vetted by CISA and other outside security testers.
Privacy policies aren’t working, The Post’s tech columnist argues
Our tech columnist Geoffrey A. Fowler collected all the privacy policies for the apps on his phone. Combined, they ran nearly twice the length of “War and Peace” — far too long for users to read, understand and meaningfully consent to them.
His conclusion: “We the users shouldn’t be expected to read and consent to privacy policies. Instead, let’s use the law and technology to give us real privacy choices.”
- Companies should stop collecting unnecessary data unless users opt-in. A federal privacy law could move companies in that direction.
- Computers should also ask users about their preferences and act “like a butler, interacting with apps and websites on your behalf” while making privacy decisions based on users’ options.
It’s official: The U.S. has joined dozens of nations in banning some hacking tool exports
The U.S. government officially imposed a rule this month designed to limit exports of hacking tools to China, Russia and other countries of concern.
The regulation is aimed at limiting exports that will fuel the hacking arms race while making sure cross-border cybersecurity collaboration isn’t stymied. My colleague Ellen Nakashima described the rule at length in October, when the Commerce Department first announced it.
The regulations cover newer hacking tools like NSO Group’s Pegasus spyware. NSO has said it doesn't sell its software to China or Russia, and requires its clients to only use its spyware for law enforcement or counterterrorism purposes.
They were also designed to cover software made in the United States that could be used to develop hacking tools elsewhere. Such exports would require a special Commerce Department license under the rules.
Israeli investigator allegedly hired Indian hackers for Russian oligarchs
Russian oligarchs including sanctioned aluminum magnate Oleg Deripaska hired Israeli private investigator Aviram Azari for intelligence and surveillance services to get an upper hand in legal disputes, lawyers representing journalist Scott Stedman told a federal court. Reuters’s Raphael Satter first reported on the filing.
Azari, in turn, purchased “surveillance and cyber intelligence services from India, Israel, and elsewhere” to do the dirty work, Stedman wrote in a filing.
Stedman’s legal filings shed light on the usually opaque international hacking-for-hire marketplace employed by some prominent but unscrupulous businesspeople.
The claims come amid a high-profile legal battle between Stedman, the founder of investigative journalism site Forensic News, and the British security consultant, Walter Soriano. Soriano has sued Stedman in the United Kingdom, alleging that “Stedman’s reporting on him — which he claims is inaccurate — amounted to illegal data collection,” my colleague Reed Albergotti reported in March.
- Stedman wants a federal court to serve a subpoena on Azari, who his legal team says could vindicate Stedman’s reporting. They’re seeking documents on Azari’s work for Soriano with hacking companies like NSO Group and information about contracts with four Russian and Swiss business executives.
- Stedman’s allegations are “blatantly untrue,” a Deripaska spokeswoman told Reuters. Soriano’s lawyer, Shlomo Rechtschaffen, told Reuters that Stedman's claims are “false and unfounded,” and Stedman."
On the move
- Laura Bate has joined the Treasury Department’s Office of Critical Infrastructure Protection. Bate was previously a senior director of the Cyberspace Solarium Commission.
- FBI Director Christopher A. Wray and CISA Executive Director Brandon Wales speak at a Boston College cybersecurity conference Wednesday.
- The R Street Institute hosts an event on the path forward for a federal privacy law Wednesday at noon.
- The Atlantic Council hosts an event on the upcoming election for secretary general of the International Telecommunications Union on Thursday at noon.
- National Cyber Director Chris Inglis speaks at a Foundation for Defense of Democracies event Thursday at 2 p.m.
- The Atlantic Council’s Digital Forensic Research Lab hosts a two-day summit starting June 6.
- The Senate Homeland Security Committee hosts a hearing on ransomware and cryptocurrency payments June 7 at 10 a.m.
Secure log off
Thanks for reading. See you tomorrow.