The Cybersecurity 202: Election officials confident about security days before first contests of 2020

THE KEY

Election officials are striking a confident tone about digital security at their final summit before caucus and primary season begins. But they’re also planning for the worst, war-gaming how to handle any major hacks from Russia or other adversaries.  

“We’re planning as if they’re coming back,” Chris Krebs, the Department of Homeland Security’s top cybersecurity official, said on the sidelines of the conference hosted by the National Association of Secretaries of State. “The playbook’s out there. It’s not just about Russia. It’s about anyone else that may want to get into this space.” 

Krebs led more than 200 officials through a series of worst-case scenarios during the conference, testing how they’d respond and work together during a cyberattack or misinformation campaign targeting a primary or general election. Among the participants were representatives from 44 states, 15 election vendors and 11 federal departments and agencies, a DHS spokeswoman said. 

The conclusion: Officials are far better prepared than in 2016 when Russian hackers probed election infrastructure across the nation and upended Hillary Clinton’s campaign by hacking and releasing emails and flooding disinformation onto social media. 

DHS hasn’t seen any major hacking campaigns aimed at election systems so far this cycle, Krebs told reporters. And, while they’ve monitored a steady stream of disinformation from Russia and elsewhere since 2016, there hasn’t yet been any surge of it related to the 2020 contest. 

But there’s a long way to go before November. “What we’re trying to accomplish here is to test some of the planning assumptions we have, the playbooks we have … to identify where things need improvement so we can take advantage of the time we have between now and November,” Krebs told reporters. 

The meeting itself would have been nearly unthinkable three years ago when DHS first launched a mammoth effort to improve election cybersecurity and state and local officials lashed out at what they considered a federal takeover of states’ responsibility to run elections. 

Since then, DHS has largely repaired relations with states and worked with them to vet election systems for digital vulnerabilities and to place cybersecurity sensors in every county election network.

“We’re light-years ahead today from where we were three years ago,” West Virginia Secretary of State Mac Warner (R) said during the event. 

Iowa Secretary of State Paul Pate (R), whose state will hold its first-in-the-nation caucuses Monday, was also confident about security — even as he expressed concern about disinformation campaigns, which he said his office will be closely monitoring. 

“I’m pretty comfortable that we’re going to see a good night,” Pate, who’s also president of the national association, told reporters. “We take our role seriously … We want to have a positive perception that we run good, clean, fair and honest elections.” 

Pate’s office hasn’t spotted any foreign campaigns aimed at spreading disinformation about the caucuses, but it has spotted a few instances when local candidates inadvertently shared incorrect information about voting times and locations, he said. In those cases, his office was able to get the information corrected rapidly and to enlist local media to help — an experience he said will be good training if and when a real disinformation campaign starts.

He’s also confident that Iowans believe their votes won’t be undermined by foreign hacking, despite a recent NPR, PBS and Marist poll that found 41 percent of Americans believe the United States is not very prepared or not prepared at all to keep November’s election secure. 

He suggested many people are confident about the security of their local elections but less so about elections elsewhere in the nation — an argument that was basically supported by a 2018 Pew survey that found 66 percent of Americans were confident about election security in their own state but only 45 percent were confident about the security of elections across the nation.

“If you asked Iowans, are the Russians hacking and changing my vote, they’re going to tell you, ‘hell, no,’ ” he said.

He also warned that sounding too many alarms about election security could backfire by making people cynical about whether their votes will be hacked. 

“I’m a little sensitive when I talk to the media … because I don’t want to hype it,” he said. “We want you to be cautious. We want you to be concerned. We want you to be engaged. But I don’t want to terrify you to such a point where you don’t believe the process is working, because then the foreign agents do win.”

PINGED, PATCHED, PWNED

PINGED: Secretary of State Mike Pompeo praised a set of European Union recommendations for securing next-generation 5G wireless networks yesterday, despite the recommendations not including the main thing the United States has been pushing the E.U. on for the past year — a ban on Chinese 5G builder Huawei.

Pompeo’s statement basically dances around the issue by praising the E.U. for urging member nations to “exclude high risk suppliers from critical and sensitive parts of their 5G networks” while ignoring the fact the E.U. never calls out Huawei by name and several E.U. member nations are likely to allow the Chinese firm to build at least some of their 5G infrastructure.

State Department spokeswoman Morgan Ortagus went a step further on Twitter, claiming that “The United States and EU agree: #5G networks are just too important to our security and prosperity to hand control to untrusted suppliers like Huawei and ZTE” — despite the fact the E.U. made no statement about Huawei or ZTE, another large Chinese telecommunications firm. 

The letter appears to mark a step back from the diplomatic brink for U.S. officials who traveled the globe lobbying allies to ban Huawei over Chinese spying concerns and threatened to cut off or curtail intelligence sharing with any nation that allowed the company inside its 5G networks. 

Pompeo also reassured the United Kingdom that its decision to allow Huawei to build limited parts of its 5G network wouldn’t damage diplomatic relationships even though he has called on U.K. Prime Minister Boris Johnson to rethink that decision, Sebastian Payne and Helen Warrell at the Financial Times report.

“Good friends don’t always agree on everything,” Pompeo said. Huawei has denied aiding Chinese spying.

PATCHED: Free anti-virus software maker Avast will shut down the subsidiary it used to collect and sell data “effective immediately,” it announced yesterday. The decision follows an investigation by Motherboard and PCMag that found the company was selling the data of millions of users it had collected for security purposes without their consent, sparking outrage by lawmakers. 

“Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable,” chief executive Ondrej Vlcek wrote in a public letter yesterday.

But concerns with the anti-virus software industry may not be over. Both Sens. Mark Warner (D-Va.) and Bernie Sanders (I-Vt.) used the news to call on the Federal Trade Commission to further regulate the industry.

PWNED: An Iowa prosecutor dropped charges against two cybersecurity testers yesterday whose arrests while probing for bugs at the Dallas County, Iowa, courthouse sent major shock waves through the cybersecurity community this fall.

The pair was charged with burglary and trespassing even though they were testing the courthouse’s security as part of a contract between their employer, Coalfire, and the court. There appeared to be confusion between Coalfire and the Iowa court system, which purchased a security testing package, about some of the methods the penetration testers would use, according to a third-party review commissioned by the Iowa Supreme Court.

The court earlier reduced the initial charges against the employees, Justin Wynn and Gary De Mercurio, to trespassing.

Dallas County Attorney Charles Sinnard agreed to drop all charges after deciding that the public was better served by further cooperation with industry to “secure the sensitive information maintained by the judicial branch,” Anna Spoerre at the Des Moines Register reports.

PRIVATE KEY

— Cybersecurity news from the private sector:

Better anti-tracking measures have become the norm for Chrome, Firefox, Safari, and other modern browsers. But they still disagree on how exactly they should work.

Wired

ZERO DAYBOOK

Today

  • The National Association of Secretaries of State convention will take place through Sunday in Washington.

Coming up:

  • New America’s Open Technology Institute will host an event titled “Privacy’s Best Friend: How Encryption Protects Consumers, Companies, and Governments Worldwide” on Feb. 4 at noon.
  • RSA Conference 2020 is scheduled for Feb. 24-28 in San Francisco.
