By Joseph Marks
Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. (Evan Vucci/AP)
“We haven’t had anyone decline to have a call with us or not be excited about the resources we’re offering or the support or services,” DHS senior adviser on election security Matt Masterson said of offers to the crowded field of 2020 candidates, during a panel discussion at the Atlantic Council’s International Conference on Cyber Engagement.
That’s a far better reception than ahead of the 2018 midterms, when state election officials broadly rejected DHS’s offer to help with their cybersecurity early in the Trump administration. Despite the Russian hacking and influence operation that upended the presidential election, state officials were concerned DHS aid could lead to a federal takeover of election administration and were angered by the department's slow pace in sharing information about Russia's 2016 hacking attempts.
It was well into 2017 before some states changed their tune and began working with DHS on girding their election systems against hacking from Russia and elsewhere in the midterm elections.
Now, the acceptance of free help from DHS is a sign the campaigns and states are getting on the same page as the federal government about the need for security to protect both voter information and the integrity of the vote.
“They, I think, realize the risk and vulnerability that are out there and the need to secure their systems,” Masterson said. “We haven’t had any conversations that suggest people aren’t taking this seriously and don’t see the real risks out there.”
DHS is offering campaigns all the services it offered to state election officials in advance of the 2018 midterm elections, including scanning their computer networks for bugs and doing more complex penetration testing, according to Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency.
Campaigns are especially vulnerable to hacking because they form quickly with a mix of professional and volunteer staff — many of whom may not be especially digitally savvy. They’re also typically hyper-focused on winning votes, donations and news cycles to stay in the race, rather than on tedious administrative tasks such as ensuring everyone is following proper protocols before accessing sensitive databases or guarding against phishing emails.
Krebs, on the sidelines of the Atlantic Council conference, declined to say which campaigns his division spoke with and which accepted CISA services. But he said he hopes to work with all the presidential campaigns — Democratic and Republican — once the field of candidates is settled.
“If there are two high priorities on election security, it’s state and local [election offices] and it’s campaigns,” Krebs said. “We will provide whatever services they request.”
There could be trouble, however, if campaigns are wary of letting the federal government nose around computer systems that hold sensitive data such as donor information, opposition research on other candidates or campaign strategies.
That’s the sort of information Russia or another adversary might be most interested in stealing -- either for blackmail or embarrassing leaks -- and in the greatest need of protection. But Democratic campaigns might also be wary of giving access to databases containing sensitive strategy documents to a federal agency that's part of the government of the opposition party -- and ultimately reports to a president who's running for reelection.
As the 2020 campaign progresses, Krebs said he’d consider creating an external organization that provides the same cybersecurity services CISA offers but doesn’t report directly to DHS.
A model for that organization could be the Multi-State Information Sharing and Analysis Centers, he said — a nonprofit organization that receives federal government funding and shares cybersecurity threat information among federal, state and local governments.
Liisa Past, a former Estonian cybersecurity official, described during the Atlantic Council conference the model that government uses to secure campaigns: Estonian government cybersecurity pros test every campaign website that touches the public Internet for vulnerabilities but don’t touch any internal databases.
“We knock on the doors and windows, and that’s worked very well,” she said.
Or, DHS could offer some cybersecurity aid with the assistance of organizations that have their own cybersecurity operations and strong relationships with campaigns, including Harvard’s Defending Digital Democracy project or the Democratic and Republican National Committees, Krebs said.
“We’ll be working through any option our stakeholders want,” Krebs said. “I’m based on demand signals, so if campaigns come and say, ‘This is the capability we need,’ we’ll look at the feasibility of pulling it together.”
Homeland Security Secretary Kirstjen Nielsen talks outside her home in Alexandria, Va., on Monday, April 8, 2019. (AP Photo/Kevin Wolf)
Nielsen, who the Times reported “had become increasingly concerned about Russia’s continued activity in the United States during and after the 2018 midterm elections — ranging from its search for new techniques to divide Americans using social media, to experiments by hackers, to rerouting internet traffic and infiltrating power grids,” resigned under pressure earlier this month.
Here are more details from the Times: “In a meeting this year, Mick Mulvaney, the White House chief of staff, made it clear that Mr. Trump still equated any public discussion of malign Russian election activity with questions about the legitimacy of his victory. According to one senior administration official, Mr. Mulvaney said it ‘wasn’t a great subject and should be kept below his level.’”
“Even though the Department of Homeland Security has primary responsibility for civilian cyberdefense, Ms. Nielsen eventually gave up on her effort to organize a White House meeting of cabinet secretaries to coordinate a strategy to protect next year’s elections.”
“As a result, the issue did not gain the urgency or widespread attention that a president can command. And it meant that many Americans remain unaware of the latest versions of Russian interference.”
A staff member uses a laptop at a display for 5G wireless technology from Chinese technology firm Huawei. (AP Photo/Mark Schiefelbein, File)
But the controversial Chinese telecom will only be allowed to build peripheral sections that perform less vital functions, the Journal reported.
More from the Journal: “The decision is a victory for Huawei in its fight against a U.S. campaign to block the use of its 5G equipment in the networks of U.S. allies. The U.S. has long held that Huawei equipment is a security threat, which the telecoms company forcefully denies....The decision came at a meeting of Britain’s National Security Council on Tuesday attended by Prime Minister Theresa May and several British government ministers.”
“They agreed that Huawei should be allowed to participate in the construction of the network, but would be barred from involvement in its critical core, the official said. The decision wouldn’t be final until announced before lawmakers in the House of Commons.”
Meanwhile, Ciaran Martin, the head of GCHQ’s National Cyber Security Center, downplayed the rift between the U.S. and its five main intelligence sharing partners over Huawei in a BBC Radio interview. “It’s objectively the case that in the past decade there have been different approaches across the Five Eyes and across the allied wider Western alliance towards Huawei and towards other issues as well,” Reuters reported from the interview.
PWNED: Krebs also revealed during the Atlantic Council conference that as soon as next week CISA will publish its list of “critical functions” that government and industry should prioritize protecting against cyberattacks.
The general idea of the list is that the “critical infrastructure” that DHS helps protect against physical and cyberattacks encompasses too much for the department to protect everything equally — so it has to identify the most critical of the critical infrastructure.
The list, which Krebs said will include about 57 critical functions, is the first major output from CISA’s National Risk Management Center, which the department launched last year to focus on long-range cybersecurity problems.
Krebs didn’t provide specific examples of critical functions, but said the benchmark is services “that if interrupted … would literally crater the economy.” An example that Krebs and other officials have cited in the past is Global Positioning System data, which is vital to everything from trucking to financial transactions.
-- Democratic and Republican leaders of the House Energy and Commerce Committee are demanding answers from Google amid privacy concerns about a database the company maintains of users’ precise location information, according to a letter to CEO Sundar Pichai.
Earlier this month, The New York Times’s Jennifer Valentino-DeVries profiled the database, which Google calls “Sensorvault” and from which law enforcement frequently seeks information during criminal investigations.
Here are details from that report: “For years, police detectives have given Google warrants seeking location data tied to specific users’ accounts.”
“But the new warrants, often called 'geofence' requests, instead specify an area near a crime. Google looks in Sensorvault for any devices that were there at the right time and provides that information to the police.... Google first labels the devices with anonymous ID numbers, and detectives look at locations and movement patterns to see if any appear relevant to the crime. Once they narrow the field to a few devices, Google reveals information such as names and email addresses.”
The House committee’s Chairman Frank Pallone Jr. (D-N.J.) and ranking Republican Greg Walden (Ore.) want to know how Google uses the database, what privacy protections it applies and whether it’s storing other databases of location information.
-- Apple CEO Tim Cook lashed out during a Time magazine conference Tuesday at the FBI’s 2016 attempt to force the company to help crack its own encryption during an investigation into San Bernardino shooter Syed Farook, saying it “was a very rigged case” and “was not the government’s finest hour,” CNBC’s Kif Leswing reported.
An inspector general’s investigation later revealed the FBI didn’t explore all possible avenues before asking a federal judge to force Apple’s cooperation, and several people inside the bureau believed the goal was to force a court precedent rather than to solve the specific case. The bureau eventually withdrew its case when a third party offered it a way to hack into the phone without Apple’s assistance.
“I have personally never seen the government apparatus move against a company like it did here in a very dishonest manner,” Cook said.