Search This Blog

Translate

Search Tool




Nov 16, 2020

Analysis | The Cybersecurity 202: Trump’s finally talking about election security – but only to spread conspiracy theories

Joseph Marks


with Tonya Riley

For election security advocates, watching President Trump’s unfounded claims about voting machines feels like bizarro world. 

They've spent years trying to highlight legitimate concerns about hackable vulnerabilities in election technology only to be rebuffed by the White House. Trump, meanwhile, mostly ignored election security during four years in office — except for when he was outright undermining it by disputing the intelligence community’s conclusion that Russia interfered in the 2016 contest. 

Now, he's finally talking about the topic, but it's only to spread conspiracy theories, hijacking fears about election hacking to serve his own political ends

“We’d welcome attention from the top down on these issues, but it’s hard not to be cynical about this sudden interest,” Maggie MacAlpine told me. She's a co-founder of the Voting Village at the annual Def Con cybersecurity conference where ethical hackers expose vulnerabilities in voting equipment. 

Trump tweeted a video on Saturday an NBC News story about the Voting Village to cast doubt on the voting machine company Dominion, which is at the center of his efforts to blame insecure technology for his loss. He's touting a debunked conspiracy theory that Dominion altered thousands of votes and claiming without evidence that it’s a “radical left” company with “a bad reputation & bum equipment.”

Rudy Giuliani, who is leading the president’s legal efforts to contest the election results, is also soliciting information about Dominion, which supplied voting machines or vote scanners in Georgia and dozens of other states. Another Trump lawyer, Sidney Powell, claimed without evidence on Fox News someone had intentionally changed thousands of votes using Dominion machines — an act that would be easily spotted by an audit of paper ballots. 

It’s one thing to say, ‘let’s safeguard democracy.’ It’s another to finger-point at potential vulnerabilities when there’s an outcome you don’t like,” said MacAlpine, a founding partner at the election security firm Nordic Innovation Labs.

To be clear, there’s no evidence that Dominion machines altered any votes or that company officials oppose Trump. 

The conspiracy theory sprouted from a single Michigan county that initially miscounted votes to favor Joe Biden. The miscount was because of human error rather than Dominion machines and was quickly caught and corrected, the New York Times reported

Dominion has released an extensive fact check refuting claims made by the president and his allies. The company is also pointing to a joint statement from federal, state and local officials that said there was “no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.” 

Trump has also had plenty of chances to improve election security — but didn't take any of them. 

The president made no effort to support Democratic legislative efforts to increase federal oversight of election technology vendors or to mandate changes such as paper ballots and post-election audits that would make it difficult or impossible for hackers to successfully alter large numbers of votes unnoticed. Those efforts were all blocked by Senate Majority Leader Mitch McConnell (R-Ky.). 

He's also never supported congressional efforts to give states money to upgrade their election procedures. Congress has approved about $1 billion in such funding since 2018, though Democrats sought about $3 billion. 

To add insult to injury, Trump is even mulling firing Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency, which did more than any other federal agency to ensure the 2020 election was protected against hacking. 

His attack on Dominion is the latest salvo in a flurry of claims aimed at reversing Joe Biden’s win. 

Those efforts, which include claims that dead people voted in large numbers and that Trump observers were unfairly barred from watching vote counting, have failed so far to produce any significant wins in the courtroom. 

Experts have warned for years that election equipment makers should do more to protect their systems from hacking and should be more transparent about their security

But that’s very different from claiming hackers could change thousands of votes without getting caught — which experts say would be exceptionally unlikely. 

“There’s a conflation on the part of people trying to cast doubt on the election outcome between the presence of security vulnerabilities in some parts of our election infrastructure — which are undoubtedly there — and the actual exploitation of those vulnerabilities,” Matt Blaze, another Voting Village co-founder and a Georgetown University computer science professor, told me. 

The chances of such an attack have also decreased dramatically during the past four years because states have shifted from paperless voting machines to either hand-marked paper ballots or machines that print out a paper record where people can verify their votes were recorded correctly. More states and counties are also conducting post-election audits to make sure votes were tabulated correctly.  

It’s undoubtedly the case that election systems are better this year than they were in previous years,” Blaze said. “They’re not where they need to be but they’re improving.”

Here’s more from Alex Halderman, an election security expert at the University of Michigan:

From the Def Con conference:

Election technology makers are also taking cybersecurity more seriously than four years ago — though not as much as security advocates would like. 

The NBC clip Trump tweeted focused largely on hostility between vendors such as Dominion and Election Systems and Software and Def Con Voting Village security researchers. That hostility has ebbed some in recent years as some vendors have endorsed paper records for all votes and allowed some outsiders to vet the cybersecurity of their systems. 

Blaze said the relationship is “better than it was a few years ago but not where it needs to be.” 

The keys

The White House’s top cybersecurity official is taking leave to work for a group seeking to prove Trump’s voter fraud claims.

Camilo Sandoval, who was confirmed as chief information security officer this month, is just one of several Trump appointees working for the group called the Voter Integrity Fund, Jon Swaine and Lisa Rein report.

The Virginia-based group was founded by a 2016 Trump staffer. It's analyzing ballot data and calling voters in an effort to prove the president's unfounded claims about voter fraud. The group claims to have found evidence of fraud but has not yet made it public.

The White House Office of Management and Budget confirmed Sandoval was on leave but would not say whether he was still receiving a government salary. Sandoval confirmed he was not using government equipment for the work, which would violate a government ethics policy.  

Sandoval replaced Grant Schneider as CISO, a longtime government technology official who served under Republicans and Democrats. Schneider told me in an exit interview he was proud government cybersecurity had steered clear of partisan politics during his tenure as CISO. 

Russian and North Korean hacking groups are targeting coronavirus vaccine makers.

Hackers targeted pharmaceutical companies and researchers in Canada, France, India, South Korea and the United States, Microsoft reported in a blog post

The majority of the targets have vaccines in clinical trial stages and received government funding or contracts. Microsoft’s security protections fended off most of the attacks, the company says. Microsoft did not say if any attacks were successful. 

The U.S. government and the World Health Organization have also warned about the increased threat of cyberattacks against coronavirus research. China has sought to penetrate research facilities working on a coronavirus vaccine, the FBI warned this summer.

Ransomware attacks against schools are increasing, with more hackers releasing student data.

At least three dozen ransomware attacks have hit school districts since March that collectively serve about 700,000 students, Tawnell D. Hobbs at the Wall Street Journal reports. That number doesn't include private schools, unreported cases and colleges and universities. 

Ransomware attackers typically lock up the victim’s computer files and offer to unlock them for a fee. The hackers are demanding ransoms ranging from $35,000 to $1.14 million in cases identified by the Journal. 

The FBI advises victims not to pay ransoms. But that could put the privacy of students and staff at risk.

Hackers released personal information, including Social Security numbers, when school districts in Las Vegas and Toledo refused to pay ransoms. In the Toledo hack, parents found out from the media rather than the school district about the breach. “My information is out there, and they could contact me,” said Toledo parent Krista Wilcox, the mother of an 8-year-old son. “How do I know it’s not child traffickers? I feel betrayed by the school system.” 

National security watch

The government has given TikTok more time to reach a deal to avert being banned.

ByteDance, the Chinese parent company of the popular video app, has until Nov. 27 to reach a deal that meets the approval of the Committee on Foreign Investment in the United States, Rachel Lerman reports. The interagency committee determined earlier this year that the company's Chinese ownership posed a national security risk and ByteDance would have to divest its ownership if the app continues to operate in the United States.  

The U.S. government claims TikTok could be compelled to share U.S. user data with the Chinese government, a claim TikTok denies. TikTok has been in talks to launch a new company with investments from American companies Oracle and Walmart. The deal appeared to have the president's blessing but negotiations stalled. 

More national security news:

Cyber insecurity

A vulnerability in dating app Bumble could have allowed hackers to find users' approximate location. 

Bumble fixed the flaws six months after a researcher first flagged them.

“The underlying user security-related issue has been resolved and there was no user data compromised,” a company representative said.

More cybersecurity news:

Daybook

  • The Cybersecurity Coalition and the Cyber Threat Alliance will host CyberNextDC on Nov. 17-18, starting at 11 a.m.
  • USTelecom and Inside Cybersecurity will host a webinar on information technology priorities in the coming year on Nov. 17 at 2 p.m.
  • MIT Technology Review's CyberSecure conference will take place December 2 and 3.

Secure log off

SpaceX launched four astronauts to the International Space Station on Sunday. Read more here and watch below:

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.