First in MC: New election security bill arrives in House
With help from Martin Matishak and Eric Geller
MC EXCLUSIVE: HOUSE INTEL MEMBERS DROP ELECTION SECURITY BILL — A bipartisan group of House Intelligence Committee members today will introduce a companion bill to the Senate’s Secure Elections Act, S. 2593. The legislation is being proposed by Republicans Tom Rooney and Trey Gowdy and Democrats Jim Himes and Terri Sewell. “Although the Russian government didn’t change the outcome of the 2016 election, they certainly interfered with the intention of sowing discord and undermining Americans’ faith in our democratic process,” Rooney, who chairs the committee’s NSA and Cybersecurity subpanel, said in a statement. “There’s no doubt in my mind they will continue to meddle in our elections this year and in the future.”
Story Continued Below
Like the bipartisan Senate bill — which has the backing of several senior lawmakers and is due to be marked up by the Rules Committee on Aug. 22 — the House measure aims to boost coordination among federal and state agencies when it comes to sharing information about potential threats to election systems. DHS has been pilloried by lawmakers for waiting until last summer to disclose that Russian hackers tried to breach election systems in at least 21 states in 2016. Last month the agency’s top cyber official testified that he believes hackers tried to target every state and territory during the heated presidential race.
“It is our responsibility to take every precaution necessary to safeguard our elections and ensure no vote count is ever interfered with,” according to House Oversight Chairman Gowdy, who, like Rooney, is not seeking re-election this year. Himes, the top Democrat on the Cybersecurity subpanel, said the measure will ensure state and local officials “have the information, modern equipment, financial resources and federal support needed to protect our elections.” Sewell, the ranking member on the Defense intelligence subcommittee, warned that with less than 100 days until the midterms “action is urgently needed to protect our democracy against another attack.”
The bipartisan legislation will likely be referred to the Committee on House Administration, whose Democratic members issued a report last month calling for another $1.4 billion to secure the nation’s election voting systems.
ARE CAMPAIGNS TRYING HARD ENOUGH? — Congressional campaigns remain a target for hackers eager to knock out a pillar of the democratic process, Martin reports with assists from Tim and our colleague Daniel Lippman. Political campaigns and members of Congress insist they have made great strides in cybersecurity since attackers penetrated the DNC in a coordinated campaign to upend the 2016 presidential race, but many have not implemented standard cybersecurity protections to defend against digital attackers and detect malicious emails or attempts to infiltrate websites. “It just doesn’t seem to be as urgent of a concern in the conversations I’ve had,” said Ronald Bushar, government chief technology officer for FireEye.
Neither the RNC nor the DNC would specify the steps they have taken, saying they didn’t want to reveal those measures due to their own security concerns. However, with increased awareness there’s also a growing sense of urgency and paranoia among many working in politics and on the midterms. For example, at the DCCC, cybersecurity advice hangs in the bathrooms, according to a Democratic source. And at the DNC, a flyer that hangs above a men’s room urinal warns: “Remember: Email is NOT a secure method of communication, and if you see something odd, say something.”
“As counterintuitive as it sounds, cybersecurity is a human problem, it’s a leadership problem, it’s not a technical problem,” said Eric Rosenbach, who leads the Defending Digital Democracy Project, a bipartisan effort devoted to election cybersecurity at Harvard Kennedy School’s Belfer Center. Campaigns “should just assume from here on out, for the next several decades at least, that they will be targets for cyberattackers, both nation-state intelligence services and other nefarious individuals, who are trying to have some influence on the political situation in the United States.” Pros can read the full story here.
HAPPY FRIDAY and welcome to Morning Cybersecurity! Your MC host has been to Vegas twice, total, and both times for work. I remain, sadly, sin-less. Send your thoughts, feedback and especially tips to [email protected], and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
DEF CON 1 VS. DEF CON 5 TODAY — Conditions are ripe for DEF CON’s Voting Village — which kicks off today — to be a friendly event, or the opposite. One day in advance, the National Association of Secretaries of State launched a broadside against what it considered to be “unrealistic” aspects of DEF CON’s simulated election, set up for hackers to probe. DEF CON mounted a defense that the event was more realistic than the association suggested, and that the organizers were happy to make it more realistic still with the association’s help. One Hill source said the association has become a problem. “NASS has in recent months really shifted to doing the bidding of the vendors. It’s really unhelpful,” the source told MC. The association “keeps advocating for watering down any legislative response.” At least one voting machine vendor fired shots at DEF CON.
Whatever swords cross, California Secretary of State Alex Padilla is set to be the first person with that title to speak at the event, and he’ll be part of a lunch panel alongside federal and local officials. There’s plenty more, like kids taking part in hacking some machines, and speakers drawn from former government service, industry and academia.
BLACK HAT ROUND-UP — Flashpoint is paying close attention to the movements of Russian hackers, two of the cybersecurity company’s officials told MC, and it’s seeing some trends. To deal with a cyber talent gap, Russia is seeking Russian ex-pats to help conduct attacks in the West, said Vitali Kremez, director of research. Kremez also said Russia is mimicking China’s targeting of the health care sector. For some of the lower-end Russian cybercriminals, “their opsec is terrible,” where usernames on forums are sometimes tied directly to their social media profiles, said Steven Weinstein, director of threat research. Cybercriminals in general are in flux since law enforcement crackdowns on dark web markets Alpha Bay and Hansa, and the indictments of members of the Carbanak gang could have a more sweeping impact than anyone realizes, Kremez said.
A panel on international cyber norms exposed some of the limits of the voluntary codes of behavior. “We probably have all the norms we already need,” said James Lewis, a cybersecurity expert at the Center for Security and International Studies. “We’ve reached the end of this path. Instead of building trust, there’s much more distrust than there was in 2010,” when the U.N. Group of Governmental Experts on Information Security began pumping out such norms. “If there are no consequences, that’s a norm itself,” said former State Department cybersecurity coordinator Chris Painter — as in, the “norm” is that there are no penalties for violating norms. Nonetheless, they still serve their purpose. “Can we imagine a time when we need norms more?” asked former top DHS official Jane Holl Lute. “I can’t.” All of the panelists were commissioners on the Global Commission on the Stability of Cyberspace, which helps shape norms with the idea of government adoption.
Self-driving car security is “ahead of the curve,” according to famed car-hackers Charlie Miller and Chris Valasek, who now work for Cruise, GM’s autonomous ride sharing service. But being ahead of the curve doesn’t mean perfect. “Nothing’s unhackable,” Valasek said the pair learned from being on the offensive side in the past. The idea is to “make the return on investment so low, it wouldn’t be worth the time money or effort to hack something we’re securing.” What worries them most? “Compromising the entire fleet, that’s what keeps us up at night,” said Valasek. The pair spoke both in a briefing session and at a gathering of reporters.
FireEye has been observing a series of interplays between destructive attacks and financially motivated cyberattacks, company officials said at a media panel. Charles Carmakal, FireEye’s vice president and chief technology officer of strategic services, said there’s been a rise in “incredibly disruptive breaches” that “deliberately destroy data.” In some cases, the attackers pretend to be demanding cash for ransom, but are using that to disguise destructive attacks; in other cases, they’re both demanding cash and then conducting destructive attacks to hide their crimes; and in some cases (according to John Miller, deputy director of FireEye’s iSIGHT intelligence group), they’re just trying to sow confusion about who wants what.
HATS OFF? — U.S. Cyber Command and NSA chief Army Gen. Paul Nakasone has submitted his recommendation on splitting the two organizations to Defense Secretary Jim Mattis. “I will allow him to read it and leave it at that,” Nakasone said Thursday during an Intelligence National Security Alliance leadership dinner. Nakasone vowed during one of his confirmation hearings to make his opinion on the years-long debate surrounding the “dual-hat” leadership structure within his first three months. “Whatever the decision,” the partnership between the two organizations is one “that our nation needs,” he said.
He later added that last week’s show of force at the White House on election security conveyed how “very serious” national security leaders are about stamping out meddling and malign influence. “We are pursuing this with a strong sense of purpose,” Nakasone told the audience. He also weighed in on the the idea of standing up a cyber service. “I’m not there yet in terms of a separate service,” he said, adding he’s focused on “building readiness within” the existing branches. He jokes that he found it “fascinating” the topic came up the same day the administration announced plans to create a space force.
MIND YOUR MANRS — A coalition of major tech companies has endorsed the Mutually Agreed Norms for Routing Security, a project that encourages network operators and internet backbone providers to take common-sense cybersecurity steps. “Challenges related to routing security are real and pressing, impacting citizens’ and business interactions online daily,” the tech companies, operating under the banner of the Cybersecurity Tech Accord, said in a statement. “These challenges will only be resolved through the coordinated action and activities of the many divergent parties.” The 44 members of the tech coalition include Facebook, Microsoft, Dell, HP, FireEye and VMware. The goal of the coalition is to “protect and empower civilians online and to improve the security, stability and resilience of cyberspace.”
The tech coalition also created a working group with the people behind MANRS that will “investigate how companies beyond network operators and IXPs can contribute to routing security,” according to its statement. Accord members KPN and Swisscom already implement MANRS recommendations, and the coalition vowed to “raise awareness of the challenges of routing security and encourage actions to address those, in addition to [promoting] the culture of collective responsibility of the Internet’s global routing system.”
A MARBLE-OUS TROJAN — The Department of Homeland Security on Thursday continued its campaign to unmask and neuter North Korean malware by revealing technical details of the North’s “Keymarble” remote access trojan. Keymarble is a first-stage implant that secures its place on a target computer and calls home to a group of IP addresses hard-coded into its programming. In its malware analysis report, DHS said that Keymarble “is capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.” The malware is part of a North Korean hacking campaign that the U.S. government has dubbed “Hidden Cobra.”