SPECIAL REPORT: Cybersecurity
Our team's special coverage on Cybersecurity
William Carter, deputy director for the CSIS technology policy program, says that he is very worried about the prospect of a cyberattack on the 2020 election, but it’s not vulnerable voting machines that keep him up at night. To understand where the Russian threat is coming from, he says, “you have to understand the way that they think about attacking our elections.”
The 2020 summer Olympic games in Tokyo are ripe targets for cyberattacks, and the best defense is international cooperation, experts said Tuesday. “These kinds of international events are ripe for bad actors like Russia to carry out cyberattacks, whether they’re testing new capabilities or whether they’re angry they’re prevented from participating,” said Meg King, strategic and national security advisor to the Wilson Center’s CEO & President.
Developing more complex artificial intelligence is necessary for the United States to keep pace with Russia and China, top defense technology officials said Tuesday.
WASHINGTON — A House Appropriations committee said Wednesday that not only did foreign actors attempt to interfere in the 2016 election, but that ahead of the 2020 election, vulnerabilities in many state election systems have not been fixed.
Their testimony reaffirmed the assessment of the Director of National Intelligence as part of the Worldwide Threat Assessment last month, which forecast that “our adversaries and strategic competitors probably already are looking to the 2020 U.S. elections as an opportunity to advance their interests.”
Alex Halderman, center, a professor of computer science at the University of Michigan, gives testimony to a House Appropriations subcommittee on vulnerabilities in the U.S. elections system. (Cameron Peters/MNS)
All three witnesses at the hearing supported the committee’s assessment and identified specific concerns about the state of United States elections infrastructure. They also, however, agreed that there is no evidence that a foreign power has affected the outcome of an American election.
Eric Rosenbach, the co-director of Harvard University’s Belfer Center for Science and International Affairs and former Pentagon chief of staff, said that Congress must prioritize domestic defenses, offensive cybersecurity capabilities and a posture of public deterrence if further attempts to interfere in elections are to be avoided.
Digital voting machines were identified as a particular vulnerability in some states’ systems, and direct-record electronic (DRE) voting machines were subject to particular scorn. DRE voting machines, which Rep. Matt Cartwright, D-Penn., described as a “clear and present danger” to election security, are currently in use in several states, in some cases without an accompanying paper trail.
Witnesses stressed that digital-only voting machines could potentially be manipulated undetected, and that paper ballots are preferable.
According to Alex Halderman, a professor of computer science at the University of Michigan and an expert on election security, a paper trail is an important step toward more secure elections, but it’s not enough by itself.
Halderman said a rigorous audit of election results is also necessary to assure a high degree of confidence in an election. However, eleven states do not have auditable elections.
He also advocated for federal policymaking to strengthen the election system. “I think it would be excellent if we had a uniform national policy that elections be rigorously audited,” Halderman said.
Steven Sandvoss, the executive director of the Illinois State Board of Elections, said that Illinois voting machines are antiquated and in dire need of replacement. He estimated the cost of replacement at around $175 million, but noted that the Illinois budget would likely preclude replacing the machines.
The House Appropriations subcommittee on Financial Services and General Government hears testimony on vulnerabilities in the U.S. elections system Wednesday (Cameron Peters/MNS)
Rosenbach said that U.S. Cyber Command should also take on a larger, more proactive role in preventing election interference. States, he said, shouldn’t be left to deal with attacks on their own.
He added that the states should receive federal funding to combat the threat. “This is a nation-state actor,” Rosenbach said. “The states are not designed to have cybersecurity to defend against that threat.”
As the 2020 election approaches, the disparity in levels of election security between states presents another challenge. Halderman said that it may not matter which state is targeted by cyberattacks if that attack undermines confidence in the national outcome.
As such, he said, “until we bring up the most weakly protected states to an adequate level of security, the whole nation will be at risk.”
WASHINGTON – The United States’ energy infrastructure has increasingly become a primary target for hostile cyber attacks, Assistant Secretary of Energy Karen Evans told lawmakers on Thursday.
“The frequency, scale and sophistication of cyber threats have increased,” she said at the Senate Energy and Natural Resources Committee hearing on cybersecurity efforts in the energy industry.
As a reason for urgent action, Republican and Democratic senators highlighted cyberattacks that have occurred since 2015, including a 2015 Russian hack that cut off power to nearly a quarter-million people in Ukraine and another in 2017 that disabled a Saudi petrochemical plant’s safety systems.
“We know we don’t want that to happen here,” said Chairwoman Lisa Murkowski, R-Alaska. “We cannot let it happen in the United States. The resulting loss of power would impact hospitals, banks, cell phone service, gas pumps, traffic lights — you name it.”
Sen. Angus King, I-Maine, pushed one witness on whether the government should impose mandatory standards on the energy industry. Energy agencies under the Trump administration have not set standards to the level Democrats have called for.
“There’s a weird calmness about this hearing. This is not calm! The Russians are already in the grid, are they not?” King asked James Robb, president of North American Electric Reliability Corporation, who eventually said he’d look into the standards. Robb would go no further nor acknowledge the widely reported story that Russian hackers have infiltrated the energy grid.
To limit vulnerabilities, David Edward Whitehead, CEO of Schweitzer Engineering Laboratories, said the government must communicate with industry quickly when it identifies these energy cyber threats.
“There’s a lot of reporting up that [we do] to various agencies, but what we don’t see is that there’s not a lot of reporting back down to us. There seems to be a one way communication,” he said, calling for a daily 8 a.m. conference call with government officials and industry leaders to discuss any potential cybersecurity threats that day. He said that this brief call would help keep industry more informed and prepared for essential cybersecurity measures.
Many Republicans, however, were hesitant to support mandating any standards in what they say is a “dynamic” industry. For Sen. Martha McSally, R-Ariz., though, the government should act now.
“If I close my eyes, this sounds like a hearing from 19 years ago,” she said. “What has changed in 19 years is that… the threat is real, and it is happening.”
Moving forward, King hopes to see the committee focus on deterrence of adversaries, who he says haven’t felt a price from these cyberattacks.
“Thus far there has not been a doctrine or a strategy of this country that deters these kinds of attacks as there is in other areas of our national security,” he said.
WASHINGTON – Once again asserting that Cambridge Analytica and other companies improperly obtained millions of Facebook users’ data, Mark Zuckerberg said Wednesday at his second congressional hearing in two days that he was among Facebook users whose data was compromised.
In 2013, Aleksander Kogan, a Cambridge University researcher, created an app that asked users to share their and their friends’ information.
“In 2014, to prevent abusive apps, we announced that we were changing the entire platform to dramatically limit the Facebook information apps could access,” Zuckerberg said. “Most importantly, apps like Kogan’s could no longer ask for information about a person’s friends unless their friends had also authorized the app.”
But in 2015, Kogan shared data accessed through his app with Cambridge Analytica, a data firm that worked for President Donald Trump’s campaign. Facebook banned Kogan’s app from its platform and demanded the app and other entities it shared data with certify they deleted users’ data. Last month, The New York Times reported Cambridge Analytica may not have deleted users’ data.
Zuckerberg testified Tuesday before the Senate Judiciary Committee and the Senate Commerce, Science and Transportation Committee, repeatedly apologizing for not better protecting users’ data. In Wednesday’s testimony before the House Energy and Commerce Committee, he repeated the apologies, but committee members brushed them aside, saying they want to see action to protect the privacy of Facebook users.
Facebook users choose to share their information on Facebook, Zuckerberg said, when Rep. Bobby Rush, D-Ill., questioned him Wednesday about manipulating people’s right to privacy. “On Facebook, you have control over your information. The content you share, you put there. You can take it down at any time,” Zuckerberg said.
Rep. Joe Barton, R-Texas, asked Zuckerberg why Facebook blocked conservative bloggers. “Our team made an enforcement error,” Zuckerberg said. “We should work to get people the fullest free expression that is possible.”
WASHINGTON — The Department of Homeland Security has failed to hire needed cybersecurity professionals even though it was given approval to do so by Congress in 2014, according to a report released March 8 by the Government Accountability Office.
The GAO, which is the watchdog arm of Congress, said DHS also overstated the number of cyber professionals assigned with the proper identification codes.
The agency has not implemented expedited hiring authority granted in 2014 by Congress. Several House Homeland Security subcommittees held a joint hearing to review cybersecurity hiring problems at DHS.
“Although DHS clamored for these authorities for several years prior to 2014, the department does not plan to fully implement them until April 2019,” said Rep. Bennie Thompson, D-Miss., the top Democrat on the House Homeland Security Committee. “We cannot afford to waste this kind of time.”
The top Democrat on the oversight subcommittee, Rep. Jose Luis Correa, criticized DHS for not reporting its cyber workforce needs to Congress.
“Without appropriate tracking, DHS will not be positioned to effectively examine its cybersecurity workforce, identify its critical gaps or improve its workforce planning,” Correa said.
Rep. Cedric Richmond, the top Democrat on the cybersecurity protection subcommittee, recommended DHS look for talent beyond university students to fulfill the cybersecurity vacancies at the department. “We need to look beyond four-year universities,” he said. “There is untapped talent in unconventional places, and we will find it if we look for it.”
He also said the White House needs to recognize the importance of cybersecurity threats.
“The president must come out and say that the cybersecurity posture of the federal government has a direct impact on our economy, our national security priorities, our critical infrastructure and even the integrity of our elections,” Richmond said.
But Angela Bailey, DHS chief human capital officer, defended the agency, saying it is working to combat increasing cyberattacks on federal networks. “Cybercriminals and nation-states are continually looking for ways to exploit our hyper-connectivity and reliance on IT systems,” she said. “Our enemies will not rest and neither will we.”