Tag Archives: cyber security

The Problem Of Focus: Viewing the Russian Interference Issue

At the risk of redundancy, please remember the findings and suggestions in the Cardin Report:

Putin’s Asymmetrical Assault on Democracy in Russia and Europe: Implications for U.S. National Security,” finds that President Trump’s refusal to publicly acknowledge the threat posed by the Russian government has hampered efforts to mobilize our government, strengthen our institutions, and work with our European allies to counter Putin’s interference in democracies abroad.

Never before in American history has so clear a threat to national security been so clearly ignored by a U.S. president, and without a strong U.S. response, institutions and elections here and throughout Europe will remain vulnerable to the Kremlin’s aggressive and sophisticated malign influence operations.

Notice the three elements incorporated in this introduction.  We haven’t mobilized our federal agencies into preventative action. We haven’t strengthened our political institutions to prevent further incursions from Russia.  Nor have we cooperated fully with European allies to prevent more interference.

The current occupant of the Oval Office and his apologists appear to define Russian meddling only in terms of electoral results, if the Russian interference didn’t cause any change in the voting returns then there was no big problem, and hence no sense of urgency in addressing the Russian bots, trolls, and other efforts.  There has been no cabinet level meeting to date during which the Russian Interference constituted a major agenda item.  Recall AG Jefferson B. Sessions’ statement last October:

“We’re not,” Sessions said, when asked by Sen. Ben Sasse, R-Neb., if the government is taking adequate action to prevent meddling in its elections. “The matter is so complex that for most of us we’re not able to fully grasp the technical dangers that are out there.”

Sessions said he accepts the U.S. intelligence community’s findings that Russia interfered with the 2016 election and may attempt to do so again. He said the Justice Department has been aggressively looking into the stealing of trade secrets in the private sector and noted that the FBI’s computer experts are also highly trained.

“Are we at the level we need to be yet? I don’t think so,” Sessions conceded.”

Sessions made the statement in mid-October 2017, if finger counting is correct that’s 8 months since the onset of the current administration. Nor has the Cyber-security page on the DoJ been updated since that date.  “Are we at the level we need to be yet?”  I don’t think so either.

The Department of Homeland Security also has a cyber-security component.  DHS describes its concerns:

“Cyberspace and its underlying infrastructure are vulnerable to a wide range of risk stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services.”

The idea that the Russians might be profoundly interested in disrupting the delivery of essential electoral services doesn’t seem to have moved to the top of the department’s concerns, at least not to the point of making any special reference to those instances of interference.  There is a draft of a DHS publication on cyber-security efforts (pdf) available online for the purpose of public comment, published this month.  At this point let’s review the Cardin Report summation of the problem, and then read a portion of the DHS Draft Report on what might be the same subject.

Cardin Report: “Mr. Putin has thus made it a priority of his regime to attack the democracies of Europe and the United States and undermine the transatlantic alliance upon which Europe’s peace and prosperity have depended upon for over 70 years. He has used the security services, the media, public and private companies, organized criminal groups, and social and religious organizations to spread malicious disinformation, interfere in elections, fuel corruption, threaten energy security, and more.”

 DHS Draft 1-5-18: “Given the networked nature of the risks, real coordination is necessary to fully understand the problem and identify paths to solutions. While the information technology and communications sectors do actively work to understand security risks, sectors often are unable to coordinate well with other sectors. Even though some entities coordinate domestically or regionally, there are few global mechanisms to share information about threats, solutions, and their adoption and efficacy. In many cases, lack of clarity around roles and responsibilities has impeded collective action, resulting in security failures.”

At no point in the draft does one find any specific reference to interference in political institutions and operations.  A generous interpretation might be that political interference is included in the general category of infrastructure.

In short there’s not much in the DHS Draft which would offer any Nevada voter, of any stripe, comfort as to the security of our political institutions, or our election processes.  In fact, a quick reading of the draft leaves the impression that the issue of political cyber-security is left to the private sector, and market forces, whatever that might be.

Therefore, we’re back where we started, with a federal Executive Branch unable or unwilling or un-directed to develop specific guidelines or regulations toward preventing Russian interference in political matters and a market (Google, Facebook, Twitter) adrift and stumbling around what they may perceive as business and public relations pot holes on the road to prosperity.

“Russian trolls sought to steer Facebook users toward events, even protests, around contentious issues like immigration. In its response to Congress, published Thursday, Facebook elaborated that Kremlin-aligned agents created 129 events on 13 of its pages. Roughly 338,300 unique accounts viewed these events, while 25,800 accounts indicated they were interested and about 62,500 said they would attend. “We do not have data about the realization of these events,” Facebook explained.”

“Google, meanwhile, previously informed Congress that it had discovered that Russian agents spent about $4,700 on ads and launched 18 channels on YouTube, posting more than 1,100 videos that had been viewed about 309,000 times.”

“And Twitter told lawmakers at first that it found 2,752 accounts tied to the Russia-aligned Internet Research Agency. Last week, however, the company updated that estimate, noting that Russian trolls had more than 3,000 accounts — while Russian-based bots talking about election-related issues numbered more than 50,000.”  [Recode]

There does seem to be some movement from social media operations, however nothing in the draft appears to directly address any specific assistance to state and local governments trying to secure their election rolls, ballot security, and count integrity.  Not to put too fine a point to it, but the DHS draft reads like it was crafted by the Chamber of Commerce not law enforcement agencies.  A wide and highly generalized focus such as the one presented in the DHS draft doesn’t exactly offer much satisfaction to those voters seeking an answer to the problem: What are we doing about Russian interference?

PS: “The Departments are requesting comment, asking for further insight into the issues and goals raised by the report, as well as the proposed approach, current initiatives, and next steps. The draft will be finalized based on adjudication of received comments before submission to the President. The final report is due to the President on May 11, 2018.” <https://www.ntia.doc.gov/report/2018/report-president-enhancing-resilience-internet-and-communications-ecosystem-against&gt;

Comments Off on The Problem Of Focus: Viewing the Russian Interference Issue

Filed under Nevada politics, oversight, Politics, Public Records, public safety

Who Is Supposed To Watch The Henhouse?

Let’s assume for the moment that while we may not yet know the full extent of Russian efforts to attack our election systems and voter rolls, we do know that they did so and will make future efforts to repeat their invasions based on what they have learned from 2016.  If this proposition seems reasonable, then the actions of the current administration are almost incomprehensible.

We have the official announcement that Chris Painter will leave the US State Department’s office of cyber issues at the end of this month. [TheHill]   Why the coordinator for US cyber issue policy would be leaving isn’t clear, but what is worthy of note is that Secretary of State Tillerson says staffing is a matter of “leaning in” and that the Cyber Security unit of the Department of State was organized by Secretary Clinton in 2011 to organize disparate parts of the department which dealt with cyber crime, cyber-security, internet freedom, and the protection of dissidents’ digital security. [NextGov]  One possible conclusion is that Tillerson is further truncating an already compressed organizational chart.

There are at least 50 reasons why more, not less, departments of the US government should be gearing up (not down) before the next round of elections: Alabama…Wyoming.

In September 2016 ABC News reported that Russian hackers targeted nearly half the US state voter registration systems and were successful in infiltrating four of them.  By that time 18 states had reached out to DHS Secretary Jeh Johnson for assistance with cyber-security.  As of June 2017 reports were published saying that there may have been as many as 39 breaches of state cyber security in regard to voter rolls and/or election systems. [VF] The hackers may have targeted swing states, and voter registration officials.

This onslaught would seem to support the idea that MORE needs to be done by the US Department of State, the Department of Justice, and the Department of Homeland Security (as well as the Election Assistance Commission) to help states prevent future hacks and assaults on our elections.  At this point the obvious clashes with the ideological.

There is baked into Republican ideology the notion that more can always be done with less.  The central concept appears to be that offices are filled to the transoms with unnecessary employees doing unimportant jobs.  However, consider the manpower needed to assist 50 states with 50 disparate voting systems from attacks by foreign powers intent upon doing everything from malicious mischief to outright fraud.  We might well ask not only who’s watching the hen house, but who’s even available to answer the phones?

The irony of the current situation lies in the 2016 Republican Platform which made some important promises:

“The platform highlights the recent passage of cybersecurity information sharing legislation and calls for a U.S. response to national state attacks that would include “diplomatic, financial and legal pain, curtailing visas for guilty parties, freezing their assets, and pursuing criminal actions against them.” It also calls for the U.S. to take an offensive strategy against cybersecurity attacks “to avoid the cyber equivalent of Pearl Harbor.” Supply chain issues, cyber workforce, cyber insurance, and the right to “self-defense” against cyber attackers were also included in the platform.”

Indeed, we’ve had the cyber equivalent of Pearl Harbor, but all we’ve heard from the current Republican administration is the disparagement of investigations of Russian interference as a Witch Hunt and Hoax, the suggestion that it would be “nice” if we had better relations with the Russians, talks about returning the Russian spy compounds in New York and Maryland, and now the Department of State will be operating without a coordinator for cyber-security.

What Americans should be advocating are:

  1. Full and adequate funding for the Election Assistance Commission, the only agency specifically tasked with testing and certifying election equipment in our elections.
  2. Adequate staffing and funding for cyber-security activities in the Department of Homeland Security, the Department of State, the Department of Defense, and the Department of Justice.
  3. Prioritization of cyber-security efforts to prevent attacks on our election systems by agents of foreign powers or the foreign powers themselves, as demonstrated by a nationwide effort to coordinate with all the election jurisdictions in this country to assist them in countering cyber assaults.

What happened in 2016 was a serious attack, a “Pearl Harbor” in GOP parlance, and the American public deserves to have this issue taken seriously.

Comments Off on Who Is Supposed To Watch The Henhouse?

Filed under Foreign Policy, Politics

Meanwhile back in the real world: Cyber Security Questions

If the American media can get off the horse race/predictable elections tangent it’s been on of late, there are some stories needing far more explication and analysis than they’ve received, a not-so-modest-list on one topic:

Cyber Security:  There are questions in this realm that need to be explored, and if I had my druthers there would be far more discussion of —

(1)  How individuals can secure their data, or at the very least be assured that the results of data mining operations can be regulated such that breaches can be minimized and misuse mitigated?  If you aren’t a bit disturbed by recent Congressional action to allow the collection and compilation of your information from the Internet to the providers — without your consent, and certainly without paying you for it — then please give this another thought or two.   There’s been entirely too much “ho hum” attached to reports of data breaches.  This, in the face of the fact that 47% of data breaches in 2015 were either malicious or criminal in nature.  In 2015 Anthem Inc. was hit, 80 million customers at risk; in 2014 Ebay was hit, 145 million customer records were compromised; also in 2014 76 million JPMorganChase customers had their data in peril. [Bankrate]

There have been other breaches, which hit the news flaring like a roman candle on the 4th of July, and then flaming out of view just as quickly.  Ok, the subject matter is technical and explanations can be tedious, but aside from advising people to secure their data and change passwords, etc. the media has been behind the story in too many cases.

(2) No state Secretary of State and no local election officials want to be the subject of allegations they’ve not secured voter information.  Our ears should perk up when any one or more of these officials say things even remotely related to “it can’t happen here.” We know that this has happened in at least 39 states, and it obviously DID happen here.  Again, if “meddlers” (a kind word for foreign interests — Russian) want to muddle our elections then a break-in to election rolls, coupled with a few changes here and there, mixed with the already documented problems with the Cross Check program, is an obvious recipe for serious issues.

Update:  And the the WTF Moment — Secretary of State Tillerson says his desire is to work with the Russian government on…Cyber security.  We might want to wait on this until we find out the full extent of Russian efforts to intrude on our election systems and election information sources??

(3) Now, imagine that a breach can be made of such things as the Republican National Committee data on US voters. Oh wait.  It has been left vulnerable, for 12 days no less, simply sitting in a cloud file in a nicely packaged spreadsheet format– of nearly 200 million people.  This may not count as a “breach,” perhaps more like a giant leak.  And, will this major spill be investigated?  Broadly reported? Endlessly analyzed?  If the past is any indicator — probably not.  Yet, if major parties or marketers are allowed (maybe even encouraged) to compile large files of voter/customer data, then what liability do these entities have in terms of securing what has been collected?

Common sense would appear to dictate that “if you collect it you must secure it.”  Further, we need to ask: Are current penalties for storing data in such a state that it is vulnerable to attack sufficient to deter collectors from sloppy data management systems? If you haven’t heard talking heads opining on this lately,  neither have I.

Perhaps we should.

Comments Off on Meanwhile back in the real world: Cyber Security Questions

Filed under Politics, privacy, Privacy and Civil Liberties Oversight Board, Voting

Heller, GOP sustain filibuster of Cyber Security Bill

OK, thus much for the spirit of bipartisanship and negotiation — according to Senate Majority Leader Harry Reid (D-NV) the Senate of the United States of America has been working on a cyber-security bill, the rationale for which ought to be reasonably clear to anyone who’s ever Googled anything.   Or, put in nicer, fancier terms:

“National security experts say there is no issue facing this nation more pressing than the threat of a cyber attack on our critical infrastructure.  Terrorists bent on harming the United States could all too easily devastate our power grid, our banking system or our nuclear plants.  A bipartisan group of Senators has worked for three years to craft this legislation. Yet Republicans filibustered this worthy measure in July.”  (Reid 11/14/12)

Surely this should have been something about which at least a modicum of agreement might have been secured?  The Senate Majority thought so:

“It’s imperative that Democrats and Republicans work together to address what national security experts have called “the most serious challenge to our national security since the onset of the nuclear age sixty years ago.”I found it encouraging when a number of my Republican colleagues – Senators McCain of Arizona, Chambliss of Georgia, Hutchison of Texas, Kyl of Arizona, Coats of Indiana and Blunt of Missouri – recently wrote President Obama advocating legislative action on cyber security.   They wrote: “An issue as far-reaching and complicated as cyber security requires… formal consideration and approval by Congress… Only the legislative process can create the durable and collaborative public-private partnership we need to enhance cyber security.”  (Reid 11/14/12)

What did the Senate Republicans do with the Cyber-security bill? They filibustered it.   And, what did they do when the Majority Leader submitted a cloture motion to stop the filibuster?  They rejected the cloture motion on a 51-47 vote.   “They” would include newly elected Nevada Senator Dean Heller (R-NV). Who, evidently, doesn’t see the need for a “durable and collaborative public-private partnership” to “enhance cyber security.”

The running total for filibusters is now 110 filibusters, 68 cloture motions filed, and 37 successful votes to invoke cloture and stop a filibuster.

Three years of work on a piece of legislation, and work on a matter which should engage the attention of Senators (some of whom surely do  online banking), and the effort comes to a screeching halt before the GOP obstructionism in the Senate.  Memo to Senator McConnell (R-KY): The President isn’t going to be a one term office holder.

Comments Off on Heller, GOP sustain filibuster of Cyber Security Bill

Filed under filibuster, Reid, Republicans