Tag Archives: Internet Security

The Problem Of Focus: Viewing the Russian Interference Issue

At the risk of redundancy, please remember the findings and suggestions in the Cardin Report:

“Putin’s Asymmetrical Assault on Democracy in Russia and Europe: Implications for U.S. National Security,” finds that President Trump’s refusal to publicly acknowledge the threat posed by the Russian government has hampered efforts to mobilize our government, strengthen our institutions, and work with our European allies to counter Putin’s interference in democracies abroad.

Never before in American history has so clear a threat to national security been so clearly ignored by a U.S. president, and without a strong U.S. response, institutions and elections here and throughout Europe will remain vulnerable to the Kremlin’s aggressive and sophisticated malign influence operations.

Notice the three elements incorporated in this introduction.  We haven’t mobilized our federal agencies into preventative action. We haven’t strengthened our political institutions to prevent further incursions from Russia.  Nor have we cooperated fully with European allies to prevent more interference.

The current occupant of the Oval Office and his apologists appear to define Russian meddling only in terms of electoral results: if the Russian interference didn’t cause any change in the voting returns, then there was no big problem, and hence no sense of urgency in addressing the Russian bots, trolls, and other efforts.  There has been no cabinet-level meeting to date during which the Russian interference constituted a major agenda item.  Recall AG Jefferson B. Sessions’ statement last October:

“We’re not,” Sessions said, when asked by Sen. Ben Sasse, R-Neb., if the government is taking adequate action to prevent meddling in its elections. “The matter is so complex that for most of us we’re not able to fully grasp the technical dangers that are out there.”

Sessions said he accepts the U.S. intelligence community’s findings that Russia interfered with the 2016 election and may attempt to do so again. He said the Justice Department has been aggressively looking into the stealing of trade secrets in the private sector and noted that the FBI’s computer experts are also highly trained.

“Are we at the level we need to be yet? I don’t think so,” Sessions conceded.

Sessions made the statement in mid-October 2017; if finger counting is correct, that’s 8 months since the onset of the current administration. Nor has the Cyber-security page on the DoJ been updated since that date.  “Are we at the level we need to be yet?”  I don’t think so either.

The Department of Homeland Security also has a cyber-security component.  DHS describes its concerns:

“Cyberspace and its underlying infrastructure are vulnerable to a wide range of risk stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services.”

The idea that the Russians might be profoundly interested in disrupting the delivery of essential electoral services doesn’t seem to have moved to the top of the department’s concerns, at least not to the point of making any special reference to those instances of interference.  There is a draft of a DHS publication on cyber-security efforts (pdf) available online for the purpose of public comment, published this month.  At this point let’s review the Cardin Report summation of the problem, and then read a portion of the DHS Draft Report on what might be the same subject.

Cardin Report: “Mr. Putin has thus made it a priority of his regime to attack the democracies of Europe and the United States and undermine the transatlantic alliance upon which Europe’s peace and prosperity have depended upon for over 70 years. He has used the security services, the media, public and private companies, organized criminal groups, and social and religious organizations to spread malicious disinformation, interfere in elections, fuel corruption, threaten energy security, and more.”

 DHS Draft 1-5-18: “Given the networked nature of the risks, real coordination is necessary to fully understand the problem and identify paths to solutions. While the information technology and communications sectors do actively work to understand security risks, sectors often are unable to coordinate well with other sectors. Even though some entities coordinate domestically or regionally, there are few global mechanisms to share information about threats, solutions, and their adoption and efficacy. In many cases, lack of clarity around roles and responsibilities has impeded collective action, resulting in security failures.”

At no point in the draft does one find any specific reference to interference in political institutions and operations.  A generous interpretation might be that political interference is included in the general category of infrastructure.

In short there’s not much in the DHS Draft which would offer any Nevada voter, of any stripe, comfort as to the security of our political institutions, or our election processes.  In fact, a quick reading of the draft leaves the impression that the issue of political cyber-security is left to the private sector, and market forces, whatever that might be.

Therefore, we’re back where we started, with a federal Executive Branch unable or unwilling or undirected to develop specific guidelines or regulations toward preventing Russian interference in political matters, and a market (Google, Facebook, Twitter) adrift and stumbling around what they may perceive as business and public relations potholes on the road to prosperity.

“Russian trolls sought to steer Facebook users toward events, even protests, around contentious issues like immigration. In its response to Congress, published Thursday, Facebook elaborated that Kremlin-aligned agents created 129 events on 13 of its pages. Roughly 338,300 unique accounts viewed these events, while 25,800 accounts indicated they were interested and about 62,500 said they would attend. “We do not have data about the realization of these events,” Facebook explained.”

“Google, meanwhile, previously informed Congress that it had discovered that Russian agents spent about $4,700 on ads and launched 18 channels on YouTube, posting more than 1,100 videos that had been viewed about 309,000 times.”

“And Twitter told lawmakers at first that it found 2,752 accounts tied to the Russia-aligned Internet Research Agency. Last week, however, the company updated that estimate, noting that Russian trolls had more than 3,000 accounts — while Russian-based bots talking about election-related issues numbered more than 50,000.”  [Recode]

There does seem to be some movement from social media operations; however, nothing in the draft appears to directly address any specific assistance to state and local governments trying to secure their election rolls, ballot security, and count integrity.  Not to put too fine a point on it, but the DHS draft reads like it was crafted by the Chamber of Commerce, not law enforcement agencies.  A wide and highly generalized focus such as the one presented in the DHS draft doesn’t exactly offer much satisfaction to those voters seeking an answer to the problem: What are we doing about Russian interference?

PS: “The Departments are requesting comment, asking for further insight into the issues and goals raised by the report, as well as the proposed approach, current initiatives, and next steps. The draft will be finalized based on adjudication of received comments before submission to the President. The final report is due to the President on May 11, 2018.” <https://www.ntia.doc.gov/report/2018/report-president-enhancing-resilience-internet-and-communications-ecosystem-against>


From Deep Throat to Deep Root: Republicans Careless With 200 Million Voter Files

Oh for the Olden Times when the Grand Old Party had its individual and collective knickers in a twist over Secretary Clinton’s “carelessness” with State Department e-mails on <clutch pearls here> a private server…  However, now we have to visit the Business and Technology section of the Washington Post to find the following:

“Detailed information on nearly every U.S. voter — including in some cases their ethnicity, religion and views on political issues — was left exposed online for two weeks by a political consultancy which works for the Republican National Committee and other GOP clients.

The data offered a strikingly complete picture of the voting histories and political leanings of the American electorate laid out on an easily downloadable format, said cybersecurity researcher Chris Vickery. He discovered the unprotected files of 198 million voters in a routine scan of the Internet last week and alerted law enforcement officials.” (emphasis added)

Translation:  Data mined information on 198 million Americans was  collected, collated, compiled, and then left for 12 days in an UNPROTECTED STATE for the eyes of any and all — criminal identity thieves, criminal scammers, and anyone who didn’t want to go to the bother of hacking into any server in any location.  For 12 days all this information was out there, like the food on a buffet — those in line just had to recognize what was on offer.

Where are the calls for hearings?  The Outraged cries for an investigation into how this could have happened?  The questions as to how we might be able to guarantee something this horrendous doesn’t happen again.

If a “good guy” could find this data during a “routine scan,” what might happen when someone with less admirable intentions conducts a targeted scan of what’s available on American voters?

Let this sink in.


Trump Invites Cyber Attack

If you have a computer and use the Internet, read the following statement from candidate Donald Trump very carefully:

“When asked about documents stolen in a cyber attack on the Democratic National Committee’s servers, (1) Trump suggested hackers had also breached Clinton’s personal email server.

“By the way, if they hacked, they probably have her 33,000 emails. (2)  I hope they do,” the GOP nominee told reporters, referring to Russia, who security experts suspect was behind the hack. “They probably have her 33,000 emails that she lost and deleted.”

He also addressed the country directly: (3) “Russia, if you’re listening, I hope you can find the 33,000 emails that are missing. I think you will probably be rewarded mightily by our press.” [TPM] [numbering added]

Let’s begin with Number One. The e-mails are a piece of the interminable GOP Benghazi nothing-burger which to date has yielded the participation of no less than 10 Congressional investigations; 252 witnesses called to testify, 62 hours of publicly available hearings, and 13 published reports – none of which indicate that Secretary Clinton did anything wrong.  But, there is always hope in GOP hearts. A hope expressed by Trump, who offered ZERO evidence that the hack included Clinton’s personal server.  He has no evidence her server was hacked – he just hopes so.  Let that sink in a second.

Number Two: He hopes they hacked her server.  Who hopes for someone else to be the victim of a cyber-attack?  Does anyone really wish for the Russians or any other source to cyber-attack anyone in the United States of America?  Is he really saying that he hopes a foreign power hacked one of our government officials?   After 10 Congressional investigations, an FBI report, and every single published report exonerating the former Secretary of State of any illegal activity – Trump is still wishing for something, anything, to come to light which would assist his political campaign.  This is Richard Nixon on steroids.  This isn’t keeping an “enemies list,” or “taping Oval Office conversations.” This is actively seeking assistance from a foreign power (probably the Russians) to get results of cyber-attacks on the United States of America.

Number Three: Now witness the stretch in the Trump Tweet.

If the Russians, or some other power, have found deleted e-mails then Trump wants them “handed over.”  On Twitter, Trump wants the e-mails handed over to authorities, but during the press conference he suggests that the media will jump all over the opportunity to publish them for click bait.  And all this without offering a single attributable FACT that the deletions are “illegal,” or that they would contain any information relevant to the investigations.

Worse still for Mr. Trump, there has been an FBI investigation and the security logs show NO evidence of any foreign hacks on the server in question. [NYT] [WaPo]  Therefore, all we can say is that Mr. Trump is trying to perpetuate the Fox News mythology of “missing e-mails” and not-very-smoking guns.  And yet more bad news for the mythologizers, the hacker who made claims about getting into Secretary Clinton’s e-mail server flat out lied. [PCWorld]

Let’s Get Serious

Mr. Trump’s anodyne platitudes and sweeping generalizations notwithstanding – there are a couple of things that he obviously doesn’t understand.

First, there’s cyber-war.  He called American efforts “obsolete.” I suppose we might thank him for suggesting that our enemies could safely underestimate our capacity. However, all sides understand  this is not the case.  For a more in-depth report on Mr. Trump’s inadequacies in regard to the nature and effectiveness of the U.S. cyber arsenal please read this piece in the Atlantic.

Secondly, there’s the insidiousness of suggesting that any foreign power should be applauded for gaining access to U.S. information via cyber-attacks.

In August 2015, Russian hackers carried out a cyber-attack on the Pentagon.  The attack shut down the unclassified e-mail system for the Joint Staff for about two weeks.  No classified information was accessed, nothing was stolen, and only unclassified accounts were involved in the cyber-attack – thank goodness. [USNWR]  However, we have to believe that there will be other, more sophisticated, and more egregious attacks to come.  Is Mr. Trump suggesting that if the Russians found out something useful for his campaign they should turn it over to the FBI and the Press? – From the Pentagon?

In June 2015, we learned the Chinese had hacked the computers of the Office of Personnel Management. The agency estimated about 4.2 million federal employees were affected, including 1.5 million who are members of the U.S. military. [WSJ]  Is Mr. Trump suggesting the hackers hand over any information which might be of any use to his campaign to the FBI and the Press?

Cyber-attacks aren’t playground dodge ball. Those who are unsure of this proposition should read the articles in Wired, Business Insider, and Ars Technica on Stuxnet and Nitro Zeus.  For a truly nightmare scenario, imagine an attack on the U.S. electrical grid. [The Hill] Just such an attack happened in Ukraine last December. [Wired]  Is Mr. Trump suggesting that the Press might find it amusing to have the power go out in a major U.S. city during a campaign event for his opponent, Secretary Clinton?

The bottom line is that NO ONE should be rooting for a cyber-attack, for any reason, under any circumstances. NO ONE should be rooting for a foreign power to find a way into our secure information, our military operations, our personnel files, our electrical grid, our defense contractors, our banking institutions, our hospitals, our schools, or our retailing systems.

NO ONE.
