
The Cybersecurity 202: Sanders and Warren still mum on campaign protections against hackers

THE KEY

With just three weeks to go before the Iowa caucuses, two top-polling Democratic candidates are still declining to say how they’re protecting their campaigns against hacking. 

Sens. Elizabeth Warren (Mass.) and Bernie Sanders (I-Vt.) — who are among six candidates squaring off at tonight’s Democratic debate in Des Moines — both refused this week to say whether they’re following basic cybersecurity precautions recommended by the Democratic National Committee. 

That puts the two top progressives in the race at odds with four other candidates who will take the stage tonight: former Vice President Joe Biden, Sen. Amy Klobuchar (D-Minn.), former South Bend, Ind., Mayor Pete Buttigieg and businessman Tom Steyer. Representatives for those candidates all told me they were taking numerous steps to protect their campaigns against hacking, including mandating cybersecurity training for staff and requiring that staff use extra security precautions before accessing smartphones and websites. 

The refusal sounded alarm bells for some cybersecurity advocates with memories of how Russian hackers breached Hillary Clinton’s 2016 campaign and strategically released embarrassing emails to damage her candidacy. That hack was part of a broad Russian effort to hurt Clinton and help Donald Trump, U.S. intelligence agencies concluded. Now they’re warning that not only Russia, but also China and Iran “all will seek to interfere in the voting process or influence voter perceptions” in 2020. 

“In 2016, we saw how lax cyber hygiene led directly to foreign interference in the election,” Maurice Turner, an election security expert at the Center for Democracy and Technology think tank, told me. “Campaigns at this level are the equivalent of a midsize nationwide business with annual revenue nearing $100 million dollars. Appropriate investments need to be made in security to protect the candidate and staff, as well as the personal data of donors and volunteers.”

Sanders and Warren previously declined to discuss their campaign cybersecurity protections in June and September. Sanders’s campaign told me, “We don’t comment on matters of security” and a Warren representative said, “We’re not going to broadcast our cybersecurity practices out in public.” The stance was the same when I contacted both of their campaigns on the subject this week.

Publicizing basic precautions wouldn’t hurt the Democrats, Turner said, because without them, the campaigns would be exceptionally vulnerable to hackers. 

Sanders was slightly more forthcoming in an interview with the New York Times opinion section published yesterday. But his comments were pretty hard to parse. 

An interviewer asked whether Sanders uses two-factor authentication — a DNC-recommended security protection in which people must use both a password and a second factor, such as a fingerprint or SMS code, to log in to devices and websites.

His answer: “There is a woman in my office whose name is Melissa who drives me crazy and gets angry at me all the time. Again, we take that issue very seriously, and she works on my phone and my iPad, my computer, as she does for the whole office. In fact, I was briefed maybe a month ago by the F.B.I. on the dangers there.”

Campaigns for the other debate participants were more forthcoming this week. Klobuchar, Buttigieg and Steyer said they were using all six cybersecurity protections I asked about.

In addition to multi-factor authentication, the list included requiring staff to use complex passwords for websites and passcodes for smartphones, and using encrypted apps for text messaging.

Biden’s campaign declined to answer some of the specific questions but said it’s “executing a comprehensive approach to defending, protecting and securing” campaign systems.

“We have brought on high-quality personnel, require the use of multi-factor authentication on all devices, and are training staff on cybersecurity best practices and tools to ensure the campaign infrastructure remains secure,” a spokesman said. 

PINGED, PATCHED, PWNED

PINGED: Russian military hackers compromised a Ukrainian gas company at the center of an impeachment inquiry into President Trump in a possible effort to dig up dirt on former vice president Joseph Biden and his son Hunter, who was a board member there, my colleague Ellen Nakashima reports.

The attacks against the Ukrainian gas giant Burisma were conducted by the same Russian intelligence service, known as the GRU, that compromised the Clinton campaign in 2016 and leaked emails to undermine her candidacy, Ellen reports. The hack was discovered by the cybersecurity company Area 1 Security and first reported by the New York Times.

The GRU successfully breached the servers of Burisma Holdings and several of its subsidiaries and partners, Oren Falkowitz, Area 1 Security’s chief executive, told Ellen. The agency also targeted a media organization founded by Zelensky, the firm said.

“The timing of the GRU’s campaign in relation to the 2020 U.S. elections raises the specter that this is an early warning of what we have anticipated since the successful cyberattacks undertaken during the 2016 U.S. elections,” Falkowitz said.

PATCHED: Attorney General William P. Barr ramped up attacks on Apple yesterday for refusing to help the Justice Department crack into two phones belonging to a gunman who killed three people at a Florida military base last month. The standoff between the tech giant and the department has become the latest flash point in a years-long debate over law enforcement access to encrypted data.

“This situation perfectly illustrates why it is critical that investigators be able to get access to digital evidence once they have obtained a court order based on probable cause,” Barr said at a news conference. “We don’t want to get into a world where we have to spend months and even years exhausting efforts when lives are in the balance.”

Barr declined to say whether he would seek a court order to compel Apple to help break into the phone like the Justice Department attempted in 2016 after Apple refused to crack a phone belonging to San Bernardino, Calif., shooter Syed Farook.

Apple said it turned over all data in its possession and rejected Barr’s claims.

“We reject the characterization that Apple has not provided substantive assistance in the Pensacola investigation. Our responses to their many requests since the attack have been timely, thorough and are ongoing,” the company said in a statement. “We have always maintained there is no such thing as a backdoor just for the good guys.”

The Justice Department and FBI acknowledged to congressional staff on a phone briefing yesterday that the company was unable to unlock the iPhones and criticized the company for not having a method to do so, the Wall Street Journal reported.

Tech companies and privacy advocates are already pushing back.

Encryption “backdoors are a horrible idea,” Microsoft CEO Satya Nadella said in response to the speech, per the Information’s Jessica Lessin.

Sen. Ron Wyden (D-Ore.) slammed Barr and the Trump administration, per Gizmodo’s Dell Cameron:

But some Republicans supported the attorney general. “Companies shouldn’t be allowed to shield criminals and terrorists from lawful efforts to solve crimes and protect our citizens,” said Sen. Tom Cotton (R-Ark.). “Apple has a notorious history of siding with terrorists over law enforcement. I hope in this case they’ll change course.”

PWNED: Consumer Reports is slamming 25 companies including Amazon-owned Ring for selling smart home devices that are vulnerable to hackers. The group sent a letter calling out the companies yesterday following a string of high-profile privacy incidents including one where a hacker used a Ring device to harass the owner’s family.

In December 2019 alone, there were at least 17 reported security incidents related to connected cameras, according to research by Consumer Reports. That includes a leak of more than 3,000 Ring owners’ login credentials last month. (Amazon CEO Jeff Bezos also owns The Washington Post.) The group also called out Wyze, which exposed the personal information of 2.4 million consumers in a breach revealed last month.

“Due to the sensitive nature of the data these devices collect, we are urging manufacturers to incorporate additional security measures and better protect consumers,” said Ben Moskowitz, director of the Digital Lab at Consumer Reports.

The organization is urging companies to implement more stringent security measures such as requiring users to verify logins through a secondary means such as a text message, and emailing users when a login occurs from a new device or IP address. Ring recently introduced multi-factor authentication for all new devices.

PUBLIC KEY

— Cybersecurity news from the public sector:

The Department of Housing and Urban Development is failing to safeguard and manage more than 1 billion records containing personally identifiable information, according to a management alert from the agency’s internal watchdog.

Federal Computer Week

PRIVATE KEY

— Cybersecurity news from the private sector:

Top blog site Boing Boing said Monday it had been hacked and that its website had temporarily redirected readers to a dangerous malware page.

The Hill

THE NEW WILD WEST

— Cybersecurity news from abroad:

ZERO DAYBOOK

— Today:

  • The House Committee on Foreign Affairs will host a hearing evaluating the administration’s Iran policy today at 10 a.m.
  • The U.S. Election Assistance Commission (EAC) will host an all-day summit on Tuesday addressing preparations for the 2020 elections at the National Press Club.

Coming up:

  • The House Armed Services Committee will host a hearing on the “Department of Defense’s Role in Competing with China” on Wednesday at 10 a.m.
  • The House Committee on Homeland Security will host a hearing examining the implications of U.S.-Iran tensions at 10 a.m. on Wednesday.
