Hillicon Valley: Officials prepare for fake election hack claims | Apple chief calls for tougher data rules | Lawmakers want Pentagon to probe cloud computing contract | Facebook, Twitter find no proof of Chinese meddling
Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley.
Welcome! Follow the cyber team, Olivia Beavers (@olivia_beavers) and Jacqueline Thomsen (@jacq_thomsen), and the tech team, Harper Neidig (@hneidig) and Ali Breland (@alibreland).
FAKE OUT (HACK): State and federal officials say they are well prepared for the possibility of a cyberattack on American election systems Nov. 6, but experts warn that even a false claim of interference by foreign actors on Election Day could undermine the public’s faith in the voting process.
The top cyber official at the Department of Homeland Security (DHS) said it’s a very real possibility that groups will announce they successfully hacked certain election results. That would require swift action from federal authorities to decisively refute any unsubstantiated declarations of election meddling, analysts say.
“I could absolutely envision a scenario where someone claims to have had access or claims to have hacked” an election, Christopher Krebs, the undersecretary of the National Protection and Programs Directorate (NPPD), told reporters last week.
Krebs said if such a claim were made, federal officials would contact the state and local officials running the election to see if they could verify it. If the allegation is shown to be false, he said federal officials would do their best to help spread the word.
“If they need independent verification, my teams are ready to go,” he said. “The FBI and the Department of Justice are ready to help out as well.”
Another cybersecurity official at DHS, Jeanette Manfra, said Tuesday that a hacker could undermine the legitimacy of a race just by misrepresenting the results posted on a state’s website.
“Are they actually manipulating the vote tally? No, but could you have then confusion or concern?” said Manfra, undersecretary for cybersecurity and communications at NPPD.
TIM COOK BACKS U.S. PRIVACY LAW TO REIN IN DATA COLLECTION: Apple CEO Tim Cook on Wednesday called for stricter laws protecting internet privacy, taking shots at tech platforms like Facebook and Google that specialize in collecting user data and employ algorithms that can “magnify our worst human tendencies.”
“Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency,” Cook said during a conference in Brussels before Europe’s privacy regulators.
“Scraps of personal data are collected for digital profiles that let businesses know users better than they know themselves and allow companies to offer users increasingly extreme content that hardens their convictions,” Cook added. “This is surveillance. And these stockpiles of personal data serve only to enrich the companies that collect them.”
His comments come as tech companies such as Google and Facebook face increased scrutiny over their data-protection practices following a string of data privacy scandals in recent months.
As controversy and scrutiny have engulfed the internet companies over their data practices, Cook has been keen to distance Apple from the scandals, highlighting how his company’s business practices are distinct from other Silicon Valley giants.
And Cook adds a personal note: Apple CEO Tim Cook said he became the first head of a major company to come out publicly as gay in order to set an example for kids.
“I did not do it for other CEOs to come out,” Cook told CNN in an interview Wednesday. “It wasn’t even in my mind.”
Cook said he is very proud of the decision he made, saying being gay is “God’s greatest gift to me.”
Cook made public his sexual orientation almost exactly four years ago.
TOO AFRAID TO VOTE?: Nearly 1 in 5 Americans is unlikely to vote in the upcoming midterm elections, largely over worries of foreign interference, according to a new survey.
The 2018 Unisys Security Index, released Wednesday, found that a vast majority of the respondents — 86 percent — said they feared that U.S. voting systems could be manipulated by outside actors.
The survey also found that 19 percent of American respondents “will not vote” or “have a high likelihood” of not voting next month.
Out of those concerned about election security, Americans between the ages of 18 and 34 were the most likely to say that they would not vote, with 31 percent of respondents in that age bracket saying they might not cast ballots.
Still, 65 percent of respondents said worries about election integrity wouldn’t keep them from casting their ballots.
Chris Krebs, the Department of Homeland Security’s (DHS) top cyber official, said that he wasn’t “necessarily surprised” by the study results because Americans largely didn’t consider election security before the 2016 elections.
The Hill talked to Krebs after the release of the report. He said that Americans should remember that part of the Russian interference in 2016 “was to get in our heads, get in our heads as voters and create doubt and undermine our confidence in our systems.”
“Whether they had technical abilities to do anything to disrupt the system, that’s not technically what their objectives were,” he said. “They were just trying to undermine our confidence and question our processes.”
The report included a number of notable findings: This year’s version of the annual index found that consumers are most concerned about threats to online security, with identity theft topping the list of concerns.
And while Americans are wary of using biometric technologies like facial recognition software for convenience’s sake, they’re willing to use it for security: 66 percent said they would be willing to use facial recognition systems as a safety precaution while boarding a plane, and 65 percent said they would use it for the same reason at a U.S. border crossing.
You can read the full report here.
BACK TO BASICS: Many county election websites are lacking basic cybersecurity measures that could leave voters vulnerable to misinformation, security firm McAfee said Wednesday.
McAfee threat researchers looked at county websites in 20 states and found that many county sites used .com domains instead of .gov ones, which must be thoroughly vetted by government officials as being official sites.
Researchers found that Minnesota had the highest percentage of non-.gov domains for county election sites at 95.4 percent, followed by Texas at 95 percent and Michigan with 91.2 percent.
Steve Grobman, the senior vice president and chief technology officer at McAfee, noted in a blog post that .com and other domains can be bought by anyone, meaning that misinformation about elections could be more easily shared with potential voters.
McAfee also found that a large majority of the county sites did not enforce the use of Secure Sockets Layer (SSL) certificates, which protect visitors to a website from being redirected to fake sites and encrypt users’ personal information.
“SSL is one of the most basic forms of cyber hygiene, and something we expect all sites requiring confidentiality or data integrity to have at a minimum,” Grobman wrote. “The fact that these websites are lacking in the absolute basics of cyber hygiene is troubling.”
FROM RUSSIA, WITH CYBER: A cybersecurity firm on Tuesday said a Russian-linked research institute likely helped develop malicious software that was used by a sophisticated hacking group to wage a cyberattack against a Saudi petrochemical plant, forcing its operations to shut down last year.
The firm, FireEye, said with “high confidence” that the Moscow-based lab known as Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) helped build tools used by the hacking group Xenotime or TEMP.Veles.
The security firm’s attribution is one of the most direct linking Kremlin-backed hackers to a cyberattack against another country’s critical infrastructure.
Xenotime is known for its malware attacks.
This hacking group employs Triton, or Trisis, software, which can disrupt industrial control system software and cause industrial plants to shut down, albeit safely.
PRIVACY ADVOCATES CALL FOR TOUGHER FTC: The Federal Trade Commission (FTC) is under pressure after recent privacy scandals as critics question if the agency has the regulatory teeth to oversee the tech industry’s customer data policies.
The new scrutiny also comes with Congress mulling federal privacy legislation. Many privacy and consumer watchdogs say beefing up the agency’s powers and resources to handle data privacy should be a top priority.
“I think they do a decent job with the limited authority they have, but they have nowhere near the legal authority nor the staff to really meaningfully police the tech industry,” said Justin Brookman, a former policy director in the FTC’s Office of Technology Research and Investigation.
SENATE DUO THINKS GOOGLE MAY HAVE VIOLATED FTC ORDER: Two Democratic senators are questioning if Google violated a consent agreement with the Federal Trade Commission (FTC) in failing to disclose a software vulnerability that exposed the data of nearly half a million Google Plus users.
Sens. Catherine Cortez Masto (Nev.) and Amy Klobuchar (Minn.) on Wednesday sent a letter to Google CEO Sundar Pichai expressing their concerns about the exposure and the company’s response to it.
“While Google has not uncovered evidence that developers took advantage of this vulnerability or that profile data was misused, it has failed [to] protect consumers’ data and kept consumers in the dark about serious security risks,” the senators wrote.
“At a time when Americans’ trust in large, online companies is at an all-time low, we are deeply dismayed that more care was not taken to inform consumers about threats to their personal information.”
A DIFFERENT KIND OF CLINIC: The Center for Long-Term Cybersecurity at UC Berkeley unveiled its “Citizen Clinic” on Wednesday, aimed at offering cybersecurity support to groups like media outlets and non-profits that could face cyber attacks.
Trained groups of students at the clinic will offer help to organizations facing online threats, and will also help organizations create new policies to boost their cybersecurity.
“Citizen Clinic is helping address an urgent challenge, as many civil society organizations are highly vulnerable to spyware, surveillance, troll campaigns, censorship, and other online threats,” Steve Weber, the faculty director of CLTC, said in a release.
“Many of the other resources available to civil society are focused on responding to cyber emergencies, as opposed to prevention and baseline security. Citizen Clinic represents an important new model for helping these organizations develop long-term resilience in the face of an evolving threat landscape.”
WHO YOU GONNA CALL? BUG BUSTERS: The Department of Defense announced Wednesday that it was awarding contracts to three private security firms in an expansion of its bug bounty program.
The department will now partner with Synack, HackerOne and Bugcrowd — all Silicon Valley crowdsourced companies — to add new features to the “Hack the Pentagon” program. The department began the program two years ago, inviting security researchers and ethical hackers to examine the Pentagon’s networks and identify cyber vulnerabilities.
The new partnerships mean the department will be able to run year-long and continuous testing of top assets, as well as “enable vetted hackers to simulate real and insider threats to certain systems,” according to a department release.
“Finding innovative ways to identify vulnerabilities and strengthen security has never been more important,” said Chris Lynch, the director of the Defense Digital Service. “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative. Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets.”
LAWMAKERS SEEK PROBE INTO AMAZON CONTRACT: Two Republican lawmakers are asking the Pentagon’s inspector general to investigate the bidding process for a multibillion-dollar Defense Department cloud computing contract, which critics claim is biased toward Amazon.
Reps. Steve Womack (R-Ark.) and Tom Cole (R-Okla.) in a letter dated Monday expressed their concerns about the process behind the Joint Enterprise Defense Infrastructure (JEDI) cloud contract, which they fear might be “tailored to one specific contractor.”
They noted that currently the JEDI contract specifies that the vendor who wins it must meet Impact Level 6 requirements to host secret and top-secret data. The lawmakers called the requirement “unnecessary” and noted it can “only be met by one contractor.”
They didn’t specify the contractor, but the only company bidding that meets the requirements is Amazon Web Services.
FACEBOOK AND TWITTER: ‘IT WASN’T US’: Facebook and Twitter say they have not found evidence of Chinese meddling in the 2018 elections, according to a Bloomberg report.
Company officials told Bloomberg that they have not found evidence of Chinese campaigns so far, though they have identified misinformation campaigns that seem to come from Russia and Iran.
Other tech firms, namely cybersecurity companies FireEye Inc. and Symantec Corp, have said they have found no evidence linking China to election meddling.
Twitter confirmed to The Hill that the company hasn’t found evidence of Chinese meddling so far, but emphasized that it is extremely difficult to determine with certainty where disinformation originates.
Facebook could not immediately be reached for comment.
AN OP-ED TO CHEW ON: The U.S. has lost its entrepreneurial advantage
A LIGHTER CLICK: Pay the toll.
NOTABLE LINKS FROM AROUND THE WEB:
People trust Amazon a lot more than a lot of government institutions.
Authorities lose access after Apple patches ‘Greykey’ iPhone passcode hack. (Forbes)
Judge blocks GA election officials from throwing out absentee ballots due to errors. (ACLU)
Two new supply-chain attacks come to light in less than a week (Ars Technica)
Apple just killed the ‘GrayKey’ iPhone passcode hack (Forbes)
Government spyware vendor left customer, victim data online for everyone to see (Motherboard)
When Sears flourished, so did workers. At Amazon, it’s more complicated. (The New York Times)